diff --git a/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
new file mode 100644
index 000000000..eb81ca6d2
--- /dev/null
+++ b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml
@@ -0,0 +1,27 @@
+title: OpenSSH Server Listening On Socket
+id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
+status: experimental
+description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
+references:
+ - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
+ - https://winaero.com/enable-openssh-server-windows-10/
+ - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+ - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: mdecrevoisier
+date: 2022/10/25
+tags:
+ - attack.lateral_movement
+ - attack.t1021.004
+logsource:
+ product: windows
+ service: openssh
+detection:
+ selection:
+ EventID: 4
+ process: sshd
+ payload|startswith: 'Server listening on '
+ condition: selection
+falsepositives:
+ - Legitimate administrator activity
+level: medium
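Review bot: The description at the top of the new rule is ungrammatical ("server starts to listening on SSH socket") and should be tightened to something like `description: Detects the OpenSSH server (sshd) starting and binding its listening socket, which may indicate an attacker enabling SSH on a Windows host for lateral movement.` The falsepositives entry is also thin for a rule keyed on `payload|startswith: 'Server listening on '`, since every service start of an intentionally installed sshd, including each reboot, will match; adding an entry such as `- Hosts where the OpenSSH server is intentionally installed (the event fires on every sshd start, including reboots)` tells the consumer what to baseline. Both changes are documentation only and fit within the existing key layout.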
diff --git a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
index 8e2b7bf82..4bedaab1b 100644
--- a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml
@@ -14,6 +14,7 @@ tags:
logsource:
category: file_access
product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
- FileName|contains:
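Review bot: The added `definition` line reads as a statement about the rule set ("file_access rules are using ...") rather than as the data-source requirement the Sigma `definition` field is meant to convey to whoever onboards the log source. A phrasing such as `definition: Requires file access telemetry from the Microsoft-Windows-Kernel-File ETW provider` states the requirement directly. The identical line is added in file_access_win_credential_manager_stealing.yml, file_access_win_dpapi_master_key_access.yml and file_access_win_susp_cred_hist_access.yml, so whichever wording is chosen should be applied to all four; the surrounding `detection` block continues outside the hunk.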
diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
index 7e69dc9ea..c6f7445de 100644
--- a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
+++ b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml
@@ -1,7 +1,9 @@
title: Credential Manager Access
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: experimental
-description: Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
+description: |
+ Detects suspicious processes based on name and location that access the windows credential manager and vault.
+ Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
- https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
@@ -13,6 +15,7 @@ tags:
logsource:
category: file_access
product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
index 46ab0a677..2fd3ea828 100644
--- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
+++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
@@ -1,7 +1,9 @@
title: Suspicious Access To Windows DPAPI Master Keys
id: 46612ae6-86be-4802-bc07-39b59feb1309
status: experimental
-description: Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
+description: |
+ Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.
+ Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
references:
- https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
@@ -13,6 +15,7 @@ tags:
logsource:
category: file_access
product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|contains:
diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
index bcd731435..fb7d89475 100644
--- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
+++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml
@@ -1,7 +1,9 @@
title: Suspicious Access To Windows Credential History File
id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
status: experimental
-description: Detects suspicious processes based on name and location that access the Windows Credential History File. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
+description: |
+ Detects suspicious processes based on name and location that access the Windows Credential History File.
+ Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
references:
- https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
- https://www.passcape.com/windows_password_recovery_dpapi_credhist
@@ -13,6 +15,7 @@ tags:
logsource:
category: file_access
product: windows
+ definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider
detection:
selection:
FileName|endswith: '\Microsoft\Protect\CREDHIST'
diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
index 0a2643eaf..f39074904 100644
--- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
@@ -2,13 +2,13 @@ title: File Creation Date Changed to Another Year
id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
status: experimental
description: |
- Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
- Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
+ Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
+ Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
references:
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
author: frack113, Florian Roth
date: 2022/08/12
-modified: 2022/09/09
+modified: 2022/10/25
tags:
- attack.t1070.006
- attack.defense_evasion
@@ -33,6 +33,10 @@ detection:
- TargetFilename|endswith:
- '.tmp'
- '.temp'
+ gen_filter_tiworker:
+ Image|startswith: 'C:\WINDOWS\'
+ Image|endswith: '\TiWorker.exe'
+ TargetFilename|endswith: '.cab'
condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
falsepositives:
- Changes made to or by the local NTP service
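Review bot: The new `gen_filter_tiworker` exclusion keys on `Image|startswith: 'C:\WINDOWS\'`, which hard-codes the system drive and also accepts any `.cab` creation-time change by a TiWorker.exe located anywhere below the Windows directory, so the exclusion is broader than the servicing case it is meant to cover. TiWorker.exe is normally started from the WinSxS servicing-stack directory; if that holds in the telemetry this rule is tuned against, replacing the prefix with `Image|contains: '\WinSxS\'` (kept alongside the existing `Image|endswith: '\TiWorker.exe'`) removes the drive assumption and narrows the exclusion, and a short comment above the filter such as `# Windows Update servicing (TiWorker.exe) rewrites .cab timestamps under WinSxS` would record the reason for it. The rest of the `detection` block, including selection1/selection2 and the other gen_filter entries referenced by the condition, starts outside the hunk, so I could not confirm that `gen_filter*` has no other member that overlaps this one.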
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
index a258a8c66..14d236ac8 100644
--- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
+++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
@@ -1,11 +1,11 @@
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
status: experimental
-author: Tim Rauch
-date: 2022/09/27
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+author: Tim Rauch
+date: 2022/09/27
tags:
- attack.initial_access
- attack.t1133
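Review bot: The description on the context line above the moved author/date keys still contains the typo "which my indicate"; since the commit is already reshuffling this header, it is a good moment to make it `which may indicate`. The same wording, with the same typo, is in file_delete_win_unusual_deletion_by_dns_exe.yml further down in this diff, and both rules cite the same Elastic page about file modification, which is worth a quick check for the deletion rule.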
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml b/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml
index 5811518fc..6ba9b58d0 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml
@@ -2,10 +2,13 @@ title: Delete Log from Application
id: b1decb61-ed83-4339-8e95-53ea51901720
status: experimental
description: Deletion of log files is a known anti-forensic technique
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
+author: frack113
date: 2022/01/16
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
logsource:
product: windows
category: file_delete
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.defense_evasion
- - attack.t1070.004
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
index b1a52fe3c..eca8fe8fa 100644
--- a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml
@@ -2,11 +2,14 @@ title: Deletes Backup Files
id: 06125661-3814-4e03-bfa2-1e4411c60ac3
status: experimental
description: Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
+author: frack113
date: 2022/01/02
modified: 2022/06/02
+tags:
+ - attack.impact
+ - attack.t1490
logsource:
product: windows
category: file_delete
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Legitime usage
level: medium
-tags:
- - attack.impact
- - attack.t1490
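Review bot: The falsepositives entry on the context line still reads `Legitime usage`; with the tags block being relocated in the same file, it would be cheap to correct it to `- Legitimate usage`. The same misspelling appears in file_delete_win_sysinternals_sdelete_file_deletion.yml as `Legitime usage of SDelete`.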
diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
index 925148d68..78179b16c 100755
--- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
+++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml
@@ -2,7 +2,6 @@ title: Prefetch File Deletion
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: experimental
description: Detects the deletion of a prefetch file (AntiForensic)
-level: high
author: Cedric MAURUGEON
date: 2021/09/29
modified: 2022/05/27
@@ -24,3 +23,4 @@ detection:
condition: selection and not exception
falsepositives:
- Unknown
+level: high
diff --git a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
index 64ea228a5..e510f5533 100644
--- a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
+++ b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
@@ -2,12 +2,15 @@ title: Sysinternals SDelete File Deletion
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/09/21
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
logsource:
product: windows
category: file_delete
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Legitime usage of SDelete
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.004
diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
index 51c1d81d0..56289a216 100644
--- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
+++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml
@@ -1,11 +1,11 @@
title: Unusual File Deletion by dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
status: experimental
-author: Tim Rauch
-date: 2022/09/27
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
+author: Tim Rauch
+date: 2022/09/27
tags:
- attack.initial_access
- attack.t1133
diff --git a/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml b/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml
index b9fbca40b..13c3fa8ae 100644
--- a/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml
+++ b/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml
@@ -6,12 +6,12 @@ references:
- https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch
date: 2022/09/16
-logsource:
- category: file_delete
- product: windows
tags:
- attack.defense_evasion
- attack.t1070
+logsource:
+ category: file_delete
+ product: windows
detection:
selection:
FileName|startswith: 'C:\inetpub\logs\LogFiles\'
@@ -20,4 +20,4 @@ detection:
falsepositives:
- During uninstallation of the IIS service
- During log rotation
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_access_susp_teams.yml b/rules/windows/file/file_event/file_event_win_access_susp_teams.yml
index 332a8a19c..ec6a98c67 100644
--- a/rules/windows/file/file_event/file_event_win_access_susp_teams.yml
+++ b/rules/windows/file/file_event/file_event_win_access_susp_teams.yml
@@ -2,25 +2,25 @@ title: Suspicious File Event With Teams Objects
id: 6902955a-01b7-432c-b32a-6f5f81d8f624
status: experimental
description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
-author: '@SerkinValery'
references:
- - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
- - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+ - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+author: '@SerkinValery'
date: 2022/09/16
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains:
- - '\Microsoft\Teams\Cookies'
- - '\Microsoft\Teams\Local Storage\leveldb'
- filter:
- Image|contains: '\Microsoft\Teams\current\Teams.exe'
- condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.credential_access
- - attack.t1528
+ - attack.credential_access
+ - attack.t1528
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - '\Microsoft\Teams\Cookies'
+ - '\Microsoft\Teams\Local Storage\leveldb'
+ filter:
+ Image|contains: '\Microsoft\Teams\current\Teams.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
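Review bot: The relocated `filter` uses `Image|contains: '\Microsoft\Teams\current\Teams.exe'` on a value that is the full tail of an executable path, where `Image|endswith` states the intent more precisely and does not accept paths that merely continue after `Teams.exe`; the one-line change is `Image|endswith: '\Microsoft\Teams\current\Teams.exe'`. This is a point of style on lines the commit only moves, so it can equally be deferred, but the exclusion is the only thing standing between this rule and every Teams process on the host, so its modifier deserves to be exact.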
diff --git a/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml b/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml
index e430a32df..699cd4a1b 100644
--- a/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml
+++ b/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml
@@ -2,12 +2,15 @@ title: Suspicious Unattend.xml File Access
id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
status: experimental
description: |
- Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
- If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
-author: frack113
+ Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+ If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
date: 2021/12/19
+tags:
+ - attack.credential_access
+ - attack.t1552.001
logsource:
product: windows
category: file_event
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.credential_access
- - attack.t1552.001
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
index 3623ece5f..a6a841a0e 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml
@@ -2,16 +2,19 @@ title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: experimental
description: |
- An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
- These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022/02/11
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
detection:
selection:
TargetFilename|contains:
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Legitimate use
level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
index aaaac6289..810c6cc6e 100644
--- a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
+++ b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
@@ -1,11 +1,17 @@
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: experimental
-description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
-author: Nasreddine Bencherchali
+description: |
+ Detects anydesk writing binaries files to disk other than "gcapi.dll".
+ According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
+ which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
- https://redcanary.com/blog/misbehaving-rats/
+author: Nasreddine Bencherchali
date: 2022/09/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
product: windows
category: file_event
@@ -21,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
index 687865be6..ba06ae6e2 100644
--- a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
+++ b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml
@@ -4,8 +4,7 @@ related:
- id: 7453575c-a747-40b9-839b-125a0aae324b
type: derived
status: stable
-description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with
- YYTRIUM/APT29 campaign in 2016.
+description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
author: '@41thexplorer, Microsoft Defender ATP'
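Review bot: The rewritten description line keeps the spelling error "unidetefied"; since the commit already rewrites this scalar to join the two lines, it should read `description: A sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.` No other change to the hunk is needed.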
@@ -19,6 +18,6 @@ logsource:
category: file_event
detection:
selection:
- TargetFilename|contains: 'ds7002.lnk'
+ TargetFilename|contains: 'ds7002.lnk'
condition: selection
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
index 3bcde4c93..1549b8423 100644
--- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
+++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml
@@ -1,10 +1,10 @@
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
-description: Detects default file names outputted by the BloodHound collection tool SharpHound
status: experimental
-author: C.J. May
+description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
+author: C.J. May
date: 2022/08/09
modified: 2022/08/09
tags:
diff --git a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml b/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
index d4b6e6cce..ea83cc117 100644
--- a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
+++ b/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
@@ -1,10 +1,10 @@
title: CrackMapExec File Creation Patterns
id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
-description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
status: experimental
-author: Florian Roth
+description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
+author: Florian Roth
date: 2022/03/12
modified: 2022/05/27
tags:
@@ -55,4 +55,4 @@ detection:
condition: 1 of selection*
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
index 9f8e52580..fea4b166f 100644
--- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
@@ -2,12 +2,15 @@ title: New Shim Database Created in the Default Directory
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: experimental
description: |
- Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
- The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
-author: frack113
+ Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
+ The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
+author: frack113
date: 2021/12/29
+tags:
+ - attack.persistence
+ - attack.t1547.009
logsource:
product: windows
category: file_event
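Review bot: The tags block moved into this hunk carries `attack.t1547.009`, but the rule's description and its single reference are about application shims, which the reference URL itself files under T1546.011; T1547.009 is a different sub-technique, so the relocated tag should become `- attack.t1546.011`. The same mismatch is present in file_event_win_creation_unquoted_service_path.yml later in this diff, where the reference is the T1574.009 atomic and the moved tag is again `attack.t1547.009`, which should read `- attack.t1574.009`. Both descriptions also mention privilege escalation as a goal, so adding `- attack.privilege_escalation` next to `attack.persistence` may be appropriate, but I would confirm that against the rule authors' intent before changing the tactic tags.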
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
index fdb389f1d..8b9034bd3 100644
--- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml
@@ -2,13 +2,16 @@ title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: experimental
description: |
- Adversaries may establish persistence by executing malicious content triggered by user inactivity.
- Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-author: frack113
+ Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+ Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
+author: frack113
date: 2021/12/29
modified: 2022/01/10
+tags:
+ - attack.persistence
+ - attack.t1546.002
logsource:
product: windows
category: file_event
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1546.002
diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
index 43f0a7b9c..e8dda4a85 100644
--- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -2,12 +2,15 @@ title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: experimental
description: |
- Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
- Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-author: frack113
+ Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
+ Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
+author: frack113
date: 2021/12/30
+tags:
+ - attack.persistence
+ - attack.t1547.009
logsource:
product: windows
category: file_event
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index 4f1bf73ac..6089b9e4c 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
@@ -2,51 +2,51 @@ title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-author: Teymur Kheirkhabarov, oscd.community
references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
modified: 2022/09/21
-logsource:
- category: file_event
- product: windows
-detection:
- selection:
- - TargetFilename|contains:
- - '\pwdump'
- - '\kirbi'
- - '\pwhashes'
- - '\wce_ccache'
- - '\wce_krbtkts'
- - '\fgdump-log'
- - TargetFilename|endswith:
- - '\test.pwd'
- - '\lsremora64.dll'
- - '\lsremora.dll'
- - '\fgexec.exe'
- - '\wceaux.dll'
- - '\SAM.out'
- - '\SECURITY.out'
- - '\SYSTEM.out'
- - '\NTDS.out'
- - '\DumpExt.dll'
- - '\DumpSvc.exe'
- - '\cachedump64.exe'
- - '\cachedump.exe'
- - '\pstgdump.exe'
- - '\servpw.exe'
- - '\servpw64.exe'
- - '\pwdump.exe'
- - '\procdump64.exe'
- - '\Dumpy.exe'
- condition: selection
-falsepositives:
- - Legitimate Administrator using tool for password recovery
-level: high
tags:
- - attack.credential_access
- - attack.t1003.001
- - attack.t1003.002
- - attack.t1003.003
- - attack.t1003.004
- - attack.t1003.005
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1003.002
+ - attack.t1003.003
+ - attack.t1003.004
+ - attack.t1003.005
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - TargetFilename|contains:
+ - '\pwdump'
+ - '\kirbi'
+ - '\pwhashes'
+ - '\wce_ccache'
+ - '\wce_krbtkts'
+ - '\fgdump-log'
+ - TargetFilename|endswith:
+ - '\test.pwd'
+ - '\lsremora64.dll'
+ - '\lsremora.dll'
+ - '\fgexec.exe'
+ - '\wceaux.dll'
+ - '\SAM.out'
+ - '\SECURITY.out'
+ - '\SYSTEM.out'
+ - '\NTDS.out'
+ - '\DumpExt.dll'
+ - '\DumpSvc.exe'
+ - '\cachedump64.exe'
+ - '\cachedump.exe'
+ - '\pstgdump.exe'
+ - '\servpw.exe'
+ - '\servpw64.exe'
+ - '\pwdump.exe'
+ - '\procdump64.exe'
+ - '\Dumpy.exe'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator using tool for password recovery
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
index a985084bc..e6aa57282 100644
--- a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
@@ -2,13 +2,16 @@ title: Dynamic C Sharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: experimental
description: |
- When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
- Certain processes are not typically observed compiling C# code, but can do so without touching disk.
- This can be used to unpack a payload for execution
-author: frack113
+ When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
+ Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+ This can be used to unpack a payload for execution
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
+author: frack113
date: 2022/01/09
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
logsource:
product: windows
category: file_event
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.defense_evasion
- - attack.t1027.004
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml b/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
index 045ca1dbf..6e168fe6d 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
@@ -1,13 +1,12 @@
title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
-description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
-author: Florian Roth
status: experimental
-level: critical
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
references:
- https://github.com/hhlxf/PrintNightmare
- https://github.com/afwu/PrintNightmare
- https://github.com/cube0x0/CVE-2021-1675
+author: Florian Roth
date: 2021/06/29
modified: 2021/12/01
tags:
@@ -28,3 +27,4 @@ fields:
- TargetFilename
falsepositives:
- Unknown
+level: critical
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml b/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml
index 3fd08abd1..9e9ae31f4 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml
@@ -1,7 +1,10 @@
title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
-description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange Server’s Unified Messaging service | which could indicate dropping web shells or other malicious content
+description: |
+ Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
+ creation of non-standard files on disk by Exchange Server’s Unified Messaging service
+ which could indicate dropping web shells or other malicious content
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
@@ -25,9 +28,9 @@ detection:
- '.cfg'
- 'cleanup.bin'
condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
fields:
- ComputerName
- TargetFilename
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml b/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
index 7f56caf56..eb836af3d 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -2,11 +2,11 @@ title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
status: experimental
description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
-author: Florian Roth
-date: 2021/11/22
references:
- https://github.com/klinix5/InstallerFileTakeOver
- https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
+author: Florian Roth
+date: 2021/11/22
tags:
- attack.privilege_escalation
- attack.t1068
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml b/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
index b25760627..238d5900d 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -2,11 +2,14 @@ title: CVE-2021-44077 POC Default Dropped File
id: 7b501acf-fa98-4272-aa39-194f82edc8a3
status: experimental
description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
-author: Nasreddine Bencherchali
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
+author: Nasreddine Bencherchali
date: 2022/06/06
+tags:
+ - attack.execution
+ - cve.2021.44077
logsource:
category: file_event
product: windows
@@ -17,6 +20,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.execution
- - cve.2021.44077
diff --git a/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml b/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
index 1a32e0300..ae0f17b84 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
@@ -1,27 +1,26 @@
title: CVE-2022-24527 Microsoft Connected Cache LPE
id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
-description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
-author: Florian Roth
status: experimental
+description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
references:
- - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+ - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+author: Florian Roth
date: 2022/04/13
tags:
- - attack.privilege_escalation
- - attack.t1059.001
- - cve.2022.24527
+ - attack.privilege_escalation
+ - attack.t1059.001
+ - cve.2022.24527
logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
detection:
- selection:
- TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
- filter:
- User|contains: # covers many language settings
- - 'AUTHORI'
- - 'AUTORI'
- condition: selection and not filter
+ selection:
+ TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
+ filter:
+ User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ condition: selection and not filter
falsepositives:
- Unknown
level: high
-
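Review bot: The `filter` block in `detection` excludes any event whose `User` merely contains `AUTHORI` or `AUTORI`, which is broader than the SYSTEM exclusion the inline comment describes: a local or domain account whose name happens to contain that substring (e.g. `CORP\authorizer`) is dropped from detection, and so are `NT AUTHORITY\LOCAL SERVICE` and `NETWORK SERVICE`, which are not the account a legitimate module install runs as either. Anchoring the exclusion to the authority prefix keeps the multi-language coverage without matching arbitrary substrings, e.g. `User|startswith:` with `'NT AUTHORITY\'`, `'AUTORITE NT\'`, `'NT-AUTORITÄT\'` (extend with other localized forms as you encounter them). Since the hunk only re-indents and reorders metadata, a `modified:` bump would be expected only if you take this logic change.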
diff --git a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
index 9f0dfb2fe..2a33e4696 100644
--- a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
+++ b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
@@ -2,16 +2,21 @@ title: DLL Search Order Hijackig Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: experimental
description: |
- Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
- but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
+ Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
+ but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
- https://twitter.com/cyb3rops/status/1552932770464292864
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali
date: 2022/07/30
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.002
logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
detection:
selection:
TargetFilename|startswith:
@@ -23,8 +28,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1574.002
diff --git a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
index 9ff1d6061..cfdfb81b9 100644
--- a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
@@ -4,11 +4,13 @@ status: experimental
description: |
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-author: Nasreddine Bencherchali
references:
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://github.com/last-byte/PersistenceSniper
+author: Nasreddine Bencherchali
date: 2022/08/09
+tags:
+ - attack.persistence
logsource:
category: file_event
product: windows
@@ -19,5 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
index ae3fa8527..59e2d8a5f 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
@@ -1,35 +1,35 @@
title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
- - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
- type: similar
-description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
-author: Florian Roth (rule), MSTI (query, idea)
+ - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
+ type: similar
status: experimental
+description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
- - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+ - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+author: Florian Roth (rule), MSTI (query, idea)
date: 2022/10/01
tags:
- - attack.persistence
- - attack.t1505.003
+ - attack.persistence
+ - attack.t1505.003
logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
detection:
- selection:
- Image|endswith: '\w3wp.exe'
- CommandLine|contains: 'MSExchange'
- TargetFilename|contains:
- - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
- - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
- selection_types:
- TargetFilename|endswith:
- - '.aspx'
- - '.asp'
- - '.ashx'
- condition: all of selection*
+ selection:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: 'MSExchange'
+ TargetFilename|contains:
+ - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
+ - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
+ selection_types:
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ - '.ashx'
+ condition: all of selection*
falsepositives:
- - Unknown
+ - Unknown
level: high
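Review bot: `CommandLine|contains: 'MSExchange'` in `selection` references a field that, as far as its documented schema goes, the Sysmon FileCreate event (EID 11) does not carry — it has `Image`, `TargetFilename` and `User` but no command line — so on a plain Sysmon pipeline the selection can never match and the rule is silently dead. It only works where file events are enriched with the creating process's command line (an EDR field such as an initiating-process command line mapped onto `CommandLine`). Either state that dependency in `logsource`, e.g. `definition: Requires file-create events enriched with the creating process command line; not available in Sysmon EID 11`, or drop the `CommandLine` constraint and rely on `Image|endswith: '\w3wp.exe'` plus the `TargetFilename` path list, which already carries most of the specificity. The sibling rule 6b269392 has the same dependency.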
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
index 7f32e3e4f..1c3900cfc 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
@@ -1,39 +1,39 @@
title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
- - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
- type: similar
-description: Detects suspicious file type dropped by an Exchange component in IIS
-author: Florian Roth
+ - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
+ type: similar
status: experimental
+description: Detects suspicious file type dropped by an Exchange component in IIS
references:
- - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+ - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+author: Florian Roth
date: 2022/10/04
tags:
- - attack.persistence
- - attack.t1190
- - attack.initial_access
- - attack.t1505.003
+ - attack.persistence
+ - attack.t1190
+ - attack.initial_access
+ - attack.t1505.003
logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
detection:
- selection:
- Image|endswith: '\w3wp.exe'
- CommandLine|contains: 'MSExchange'
- selection_types:
- TargetFilename|endswith:
- - '.aspx'
- - '.asp'
- - '.ashx'
- - '.ps1'
- - '.bat'
- - '.exe'
- - '.dll'
- - '.vbs'
- condition: all of selection*
+ selection:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: 'MSExchange'
+ selection_types:
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ - '.ashx'
+ - '.ps1'
+ - '.bat'
+ - '.exe'
+ - '.dll'
+ - '.vbs'
+ condition: all of selection*
falsepositives:
- - Unknown
+ - Unknown
level: medium
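Review bot: `selection_types` lists `.dll` and `.exe` with no path constraint, and the Exchange app-pool worker `w3wp.exe` participates in ASP.NET dynamic compilation whose output lands under `Temporary ASP.NET Files`; I have not confirmed whether the `.dll` write is attributed to `w3wp.exe` itself or to its `csc.exe` child, but if it is the former this rule fires on every page recompile. Worth verifying on a lab Exchange host and, if confirmed, adding `filter_aspnet_temp:` with `TargetFilename|contains: '\Temporary ASP.NET Files\'` and `condition: all of selection* and not filter_aspnet_temp`, and naming that case under `falsepositives` instead of `Unknown`. Note also that `CommandLine` is not a field of the Sysmon FileCreate event, so as written the rule depends on file telemetry enriched with the creating process's command line.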
diff --git a/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml b/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml
index 09e7847b9..4eb173ba0 100755
--- a/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml
+++ b/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml
@@ -2,10 +2,10 @@ title: SafetyKatz Default Dump Filename
id: e074832a-eada-4fd7-94a1-10642b130e16
status: test
description: Detects default lsass dump filename from SafetyKatz
-author: Markus Neis
references:
- https://github.com/GhostPack/SafetyKatz
- https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
+author: Markus Neis
date: 2018/07/24
modified: 2021/11/27
tags:
diff --git a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
index 9602ed295..dc356ec8c 100644
--- a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
@@ -2,13 +2,16 @@ title: GoToAssist Temporary Installation Artefact
id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
status: experimental
description: |
- An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
- These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022/02/13
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
category: file_event
product: windows
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Legitimate use
level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
index b8b818b07..889b3c559 100644
--- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -29,9 +29,9 @@ detection:
- TargetFilename:
- 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
-falsepositives:
- - Files that accidentally contain these strings
-level: high
fields:
- CommandLine
- ParentCommandLine
+falsepositives:
+ - Files that accidentally contain these strings
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
index 4a718b7aa..3e6fc7a69 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
@@ -2,10 +2,10 @@ title: NPPSpy Hacktool Usage
id: cad1fe90-2406-44dc-bd03-59d0b58fe722
status: experimental
description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
-author: Florian Roth
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
- https://twitter.com/0gtweet/status/1465282548494487554
+author: Florian Roth
date: 2021/11/29
tags:
- attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
index 1a8fcf21a..925faee7c 100644
--- a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
+++ b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
@@ -2,10 +2,13 @@ title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: experimental
description: TeamViewer_Desktop.exe is create during install
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+author: frack113
date: 2022/01/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
product: windows
category: file_event
@@ -16,6 +19,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
index 195227579..6823bc852 100644
--- a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
+++ b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
@@ -8,9 +8,14 @@ references:
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022/08/12
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.002
logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
detection:
selection:
TargetFilename|contains|all:
@@ -20,8 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1574.002
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
index 52febe0f3..031e74836 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
@@ -2,7 +2,7 @@ title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: experimental
description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
-references:
+references:
- https://twitter.com/Sam0x90/status/1552011547974696960
- https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
author: '@sam0x90'
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
index c4ec55e2e..31e1c934c 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
@@ -1,13 +1,15 @@
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
-description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
status: experimental
-author: Florian Roth
+description: |
+ Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
+ This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
references:
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
- https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
- https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
+author: Florian Roth
date: 2022/02/11
logsource:
product: windows
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
index c03a1d896..1ca1d28d2 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
+++ b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
@@ -1,11 +1,14 @@
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
-description: Detects programs on a Windows system that should not write an archive to disk
status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write an archive to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
date: 2022/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218
logsource:
product: windows
category: file_event
@@ -47,6 +50,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
index fb41d165a..34152ab99 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
@@ -1,11 +1,14 @@
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
-description: Detects programs on a Windows system that should not write executables to disk
status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
date: 2022/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218
logsource:
product: windows
category: file_event
@@ -45,6 +48,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
index 297ecd472..61ec04aa2 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
+++ b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
@@ -1,11 +1,14 @@
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
-description: Detects programs on a Windows system that should not write scripts to disk
status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
date: 2022/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218
logsource:
product: windows
category: file_event
@@ -47,6 +50,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
index f1c62f982..7184c6c4d 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
@@ -3,15 +3,15 @@ id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsoletes
-description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
status: experimental
-author: Florian Roth
+description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
references:
- https://www.google.com/search?q=procdump+lsass
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
+author: Florian Roth
date: 2021/11/15
modified: 2022/06/27
tags:
diff --git a/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml b/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml
index b36022f26..acd3f9236 100755
--- a/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml
@@ -18,10 +18,10 @@ detection:
TargetFilename|contains: 'lsass'
TargetFilename|endswith: 'dmp'
condition: selection
+fields:
+ - ComputerName
+ - TargetFilename
falsepositives:
- Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
- Dumps of another process that contains lsass in its process name (substring)
level: high
-fields:
- - ComputerName
- - TargetFilename
diff --git a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
index 11694c4d6..e0ead914e 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
@@ -1,10 +1,10 @@
title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
-description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
status: experimental
-author: Florian Roth
+description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
- https://github.com/helpsystems/nanodump
+author: Florian Roth
date: 2022/06/27
tags:
- attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_macro_file.yml b/rules/windows/file/file_event/file_event_win_macro_file.yml
index fc57d6286..9e50c175a 100644
--- a/rules/windows/file/file_event/file_event_win_macro_file.yml
+++ b/rules/windows/file/file_event/file_event_win_macro_file.yml
@@ -2,12 +2,15 @@ title: Dump Office Macro Files from Commandline
id: b1c50487-1967-4315-a026-6491686d860e
status: experimental
description: A office file with macro is created from a commandline or a script
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+author: frack113
date: 2022/01/23
modified: 2022/07/14
+tags:
+ - attack.initial_access
+ - attack.t1566.001
logsource:
category: file_event
product: windows
@@ -34,6 +37,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.initial_access
- - attack.t1566.001
diff --git a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
index 89ae6af09..153e0f4d9 100644
--- a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
@@ -2,23 +2,23 @@ title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: test
description: Detects Octopus Scanner Malware.
-author: NVISO
references:
- - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+ - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+author: NVISO
date: 2020/06/09
modified: 2021/11/27
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith:
- - '\AppData\Local\Microsoft\Cache134.dat'
- - '\AppData\Local\Microsoft\ExplorerSync.db'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.t1195
- - attack.t1195.001
+ - attack.t1195
+ - attack.t1195.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '\AppData\Local\Microsoft\Cache134.dat'
+ - '\AppData\Local\Microsoft\ExplorerSync.db'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml b/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
index 4aadcd2fc..3e5ceac63 100644
--- a/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
@@ -2,9 +2,9 @@ title: Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
status: test
description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz
-author: Florian Roth
references:
- https://cobalt.io/blog/kerberoast-attack-techniques
+author: Florian Roth
date: 2021/11/08
tags:
- attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
index c497d9784..efdabcb90 100644
--- a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
+++ b/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
@@ -2,20 +2,20 @@ title: Mimikatz MemSSP Default Log File Creation
id: 034affe8-6170-11ec-844f-0f78aa0c4d66
status: experimental
description: Detects Mimikatz MemSSP default log file creation
-author: David ANDRE
references:
- - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+ - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+author: David ANDRE
date: 2021/12/20
tags:
- - attack.credential_access
- - attack.t1003
+ - attack.credential_access
+ - attack.t1003
logsource:
product: windows
category: file_event
detection:
- selection:
- TargetFilename|endswith: 'mimilsa.log'
- condition: selection
+ selection:
+ TargetFilename|endswith: 'mimilsa.log'
+ condition: selection
falsepositives:
- - Unlikely
+ - Unlikely
level: critical
diff --git a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file/file_event/file_event_win_msdt_autorun.yml
index 65151c6fb..4d7362e61 100644
--- a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml
+++ b/rules/windows/file/file_event/file_event_win_msdt_autorun.yml
@@ -1,11 +1,11 @@
-title: MSDT.exe Creates Files in Autorun Directory
+title: MSDT.exe Creates Files in Autorun Directory
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: experimental
description: Detects msdt.exe creating files in suspicious directories
-author: Vadim Varganov, Florian Roth
references:
- - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
+ - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
+author: Vadim Varganov, Florian Roth
date: 2022/08/24
tags:
- attack.persistence
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
Image|endswith: '\msdt.exe'
- TargetFilename|contains:
+ TargetFilename|contains:
- '\Start Menu\Programs\Startup\'
- 'C:\Users\Public\'
- 'C:\PerfLogs\'
diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
index 31c25d08c..95757847b 100644
--- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
@@ -2,10 +2,13 @@ title: Creation Suspicious File In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: experimental
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-author: Nasreddine Bencherchali
references:
- Internal Research
+author: Nasreddine Bencherchali
date: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.execution
logsource:
product: windows
category: file_event
@@ -31,6 +34,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
- - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml
index 7caec1c22..6ad24e0ed 100644
--- a/rules/windows/file/file_event/file_event_win_new_src_file.yml
+++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml
@@ -2,30 +2,30 @@ title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: experimental
description: An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver
-author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
references:
- - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+ - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022/04/27
modified: 2022/10/07
tags:
- - attack.t1218.011
- - attack.defense_evasion
+ - attack.t1218.011
+ - attack.defense_evasion
logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
detection:
- selection:
- TargetFilename|endswith: '.scr'
- filter:
- TargetFilename|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\system32\'
- - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\SysWow64\'
- - 'C:\Windows\winsxs\'
- - 'C:\Windows\WinSxS\'
- - 'C:\$WINDOWS.~BT\NewOS\'
- condition: selection and not filter
+ selection:
+ TargetFilename|endswith: '.scr'
+ filter:
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\$WINDOWS.~BT\NewOS\'
+ condition: selection and not filter
falsepositives:
- - The installation of new screen savers.
+ - The installation of new screen savers.
level: medium
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
index d684b222a..65be22fc8 100644
--- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -1,12 +1,14 @@
title: Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
-description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
status: experimental
-author: Nasreddine Bencherchali
+description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
- https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
+author: Nasreddine Bencherchali
date: 2022/06/10
modified: 2022/09/20
+tags:
+ - attack.persistence
logsource:
product: windows
category: file_event
@@ -28,5 +30,3 @@ falsepositives:
- Possible FPs during first installation of Notepad++
- Legitimate use of custom plugins to enhance notepad++ functionality by users
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
index 476846bab..8b70e991a 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
@@ -1,13 +1,13 @@
title: Suspicious NTDS.DIT Creation
id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
-description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
status: experimental
-author: Florian Roth
+description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
+author: Florian Roth
date: 2022/03/11
modified: 2022/07/14
tags:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
index 17b5bff09..8ffac4619 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
@@ -1,12 +1,12 @@
title: Suspicious NTDS Exfil Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
-description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
status: experimental
-author: Florian Roth
+description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
references:
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
- https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
- https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+author: Florian Roth
date: 2022/03/11
tags:
- attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_office_persistence.yml b/rules/windows/file/file_event/file_event_win_office_persistence.yml
index af5c704af..076a0b695 100644
--- a/rules/windows/file/file_event/file_event_win_office_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_office_persistence.yml
@@ -2,30 +2,30 @@ title: Microsoft Office Add-In Loading
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: test
description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
-author: NVISO
references:
- - Internal Research
+ - Internal Research
+author: NVISO
date: 2020/05/11
modified: 2021/11/27
-logsource:
- category: file_event
- product: windows
-detection:
- selection_wlldropped:
- TargetFilename|contains: '\Microsoft\Word\Startup\'
- TargetFilename|endswith: '.wll'
- selection_xlldropped:
- TargetFilename|contains: '\Microsoft\Excel\Startup\'
- TargetFilename|endswith: '.xll'
- selection_generic:
- TargetFilename|contains: '\Microsoft\Addins\'
- TargetFilename|endswith:
- - '.xlam'
- - '.xla'
- condition: 1 of selection*
-falsepositives:
- - Legitimate add-ins
-level: high
tags:
- - attack.persistence
- - attack.t1137.006
+ - attack.persistence
+ - attack.t1137.006
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_wlldropped:
+ TargetFilename|contains: '\Microsoft\Word\Startup\'
+ TargetFilename|endswith: '.wll'
+ selection_xlldropped:
+ TargetFilename|contains: '\Microsoft\Excel\Startup\'
+ TargetFilename|endswith: '.xll'
+ selection_generic:
+ TargetFilename|contains: '\Microsoft\Addins\'
+ TargetFilename|endswith:
+ - '.xlam'
+ - '.xla'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate add-ins
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml b/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
index 380a47f1d..1e571fc62 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
@@ -1,7 +1,10 @@
title: Outlook C2 Macro Creation
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
status: test
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+description: |
+ Detects the creation of a macro file for Outlook.
+ Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
+ Particularly interesting if both events Registry & File Creation happens at the same time.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
diff --git a/rules/windows/file/file_event/file_event_win_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
index ba01fea48..022efb165 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
@@ -4,12 +4,12 @@ status: experimental
description: Detects the creation of new Outlook form which can contain malicious code
references:
- https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-tags:
- - attack.persistence
- - attack.t1137.003
author: Tobias Michalski
date: 2021/06/10
modified: 2022/06/16
+tags:
+ - attack.persistence
+ - attack.t1137.003
logsource:
product: windows
category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
old mode 100755
new mode 100644
index d635b22d6..ffa77d8bd
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -2,7 +2,6 @@ title: Malicious PowerShell Commandlet Names
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
status: test
description: Detects the creation of known powershell scripts for exploitation
-author: Markus Neis, Nasreddine Bencherchali
references:
- https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
- https://github.com/PowerShellMafia/PowerSploit
@@ -15,8 +14,12 @@ references:
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
+author: Markus Neis, Nasreddine Bencherchali
date: 2018/04/07
modified: 2022/10/25
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
category: file_event
product: windows
@@ -214,6 +217,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index 621b861c0..90fa23699 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -1,16 +1,20 @@
title: PowerShell Writing Startup Shortcuts
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
status: experimental
+description: |
+ Attempts to detect PowerShell writing startup shortcuts.
+ This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+ Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+ In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+author: Christopher Peacock '@securepeacock', SCYTHE
+date: 2021/10/24
+modified: 2022/08/10
tags:
- attack.persistence
- attack.t1547.001
-date: 2021/10/24
-modified: 2022/08/10
-author: Christopher Peacock '@securepeacock', SCYTHE
logsource:
product: windows
category: file_event
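Review bot: The moved `author` line is a plain scalar with embedded single quotes, `author: Christopher Peacock '@securepeacock', SCYTHE`, so the quote characters become part of the parsed value; the sibling rule file_event_win_new_src_file.yml quotes the whole scalar instead (`author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'`). Either match that form, `author: 'Christopher Peacock @securepeacock, SCYTHE'`, or wrap the entire value in double quotes if the inner quotes are intended, so the two rules parse consistently. The rule's logsource and detection continue outside the hunk.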
diff --git a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
index 3e8ca7f58..5670924b8 100755
--- a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
@@ -2,24 +2,24 @@ title: QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
-author: Florian Roth
references:
- - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+author: Florian Roth
date: 2018/02/10
modified: 2021/11/27
-logsource:
- category: file_event
- product: windows
-detection:
- selection:
- # Sysmon: File Creation (ID 11)
- TargetFilename|contains|all:
- - '\AppData\Local\Temp\SAM-'
- - '.dmp'
- condition: selection
-falsepositives:
- - Unknown
-level: critical
tags:
- - attack.credential_access
- - attack.t1003.002
+ - attack.credential_access
+ - attack.t1003.002
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ # Sysmon: File Creation (ID 11)
+ TargetFilename|contains|all:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
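Review bot: The file keeps mode 100755 (`index 3e8ca7f58..5670924b8 100755`) while the same commit drops the executable bit on file_event_win_powershell_exploit_scripts.yml (`old mode 100755` / `new mode 100644`); a rule file is data, not a script, and should be normalised to 100644 as well. file_event_win_susp_adsi_cache_usage.yml and file_event_win_susp_desktop_ini.yml are left in the same 100755 state by this diff. The hunk body itself is only a key reorder and re-indent.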
diff --git a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
index 6674129da..3850c9dca 100644
--- a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
@@ -2,24 +2,24 @@ title: RedMimicry Winnti Playbook Dropped File
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
-author: Alexander Rausch
references:
- - https://redmimicry.com
+ - https://redmimicry.com
+author: Alexander Rausch
date: 2020/06/24
modified: 2021/11/27
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains:
- - gthread-3.6.dll
- - sigcmm-2.4.dll
- - \Windows\Temp\tmp.bat
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1027
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - gthread-3.6.dll
+ - sigcmm-2.4.dll
+ - \Windows\Temp\tmp.bat
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index 32302222c..109779a3b 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -1,14 +1,14 @@
title: SAM Dump File Creation
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
-description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
status: experimental
-author: Florian Roth
+description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
- https://github.com/search?q=CVE-2021-36934
- https://github.com/cube0x0/CVE-2021-36934
- https://www.google.com/search?q=%22reg.exe+save%22+sam
- https://github.com/HuskyHacks/ShadowSteal
- https://github.com/FireFart/hivenightmare
+author: Florian Roth
date: 2022/02/11
tags:
- attack.credential_access
@@ -18,7 +18,7 @@ logsource:
category: file_event
detection:
selection:
- - TargetFilename|endswith:
+ - TargetFilename|endswith:
- '\Temp\sam'
- '\sam.sav'
- '\Intel\sam'
diff --git a/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml b/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml
index 574f5a596..459a7c16c 100644
--- a/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml
@@ -2,13 +2,16 @@ title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: experimental
description: |
- An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
- These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022/02/13
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
category: file_event
product: windows
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Legitimate use
level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml b/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
index d8d5d9a7a..22446ba9c 100644
--- a/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
+++ b/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
@@ -1,16 +1,16 @@
title: Created Files by Office Applications
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+status: experimental
description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
+date: 2021/08/23
+modified: 2022/07/11
tags:
- attack.t1204.002
- attack.execution
-status: experimental
-date: 2021/08/23
-modified: 2022/07/11
logsource:
product: windows
category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
index 79868daed..e303701db 100644
--- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
@@ -2,12 +2,15 @@ title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/12
- https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/10/07
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
product: windows
category: file_event
@@ -21,6 +24,3 @@ detection:
falsepositives:
- An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
index b7afdc19b..0ae200cbc 100755
--- a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
@@ -2,13 +2,16 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
-author: xknow @xknow_infosec, Tim Shelton
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
+author: xknow @xknow_infosec, Tim Shelton
date: 2019/03/24
modified: 2022/08/24
+tags:
+ - attack.t1001.003
+ - attack.command_and_control
logsource:
product: windows
category: file_event
@@ -39,6 +42,3 @@ detection:
falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: high
-tags:
- - attack.t1001.003
- - attack.command_and_control
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index 1eaa671db..4cd414b40 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -2,10 +2,13 @@ title: Suspicious Creation with Colorcpl
id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
status: experimental
description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-author: frack113
references:
- https://twitter.com/eral4m/status/1480468728324231172?s=20
+author: frack113
date: 2022/01/21
+tags:
+ - attack.defense_evasion
+ - attack.t1564
logsource:
product: windows
category: file_event
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1564
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
index fb0b8c602..997f25fbc 100644
--- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
@@ -1,13 +1,17 @@
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
+status: experimental
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
-status: experimental
-level: medium
date: 2022/04/28
modified: 2022/06/02
+tags:
+ - attack.t1055
+ - attack.t1218
+ - attack.execution
+ - attack.defense_evasion
logsource:
product: windows
category: file_event
@@ -21,8 +25,4 @@ detection:
condition: selection_mobsync and filter_created_file
falsepositives:
- Unknown
-tags:
- - attack.t1055
- - attack.t1218
- - attack.execution
- - attack.defense_evasion
+level: medium
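Review bot: The condition `condition: selection_mobsync and filter_created_file` joins a `filter_`-prefixed selection with `and` rather than `and not`; elsewhere in this diff the `filter` prefix marks an exclusion (`condition: selection and not filter` in file_event_win_new_src_file.yml), so either the intent is inverted or the selection is misnamed. The definition of `filter_created_file` lies outside the hunk, so this may be a naming issue only; if it is a positive match, renaming it to `selection_created_file` makes the condition read correctly, and if it is an exclusion the condition should be `selection_mobsync and not filter_created_file`. The move of `tags` and `level` itself looks fine.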
diff --git a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
index 8d383edf9..9c33fe014 100644
--- a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
@@ -6,6 +6,9 @@ references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022/04/28
+tags:
+ - attack.t1036.005
+ - attack.defense_evasion
logsource:
product: windows
category: file_event
@@ -18,7 +21,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-tags:
- - attack.t1036.005
- - attack.defense_evasion
level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
index 1914ec979..25189fd01 100755
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
@@ -2,11 +2,14 @@ title: Suspicious desktop.ini Action
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020/03/19
modified: 2022/10/07
+tags:
+ - attack.persistence
+ - attack.t1547.009
logsource:
product: windows
category: file_event
@@ -28,6 +31,3 @@ falsepositives:
- Operations performed through Windows SCCM or equivalent
- Read only access list authority
level: medium
-tags:
- - attack.persistence
- - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
index ad488b343..231684d35 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
@@ -2,10 +2,13 @@ title: Suspicious Creation TXT File in User Desktop
id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
status: experimental
description: Ransomware create txt file in the user Desktop
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
+author: frack113
date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1486
logsource:
product: windows
category: file_event
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.impact
- - attack.t1486
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
index 1e378a7f1..0c61bb03d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
@@ -2,33 +2,33 @@ title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
-author: Florian Roth
references:
- - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- - https://twitter.com/SBousseaden/status/1278977301745741825
+ - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+ - https://twitter.com/SBousseaden/status/1278977301745741825
+author: Florian Roth
date: 2020/07/03
modified: 2022/06/02
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- Image|endswith: '\svchost.exe'
- TargetFilename|contains: '\Personalization\LockScreenImage\'
- filter1:
- TargetFilename|contains: 'C:\Windows\'
- filter2:
- TargetFilename|contains:
- - '.jpg'
- - '.jpeg'
- - '.png'
- condition: selection and not filter1 and not filter2
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
tags:
- - attack.defense_evasion
- - attack.t1105
+ - attack.defense_evasion
+ - attack.t1105
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\svchost.exe'
+ TargetFilename|contains: '\Personalization\LockScreenImage\'
+ filter1:
+ TargetFilename|contains: 'C:\Windows\'
+ filter2:
+ TargetFilename|contains:
+ - '.jpg'
+ - '.jpeg'
+ - '.png'
+ condition: selection and not filter1 and not filter2
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
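Review bot: `filter2` uses `TargetFilename|contains:` for `.jpg`/`.jpeg`/`.png`, so it matches those strings anywhere in the path rather than as the file's actual extension, which is looser than the "suspicious extension" wording in the description. Changing the modifier to `TargetFilename|endswith:` with the same three values pins the exclusion to the real extension without widening the rule. The selection and `filter1` lines are only re-indented by this commit and read as intended.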
diff --git a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
index da940be20..14e7663b2 100644
--- a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
@@ -2,19 +2,19 @@ title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: experimental
description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
-author: frack113
references:
- - https://threadreaderapp.com/thread/1533879688141086720.html
+ - https://threadreaderapp.com/thread/1533879688141086720.html
+author: frack113
date: 2022/06/08
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith: '.diagcab'
- condition: selection
-falsepositives:
- - Legitimate microsoft diagcab
-level: medium
tags:
- - attack.resource_development
+ - attack.resource_development
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.diagcab'
+ condition: selection
+falsepositives:
+ - Legitimate microsoft diagcab
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index b94f6c3a4..9fe5b68f7 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -5,15 +5,18 @@ related:
type: derived
status: experimental
description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
-author: Nasreddine Bencherchali, frack113
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
+author: Nasreddine Bencherchali, frack113
date: 2022/06/19
modified: 2022/07/28
+tags:
+ - attack.defense_evasion
+ - attack.t1036.007
logsource:
category: file_event
product: windows
@@ -36,7 +39,7 @@ detection:
selection_exe:
TargetFilename|endswith:
- '.zip.exe'
- - '.rar.exe'
+ - '.rar.exe'
filter:
TargetFilename|contains:
- '\AppData\Roaming\Microsoft\Office\Recent\'
@@ -45,7 +48,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
- - attack.t1036.007
-
diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
index 821c7ef0d..1889fa5a8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
@@ -2,50 +2,50 @@ title: Creation of an Executable by an Executable
id: 297afac9-5d02-4138-8c58-b977bac60556
status: experimental
description: Detects the creation of an executable by another executable
-author: frack113
references:
- - Malware Sandbox
+ - Malware Sandbox
+author: frack113
date: 2022/03/09
modified: 2022/07/27
+tags:
+ - attack.resource_development
+ - attack.t1587.001
logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
detection:
- selection:
- Image|endswith: '.exe'
- TargetFilename|endswith: '.exe'
- filter_whitelist:
- Image:
- - 'C:\Windows\System32\msiexec.exe'
- - 'C:\Windows\system32\cleanmgr.exe'
- - 'C:\Windows\explorer.exe'
- - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
- - 'C:\WINDOWS\system32\Dism.exe'
- - 'C:\Windows\System32\wuauclt.exe'
- filter_update:
- Image: 'C:\WINDOWS\system32\svchost.exe'
- TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
+ selection:
+ Image|endswith: '.exe'
+ TargetFilename|endswith: '.exe'
+ filter_whitelist:
+ Image:
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\system32\cleanmgr.exe'
+ - 'C:\Windows\explorer.exe'
+ - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
+ - 'C:\WINDOWS\system32\Dism.exe'
+ - 'C:\Windows\System32\wuauclt.exe'
+ filter_update:
+ Image: 'C:\WINDOWS\system32\svchost.exe'
+ TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
# Security_UserID: S-1-5-18
- filter_tiworker:
- Image|startswith: 'C:\Windows\WinSxS\'
- Image|endswith: '\TiWorker.exe'
- filter_programfiles:
- - Image|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - TargetFilename|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- filter_defender:
- Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
- filter_windows_apps:
- TargetFilename|contains: '\Microsoft\WindowsApps\'
- condition: selection and not 1 of filter_*
+ filter_tiworker:
+ Image|startswith: 'C:\Windows\WinSxS\'
+ Image|endswith: '\TiWorker.exe'
+ filter_programfiles:
+ - Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - TargetFilename|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ filter_defender:
+ Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
+ filter_windows_apps:
+ TargetFilename|contains: '\Microsoft\WindowsApps\'
+ condition: selection and not 1 of filter_*
falsepositives:
- - Software installers
- - Update utilities
+ - Software installers
+ - Update utilities
#Please contribute to FP to go up the level
level: low
-tags:
- - attack.resource_development
- - attack.t1587.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
index 82ed285c9..644d6dba8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
Image|endswith: '\MSExchangeMailboxReplication.exe'
- TargetFilename|endswith:
+ TargetFilename|endswith:
- '.aspx'
- '.asp'
condition: selection
diff --git a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
index 3444fe185..b4b85c849 100644
--- a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
@@ -2,30 +2,30 @@ title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: experimental
description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-author: frack113
references:
- - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+ - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
+ - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+author: frack113
date: 2022/09/05
-logsource:
- product: windows
- category: file_event
-detection:
- selection_double:
- TargetFilename|endswith:
- - '.bat.exe'
- - '.sys.exe'
- selection_folder:
- TargetFilename:
- - 'C:\$Recycle.Bin.exe'
- - 'C:\Documents and Settings.exe'
- - 'C:\MSOCache.exe'
- - 'C:\Recovery.exe'
- - 'C:\PerfLogs.exe'
- condition: 1 of selection_*
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1564
+ - attack.defense_evasion
+ - attack.t1564
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_double:
+ TargetFilename|endswith:
+ - '.bat.exe'
+ - '.sys.exe'
+ selection_folder:
+ TargetFilename:
+ - 'C:\$Recycle.Bin.exe'
+ - 'C:\Documents and Settings.exe'
+ - 'C:\MSOCache.exe'
+ - 'C:\Recovery.exe'
+ - 'C:\PerfLogs.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
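Review bot: `selection_folder` enumerates five fixed root-level names, but the first reference is, from its title, about the unquoted-service-path case under `C:\Program Files`, which this list does not cover. If that is the intended scope, add `- 'C:\Program.exe'` to the `TargetFilename:` list so the rule matches the path the reference describes; otherwise the description's "filenames that exploit unquoted service paths" overstates the coverage. This hunk only re-indents and reorders keys, so the gap predates the commit.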
diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
index d5060e84e..de8768f42 100644
--- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
@@ -1,28 +1,27 @@
-title: Suspicious Get-Variable.exe Creation
+title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: experimental
description: |
- Get-Variable is a valid PowerShell cmdlet
- WindowsApps is by default in the path where PowerShell is executed.
- So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-author: frack113
+ Get-Variable is a valid PowerShell cmdlet
+ WindowsApps is by default in the path where PowerShell is executed.
+ So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
- - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- - https://www.joesandbox.com/analysis/465533/0/html
+ - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+ - https://www.joesandbox.com/analysis/465533/0/html
+author: frack113
date: 2022/04/23
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1546
- - attack.defense_evasion
- - attack.t1027
-
+ - attack.persistence
+ - attack.t1546
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
index 925d1dbbd..e403199e5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
@@ -2,26 +2,26 @@ title: Suspicious PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- - https://github.com/OTRF/detection-hackathon-apt29/issues/14
- - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/14
+ - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/07/07
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith: '.pfx'
- filter:
- TargetFilename|contains|all:
- - '\Templates\Windows\Windows_TemporaryKey.pfx'
- - '\CMake\'
- condition: selection and not 1 of filter*
-falsepositives:
- - System administrators managing certififcates.
-level: medium
tags:
- - attack.credential_access
- - attack.t1552.004
+ - attack.credential_access
+ - attack.t1552.004
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.pfx'
+ filter:
+ TargetFilename|contains|all:
+ - '\Templates\Windows\Windows_TemporaryKey.pfx'
+ - '\CMake\'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - System administrators managing certififcates.
+level: medium
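Review bot: The re-indented `falsepositives` entry carries a typo, `certififcates`; since the whole line is rewritten in this hunk it is the natural place to fix it: ` - System administrators managing certificates.`. The `condition: selection and not 1 of filter*` form with a single `filter` selection is fine and leaves room for more `filter*` entries.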
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index 737db2024..2a904a121 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -2,12 +2,16 @@ title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-author: HieuTT35, Nasreddine Bencherchali
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://persistence-info.github.io/Data/powershellprofile.html
+author: HieuTT35, Nasreddine Bencherchali
date: 2019/10/24
modified: 2022/08/24
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.013
logsource:
product: windows
category: file_event
@@ -23,7 +27,3 @@ detection:
falsepositives:
- System administrator create Powershell profile manually
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1546.013
diff --git a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
index d32dd30da..3839b9148 100755
--- a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -1,29 +1,31 @@
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
-description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
+description: |
+ Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+ This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
- - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+ - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2021/11/27
-logsource:
- product: windows
- category: file_event
-detection:
- selection_1:
- TargetFilename|contains: '\AppData\Local\Temp\'
- TargetFilename|endswith: 'PROCEXP152.sys'
- selection_2:
- Image|contains:
- - '\procexp64.exe'
- - '\procexp.exe'
- - '\procmon64.exe'
- - '\procmon.exe'
- condition: selection_1 and not selection_2
-falsepositives:
- - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
-level: medium
tags:
- - attack.t1562.001
- - attack.defense_evasion
+ - attack.t1562.001
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_1:
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: 'PROCEXP152.sys'
+ selection_2:
+ Image|contains:
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ condition: selection_1 and not selection_2
+falsepositives:
+ - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+level: medium
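Review bot: `description: |` keeps the trailing newline of the block scalar, which most sibling rules in this commit avoid by using a plain scalar; `description: |-` gives the same two-line text without the trailing `\n`. The rewritten `falsepositives` line also carries a typo, `legimate`, which should read ` - Other legitimate tools using this driver and filename (like Sysinternals). ...` with the rest of the sentence unchanged.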
diff --git a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
index bea1f1e60..5426d6bc5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
@@ -2,10 +2,12 @@ title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: experimental
description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
-author: Nasreddine Bencherchali
references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
+author: Nasreddine Bencherchali
date: 2022/07/28
+tags:
+ - attack.defense_evasion
logsource:
product: windows
category: file_event
@@ -20,5 +22,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 78280468e..4e7346ec3 100644
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -1,14 +1,14 @@
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
-description: Detects when a file with a suspicious extension is created in the startup folder
status: experimental
-author: Nasreddine Bencherchali
+description: Detects when a file with a suspicious extension is created in the startup folder
references:
- https://github.com/last-byte/PersistenceSniper
+author: Nasreddine Bencherchali
+date: 2022/08/10
tags:
- attack.persistence
- attack.t1547.001
-date: 2022/08/10
logsource:
product: windows
category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index fd68a54eb..08b533453 100644
--- a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -2,9 +2,9 @@ title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: experimental
description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-author: Florian Roth
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
+author: Florian Roth
date: 2021/12/07
modified: 2022/08/13
logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
index c2cee9c49..cf1572edd 100644
--- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
@@ -10,14 +10,14 @@ modified: 2022/01/12
tags:
- attack.persistence
- attack.execution
- - attack.t1053
+ - attack.t1053
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\System32\Tasks'
- Image|contains:
+ Image|contains:
- '\AppData\'
- 'C:\PerfLogs'
- '\Windows\System32\config\systemprofile'
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index f85738a13..9821a9b7d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -5,10 +5,14 @@ related:
type: similar
status: experimental
description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-author: Nasreddine Bencherchali
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
+author: Nasreddine Bencherchali
date: 2022/08/24
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.013
logsource:
product: windows
category: file_event
@@ -19,7 +23,3 @@ detection:
falsepositives:
- Legitimate use of the profile by developers or administrators
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1546.013
diff --git a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml b/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
index 996f384f5..67cafa273 100644
--- a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
@@ -2,30 +2,30 @@ title: Creation In User Word Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: experimental
description: Detects the creation of an file in user Word Startup
-author: frack113
references:
- - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+ - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+author: frack113
date: 2022/06/05
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
- filter_ext:
- TargetFilename|endswith:
- - '.docx' # Word document
- - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- - '.dotx' # Word template
- - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- - '.docb' # Word binary document introduced in Microsoft Office 2007
- - '.pdf' # PDF documents
- - '.wll' # Word add-in
- - '.wwl' # Word add-in
- condition: selection and not filter_ext
-falsepositives:
- - Addition of legitimate plugins
-level: medium
tags:
- - attack.resource_development
- - attack.t1587.001
+ - attack.resource_development
+ - attack.t1587.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
+ filter_ext:
+ TargetFilename|endswith:
+ - '.docx' # Word document
+ - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
+ - '.dotx' # Word template
+ - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
+ - '.docb' # Word binary document introduced in Microsoft Office 2007
+ - '.pdf' # PDF documents
+ - '.wll' # Word add-in
+ - '.wwl' # Word add-in
+ condition: selection and not filter_ext
+falsepositives:
+ - Addition of legitimate plugins
+level: medium
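Review bot: The description (`Detects the creation of an file in user Word Startup`, an unchanged line in this hunk) does not say that `filter_ext` deliberately excludes the document, template and add-in extensions Word itself loads from the STARTUP folder, so a reader could expect the rule to fire on `.dotm`/`.wll` drops when it will not. Suggested wording: `description: Detects the creation of a file with a non-Office extension in the user Word STARTUP folder`, which also fixes the "an file" grammar. The extension filter itself looks intentional and is only re-indented here.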
diff --git a/rules/windows/file/file_event/file_event_win_tool_psexec.yml b/rules/windows/file/file_event/file_event_win_tool_psexec.yml
index 2dc596b5f..10f71ef15 100644
--- a/rules/windows/file/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file/file_event/file_event_win_tool_psexec.yml
@@ -22,9 +22,6 @@ detection:
selection:
TargetFilename|endswith: '\PSEXESVC.exe'
condition: selection
-falsepositives:
- - Unknown
-level: low
fields:
- EventID
- CommandLine
@@ -33,3 +30,6 @@ fields:
- ServiceFileName
- TargetFilename
- PipeName
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
index fe5396e87..27662b783 100755
--- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -5,6 +5,9 @@ description: Detects the usage of tsclient share to place a backdoor on the RDP
author: Samir Bousseaden
date: 2019/02/21
modified: 2021/11/27
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
product: windows
category: file_event
@@ -16,6 +19,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
index 172b6ff44..9919a5fac 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
@@ -1,13 +1,13 @@
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
-description: Detects the pattern of a UAC bypass using Windows Event Viewer
-author: Antonio Cocomazzi (idea), Florian Roth (rule)
-date: 2022/04/27
-modified: 2022/04/27
status: experimental
+description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
- https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
- https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
+author: Antonio Cocomazzi (idea), Florian Roth (rule)
+date: 2022/04/27
+modified: 2022/04/27
tags:
- attack.defense_evasion
- attack.privilege_escalation
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
index 2f255e227..ef4e93f2b 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml
@@ -2,10 +2,15 @@ title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: experimental
description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
-author: Nasreddine Bencherchali
references:
- https://github.com/Wh04m1001/IDiagnosticProfileUAC
+author: Nasreddine Bencherchali
date: 2022/07/03
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
logsource:
product: windows
category: file_event
@@ -18,8 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
diff --git a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
index 5d246108f..04382061c 100755
--- a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
+++ b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml
@@ -2,41 +2,41 @@ title: Windows Webshell Creation
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Possible webshell file creation on a static web site
-author: Beyu Denis, oscd.community, Tim Shelton
references:
- - PT ESC rule and personal experience
+ - PT ESC rule and personal experience
+author: Beyu Denis, oscd.community, Tim Shelton
date: 2019/10/22
modified: 2022/09/18
-logsource:
- product: windows
- category: file_event
-detection:
- selection_wwwroot:
- TargetFilename|contains: '\inetpub\wwwroot\'
- selection_ext1:
- TargetFilename|contains:
- - '.asp'
- - '.ashx'
- - '.ph'
- selection_static:
- TargetFilename|contains:
- - '\www\'
- - '\htdocs\'
- - '\html\'
- selection_ext2:
- TargetFilename|contains: '.ph'
- false_positive1: # false positives when unpacking some executables in $TEMP
- TargetFilename|contains:
- - '\AppData\Local\Temp\'
- - '\Windows\Temp\'
- false_positive_system:
- Image: 'System' # fp : backup/restore from drivers
- false_positive_legitimate:
- TargetFilename|contains: '\xampp'
- condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive*
-falsepositives:
- - Legitimate administrator or developer creating legitimate executable files in a web application folder
-level: high
tags:
- - attack.persistence
- - attack.t1505.003
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_wwwroot:
+ TargetFilename|contains: '\inetpub\wwwroot\'
+ selection_ext1:
+ TargetFilename|contains:
+ - '.asp'
+ - '.ashx'
+ - '.ph'
+ selection_static:
+ TargetFilename|contains:
+ - '\www\'
+ - '\htdocs\'
+ - '\html\'
+ selection_ext2:
+ TargetFilename|contains: '.ph'
+ false_positive1: # false positives when unpacking some executables in $TEMP
+ TargetFilename|contains:
+ - '\AppData\Local\Temp\'
+ - '\Windows\Temp\'
+ false_positive_system:
+ Image: 'System' # fp : backup/restore from drivers
+ false_positive_legitimate:
+ TargetFilename|contains: '\xampp'
+ condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive*
+falsepositives:
+ - Legitimate administrator or developer creating legitimate executable files in a web application folder
+level: high
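Review bot: The exclusion selections are named `false_positive1`, `false_positive_system` and `false_positive_legitimate`, while the other file_event rules touched in this commit use the `filter_` prefix (`filter_whitelist`, `filter_ext`, `filter_programfiles`); renaming them to `filter_temp`, `filter_system` and `filter_xampp` with `condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of filter_*` keeps the convention consistent across the rule set. Separately, `TargetFilename|contains: '.ph'` in `selection_ext1` and `selection_ext2` is a substring match, so presumably any filename containing `.ph` (not only PHP variants) is selected; if that is wider than intended, listing the concrete extensions would tighten it.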
diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
index a089cd21e..7bc9aae54 100644
--- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
+++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml
@@ -2,28 +2,28 @@ title: Creation of an WerFault.exe in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: experimental
description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking
-author: frack113
references:
- - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
+ - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
+author: frack113
date: 2022/05/09
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith:
- - '\WerFault.exe'
- - '\wer.dll'
- filter_whitelist:
- TargetFilename|contains:
- - '\System32\'
- - '\SysWOW64\'
- - '\WinSxS\'
- condition: selection and not filter_whitelist
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.t1574.001
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '\WerFault.exe'
+ - '\wer.dll'
+ filter_whitelist:
+ TargetFilename|contains:
+ - '\System32\'
+ - '\SysWOW64\'
+ - '\WinSxS\'
+ condition: selection and not filter_whitelist
+falsepositives:
+ - Unknown
+level: high
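Review bot: The description carried onto the new side of this hunk still reads `Detects WerFault copoed to a suspicious folder`; the commit reorders the keys but keeps the typo, so the line should become `description: Detects WerFault copied to a suspicious folder, which could be a sign of WerFault DLL hijacking`. Separately, `filter_whitelist` uses `TargetFilename|contains` with `\System32\`, `\SysWOW64\` and `\WinSxS\`, which excludes every path that merely contains one of those substrings rather than only the Windows system directories. Anchoring the exclusion, e.g. `TargetFilename|contains: ':\Windows\System32\'` (and the two siblings), keeps the filter to the intended locations without depending on the drive letter.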
diff --git a/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml
index b28196367..3f2a81958 100644
--- a/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml
@@ -1,10 +1,10 @@
title: WScript or CScript Dropper
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
-status: experimental
-description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
-related:
+related:
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
+status: experimental
+description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
references:
- WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
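Review bot: The `references` entry in this hunk, `- WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)`, is a rule name rather than a source document, and the same relationship is already expressed by the `related` block the commit moves directly above it. It looks redundant; if the repository expects `references` to hold external material, the entry could be dropped or replaced by the reference the original rule cites.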
@@ -18,10 +18,10 @@ detection:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
- TargetFilename|startswith:
+ TargetFilename|startswith:
- 'C:\Users\'
- 'C:\ProgramData'
- TargetFilename|endswith:
+ TargetFilename|endswith:
- '.jse'
- '.vbe'
- '.js'
diff --git a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
index 4cf12df6c..314b3d8bb 100644
--- a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
+++ b/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml
@@ -1,13 +1,16 @@
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
status: experimental
+description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth, Sittikorn S
date: 2021/09/10
modified: 2022/06/17
+tags:
+ - attack.resource_development
+ - attack.t1587
logsource:
product: windows
category: file_event
@@ -31,6 +34,3 @@ fields:
falsepositives:
- Unknown
level: high
-tags:
- - attack.resource_development
- - attack.t1587
diff --git a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
index 4265bccba..a3bc9e875 100755
--- a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
+++ b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml
@@ -2,21 +2,21 @@ title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: test
description: Detects file writes of WMI script event consumer
-author: Thomas Patzke
references:
- - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+ - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
date: 2018/03/07
modified: 2021/11/27
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
- condition: selection
-falsepositives:
- - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
-level: high
tags:
- - attack.t1546.003
- - attack.persistence
+ - attack.t1546.003
+ - attack.persistence
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
+ condition: selection
+falsepositives:
+ - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
+level: high
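Review bot: `Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'` on the new side is an exact full-path match, so a Windows installation on another drive letter or in a differently named system directory never triggers the rule. Sigma string matching is case-insensitive, so the casing itself is not the problem; an `endswith` modifier, `Image|endswith: '\wbem\scrcons.exe'`, keeps the intent while removing the drive dependency. The commit only reorders the keys, so this is a pre-existing issue carried into the new layout.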
diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
index daa4a4a85..1fdcb431b 100644
--- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
+++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml
@@ -2,10 +2,10 @@ title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: experimental
description: Detects the creation of the default output filename used by the wmicexec tool
-author: Nasreddine Bencherchali
-date: 2022/06/02
references:
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
+author: Nasreddine Bencherchali
+date: 2022/06/02
tags:
- attack.lateral_movement
- attack.t1047
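Review bot: The description in this hunk's context reads `used by the wmicexec tool`, while the title, the file name and the CrowdStrike reference all refer to Impacket's wmiexec, so this looks like a typo rather than a different tool. Suggested line: `description: Detects the creation of the default output filename used by the wmiexec tool`.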
diff --git a/rules/windows/file/file_event/file_event_win_word_template_creation.yml b/rules/windows/file/file_event/file_event_win_word_template_creation.yml
index a94a226da..10fa79b03 100644
--- a/rules/windows/file/file_event/file_event_win_word_template_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_word_template_creation.yml
@@ -2,39 +2,39 @@ title: Office Template Creation
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
status: experimental
description: Detects creation of template files for Microsoft Office from outside Office
+references:
+ - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
author: Max Altgelt
date: 2022/06/02
-references:
- - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
tags:
- - attack.persistence
- - attack.t1137
+ - attack.persistence
+ - attack.t1137
logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
detection:
- selection_word:
- TargetFilename|endswith:
- - .dot
- - .dotm
- - .doc
- - .docm
- - .docx
- - .rtf
- TargetFilename|contains: '\Microsoft\Word\Startup'
- selection_excel:
- TargetFilename|endswith:
- - .xlt
- - .xltm
- - .xls
- - .xlsm
- - .xlsx
- TargetFilename|contains: '\Microsoft\Excel\Startup'
- filter_office:
- Image|endswith:
- - \WINWORD.exe
- - \EXCEL.exe
- condition: 1 of selection* and not filter_office
+ selection_word:
+ TargetFilename|endswith:
+ - .dot
+ - .dotm
+ - .doc
+ - .docm
+ - .docx
+ - .rtf
+ TargetFilename|contains: '\Microsoft\Word\Startup'
+ selection_excel:
+ TargetFilename|endswith:
+ - .xlt
+ - .xltm
+ - .xls
+ - .xlsm
+ - .xlsx
+ TargetFilename|contains: '\Microsoft\Excel\Startup'
+ filter_office:
+ Image|endswith:
+ - \WINWORD.exe
+ - \EXCEL.exe
+ condition: 1 of selection* and not filter_office
falsepositives:
- Loading a user environment from a backup or a domain controller
- Synchronization of templates
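Review bot: The extension and image values in the rebuilt `detection` block (`- .dot`, `- .xlsx`, `- \WINWORD.exe`, …) are plain scalars, while every other rule touched in this diff quotes such values (`'\WerFault.exe'`, `'.jse'`); writing them as `- '.dot'` and `- '\WINWORD.exe'` keeps the files consistent and avoids a future value that starts with a YAML indicator parsing as something other than a string. They parse as strings today, so this is a style point only. Separately, `TargetFilename|contains: '\Microsoft\Excel\Startup'` under `selection_excel` may not match the per-user Excel startup folder, which is usually named `\Microsoft\Excel\XLSTART` — worth confirming against the reference before relying on that branch of the condition.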
diff --git a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
index d8e44ab95..1ae74c2cf 100644
--- a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml
@@ -2,11 +2,11 @@ title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: experimental
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
-author: Nasreddine Bencherchali
-date: 2022/07/18
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
+author: Nasreddine Bencherchali
+date: 2022/07/18
tags:
- attack.persistence
- attack.defense_evasion
diff --git a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
index 70d5d569f..9e1ef1673 100644
--- a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml
@@ -4,11 +4,14 @@ status: experimental
description: |
Aversaries may use to interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
+author: frack113
date: 2022/01/01
modified: 2022/08/13
+tags:
+ - attack.lateral_movement
+ - attack.t1546.002
logsource:
product: windows
category: file_event
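Review bot: The added tag `- attack.t1546.002` does not match the technique this rule documents: the reference on the new side points at the Atomic Red Team test for T1021.002 (SMB/Windows Admin Shares) and the sibling tag is `attack.lateral_movement`, whereas T1546.002 is the Screensaver event-triggered-execution sub-technique. The tag should read `- attack.t1021.002`. The tags were only moved up from the end of the file (the second hunk of this section at lines 3348-3350 removes the old copy), so both hunks carry the same wrong ID. The description in this hunk also has a typo, `Aversaries may use` → `Adversaries may use`.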
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.lateral_movement
- - attack.t1546.002
diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
index f00cc7c3c..3ca0d7b34 100644
--- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
+++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml
@@ -11,7 +11,7 @@ modified: 2022/10/15
logsource:
product: windows
category: file_rename
- definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source
+ definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source
detection:
to_dll:
TargetFilename|endswith: '.dll'
diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
index 1d395bda8..92d986cdd 100644
--- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml
@@ -14,7 +14,7 @@ tags:
logsource:
product: windows
category: file_rename
- definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source
+ definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source
detection:
selection:
OriginalFilename|endswith:
diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
index af9ca8c56..d7c7b4b0c 100644
--- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
@@ -1,19 +1,22 @@
title: Abusing Azure Browser SSO
id: 50f852e6-af22-4c78-9ede-42ef36aa3453
-description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
-author: Den Iuzvyk
+status: test
+description: |
+ Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)
+ wanting to perform SSO authentication in the browser.
+ An attacker can use this to authenticate to Azure AD in a browser as that user.
references:
- https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+author: Den Iuzvyk
date: 2020/07/15
modified: 2022/10/21
-logsource:
- category: image_load
- product: windows
-status: test
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
detection:
selection_dll:
ImageLoaded|endswith: 'MicrosoftAccountTokenProvider.dll'
diff --git a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
index ddd6e5490..457f311b0 100644
--- a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
@@ -1,15 +1,15 @@
title: Alternate PowerShell Hosts
id: fe6e002f-f244-4278-9263-20e4b593827f
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019/09/12
modified: 2022/02/21
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
- attack.t1059.001
-references:
- - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
logsource:
product: windows
category: image_load
@@ -29,4 +29,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml b/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml
index 874355424..ab39de622 100644
--- a/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml
+++ b/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml
@@ -2,11 +2,11 @@ title: Microsoft Defender Loading DLL from Nondefault Path
id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
status: experimental
description: Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL
+references:
+ - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022/08/02
modified: 2022/08/17
-references:
- - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -16,14 +16,14 @@ logsource:
detection:
selection:
Image|endswith:
- - '\MpCmdRun.exe'
- - '\NisSrv.exe'
+ - '\MpCmdRun.exe'
+ - '\NisSrv.exe'
ImageLoaded|endswith: '\mpclient.dll'
filter:
ImageLoaded|startswith:
- - 'C:\Program Files\Windows Defender\'
- - 'C:\Program Files (x86)\Windows Defender\'
- - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ - 'C:\Program Files\Windows Defender\'
+ - 'C:\Program Files (x86)\Windows Defender\'
+ - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
condition: selection and not filter
falsepositives:
- Very unlikely
diff --git a/rules/windows/image_load/image_load_in_memory_powershell.yml b/rules/windows/image_load/image_load_in_memory_powershell.yml
index 2eed58f5a..e6b359d2a 100755
--- a/rules/windows/image_load/image_load_in_memory_powershell.yml
+++ b/rules/windows/image_load/image_load_in_memory_powershell.yml
@@ -5,12 +5,12 @@ related:
type: obsoletes
status: experimental
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
-author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
-date: 2019/11/14
-modified: 2022/10/10
references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
+author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
+date: 2019/11/14
+modified: 2022/10/10
tags:
- attack.t1059.001
- attack.execution
diff --git a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
index 0b70fe7d7..3989ccd8a 100755
--- a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
@@ -2,41 +2,41 @@ title: Mimikatz In-Memory
id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
status: test
description: Detects certain DLL loads when Mimikatz gets executed
-author: sigma
references:
- - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+ - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+author: sigma
date: 2017/03/13
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selector:
- Image: 'C:\Windows\System32\rundll32.exe'
- dllload1:
- ImageLoaded|endswith: '\vaultcli.dll'
- dllload2:
- ImageLoaded|endswith: '\wlanapi.dll'
- exclusion:
- ImageLoaded:
- - 'ntdsapi.dll'
- - 'netapi32.dll'
- - 'imm32.dll'
- - 'samlib.dll'
- - 'combase.dll'
- - 'srvcli.dll'
- - 'shcore.dll'
- - 'ntasn1.dll'
- - 'cryptdll.dll'
- - 'logoncli.dll'
- timeframe: 30s
- condition: selector | near dllload1 and dllload2 and not exclusion
-falsepositives:
- - Unknown
-level: medium
tags:
- - attack.s0002
- - attack.t1003
- - attack.lateral_movement
- - attack.credential_access
- - car.2019-04-004
+ - attack.s0002
+ - attack.t1003
+ - attack.lateral_movement
+ - attack.credential_access
+ - car.2019-04-004
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selector:
+ Image: 'C:\Windows\System32\rundll32.exe'
+ dllload1:
+ ImageLoaded|endswith: '\vaultcli.dll'
+ dllload2:
+ ImageLoaded|endswith: '\wlanapi.dll'
+ exclusion:
+ ImageLoaded:
+ - 'ntdsapi.dll'
+ - 'netapi32.dll'
+ - 'imm32.dll'
+ - 'samlib.dll'
+ - 'combase.dll'
+ - 'srvcli.dll'
+ - 'shcore.dll'
+ - 'ntasn1.dll'
+ - 'cryptdll.dll'
+ - 'logoncli.dll'
+ timeframe: 30s
+ condition: selector | near dllload1 and dllload2 and not exclusion
+falsepositives:
+ - Unknown
+level: medium
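Review bot: The `exclusion` selection on the new side compares `ImageLoaded` exactly against bare file names (`'ntdsapi.dll'`, `'netapi32.dll'`, …), but the field holds a full path — the `dllload1`/`dllload2` selections in this same block use `ImageLoaded|endswith: '\vaultcli.dll'`, and other rules in this diff filter it with `ImageLoaded|startswith: 'C:\Windows\...'` — so the exclusion can never match and is dead. Change it to `ImageLoaded|endswith:` with a leading separator on each entry, e.g. `- '\ntdsapi.dll'`. `Image: 'C:\Windows\System32\rundll32.exe'` in `selector` has the same drive-letter dependency and would be more robust as `Image|endswith: '\rundll32.exe'`. The commit only reorders keys, so both points are pre-existing and carried into the new layout.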
diff --git a/rules/windows/image_load/image_load_msdt_sdiageng.yml b/rules/windows/image_load/image_load_msdt_sdiageng.yml
index dbcb49246..aa861e40a 100644
--- a/rules/windows/image_load/image_load_msdt_sdiageng.yml
+++ b/rules/windows/image_load/image_load_msdt_sdiageng.yml
@@ -1,11 +1,15 @@
title: MSDT.exe Loading Diagnostic Library
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: experimental
-description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
-author: Greg (rule)
+description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
references:
- https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
+author: Greg (rule)
date: 2022/06/17
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+ - cve.2022.30190
logsource:
category: image_load
product: windows
@@ -17,7 +21,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1202
- - cve.2022.30190
diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml
index 75f0206d0..7b8c90b68 100644
--- a/rules/windows/image_load/image_load_pingback_backdoor.yml
+++ b/rules/windows/image_load/image_load_pingback_backdoor.yml
@@ -2,12 +2,12 @@ title: Pingback Backdoor
id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
status: experimental
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-author: Bhabesh Raj
-date: 2021/05/05
-modified: 2022/08/14
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2022/08/14
tags:
- attack.persistence
- attack.t1574.001
@@ -21,4 +21,4 @@ detection:
condition: selection
falsepositives:
- Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
index 8c30f6338..80f0880dd 100644
--- a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
+++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
@@ -2,10 +2,10 @@ title: Rundll32 Loading Renamed Comsvcs DLL
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: experimental
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
-author: Nasreddine Bencherchali
-date: 2022/08/14
references:
- https://twitter.com/sbousseaden/status/1555200155351228419
+author: Nasreddine Bencherchali
+date: 2022/08/14
tags:
- attack.credential_access
- attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml
index c6d8763f3..0449c7eb6 100644
--- a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml
+++ b/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml
@@ -2,13 +2,18 @@ title: WMI Script Host Process Image Loaded
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
status: test
description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://twitter.com/HunterPlaybook/status/1301207718355759107
- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/09/02
modified: 2022/10/11
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
logsource:
category: image_load
product: windows
@@ -25,8 +30,3 @@ falsepositives:
- Legitimate event consumers
- Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
-tags:
- - attack.lateral_movement
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1546.003
diff --git a/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
index 9d3a83290..be10dcbeb 100644
--- a/rules/windows/image_load/image_load_spoolsv_dll_load.yml
+++ b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
@@ -8,6 +8,13 @@ references:
author: FPT.EagleEye, Thomas Patzke (improvements)
date: 2021/06/29
modified: 2022/06/02
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574
+ - cve.2021.1675
+ - cve.2021.34527
logsource:
category: image_load
product: windows
@@ -22,10 +29,3 @@ detection:
falsepositives:
- Loading of legitimate driver
level: informational
-tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1574
- - cve.2021.1675
- - cve.2021.34527
\ No newline at end of file
diff --git a/rules/windows/image_load/image_load_susp_advapi32_dll.yml b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
index 4aafc2f71..861150931 100644
--- a/rules/windows/image_load/image_load_susp_advapi32_dll.yml
+++ b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
@@ -2,33 +2,33 @@ title: Suspicious Load of Advapi31.dll
id: d813d662-785b-42ca-8b4a-f7457d78d5a9
status: experimental
description: Detects the load of advapi31.dll by a process running in an uncommon folder
-author: frack113
references:
- - https://github.com/hlldz/Phant0m
+ - https://github.com/hlldz/Phant0m
+author: frack113
date: 2022/02/03
modified: 2022/02/11
-logsource:
- product: windows
- category: image_load
-detection:
- selection:
- ImageLoaded|endswith: '\advapi32.dll'
- filter_common:
- Image|startswith:
- - 'C:\Windows\'
- - 'C:\Program Files (x86)\'
- - 'C:\Program Files\'
- filter_defender:
- Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'
- Image|endswith: '\MpCmdRun.exe'
- filter_onedrive:
- Image|startswith: 'C:\Users\'
- Image|contains: '\AppData\Local\Microsoft\OneDrive\'
- Image|endswith: 'FileCoAuth.exe'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Unknown
-level: informational
tags:
- - attack.defense_evasion
- - attack.t1070
+ - attack.defense_evasion
+ - attack.t1070
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ ImageLoaded|endswith: '\advapi32.dll'
+ filter_common:
+ Image|startswith:
+ - 'C:\Windows\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\Program Files\'
+ filter_defender:
+ Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'
+ Image|endswith: '\MpCmdRun.exe'
+ filter_onedrive:
+ Image|startswith: 'C:\Users\'
+ Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+ Image|endswith: 'FileCoAuth.exe'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: informational
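Review bot: The title and description on the new side still say `Advapi31.dll` / `advapi31.dll`, while the detection matches `ImageLoaded|endswith: '\advapi32.dll'`; the commit reorders the keys but carries the typo along. They should read `title: Suspicious Load of Advapi32.dll` and `description: Detects the load of advapi32.dll by a process running in an uncommon folder`. In `filter_onedrive`, `Image|endswith: 'FileCoAuth.exe'` lacks the leading backslash that the other `endswith` values in this block use (`'\MpCmdRun.exe'`), so it also matches any image name that merely ends in that string; `'\FileCoAuth.exe'` is the consistent, precise form.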
diff --git a/rules/windows/image_load/image_load_susp_cmstp.yml b/rules/windows/image_load/image_load_susp_cmstp.yml
index 6c5dea61b..b7784af32 100644
--- a/rules/windows/image_load/image_load_susp_cmstp.yml
+++ b/rules/windows/image_load/image_load_susp_cmstp.yml
@@ -2,13 +2,16 @@ title: Cmstp Suspicious DLL Load
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: experimental
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
-author: Nasreddine Bencherchali
references:
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
+author: Nasreddine Bencherchali
date: 2022/08/30
+tags:
+ - attack.defense_evasion
+ - attack.t1218.003
logsource:
- category: image_load
- product: windows
+ category: image_load
+ product: windows
detection:
selection:
ImageLoaded|contains:
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unikely
level: high
-tags:
- - attack.defense_evasion
- - attack.t1218.003
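Review bot: The `falsepositives` entry in this hunk's context reads `- Unikely`; the sibling rules in this diff use `- Unlikely`, so the line should be corrected to `- Unlikely`. The rule's `detection` block starts in the previous hunk of this section and is not visible here.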
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index 2ff0422cc..bc7467c9c 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
@@ -1,14 +1,20 @@
title: Load of dbghelp/dbgcore DLL from Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
status: test
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-author: Perez Diego (@darkquassar), oscd.community, Ecco
+description: |
+ Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
+ Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
+ As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019/10/27
modified: 2022/09/15
+tags:
+ - attack.credential_access
+ - attack.t1003.001
logsource:
category: image_load
product: windows
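Review bot: The new multi-line description has a typo on its second added line, `some attacker tradecract use MiniDumpWriteDump API`; since the commit rewrites these lines into a block scalar anyway, this is the moment to fix it: `Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.`. The framework name `SilentTrynity` on the third line also looks misspelled (the project is usually written SILENTTRINITY) — worth checking against the cited material.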
@@ -66,6 +72,3 @@ fields:
falsepositives:
- Unknown
level: high
-tags:
- - attack.credential_access
- - attack.t1003.001
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index bd92a5672..38f4572c2 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -2,9 +2,9 @@ title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: experimental
description: Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%
-author: Nasreddine Bencherchali
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
+author: Nasreddine Bencherchali
date: 2022/07/17
modified: 2022/10/12
tags:
diff --git a/rules/windows/image_load/image_load_susp_fax_dll.yml b/rules/windows/image_load/image_load_susp_fax_dll.yml
index 02d9c099c..f5055f218 100644
--- a/rules/windows/image_load/image_load_susp_fax_dll.yml
+++ b/rules/windows/image_load/image_load_susp_fax_dll.yml
@@ -2,26 +2,26 @@ title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-author: NVISO
references:
- - https://windows-internals.com/faxing-your-way-to-system/
+ - https://windows-internals.com/faxing-your-way-to-system/
+author: NVISO
date: 2020/05/04
modified: 2022/06/02
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith: '\fxssvc.exe'
- ImageLoaded|endswith: 'ualapi.dll'
- filter:
- ImageLoaded|startswith: 'C:\Windows\WinSxS\'
- condition: selection and not filter
-falsepositives:
- - Unlikely
-level: high
tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.t1574.001
- - attack.t1574.002
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\fxssvc.exe'
+ ImageLoaded|endswith: 'ualapi.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Windows\WinSxS\'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
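Review bot: `ImageLoaded|endswith: 'ualapi.dll'` in the rebuilt `selection` has no leading path separator, unlike `Image|endswith: '\fxssvc.exe'` directly above it, so any module whose name merely ends in that string also matches. Use `ImageLoaded|endswith: '\ualapi.dll'` for a precise file-name match. The commit only reorders the keys, so this is carried over from the previous layout.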
diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml
index 39d6afed7..470a46f9a 100755
--- a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml
@@ -2,26 +2,26 @@ title: dotNET DLL Loaded Via Office Applications
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|startswith: 'C:\Windows\assembly\'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith: 'C:\Windows\assembly\'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
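Review bot: `ImageLoaded|startswith: 'C:\Windows\assembly\'` hard-codes the system drive, so a host installed on any other volume never matches and the rule silently produces nothing there; `ImageLoaded|contains: '\Windows\assembly\'` keeps the intent without that gap (at the cost of also matching a look-alike path under a user profile, which is arguably worth seeing anyway). Separately, falsepositives already concedes that legitimate macro usage fires this, which sits oddly with `level: high`; either lower it to `medium` or say in the description that the rule is meant to be tuned per environment before alerting.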
diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
index 6c721153a..94fae3bad 100755
--- a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
@@ -2,26 +2,26 @@ title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|contains: '\clr.dll'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains: '\clr.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml
index 4fb4fd360..7e12c6c15 100755
--- a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml
@@ -2,26 +2,26 @@ title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
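Review bot: `ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'` both hard-codes the drive letter and covers only the MSIL GAC; the sibling `GAC_32`/`GAC_64` directories under the same parent (present on 64-bit installs, to my knowledge) would not match, so a native-targeted assembly loaded by Office escapes a rule titled "GAC DLL Loaded". `ImageLoaded|contains: '\Microsoft.NET\assembly\GAC_'` covers all three and is drive-independent. As with the sibling Office rules, `level: high` against an admitted macro-usage false positive deserves a word in the description about expected tuning.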
diff --git a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml
index adcd6b0ab..3d5053f90 100755
--- a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml
@@ -2,26 +2,26 @@ title: Active Directory Parsing DLL Loaded Via Office Applications
id: a2a3b925-7bb0-433b-b508-db9003263cc4
status: test
description: Detects DSParse DLL being loaded by an Office Product
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|contains: '\dsparse.dll'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains: '\dsparse.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml
index dd54239f2..96e87f71a 100755
--- a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml
@@ -2,26 +2,26 @@ title: Active Directory Kerberos DLL Loaded Via Office Applications
id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
status: test
description: Detects Kerberos DLL being loaded by an Office Product
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|endswith: '\kerberos.dll'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith: '\kerberos.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 9b071a802..0636f0e5d 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -1,16 +1,16 @@
title: Python Py2Exe Image Load
id: cbb56d62-4060-40f7-9466-d8aaf3123f83
-description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
status: experimental
-date: 2020/05/03
-modified: 2022/09/21
-author: Patrick St. John, OTR (Open Threat Research)
-tags:
- - attack.defense_evasion
- - attack.t1027.002
+description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
references:
- https://www.py2exe.org/
- https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+author: Patrick St. John, OTR (Open Threat Research)
+date: 2020/05/03
+modified: 2022/09/21
+tags:
+ - attack.defense_evasion
+ - attack.t1027.002
logsource:
product: windows
category: image_load
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index fb56bfbfd..1ed3bffe5 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -2,31 +2,31 @@ title: CLR DLL Loaded Via Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects CLR DLL being loaded by an scripting applications
-author: omkar72, oscd.community
references:
- - https://github.com/tyranid/DotNetToJScript
- - https://thewover.github.io/Introducing-Donut/
- - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+ - https://github.com/tyranid/DotNetToJScript
+ - https://thewover.github.io/Introducing-Donut/
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+author: omkar72, oscd.community
date: 2020/10/14
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\wscript.exe'
- - '\cscript.exe'
- - '\mshta.exe'
- ImageLoaded|endswith:
- - '\clr.dll'
- - '\mscoree.dll'
- - '\mscorlib.dll'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.execution
- - attack.privilege_escalation
- - attack.t1055
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ ImageLoaded|endswith:
+ - '\clr.dll'
+ - '\mscoree.dll'
+ - '\mscorlib.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
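Review bot: The `ImageLoaded|endswith` list anchors on `\mscorlib.dll`, which would not match the native-image variant (`mscorlib.ni.dll`) that NGEN'd .NET processes commonly map instead of the IL assembly; if that load is meant to be covered, add `'\mscorlib.ni.dll'` to the list, otherwise the `clr.dll`/`mscoree.dll` entries already carry the detection and the `mscorlib.dll` line is mostly decorative. `falsepositives: Unknown` is thin for a `high` rule on wscript/cscript/mshta; any in-house tooling that hosts managed code from a script host will fire it, and the note should say that tuning is expected.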
diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
index 01d5c3647..9120e4f7a 100644
--- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
@@ -1,16 +1,16 @@
title: Suspicious System.Drawing Load
id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
status: experimental
-date: 2020/05/02
-modified: 2022/08/13
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.collection
- - attack.t1113
+description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2022/08/13
+tags:
+ - attack.collection
+ - attack.t1113
logsource:
product: windows
category: image_load
@@ -36,4 +36,4 @@ detection:
condition: selection and not 1 of filter*
falsepositives:
- Unknown
-level: low # too many false positives
\ No newline at end of file
+level: low
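Review bot: Dropping the `# too many false positives` trailer from the `level: low` line loses the only stated reason the rule is rated that way, so the next maintainer has nothing to tell them the level is deliberate rather than an oversight, while `falsepositives` still reads `Unknown`. Carry the rationale into the structured field the tooling keeps, e.g. replace `- Unknown` with `- Many legitimate .NET applications load System.Drawing.ni.dll; the level is kept low for that reason`. The selection and filters this rule relies on are outside this hunk.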
diff --git a/rules/windows/image_load/image_load_susp_uncommon_image_load.yml b/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
index b2aa2e1e8..488c84bcd 100644
--- a/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
@@ -2,11 +2,14 @@ title: Possible Process Hollowing Image Loading
id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
status: test
description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
-author: Markus Neis
references:
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+author: Markus Neis
date: 2018/01/07
modified: 2021/11/27
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
logsource:
category: image_load
product: windows
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Very likely, needs more tuning
level: high
-tags:
- - attack.defense_evasion
- - attack.t1574.002
diff --git a/rules/windows/image_load/image_load_susp_vss_ps_load.yml b/rules/windows/image_load/image_load_susp_vss_ps_load.yml
index 8642c1ca1..29019948c 100644
--- a/rules/windows/image_load/image_load_susp_vss_ps_load.yml
+++ b/rules/windows/image_load/image_load_susp_vss_ps_load.yml
@@ -2,12 +2,12 @@ title: Image Load of VSS_PS.dll by Uncommon Executable
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
status: experimental
description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
-author: Markus Neis, @markus_neis
-date: 2021/07/07
-modified: 2022/07/27
references:
- 1bd85e1caa1415ebdc8852c91e37bbb7
- https://twitter.com/am0nsec/status/1412232114980982787
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+modified: 2022/07/27
tags:
- attack.defense_evasion
- attack.impact
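Review bot: The first reference, `1bd85e1caa1415ebdc8852c91e37bbb7`, is a bare hash with no context, so a reader cannot tell whether it is a sample MD5, a commit, or a typo, and the `references` field is otherwise a list of URLs. Link it to a page where the sample can be looked up, or move it into the description as `(sample MD5: 1bd85e1caa1415ebdc8852c91e37bbb7)` so its meaning is explicit. This hunk only reorders metadata; the detection block is outside it.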
diff --git a/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml b/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
index 5b31fa62a..7921423c7 100755
--- a/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
@@ -2,29 +2,29 @@ title: VBA DLL Loaded Via Microsoft Word
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects DLL's Loaded Via Word Containing VBA Macros
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|endswith:
- - '\VBE7.DLL'
- - '\VBEUI.DLL'
- - '\VBE7INTL.DLL'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\VBE7.DLL'
+ - '\VBEUI.DLL'
+ - '\VBE7INTL.DLL'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
index 626eb21ae..f20d30c40 100755
--- a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
@@ -1,30 +1,32 @@
title: Svchost DLL Search Order Hijack
id: 602a1f13-c640-4d73-b053-be9a2fa58b77
status: test
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
-author: SBousseaden
+description: |
+ IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
+ An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
references:
- - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: SBousseaden
date: 2019/10/28
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith: '\svchost.exe'
- ImageLoaded|endswith:
- - '\tsmsisrv.dll'
- - '\tsvipsrv.dll'
- - '\wlbsctrl.dll'
- filter:
- ImageLoaded|startswith: 'C:\Windows\WinSxS\'
- condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.t1574.002
- - attack.t1574.001
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.t1574.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\svchost.exe'
+ ImageLoaded|endswith:
+ - '\tsmsisrv.dll'
+ - '\tsvipsrv.dll'
+ - '\wlbsctrl.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Windows\WinSxS\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
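Review bot: The new block-scalar description starts mid-sentence (`IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist…`), so the rule's intent is nowhere stated in full; suggest opening with `Detects DLL search-order hijacking of the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist in C:\Windows\System32\ by default.` before the sentence about PROCESS_ATTACH. Note also that the description's `"svchost.exe -k netsvcs"` restart is not part of the selection, which matches any `svchost.exe` loading the three DLLs; that is fine, but the description should not imply a command-line constraint that the rule does not enforce.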
diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
index e9f0a45d6..86f8dca1f 100644
--- a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
@@ -4,11 +4,11 @@ status: experimental
description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs
references:
- https://github.com/bats3c/EvtMute
-tags:
- - attack.defense_evasion
- - attack.t1562.002
author: Florian Roth
date: 2022/09/07
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
logsource:
category: image_load
product: windows
diff --git a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
index 0a263546e..067d4917e 100644
--- a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
@@ -2,12 +2,16 @@ title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: experimental
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-author: Nasreddine Bencherchali
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
- https://twitter.com/wdormann/status/1547583317410607110
+author: Nasreddine Bencherchali
date: 2022/07/17
modified: 2022/07/25
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
logsource:
product: windows
category: image_load
@@ -23,7 +27,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
index 595d310d5..825906ff5 100644
--- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
@@ -4,15 +4,15 @@ status: experimental
description: Attempts to load dismcore.dll after dropping it
references:
- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+modified: 2021/11/23
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
- attack.t1574.002
-author: oscd.community, Dmitry Uchakin
-date: 2020/10/06
-modified: 2021/11/23
logsource:
category: image_load
product: windows
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
index 35bdbe170..5c636e5d3 100644
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -1,18 +1,18 @@
title: UIPromptForCredentials DLLs
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
-description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
status: experimental
-date: 2020/10/20
-modified: 2022/10/07
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.credential_access
- - attack.collection
- - attack.t1056.002
+description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
references:
- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+modified: 2022/10/24
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
logsource:
category: image_load
product: windows
@@ -50,6 +50,9 @@ detection:
filter_regedit:
# This FP is triggered for example when choosing the "Connect Network Registry" from the menu
Image: 'C:\Windows\regedit.exe'
+ filter_spotify_aurora:
+ Provider_Name: 'Microsoft-Windows-Kernel-Process'
+ CommandLine|contains: 'C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_'
condition: selection and not 1 of filter_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
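Review bot: The new `filter_spotify_aurora` exclusion keys on `CommandLine|contains`, and a command line is chosen by whoever starts the process: any loader run as `evil.exe "C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_"` now silently opts out of this credential-prompt detection. Anchor the exclusion on the image path instead, `Image|startswith: 'C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_'`, which the process cannot pick for itself, keeping the `Provider_Name` constraint if the Image field is only reliable on that provider (the existing `filter_regedit` already filters on `Image`, so the field appears to be available). A one-line comment like the one above `filter_regedit` saying which Spotify behaviour loads these DLLs would also help the next person asked to widen or remove the filter.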
diff --git a/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml
index 831d31022..41e5508b0 100755
--- a/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml
@@ -2,22 +2,22 @@ title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
-author: Teymur Kheirkhabarov, oscd.community
references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith: '\lsass.exe'
- Signed: 'false'
- condition: selection
-falsepositives:
- - Valid user connecting using RDP
-level: medium
tags:
- - attack.credential_access
- - attack.t1003.001
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\lsass.exe'
+ Signed: 'false'
+ condition: selection
+falsepositives:
+ - Valid user connecting using RDP
+level: medium
diff --git a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
index ad050897f..ce9aae974 100644
--- a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
+++ b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
@@ -2,10 +2,10 @@ title: VMware Xfer Loading DLL from Nondefault Path
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: experimental
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
-author: Nasreddine Bencherchali
-date: 2022/08/02
references:
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
+author: Nasreddine Bencherchali
+date: 2022/08/02
tags:
- attack.defense_evasion
- attack.t1574.002
diff --git a/rules/windows/image_load/image_load_wmi_module_load.yml b/rules/windows/image_load/image_load_wmi_module_load.yml
index 971fdb340..c2023cc84 100755
--- a/rules/windows/image_load/image_load_wmi_module_load.yml
+++ b/rules/windows/image_load/image_load_wmi_module_load.yml
@@ -1,12 +1,12 @@
title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
-description: Detects non wmiprvse loading WMI modules
status: experimental
-date: 2019/08/10
-modified: 2022/01/12
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects non wmiprvse loading WMI modules
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+modified: 2022/01/12
tags:
- attack.execution
- attack.t1047
@@ -14,7 +14,7 @@ logsource:
category: image_load
product: windows
detection:
- selection:
+ selection:
ImageLoaded|endswith:
- '\wmiclnt.dll'
- '\WmiApRpl.dll'
@@ -62,5 +62,4 @@ fields:
- ImageLoaded
falsepositives:
- Unknown
-level: informational # too many false positives
-
+level: informational
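Review bot: Removing `# too many false positives` discards the justification for `level: informational`, and `falsepositives` still says `Unknown`, which now contradicts the reason the level was set. Carry the rationale into the structured field: `- Many processes legitimately load WMI client DLLs; the level is kept informational for that reason`. The selection and `fields` list are outside this hunk.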
diff --git a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
index f0a9711a8..112e85ffe 100755
--- a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
@@ -2,22 +2,22 @@ title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
-author: Thomas Patzke
references:
- - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+ - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
date: 2018/03/07
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- ImageLoaded|endswith: '\wbemcons.dll'
- condition: selection
-falsepositives:
- - Unknown (data set is too small; further testing needed)
-level: high
tags:
- - attack.t1546.003
- - attack.persistence
+ - attack.t1546.003
+ - attack.persistence
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
+ ImageLoaded|endswith: '\wbemcons.dll'
+ condition: selection
+falsepositives:
+ - Unknown (data set is too small; further testing needed)
+level: high
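Review bot: `Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'` is an exact match on a hard-coded drive letter, so a host with Windows on another volume, or the 32-bit copy under `SysWOW64\wbem` if present, never matches and this `high`-rated persistence rule silently produces nothing there. `Image|endswith: '\wbem\WmiPrvSE.exe'` keeps the intent without the gap; for a persistence detection a few extra hits are cheaper than a silent miss. Likewise `ImageLoaded|endswith: '\wbemcons.dll'` is fine as written.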
diff --git a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
index fdb4d5c9a..dc780560f 100644
--- a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
+++ b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
@@ -2,13 +2,16 @@ title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
status: test
description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/17
modified: 2022/10/13
+tags:
+ - attack.defense_evasion
+ - attack.t1220
logsource:
category: image_load
product: windows
@@ -24,6 +27,3 @@ falsepositives:
- The command wmic os get locale loads vbscript.dll
- Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1220
diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
index f7401507d..c70918dc6 100644
--- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml
+++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
@@ -1,20 +1,20 @@
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
-description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
status: experimental
-date: 2020/06/24
-modified: 2022/10/07
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.lateral_movement
- - attack.t1021.003
+description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
- https://github.com/bohops/WSMan-WinRM
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+modified: 2022/10/07
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
logsource:
category: image_load
product: windows
@@ -32,23 +32,23 @@ detection:
Image|endswith: '\svchost.exe'
OriginalFileName: 'WsmWmiPl.dll'
filter_general:
- Image|endswith:
+ Image|endswith:
- '\powershell.exe'
- 'C:\Windows\System32\sdiagnhost.exe'
- 'C:\Windows\System32\services.exe'
filter_svchost: # not available in Sysmon data, but Aurora logs
- CommandLine|contains:
+ CommandLine|contains:
- 'svchost.exe -k netsvcs -p -s BITS'
- 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
- 'svchost.exe -k NetworkService -p -s Wecsvc'
- 'svchost.exe -k netsvcs'
filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- Image|startswith:
+ Image|startswith:
- 'C:\Windows\Microsoft.NET\Framework64\v'
- 'C:\Windows\Microsoft.NET\Framework\v'
Image|endswith: '\mscorsvw.exe'
filter_svr_2019:
- Image:
+ Image:
- 'C:\Windows\System32\Configure-SMRemoting.exe'
- 'C:\Windows\System32\ServerManager.exe'
filter_nextron:
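Review bot: In `filter_general`, `Image|endswith: '\powershell.exe'` is a bare-name exclusion sitting next to two full-path ones, so any binary an attacker drops as `powershell.exe` in a writable directory is excluded from this lateral-movement detection; anchor it like its neighbours, e.g. `'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'` plus the SysWOW64 path, or state the accepted bypass in a comment. `filter_svchost` keys solely on `CommandLine|contains`, which the process author controls, so a non-svchost binary can opt out by echoing `svchost.exe -k netsvcs` in its arguments; pair it with `Image|endswith: '\svchost.exe'`. The selection entries and `filter_nextron` contents lie outside this hunk, so I cannot tell whether some other constraint already narrows these.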
diff --git a/rules/windows/network_connection/net_connection_win_binary_github_com.yml b/rules/windows/network_connection/net_connection_win_binary_github_com.yml
index 25cb76e05..4014699fc 100755
--- a/rules/windows/network_connection/net_connection_win_binary_github_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_github_com.yml
@@ -2,30 +2,30 @@ title: Microsoft Binary Github Communication
id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
status: test
description: Detects an executable in the Windows folder accessing github.com
-author: Michael Haag (idea), Florian Roth (rule)
references:
- - https://twitter.com/M_haggis/status/900741347035889665
- - https://twitter.com/M_haggis/status/1032799638213066752
- - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+ - https://twitter.com/M_haggis/status/900741347035889665
+ - https://twitter.com/M_haggis/status/1032799638213066752
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+author: Michael Haag (idea), Florian Roth (rule)
date: 2017/08/24
modified: 2021/11/27
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - '.github.com'
- - '.githubusercontent.com'
- Image|startswith: 'C:\Windows\'
- condition: selection
-falsepositives:
- - Unknown
- - '@subTee in your network'
-level: high
tags:
- - attack.lateral_movement
- - attack.t1105
- - attack.exfiltration
- - attack.t1567.001
+ - attack.lateral_movement
+ - attack.t1105
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - '.github.com'
+ - '.githubusercontent.com'
+ Image|startswith: 'C:\Windows\'
+ condition: selection
+falsepositives:
+ - Unknown
+ - '@subTee in your network'
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
index a2fe99fe6..0a98c4d82 100755
--- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
@@ -2,13 +2,16 @@ title: Microsoft Binary Suspicious Communication Endpoint
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
status: test
description: Detects an executable in the Windows folder accessing suspicious domains
-author: Florian Roth
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
+author: Florian Roth
date: 2018/08/30
modified: 2022/08/09
+tags:
+ - attack.lateral_movement
+ - attack.t1105
logsource:
category: network_connection
product: windows
@@ -37,6 +40,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.lateral_movement
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
index e27328c5d..ac97ef262 100644
--- a/rules/windows/network_connection/net_connection_win_certutil.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil.yml
@@ -2,9 +2,9 @@ title: Certutil Initiated Connection
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: experimental
description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.
-author: frack113, Florian Roth
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+author: frack113, Florian Roth
date: 2022/09/02
modified: 2022/10/04
tags:
diff --git a/rules/windows/network_connection/net_connection_win_crypto_mining.yml b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
index 10fbd6fe1..e45637de6 100644
--- a/rules/windows/network_connection/net_connection_win_crypto_mining.yml
+++ b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
@@ -3,15 +3,18 @@ id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
- - https://www.poolwatch.io/coin/monero
-date: 2021/10/26
+ - https://www.poolwatch.io/coin/monero
author: Florian Roth
+date: 2021/10/26
+tags:
+ - attack.impact
+ - attack.t1496
logsource:
category: network_connection
product: windows
detection:
selection:
- DestinationHostname:
+ DestinationHostname:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
@@ -38,6 +41,3 @@ detection:
falsepositives:
- Legitimate use of crypto miners
level: high
-tags:
- - attack.impact
- - attack.t1496
\ No newline at end of file
diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
index a8e74f319..12e20a6d3 100644
--- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
@@ -2,58 +2,58 @@ title: Dead Drop Resolvers
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
status: test
description: Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
-author: Sorina Ionescu
references:
- - https://content.fireeye.com/apt-41/rpt-apt41
- - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
- - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
+ - https://content.fireeye.com/apt-41/rpt-apt41
+ - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
+ - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
+author: Sorina Ionescu
date: 2022/08/17
modified: 2022/08/29
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - 'cdn.discordapp.com'
- - 'pastebin.com'
- - 'youtube.com'
- - 'technet.microsoft.com'
- - 'facebook.com'
- - '.cloudflare.com'
- - 'docs.google.com'
- - 'steamcommunity.com'
- - 'reddit.com'
- - 'fotolog.com'
- - 'twitter.com'
- - 'imgur.com'
- - 'feeds.rapidfeeds.com'
- - 'livejournal.com'
- - '.githubusercontent.com'
- filter_browsers:
- Image|endswith:
- - '\iexplore.exe'
- - '\msedge.exe'
- - '\edge.exe'
- - '\opera.exe'
- - '\brave.exe'
- - '\vivaldi.exe'
- - '\whale.exe'
- - '\chrome.exe'
- - '\firefox.exe'
- filter_others:
- Image|endswith:
- - '\MsMpEng.exe' #Microsoft Defender executable
- - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable
- - '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
- - '\Engine.exe' #Process from qlik.com app
- - '\msedgewebview2.exe' # related to Edge browser
- condition: selection and not 1 of filter*
-falsepositives:
- - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
-level: high
tags:
- - attack.command_and_control
- - attack.t1102
- - attack.t1102.001
+ - attack.command_and_control
+ - attack.t1102
+ - attack.t1102.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - 'cdn.discordapp.com'
+ - 'pastebin.com'
+ - 'youtube.com'
+ - 'technet.microsoft.com'
+ - 'facebook.com'
+ - '.cloudflare.com'
+ - 'docs.google.com'
+ - 'steamcommunity.com'
+ - 'reddit.com'
+ - 'fotolog.com'
+ - 'twitter.com'
+ - 'imgur.com'
+ - 'feeds.rapidfeeds.com'
+ - 'livejournal.com'
+ - '.githubusercontent.com'
+ filter_browsers:
+ Image|endswith:
+ - '\iexplore.exe'
+ - '\msedge.exe'
+ - '\edge.exe'
+ - '\opera.exe'
+ - '\brave.exe'
+ - '\vivaldi.exe'
+ - '\whale.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ filter_others:
+ Image|endswith:
+ - '\MsMpEng.exe' #Microsoft Defender executable
+ - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable
+ - '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
+ - '\Engine.exe' #Process from qlik.com app
+ - '\msedgewebview2.exe' # related to Edge browser
+ condition: selection and not 1 of filter*
+falsepositives:
+ - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
+level: high
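Review bot: The `DestinationHostname|endswith` list mixes bare suffixes (`'pastebin.com'`, `'youtube.com'`, `'reddit.com'`) with dotted ones (`'.cloudflare.com'`, `'.githubusercontent.com'`), and the two forms behave differently: a bare suffix also matches any unrelated hostname that merely ends in those characters, while a dotted one never matches the apex domain itself. Since the commit rewrites the whole block, it is a good moment to pick one convention per entry and leave a comment such as `# bare suffix: match apex and subdomains; dotted suffix: subdomains only` above the list so tuning is deliberate. The `filter_others` comments also need two spaces before `#` to satisfy yamllint, e.g. `- '\MsMpEng.exe'  # Microsoft Defender executable`. Separately, the added falsepositives line should read `found in its network`.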
diff --git a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
index 87cd877d2..ad26de359 100644
--- a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
@@ -2,12 +2,17 @@ title: Dllhost Internet Connection
id: cfed2f44-16df-4bf3-833a-79405198b277
status: test
description: Detects Dllhost that communicates with public IP addresses
-author: bartblaze
references:
- https://redcanary.com/blog/child-processes/
- https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
+author: bartblaze
date: 2020/07/13
modified: 2022/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+ - attack.t1559.001
logsource:
category: network_connection
product: windows
@@ -48,8 +53,3 @@ detection:
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
- - attack.t1559.001
diff --git a/rules/windows/network_connection/net_connection_win_eqnedt.yml b/rules/windows/network_connection/net_connection_win_eqnedt.yml
index 6d835a98d..12ae5491e 100755
--- a/rules/windows/network_connection/net_connection_win_eqnedt.yml
+++ b/rules/windows/network_connection/net_connection_win_eqnedt.yml
@@ -2,21 +2,21 @@ title: Equation Editor Network Connection
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: experimental
description: Detects network connections from Equation Editor
-author: Max Altgelt
references:
- - https://twitter.com/forensicitguy/status/1513538712986079238
- - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
+ - https://twitter.com/forensicitguy/status/1513538712986079238
+ - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
+author: Max Altgelt
date: 2022/04/14
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Image|endswith: '\eqnedt32.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.execution
- - attack.t1203
+ - attack.execution
+ - attack.t1203
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\eqnedt32.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
index 42e932531..bd9b901e7 100644
--- a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
@@ -1,12 +1,14 @@
title: Excel Network Connections
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: experimental
-description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
+description: |
+ Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.
+ You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
+references:
+ - https://corelight.com/blog/detecting-cve-2021-42292
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton
date: 2021/11/10
modified: 2022/06/27
-references:
- - https://corelight.com/blog/detecting-cve-2021-42292
tags:
- attack.execution
- attack.t1203
diff --git a/rules/windows/network_connection/net_connection_win_hh.yml b/rules/windows/network_connection/net_connection_win_hh.yml
index bde58609e..8c2734bcc 100644
--- a/rules/windows/network_connection/net_connection_win_hh.yml
+++ b/rules/windows/network_connection/net_connection_win_hh.yml
@@ -5,11 +5,11 @@ related:
type: derived
status: experimental
description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files
-author: Nasreddine Bencherchali
-date: 2022/10/05
references:
- https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
- https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
+author: Nasreddine Bencherchali
+date: 2022/10/05
tags:
- attack.defense_evasion
- attack.t1218.001
diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml
index a40c00a16..ebd073af8 100644
--- a/rules/windows/network_connection/net_connection_win_imewdbld.yml
+++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml
@@ -2,11 +2,14 @@ title: Download a File with IMEWDBLD.exe
id: 8d7e392e-9b28-49e1-831d-5949c6281228
status: experimental
description: Use IMEWDBLD.exe (built-in to windows) to download a file
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+author: frack113
date: 2022/01/22
+tags:
+ - attack.command_and_control
+ - attack.t1105
logsource:
category: network_connection
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate script
level: high
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index 5bbb8cd17..b52f0ede2 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -2,11 +2,14 @@ title: Suspicious Typical Malware Back Connect Ports
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
status: test
description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
-author: Florian Roth
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+author: Florian Roth
date: 2017/03/19
modified: 2022/10/05
+tags:
+ - attack.command_and_control
+ - attack.t1571
logsource:
category: network_connection
product: windows
@@ -15,56 +18,56 @@ detection:
selection:
Initiated: 'true'
DestinationPort:
- - 4443
- - 2448
- - 8143
- - 1777
- - 1443
- - 243
- - 65535
- - 13506
- - 3360
- - 200
- - 198
- - 49180
- - 13507
- - 6625
- - 4444
- - 4438
- - 1904
- - 13505
- - 13504
- - 12102
- - 9631
- - 5445
- - 2443
- - 777
- - 13394
- - 13145
- - 12103
- - 5552
- - 3939
- - 3675
- - 666
- - 473
- - 5649
- - 4455
- - 4433
- - 1817
- - 100
- - 65520
- - 1960
- - 1515
- - 743
- - 700
- - 14154
- - 14103
- - 14102
- - 12322
- - 10101
- - 7210
- - 4040
- - 9943
+ - 4443
+ - 2448
+ - 8143
+ - 1777
+ - 1443
+ - 243
+ - 65535
+ - 13506
+ - 3360
+ - 200
+ - 198
+ - 49180
+ - 13507
+ - 6625
+ - 4444
+ - 4438
+ - 1904
+ - 13505
+ - 13504
+ - 12102
+ - 9631
+ - 5445
+ - 2443
+ - 777
+ - 13394
+ - 13145
+ - 12103
+ - 5552
+ - 3939
+ - 3675
+ - 666
+ - 473
+ - 5649
+ - 4455
+ - 4433
+ - 1817
+ - 100
+ - 65520
+ - 1960
+ - 1515
+ - 743
+ - 700
+ - 14154
+ - 14103
+ - 14102
+ - 12322
+ - 10101
+ - 7210
+ - 4040
+ - 9943
filter1:
Image|contains: '\Program Files'
filter2:
@@ -92,6 +95,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.command_and_control
- - attack.t1571
diff --git a/rules/windows/network_connection/net_connection_win_mega_nz.yml b/rules/windows/network_connection/net_connection_win_mega_nz.yml
index 445d7c388..fc85be686 100644
--- a/rules/windows/network_connection/net_connection_win_mega_nz.yml
+++ b/rules/windows/network_connection/net_connection_win_mega_nz.yml
@@ -2,22 +2,22 @@ title: Communication To Mega.nz
id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
status: experimental
description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors
-author: Florian Roth
references:
- - https://megatools.megous.com/
- - https://www.mandiant.com/resources/russian-targeting-gov-business
+ - https://megatools.megous.com/
+ - https://www.mandiant.com/resources/russian-targeting-gov-business
+author: Florian Roth
date: 2021/12/06
tags:
- - attack.exfiltration
- - attack.t1567.001
+ - attack.exfiltration
+ - attack.t1567.001
logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith: 'api.mega.co.nz'
- condition: selection
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: 'api.mega.co.nz'
+ condition: selection
falsepositives:
- - Legitimate use of mega.nz uploaders and tools
+ - Legitimate use of mega.nz uploaders and tools
level: high
diff --git a/rules/windows/network_connection/net_connection_win_msiexec.yml b/rules/windows/network_connection/net_connection_win_msiexec.yml
index c6aaa7279..00bf5ae15 100644
--- a/rules/windows/network_connection/net_connection_win_msiexec.yml
+++ b/rules/windows/network_connection/net_connection_win_msiexec.yml
@@ -2,13 +2,16 @@ title: Msiexec Initiated Connection
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: experimental
description: |
- Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
- Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-author: frack113
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
+author: frack113
date: 2022/01/16
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
logsource:
category: network_connection
product: windows
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate msiexec over networks
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218.007
diff --git a/rules/windows/network_connection/net_connection_win_ngrok_io.yml b/rules/windows/network_connection/net_connection_win_ngrok_io.yml
index ac28daf97..3db0d9864 100644
--- a/rules/windows/network_connection/net_connection_win_ngrok_io.yml
+++ b/rules/windows/network_connection/net_connection_win_ngrok_io.yml
@@ -2,22 +2,22 @@ title: Communication To Ngrok.Io
id: 18249279-932f-45e2-b37a-8925f2597670
status: experimental
description: Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
-author: Florian Roth
references:
- - https://ngrok.com/
- - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
+ - https://ngrok.com/
+ - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
+author: Florian Roth
date: 2022/07/16
tags:
- - attack.exfiltration
- - attack.t1567.001
+ - attack.exfiltration
+ - attack.t1567.001
logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith: '.ngrok.io'
- condition: selection
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.ngrok.io'
+ condition: selection
falsepositives:
- - Legitimate use of ngrok.io
+ - Legitimate use of ngrok.io
level: high
diff --git a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
index 3a6041a3e..3ab1760c8 100755
--- a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
@@ -2,12 +2,17 @@ title: Notepad Making Network Connection
id: e81528db-fc02-45e8-8e98-4e84aba1f10b
status: test
description: Detects suspicious network connection by Notepad
-author: EagleEye Team
references:
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
- https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+author: EagleEye Team
date: 2020/05/14
modified: 2022/10/05
+tags:
+ - attack.command_and_control
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1055
logsource:
category: network_connection
product: windows
@@ -20,8 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.command_and_control
- - attack.execution
- - attack.defense_evasion
- - attack.t1055
diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
index 8715cf93b..669fc41cc 100755
--- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
@@ -2,11 +2,11 @@ title: PowerShell Network Connections
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
+references:
+ - https://www.youtube.com/watch?v=DLtJTxMWZ2o
author: Florian Roth
date: 2017/03/13
modified: 2022/07/14
-references:
- - https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index bebc55259..f65ffdc19 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -2,12 +2,15 @@ title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: experimental
description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
- https://pypi.org/project/scapy/
+author: frack113
date: 2021/12/10
modified: 2022/09/20
+tags:
+ - attack.discovery
+ - attack.t1046
logsource:
category: network_connection
product: windows
@@ -35,6 +38,3 @@ detection:
falsepositives:
- Legitimate python script
level: medium
-tags:
- - attack.discovery
- - attack.t1046
\ No newline at end of file
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index e81321141..77e5a3eae 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -20,12 +20,12 @@ detection:
selection:
Image|endswith: '\regsvr32.exe'
condition: selection
-falsepositives:
- - Unknown
-level: high
fields:
- ComputerName
- User
- Image
- DestinationIp
- DestinationPort
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
index 0b2e6f4f2..12dbdd7ba 100755
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
@@ -2,43 +2,43 @@ title: Remote PowerShell Session (Network)
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
-author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
modified: 2022/08/24
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- DestinationPort:
- - 5985
- - 5986
- Initiated: 'true' # only matches of the initiating system can be evaluated
- filter:
- - User|contains: # covers many language settings for Network Service, please expand
- - 'NETWORK SERVICE'
- - 'NETZWERKDIENST'
- - 'SERVIZIO DI RETE'
- - 'SERVICIO DE RED'
- - User|contains|all:
- - 'SERVICE R'
- - 'SEAU'
- - SourceIp|startswith: '0:0:'
- - Image:
- - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
- filter_localhost:
- SourceIp: '::1'
- DestinationIp: '::1'
- condition: selection and not 1 of filter*
-falsepositives:
- - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- - Network Service user name of a not-covered localization
-level: high
tags:
- - attack.execution
- - attack.t1059.001
- - attack.lateral_movement
- - attack.t1021.006
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.006
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationPort:
+ - 5985
+ - 5986
+ Initiated: 'true' # only matches of the initiating system can be evaluated
+ filter:
+ - User|contains: # covers many language settings for Network Service, please expand
+ - 'NETWORK SERVICE'
+ - 'NETZWERKDIENST'
+ - 'SERVIZIO DI RETE'
+ - 'SERVICIO DE RED'
+ - User|contains|all:
+ - 'SERVICE R'
+ - 'SEAU'
+ - SourceIp|startswith: '0:0:'
+ - Image:
+ - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
+ - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
+ filter_localhost:
+ SourceIp: '::1'
+ DestinationIp: '::1'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+ - Network Service user name of a not-covered localization
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index c0db1e55f..72440a3e0 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -2,53 +2,53 @@ title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: test
description: Detects a rundll32 that communicates with public IP addresses
-author: Florian Roth
references:
- - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+ - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+author: Florian Roth
date: 2017/11/04
modified: 2022/10/04
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Image|endswith: '\rundll32.exe'
- Initiated: 'true'
- filter:
- - DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- - '20.' # Microsoft range, caused some FPs
- - '51.103.' # Microsoft range, caused some FPs
- - '51.104.' # Microsoft range, caused some FPs
- - '51.105.' # Microsoft range, caused some FPs
- - CommandLine|contains:
- - 'PcaSvc.dll,PcaPatchSdbTask'
- filter_update_processes:
- ParentImage: 'C:\Windows\System32\svchost.exe'
- RemoteAddress|endswith: ':443'
- condition: selection and not 1 of filter*
-falsepositives:
- - Communication to other corporate systems that use IP addresses from public address spaces
-level: medium
tags:
- - attack.defense_evasion
- - attack.t1218.011
- - attack.execution
+ - attack.defense_evasion
+ - attack.t1218.011
+ - attack.execution
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ Initiated: 'true'
+ filter:
+ - DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ - '20.' # Microsoft range, caused some FPs
+ - '51.103.' # Microsoft range, caused some FPs
+ - '51.104.' # Microsoft range, caused some FPs
+ - '51.105.' # Microsoft range, caused some FPs
+ - CommandLine|contains:
+ - 'PcaSvc.dll,PcaPatchSdbTask'
+ filter_update_processes:
+ ParentImage: 'C:\Windows\System32\svchost.exe'
+ RemoteAddress|endswith: ':443'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Communication to other corporate systems that use IP addresses from public address spaces
+level: medium
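Review bot: `filter_update_processes` keys on `RemoteAddress|endswith: ':443'`, but every other field in this rule uses the Sigma `network_connection` names (`DestinationIp`, `DestinationPort` in the sibling rules, `Image`, `ParentImage`), and `RemoteAddress` appears nowhere else in the moved block; on a backend without a mapping for that field the filter presumably never matches, so the svchost/443 exclusion is silently a no-op. I would change it to `DestinationPort: 443`. The `'20.'` exclusion on the same selection also drops all of 20.0.0.0/8, which is shared Azure address space rather than Microsoft-only infrastructure; the inline comment should say so (`# 20.0.0.0/8 is shared Azure space, not only Microsoft services — broad exclusion, narrow if possible`) so that tuners know the trade-off.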
diff --git a/rules/windows/network_connection/net_connection_win_script.yml b/rules/windows/network_connection/net_connection_win_script.yml
index a5043c04d..ef3b7eb2e 100644
--- a/rules/windows/network_connection/net_connection_win_script.yml
+++ b/rules/windows/network_connection/net_connection_win_script.yml
@@ -2,23 +2,23 @@ title: Script Initiated Connection
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
status: experimental
description: Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+author: frack113
date: 2022/08/28
+tags:
+ - attack.command_and_control
+ - attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
- Image|endswith:
+ Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
condition: selection
falsepositives:
- Legitimate scripts
level: medium
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_script_wan.yml b/rules/windows/network_connection/net_connection_win_script_wan.yml
index 4820282c7..2db420ed6 100644
--- a/rules/windows/network_connection/net_connection_win_script_wan.yml
+++ b/rules/windows/network_connection/net_connection_win_script_wan.yml
@@ -2,10 +2,13 @@ title: Script Initiated Connection to Non-Local Network
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
status: experimental
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
-author: frack113, Florian Roth
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+author: frack113, Florian Roth
date: 2022/08/28
+tags:
+ - attack.command_and_control
+ - attack.t1105
logsource:
category: network_connection
product: windows
@@ -40,6 +43,3 @@ detection:
falsepositives:
- Legitimate scripts
level: high
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index 31eccd053..6e69126ad 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -2,11 +2,14 @@ title: Silenttrinity Stager Msbuild Activity
id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
status: test
description: Detects a possible remote connections to Silenttrinity c2
-author: Kiran kumar s, oscd.community
references:
- https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+author: Kiran kumar s, oscd.community
date: 2020/10/11
modified: 2022/10/05
+tags:
+ - attack.execution
+ - attack.t1127.001
logsource:
category: network_connection
product: windows
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1127.001
diff --git a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
index 3070ecd6c..6845fe88a 100644
--- a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
@@ -2,31 +2,31 @@ title: Suspicious Network Connection Binary No CommandLine
id: 20384606-a124-4fec-acbb-8bd373728613
status: experimental
description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
-author: Florian Roth
references:
- https://redcanary.com/blog/raspberry-robin/
+author: Florian Roth
date: 2022/07/03
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Initiated: 'true'
- Image|endswith:
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\dllhost.exe'
- CommandLine|endswith:
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\dllhost.exe'
- filter_no_cmdline:
- CommandLine: ''
- filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
- CommandLine: null
- condition: selection and not 1 of filter*
-falsepositives:
- - Unknown
-level: high
tags:
- attack.defense_evasion
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith:
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\dllhost.exe'
+ CommandLine|endswith:
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\dllhost.exe'
+ filter_no_cmdline:
+ CommandLine: ''
+ filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
+ CommandLine: null
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Unknown
+level: high
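Review bot: The two filters in this hunk can never fire: `selection` requires `CommandLine|endswith` one of the three `.exe` suffixes, so any match already has a non-empty CommandLine, which makes `filter_no_cmdline` (`CommandLine: ''`) and `filter_null` (`CommandLine: null`) unreachable and reduces `condition: selection and not 1 of filter*` to plain `selection`. The comment on `filter_null` suggests the intent was to tolerate Sysmon ID 3 events that carry no CommandLine, but such events cannot satisfy the selection either, so on that source the rule silently matches nothing. Either drop the dead filters and state in the description that a CommandLine-bearing network event source is required, or move the "no parameters" check out of `selection` so the missing-field case is handled deliberately. Note also that a quoted invocation such as `"C:\Windows\System32\regsvr32.exe"` ends in `"` and will not match the `endswith` patterns; if that is intentional a one-line comment on `CommandLine|endswith` would save the next reader the same question.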
diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
index 2b0927bb0..48daf9a9c 100644
--- a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
@@ -2,10 +2,13 @@ title: Cmstp Making Network Connection
id: efafe0bf-4238-479e-af8f-797bd3490d2d
status: experimental
description: Detects suspicious network connection by Cmstp
-author: Nasreddine Bencherchali
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+author: Nasreddine Bencherchali
date: 2022/08/30
+tags:
+ - attack.defense_evasion
+ - attack.t1218.003
logsource:
category: network_connection
product: windows
@@ -17,6 +20,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1218.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
index a683212c0..1c7822845 100644
--- a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
@@ -2,23 +2,23 @@ title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: experimental
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
-author: Florian Roth
references:
- - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
+ - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
+ - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
+author: Florian Roth
date: 2022/04/20
logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - 'api.dropboxapi.com'
- - 'content.dropboxapi.com'
- filter:
- Image|contains: '\Dropbox'
- condition: selection and not filter
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - 'api.dropboxapi.com'
+ - 'content.dropboxapi.com'
+ filter:
+ Image|contains: '\Dropbox'
+ condition: selection and not filter
falsepositives:
- - Legitimate use of the API with a tool that the author wasn't aware of
+ - Legitimate use of the API with a tool that the author wasn't aware of
level: high
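Review bot: The exclusion `Image|contains: '\Dropbox'` is too loose for an allow-list on a level-high rule: it suppresses every executable whose path contains that substring, so a payload dropped into a user's `…\Dropbox\` sync folder would be excluded from detection while still talking to the Dropbox API. Tightening the match to the binary name, e.g. `Image|endswith: '\Dropbox.exe'`, or to the product's install directory with `Image|startswith`, closes that gap; the exact binary names and install paths are not listed on this page, so confirm them against what your estate actually runs before changing the filter. The rest of the hunk is a pure re-indentation and introduces no behavioural change.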
diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
index cb8eca222..2a0164d74 100644
--- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
@@ -7,6 +7,8 @@ references:
author: frack113, Tim Shelton (fps)
date: 2022/07/14
modified: 2022/07/18
+tags:
+ - attack.lateral_movement
logsource:
category: network_connection
product: windows
@@ -17,12 +19,10 @@ detection:
DestinationPort: 135
#DestinationPortName: epmap
filter:
- Image|startswith:
+ Image|startswith:
- C:\Windows\
- C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
condition: selection and not filter
falsepositives:
- Unknown
level: high
-tags:
- - attack.lateral_movement
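Review bot: The filter `Image|startswith: C:\Windows\` (only re-indented by this hunk) excludes every binary under the Windows directory, which includes user-writable locations such as `C:\Windows\Temp\` and `C:\Windows\Tasks\`, so an implant dropped there can make port-135 connections without triggering this high-level rule. Consider narrowing the allow-list to the system binary directories, e.g. `- 'C:\Windows\System32\'` and `- 'C:\Windows\SysWOW64\'`, and re-check the false-positive rate, since that is a behavioural change the commit does not make. Other rules in this change quote such path prefixes (`'C:\Program Files\SplunkUniversalForwarder\bin\'` in the RDP rule); quoting these two would keep the style consistent even though the plain scalars parse as strings today.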
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index fd7cba0ab..a70248780 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -2,31 +2,31 @@ title: Suspicious Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
status: test
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-author: Ilyas Ochkov, oscd.community
references:
- - https://github.com/GhostPack/Rubeus
+ - https://github.com/GhostPack/Rubeus
+author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2021/12/02
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- DestinationPort: 88
- Initiated: 'true'
- filter:
- Image|endswith:
- - '\lsass.exe'
- - '\opera.exe'
- - '\chrome.exe'
- - '\firefox.exe'
- - '\tomcat\bin\tomcat8.exe'
- condition: selection and not filter
-falsepositives:
- - Other browsers
-level: high
tags:
- - attack.credential_access
- - attack.t1558
- - attack.lateral_movement
- - attack.t1550.003
+ - attack.credential_access
+ - attack.t1558
+ - attack.lateral_movement
+ - attack.t1550.003
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationPort: 88
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ - '\tomcat\bin\tomcat8.exe'
+ condition: selection and not filter
+falsepositives:
+ - Other browsers
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
index 72f4d8d45..41b815a90 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -1,13 +1,17 @@
title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: experimental
-level: medium
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022/04/28
modified: 2022/06/02
+tags:
+ - attack.t1055
+ - attack.t1218
+ - attack.execution
+ - attack.defense_evasion
logsource:
product: windows
category: network_connection
@@ -38,8 +42,4 @@ detection:
condition: selection_mobsync and not filter
falsepositives:
- Unknown
-tags:
- - attack.t1055
- - attack.t1218
- - attack.execution
- - attack.defense_evasion
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
index 7612f4a7b..bced9cae1 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
@@ -2,14 +2,17 @@ title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: experimental
description: |
- Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
- The data may also be sent to an alternate network location from the main command and control server.
+ Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+ The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/01/07
modified: 2022/09/21
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
logsource:
category: network_connection
product: windows
@@ -34,6 +37,3 @@ detection:
falsepositives:
- Other SMTP tools
level: medium
-tags:
- - attack.exfiltration
- - attack.t1048.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 0df871e90..0c1c0c605 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -2,11 +2,14 @@ title: Suspicious Program Location with Network Connections
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: Detects programs with network connections running in suspicious files system locations
-author: Florian Roth, Tim Shelton
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+author: Florian Roth, Tim Shelton
date: 2017/03/19
modified: 2022/05/26
+tags:
+ - attack.command_and_control
+ - attack.t1105
logsource:
category: network_connection
product: windows
@@ -34,6 +37,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
index fd89cf440..b33a326da 100755
--- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
@@ -2,53 +2,53 @@ title: Suspicious Outbound RDP Connections
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
-author: Markus Neis
references:
- - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
+author: Markus Neis
date: 2019/05/15
modified: 2022/09/02
tags:
- - attack.lateral_movement
- - attack.t1021.001
- - car.2013-07-002
+ - attack.lateral_movement
+ - attack.t1021.001
+ - car.2013-07-002
logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
detection:
- selection:
- DestinationPort: 3389
- Initiated: 'true'
- filter:
- - Image|endswith:
- - '\mstsc.exe'
- - '\RTSApp.exe'
- - '\RTS2App.exe'
- - '\RDCMan.exe'
- - '\ws_TunnelService.exe'
- - '\RSSensor.exe'
- - '\RemoteDesktopManagerFree.exe'
- - '\RemoteDesktopManager.exe'
- - '\RemoteDesktopManager64.exe'
- - '\mRemoteNG.exe'
- - '\mRemote.exe'
- - '\Terminals.exe'
- - '\spiceworks-finder.exe'
- - '\FSDiscovery.exe'
- - '\FSAssessment.exe'
- - '\MobaRTE.exe'
- - '\chrome.exe'
- - '\System32\dns.exe'
- - '\thor.exe'
- - '\thor64.exe'
- - '\Passwordstate.exe'
- - '\Avast Software\Avast\AvastSvc.exe'
- - '\Ranger\SentinelRanger.exe' # sentinel one
- - '\Avast\AvastSvc.exe'
- - Image|startswith:
- - 'C:\Program Files\SplunkUniversalForwarder\bin\'
- - 'C:\Program Files\Mozilla Firefox\firefox.exe'
- condition: selection and not filter
+ selection:
+ DestinationPort: 3389
+ Initiated: 'true'
+ filter:
+ - Image|endswith:
+ - '\mstsc.exe'
+ - '\RTSApp.exe'
+ - '\RTS2App.exe'
+ - '\RDCMan.exe'
+ - '\ws_TunnelService.exe'
+ - '\RSSensor.exe'
+ - '\RemoteDesktopManagerFree.exe'
+ - '\RemoteDesktopManager.exe'
+ - '\RemoteDesktopManager64.exe'
+ - '\mRemoteNG.exe'
+ - '\mRemote.exe'
+ - '\Terminals.exe'
+ - '\spiceworks-finder.exe'
+ - '\FSDiscovery.exe'
+ - '\FSAssessment.exe'
+ - '\MobaRTE.exe'
+ - '\chrome.exe'
+ - '\System32\dns.exe'
+ - '\thor.exe'
+ - '\thor64.exe'
+ - '\Passwordstate.exe'
+ - '\Avast Software\Avast\AvastSvc.exe'
+ - '\Ranger\SentinelRanger.exe' # sentinel one
+ - '\Avast\AvastSvc.exe'
+ - Image|startswith:
+ - 'C:\Program Files\SplunkUniversalForwarder\bin\'
+ - 'C:\Program Files\Mozilla Firefox\firefox.exe'
+ condition: selection and not filter
falsepositives:
- - Other Remote Desktop RDP tools
- - Domain controller using dns.exe
+ - Other Remote Desktop RDP tools
+ - Domain controller using dns.exe
level: high
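Review bot: The allow-list mixes two granularities: the `Image|endswith` entries such as `'\mstsc.exe'`, `'\chrome.exe'` and `'\thor.exe'` match on file name only, so any tool renamed to one of those names in any directory is excluded, while Firefox is pinned to its install path under `Image|startswith`. For the exclusions most likely to be impersonated (browsers, security tooling, the RDP clients themselves) pinning the same way, or adding a comment on the `filter` block saying the name-only entries are an accepted trade-off, would make the evasion surface explicit. The hunk itself is a re-indentation only, so this behaviour is pre-existing rather than introduced here.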
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
index b52dceebf..772359d25 100644
--- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
@@ -1,22 +1,24 @@
title: Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+description: |
+ Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.
+ One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
references:
- - https://dtm.uk/wuauclt/
+ - https://dtm.uk/wuauclt/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
modified: 2021/11/27
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Image|contains: wuauclt
- condition: selection
-falsepositives:
- - Legitimate use of wuauclt.exe over the network.
-level: medium
tags:
- - attack.defense_evasion
- - attack.t1218
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|contains: wuauclt
+ condition: selection
+falsepositives:
+ - Legitimate use of wuauclt.exe over the network.
+level: medium
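Review bot: The reflowed `description` keeps the grammatical slip "making a network connections" on its first line; the block-scalar rewrite was the moment to fix it, e.g. `Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and make network connections.` Separately, `Image|contains: wuauclt` matches any path containing that substring (a directory named wuauclt, or a look-alike such as `wuauclt2.exe`), and unlike the sibling network_connection rules in this change it carries no `Initiated: 'true'` constraint; if that breadth was not intended, `Image|endswith: '\wuauclt.exe'` plus `Initiated: 'true'` would align it with those rules.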
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
index 7fcc5fb71..79c370e09 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml
@@ -3,13 +3,13 @@ id: d7326048-328b-4d5e-98af-86e84b17c765
related:
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
type: derived
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
-date: 2019/08/11
-modified: 2022/10/05
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+modified: 2022/10/05
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index e8e4b05a3..f21afa52c 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -2,15 +2,15 @@ title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
status: stable
description: Shadow Copies deletion using operating systems utilities via PowerShell
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+author: frack113
+date: 2021/06/03
+modified: 2021/10/16
tags:
- attack.impact
- attack.t1490
-date: 2021/06/03
-modified: 2021/10/16
logsource:
product: windows
category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index a0fdf44b4..9ce7332e3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -4,13 +4,13 @@ status: experimental
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+date: 2017/03/22
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
-author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
-date: 2017/03/22
-modified: 2021/10/16
logsource:
product: windows
category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index ec3b137b4..0335aa189 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -4,13 +4,13 @@ status: experimental
description: Detects PowerShell called from an executable by the version mismatch method
references:
- https://adsecurity.org/?p=2921
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-modified: 2021/10/16
logsource:
product: windows
category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
index 3d91e0cff..4c8f16620 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
@@ -1,17 +1,17 @@
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
- - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
- type: derived
+ - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
+ type: derived
status: experimental
-author: frack113
-date: 2021/07/21
-modified: 2021/10/16
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
+author: frack113
+date: 2021/07/21
+modified: 2021/10/16
tags:
- attack.command_and_control
- attack.t1095
@@ -27,4 +27,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index 4ce2aad71..c3294c708 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -3,13 +3,13 @@ id: 60167e5c-84b2-4c95-a7ac-86281f27c445
related:
- id: 96b9f619-aa91-478f-bacb-c3e50f8df575
type: derived
-description: Detects remote PowerShell sessions
status: test
-date: 2019/08/10
-modified: 2022/06/20
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects remote PowerShell sessions
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+modified: 2022/06/20
tags:
- attack.execution
- attack.t1059.001
@@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- Legitimate use remote PowerShell sessions
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 23a33a84c..2a6adeb25 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -1,7 +1,7 @@
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
-description: Detects renamed powershell
status: test
+description: Detects renamed powershell
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
index af8e94cf9..d81b9e4e6 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
@@ -28,11 +28,11 @@ detection:
- '-ScriptBlock '
- '-RemoteFXvGPUDisablementFilePath'
condition: all of selection_*
-falsepositives:
- - Unknown
-level: medium
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index 183154501..21d647ee3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell download command
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth
date: 2017/03/05
modified: 2021/10/16
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_classic_start
@@ -27,4 +27,4 @@ detection:
condition: downloadfile or downloadstring
falsepositives:
- PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
index 39ed23976..c7824c7ec 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
@@ -6,6 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021/12/10
+tags:
+ - attack.discovery
+ - attack.t1049
logsource:
product: windows
category: ps_classic_start
@@ -17,6 +20,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1049
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
index b9eeec34b..5d193835b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
@@ -3,8 +3,8 @@ id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
- id: ec19ebab-72dc-40e1-9728-4c0b805d722c
type: similar
-description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
status: experimental
+description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index acb208b83..ccb752a5d 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -1,7 +1,7 @@
title: Suspicious XOR Encoded PowerShell Command Line
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
status: experimental
+description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
author: Teymur Kheirkhabarov, Harish Segar (rule)
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 5a8f7764d..89ebf709e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -1,12 +1,12 @@
title: Alternate PowerShell Hosts
id: 64e8e417-c19a-475a-8d19-98ea705394cc
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
-date: 2019/08/11
-modified: 2022/10/10
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+modified: 2022/10/10
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index fb48751d4..3739517c7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -3,8 +3,11 @@ id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
- id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
type: derived
-description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
status: experimental
+description: |
+ focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
+ Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
+ that often undergo minimal changes by attackers due to bad opsec.
references:
- https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
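Review bot: The rewritten block scalar drops the capital letter the old description had: the new text begins `focuses on trivial artifacts …` whereas the removed line began `Focuses …`, so the rendered description now starts mid-sentence. Restore the first line as `  Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including`. Also note that `|` preserves the hard line breaks and trailing newline in the rendered description; if the text is meant as one paragraph, `>-` folds it, though the other reflowed descriptions in this change (the SMTP and wuauclt rules) also use `|`, so either choice is consistent here.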
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 0d36117af..08affa1ba 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -5,11 +5,11 @@ related:
type: derived
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
-date: 2019/10/25
-modified: 2022/05/10
-author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/25
+modified: 2022/05/10
tags:
- attack.defense_evasion
- attack.t1070.003
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index af98c89a7..d6d0186cb 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -3,17 +3,17 @@ id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
related:
- id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
type: derived
-description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
status: experimental
-date: 2020/05/02
-modified: 2021/10/16
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.defense_evasion
- - attack.t1140
+description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/8
- https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2021/10/16
+tags:
+ - attack.defense_evasion
+ - attack.t1140
logsource:
product: windows
category: ps_module
@@ -24,4 +24,4 @@ detection:
condition: selection_4103
falsepositives:
- Unknown
-level: informational
\ No newline at end of file
+level: informational
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index 6305b90d1..fd3a425c0 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -1,12 +1,12 @@
title: Suspicious Get-ADDBAccount Usage
id: b140afd9-474b-4072-958e-2ebb435abd68
-description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
status: experimental
-author: Florian Roth
-date: 2022/03/16
+description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
references:
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
+author: Florian Roth
+date: 2022/03/16
tags:
- attack.credential_access
- attack.t1003.003
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index baf228bd5..5ba8781e7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -1,16 +1,16 @@
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
-description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
status: experimental
-date: 2020/05/02
-modified: 2022/06/20
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.collection
- - attack.t1115
+description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2022/06/20
+tags:
+ - attack.collection
+ - attack.t1115
logsource:
product: windows
category: ps_module
@@ -21,4 +21,4 @@ detection:
condition: selection_4103
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 73f8b09f4..20e4882de 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -3,13 +3,13 @@ id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
related:
- id: 73e67340-0d25-11eb-adc1-0242ac120002
type: derived
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: experimental
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
tags:
- attack.defense_evasion
- attack.t1027
@@ -25,4 +25,4 @@ detection:
condition: selection_4103
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 9a4848faf..40e3d5feb 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -3,10 +3,10 @@ id: 2f211361-7dce-442d-b78a-c04039677378
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
+status: experimental
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
-status: experimental
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019/11/08
modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 483b4c343..7c6480e6a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -2,14 +2,14 @@ title: Invoke-Obfuscation STDIN+ Launcher
id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
related:
- id: 779c8c12-0eb1-11eb-adc1-0242ac120002
- type: derived
-description: Detects Obfuscated use of stdin to execute PowerShell
+ type: derived
status: experimental
+description: Detects Obfuscated use of stdin to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
tags:
- attack.defense_evasion
- attack.t1027
@@ -25,4 +25,4 @@ detection:
condition: selection_4103
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index 91aec4b61..1c4f947d8 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -3,13 +3,13 @@ id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
- id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
type: derived
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
status: experimental
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
tags:
- attack.defense_evasion
- attack.t1027
@@ -25,4 +25,4 @@ detection:
condition: selection_4103
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
index 36fb17672..efece32de 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml
@@ -3,13 +3,13 @@ id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
- id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
type: derived
-description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
index a8ad4066e..1b3a08617 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml
@@ -3,20 +3,25 @@ id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
- id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
type: derived
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: experimental
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_module
definition: PowerShell Module Logging must be enabled
detection:
selection_4103:
- Payload|contains|all:
+ Payload|contains|all:
- 'rundll32.exe'
- 'shell32.dll'
- 'shellexec_rundll'
@@ -25,8 +30,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
index 1bd27a934..264ebea41 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml
@@ -3,13 +3,13 @@ id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
- id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
type: derived
-description: Detects Obfuscated Powershell via Stdin in Scripts
status: experimental
+description: Detects Obfuscated Powershell via Stdin in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
index ddfa4f24f..2f9dc757e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml
@@ -3,13 +3,13 @@ id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
- id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
type: derived
-description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
index e92b64016..26d7188af 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml
@@ -3,13 +3,18 @@ id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: experimental
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/08
modified: 2022/03/07
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_module
@@ -27,8 +32,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
index a7861292b..a9fa7122f 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml
@@ -3,13 +3,18 @@ id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
- id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
type: derived
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: experimental
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019/10/08
modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_module
@@ -21,7 +26,7 @@ detection:
- 'rundll32'
- 'shell32.dll'
- 'shellexec_rundll'
- Payload|contains:
+ Payload|contains:
- 'value'
- 'invoke'
- 'comspec'
@@ -30,8 +35,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
index 04936a2e0..e76e8230b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml
@@ -3,13 +3,13 @@ id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
- id: e54f5149-6ba3-49cf-b153-070d24679126
type: derived
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
status: experimental
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
index fbfba628d..d0e211da3 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
@@ -1,14 +1,14 @@
title: Netcat The Powershell Version
id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
status: experimental
-author: frack113
-date: 2021/07/21
-modified: 2021/10/16
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
- https://nmap.org/ncat/
- https://github.com/besimorhino/powercat
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
+author: frack113
+date: 2021/07/21
+modified: 2021/10/16
tags:
- attack.command_and_control
- attack.t1095
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
index 606af813f..6f9d204c1 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml
@@ -1,12 +1,12 @@
title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
-description: Detects remote PowerShell sessions
status: test
-date: 2019/08/10
-modified: 2022/06/20
-author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
+description: Detects remote PowerShell sessions
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
+date: 2019/08/10
+modified: 2022/06/20
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
index c1b2673e6..28a91baf6 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
@@ -1,14 +1,17 @@
title: AD Groups Or Users Enumeration Using PowerShell - PoshModule
id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
+status: experimental
description: |
- Adversaries may attempt to find domain-level groups and permission settings.
- The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
- Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
+ Adversaries may attempt to find domain-level groups and permission settings.
+ The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+ Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
-status: experimental
author: frack113
date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1069.001
logsource:
product: windows
category: ps_module
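Review bot: The tag `attack.t1069.001` carried to the top of the file does not fit the rule's scope: the title is AD (domain) group enumeration and the only reference is the atomic for T1069.002, whereas sub-technique .001 is the local-groups variant. Unless the selection really matches local-group cmdlets, the tag should read `- attack.t1069.002`. The detection block lies outside this hunk, so I could not confirm which cmdlets are matched; the local-groups rule posh_pm_susp_local_group_reco.yml is consistent (reference and tag both .001) and can serve as the comparison.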
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Administrator script
level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
index 4ad279399..d7bd34858 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
@@ -1,13 +1,13 @@
title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
status: experimental
-author: frack113
-date: 2021/07/13
-modified: 2021/10/16
description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+author: frack113
+date: 2021/07/13
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1218
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index 598a3549e..5f36c7b73 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell download command
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth
date: 2017/03/05
modified: 2021/10/18
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_module
@@ -24,4 +24,4 @@ detection:
condition: webclient and download
falsepositives:
- PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
index f32822bbd..0be65ca51 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
@@ -6,6 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021/12/10
+tags:
+ - attack.discovery
+ - attack.t1049
logsource:
product: windows
category: ps_module
@@ -17,6 +20,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1049
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index 68532a09c..58ab9a87c 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell invocation command parameters
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/12
modified: 2021/12/02
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
index d429a97b7..0a8f13c05 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell invocation command parameters
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/02/21
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_module
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
index f41058316..506f6baa4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml
@@ -1,14 +1,17 @@
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
+status: experimental
description: |
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
-status: experimental
author: frack113
date: 2021/12/12
+tags:
+ - attack.discovery
+ - attack.t1069.001
logsource:
product: windows
category: ps_module
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Administrator script
level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
index ad78a9bde..7985de802 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml
@@ -1,12 +1,17 @@
title: Suspicious Computer Machine Password by PowerShell
id: e3818659-5016-4811-a73c-dde4679169d2
status: experimental
-description: The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
+description: |
+ The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
+ You can use it to reset the password of the local computer.
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: frack113
date: 2022/02/21
+tags:
+ - attack.initial_access
+ - attack.t1078
logsource:
product: windows
category: ps_module
@@ -18,6 +23,3 @@ detection:
falsepositives:
- Administrator PowerShell scripts
level: medium
-tags:
- - attack.initial_access
- - attack.t1078
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
index 5c1f99b96..fed54bbf6 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
@@ -1,13 +1,17 @@
title: Suspicious Get Information for SMB Share
id: 6942bd25-5970-40ab-af49-944247103358
+status: experimental
description: |
- Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
+ Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
+ to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
-status: experimental
author: frack113
date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1069.001
logsource:
product: windows
category: ps_module
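Review bot: The relocated tag `attack.t1069.001` (local permission groups) matches neither the description, which is about shared folders and drives on remote systems, nor the reference, which points to the T1069.002 atomic. If the selection matches share-enumeration cmdlets, the fitting technique is Network Share Discovery, i.e. `- attack.t1135`, and the reference should point to the corresponding atomic rather than the permission-groups one. The detection block is outside this hunk, so confirm against the selection before changing the mapping.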
@@ -20,6 +24,3 @@ detection:
falsepositives:
- Administrator script
level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 9cc35cb3e..1cd4292c4 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
@@ -4,12 +4,12 @@ related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
status: experimental
-author: frack113
-date: 2021/07/20
-modified: 2021/10/16
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
+author: frack113
+date: 2021/07/20
+modified: 2021/10/16
tags:
- attack.collection
- attack.t1074.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index f5d5cff74..ec7d8c72a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
@@ -5,8 +5,8 @@ related:
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
-description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
status: experimental
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
@@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- App-V clients
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
index 56a47176f..ccdb8e75d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml
@@ -4,14 +4,17 @@ related:
- id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
type: obsoletes
status: experimental
-author: frack113
-date: 2022/01/30
description: |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
+author: frack113
+date: 2022/01/30
+tags:
+ - attack.credential_access
+ - attack.t1555.003
logsource:
product: windows
category: ps_script
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.credential_access
- - attack.t1555.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
index 558746b04..df4639d7e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
@@ -2,11 +2,11 @@ title: Accessing WinAPI in PowerShell
id: 03d83090-8cba-44a0-b02f-0b756a050306
status: experimental
description: Detecting use WinAPI Functions in PowerShell
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Tim Shelton
date: 2020/10/06
modified: 2022/09/29
-references:
- - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
index dddb6e625..23b3341b7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
@@ -1,7 +1,9 @@
title: Powershell Add Name Resolution Policy Table Rule
id: 4368354e-1797-463c-bc39-a309effbe8d7
status: test
-description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
+description: |
+ Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.
+ This will bypass the default DNS server and uses a specified server for answering the query.
references:
- https://twitter.com/NathanMcNulty/status/1569497348841287681
- https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
index ef08b024f..8482c2316 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml
@@ -5,13 +5,13 @@ description: Detects execution of ADRecon.ps1 for AD reconnaissance which has be
references:
- https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
+author: Bhabesh Raj
+date: 2021/07/16
+modified: 2022/09/06
tags:
- attack.discovery
- attack.execution
- attack.t1059.001
-author: Bhabesh Raj
-date: 2021/07/16
-modified: 2022/09/06
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
index e623df577..f2b73179c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
@@ -2,11 +2,21 @@ title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
+references:
+ - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019/11/01
modified: 2022/10/05
-references:
- - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.command_and_control
+ - attack.t1071.004
+ - attack.t1572
+ - attack.impact
+ - attack.t1529
+ - attack.g0091
+ - attack.s0363
logsource:
product: windows
service: powershell
@@ -33,13 +43,3 @@ detection:
falsepositives:
- Unknown
level: critical
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.command_and_control
- - attack.t1071.004
- - attack.t1572
- - attack.impact
- - attack.t1529
- - attack.g0091
- - attack.s0363
diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
index 54cdd93a0..54e8f51e4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
@@ -2,11 +2,14 @@ title: Get-ADUser Enumeration Using UserAccountControl Flags
id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
status: experimental
description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
-date: 2022/03/17
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
- https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
+author: frack113
+date: 2022/03/17
+tags:
+ - attack.discovery
+ - attack.t1033
logsource:
product: windows
category: ps_script
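Review bot: The relocated `tags` block keeps `attack.t1033` (System Owner/User Discovery), which does not match the technique behind the only reference in this rule: the atomic test URL is filed under T1069.002 (Permission Groups Discovery: Domain Groups), and the description itself calls the activity AS-REP roasting, which ATT&CK classes as a credential-access technique (T1558.004). Since the commit re-emits these lines, it is a good moment to reconcile the tag with the referenced technique rather than carry the mismatch forward; `- attack.t1069.002` would at least agree with the cited source, or add `- attack.credential_access` / `- attack.t1558.004` if the intent is the roasting step rather than the enumeration. Whichever is chosen, the `description` line in this hunk ("Detects AS-REP roasting is an attack that is often-overlooked") should be reworded into a sentence that states what is detected, e.g. `description: Detects enumeration of AD users with UserAccountControl flags that disable Kerberos pre-authentication, a precursor to AS-REP roasting`.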
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.discovery
- - attack.t1033
diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
index f85d12599..7e391ab90 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml
@@ -1,12 +1,12 @@
title: Automated Collection Command PowerShell
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
status: experimental
-author: frack113
-date: 2021/07/28
-modified: 2021/12/02
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
+author: frack113
+date: 2021/07/28
+modified: 2021/12/02
tags:
- attack.collection
- attack.t1119
diff --git a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
index b006328ae..96a2831f0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml
@@ -8,14 +8,6 @@ references:
author: Austin Songer (@austinsonger)
date: 2021/10/23
modified: 2022/01/12
-logsource:
- product: windows
- category: ps_script
- definition: Script Block Logging must be enabled
-detection:
- selection:
- ScriptBlockText|contains: Invoke-AzureHound
- condition: selection
tags:
- attack.discovery
- attack.t1482
@@ -25,6 +17,14 @@ tags:
- attack.t1069.001
- attack.t1069.002
- attack.t1069
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script Block Logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains: Invoke-AzureHound
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
index ddae8a494..7f0bf381f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml
@@ -9,6 +9,9 @@ references:
author: frack113
date: 2021/12/28
modified: 2022/07/07
+tags:
+ - attack.collection
+ - attack.t1113
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.collection
- - attack.t1113
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
index 75b81b735..3c739eb68 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml
@@ -1,13 +1,13 @@
title: Execution via CL_Invocation.ps1
id: 4cd29327-685a-460e-9dac-c3ab96e549dc
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
index cae4b871e..ca4c8c67e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
@@ -1,13 +1,13 @@
title: Execution via CL_Invocation.ps1 (2 Lines)
id: f588e69b-0750-46bb-8f87-0e9320d57536
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
index 44f7610e5..7a9904163 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
@@ -1,13 +1,13 @@
title: Execution via CL_Mutexverifiers.ps1
id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
references:
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
- https://twitter.com/pabraeken/status/995111125447577600
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
index 53b50941d..f32263af7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
@@ -1,13 +1,13 @@
title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
id: 6609c444-9670-4eab-9636-fe4755a851ce
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
references:
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
- https://twitter.com/pabraeken/status/995111125447577600
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index d9b2bdb47..6793baf4e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -5,11 +5,14 @@ related:
type: derived
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
-author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2022/01/25
modified: 2022/05/10
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
logsource:
product: windows
category: ps_script
@@ -36,6 +39,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
index c2741d7aa..1dfc80f96 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
@@ -1,13 +1,17 @@
title: Clearing Windows Console History
id: bde47d4b-9987-405c-94c7-b080410e8ea7
-description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
status: experimental
-author: Austin Songer @austinsonger
-date: 2021/11/25
+description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
references:
- https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
- https://www.shellhacks.com/clear-history-powershell/
- https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
+author: Austin Songer @austinsonger
+date: 2021/11/25
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+ - attack.t1070.003
logsource:
product: windows
category: ps_script
@@ -24,10 +28,6 @@ detection:
- ConsoleHost_history.txt
- (Get-PSReadlineOption).HistorySavePath
condition: selection1 or selection2a and selection2b
-tags:
- - attack.defense_evasion
- - attack.t1070
- - attack.t1070.003
-level: high
falsepositives:
- Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
index 050837322..c1c7fb77f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
@@ -7,6 +7,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1053.005
logsource:
product: windows
category: ps_script
@@ -29,8 +32,5 @@ detection:
- 'Root\Microsoft\Windows\TaskScheduler'
condition: 1 of selection_*
falsepositives:
- - Unknown
+ - Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1053.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 666fef3bb..03c915c60 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -7,6 +7,9 @@ references:
author: frack113, Nasreddine Bencherchali
date: 2021/12/27
modified: 2022/10/20
+tags:
+ - attack.credential_access
+ - attack.t1556.002
logsource:
product: windows
category: ps_script
@@ -14,16 +17,13 @@ logsource:
detection:
selection_copy:
ScriptBlockText|contains|all:
- - 'Copy-Item '
- - '-Destination '
+ - 'Copy-Item '
+ - '-Destination '
selection_paths:
ScriptBlockText|contains:
- - '\Windows\System32'
- - '\Windows\SysWOW64'
+ - '\Windows\System32'
+ - '\Windows\SysWOW64'
condition: all of selection*
falsepositives:
- Unknown
level: high
-tags:
- - attack.credential_access
- - attack.t1556.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index 1c92773af..c14435c36 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -7,10 +7,13 @@ description: |
These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
(Citation: Microsoft Profiling Mar 2017)
(Citation: Microsoft COR_PROFILER Feb 2013)
-author: frack113
-date: 2021/12/30
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
+author: frack113
+date: 2021/12/30
+tags:
+ - attack.persistence
+ - attack.t1574.012
logsource:
product: windows
category: ps_script
@@ -23,8 +26,5 @@ detection:
- '$env:COR_PROFILER_PATH'
condition: selection
falsepositives:
- - Legitimate administrative script
+ - Legitimate administrative script
level: medium
-tags:
- - attack.persistence
- - attack.t1574.012
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index 8b4983cbf..4661466f1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -4,14 +4,14 @@ status: experimental
description: Detects creation of a local user via PowerShell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
+author: '@ROxPinTeddy'
+date: 2020/04/11
+modified: 2021/10/16
tags:
- attack.execution
- attack.t1059.001
- attack.persistence
- attack.t1136.001
-author: '@ROxPinTeddy'
-date: 2020/04/11
-modified: 2021/10/16
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
index 6c098c110..aaa8fb639 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -2,11 +2,14 @@ title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: experimental
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
-date: 2022/01/12
-author: frack113
references:
- https://attack.mitre.org/datasources/DS0005/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
+date: 2022/01/12
+tags:
+ - attack.credential_access
+ - attack.t1003.003
logsource:
product: windows
category: ps_script
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: high
-tags:
- - attack.credential_access
- - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
index 02098dfae..e7691dcea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
@@ -2,11 +2,14 @@ title: Data Compressed - PowerShell
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2021/10/16
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
+tags:
+ - attack.exfiltration
+ - attack.t1560
logsource:
product: windows
category: ps_script
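Review bot: The re-emitted `tags` block pairs `attack.t1560` with `attack.exfiltration`, but T1560 (Archive Collected Data, the technique the atomic-red-team reference in this hunk points to) belongs to the Collection tactic in ATT&CK, not Exfiltration. The tactic tag should therefore be `- attack.collection`, as used by sibling rules in this directory, or an exfiltration technique tag should be added alongside it if that tactic is really intended. Worth fixing here since the commit already rewrites these lines and a wrong tactic tag misfiles the rule in any tactic-based navigator or coverage mapping.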
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Highly likely if archive operations are done via PowerShell.
level: low
-tags:
- - attack.exfiltration
- - attack.t1560
diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 3a7d39ced..0462aaa64 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -1,13 +1,15 @@
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: experimental
-author: frack113, Duc.Le-GTSC
-date: 2021/08/03
-modified: 2022/03/03
-description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
+description: |
+ Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
+ This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
+author: frack113, Duc.Le-GTSC
+date: 2021/08/03
+modified: 2022/03/03
tags:
- attack.defense_evasion
- attack.t1497.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
index 72b5b9b37..d6e71c8bc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
@@ -2,10 +2,13 @@ title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: experimental
description: Enumerates Active Directory to determine computers that are joined to the domain
-date: 2022/02/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
+date: 2022/02/12
+tags:
+ - attack.discovery
+ - attack.t1018
logsource:
product: windows
category: ps_script
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.discovery
- - attack.t1018
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
index 65bcc357a..6538dcd50 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
@@ -9,6 +9,9 @@ references:
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
author: frack113
date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1136.002
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.persistence
- - attack.t1136.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
index 0fd446068..ca73990c6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
@@ -6,6 +6,9 @@ references:
- https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
logsource:
product: windows
category: ps_script
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Legitimate script that disables the command history
level: high
-tags:
- - attack.defense_evasion
- - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
index df3121e56..51f323566 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
@@ -1,14 +1,14 @@
title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: experimental
-author: frack113
-date: 2022/09/10
description: |
- Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+ Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
- https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+author: frack113
+date: 2022/09/10
tags:
- attack.defense_evasion
- attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
index ea3a7d0a7..79ac972e0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
@@ -1,7 +1,7 @@
title: Dnscat Execution
id: a6d67db4-6220-436d-8afc-f3842fe05d43
-description: Dnscat exfiltration tool execution
status: experimental
+description: Dnscat exfiltration tool execution
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
index 596705cf0..d389bfedb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
@@ -1,13 +1,16 @@
title: Dump Credentials from Windows Credential Manager With PowerShell
id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
status: experimental
-author: frack113
-date: 2021/12/20
description: |
- Adversaries may search for common password storage locations to obtain user credentials.
- Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+ Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
+author: frack113
+date: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1555
logsource:
product: windows
category: ps_script
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.credential_access
- - attack.t1555
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
index b1134519d..a91231944 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
@@ -7,6 +7,9 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022/01/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
logsource:
product: windows
category: ps_script
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate script
level: medium
-tags:
- - attack.lateral_movement
- - attack.t1021.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
index c37b1dd75..67c4d231f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
@@ -1,13 +1,13 @@
title: Enable-WindowsOptionalFeature Command PowerShell
id: 55c925c1-7195-426b-a136-a9396800e29b
status: experimental
-author: frack113
-date: 2022/09/10
description: |
- Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+ Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+author: frack113
+date: 2022/09/10
tags:
- attack.defense_evasion
logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
index cd35eba18..da88ea021 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
@@ -1,13 +1,16 @@
title: Enumerate Credentials from Windows Credential Manager With PowerShell
id: 603c6630-5225-49c1-8047-26c964553e0e
status: experimental
-author: frack113
-date: 2021/12/20
description: |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
+author: frack113
+date: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1555
logsource:
product: windows
category: ps_script
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.credential_access
- - attack.t1555
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index 55e61a589..f41738e05 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -5,10 +5,15 @@ related:
type: derived
status: experimental
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
-author: Nasreddine Bencherchali
references:
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+author: Nasreddine Bencherchali
date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+ - attack.t1562.006
+ - car.2016-04-002
logsource:
product: windows
category: ps_script
@@ -24,8 +29,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1070
- - attack.t1562.006
- - car.2016-04-002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
index 413246730..1cd5b1aca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
@@ -1,13 +1,17 @@
title: Powershell File and Directory Discovery
id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
+status: experimental
description: |
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
+ including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
-status: experimental
author: frack113
date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1083
logsource:
product: windows
category: ps_script
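Review bot: The line break introduced in the second sentence of the description becomes a hard newline in the parsed value, because the field is a `|` literal block scalar, so any consumer that renders the description verbatim now shows `...follow-on behaviors,` and `including whether or not...` on separate lines mid-sentence. If the intent was only to keep the source line short, a folded scalar (`description: >`) would join wrapped lines with a space; note that folding would also join the two existing sentence lines into one paragraph, so check that is acceptable before switching. The status/tags reorder in the same hunk is unaffected by this.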
@@ -24,6 +28,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index 6602dc891..9fb1db082 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
@@ -10,6 +10,9 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
author: frack113
date: 2021/12/30
+tags:
+ - attack.persistence
+ - attack.t1574.011
logsource:
product: windows
category: ps_script
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.persistence
- - attack.t1574.011
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index d4f4563f7..6b95f660a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -4,11 +4,14 @@ status: experimental
description: |
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
-date: 2022/02/06
-author: frack113
references:
- https://www.powershellgallery.com/packages/DSInternals
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
+author: frack113
+date: 2022/02/06
+tags:
+ - attack.credential_access
+ - attack.t1003.006
logsource:
product: windows
category: ps_script
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.credential_access
- - attack.t1003.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
index e236b8802..490360c65 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
@@ -1,14 +1,17 @@
title: Automated Collection Bookmarks Using Get-ChildItem PowerShell
id: e0565f5d-d420-4e02-8a68-ac00d864f9cf
status: experimental
-author: frack113
-date: 2021/12/13
description: |
Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
+author: frack113
+date: 2021/12/13
+tags:
+ - attack.discovery
+ - attack.t1217
logsource:
product: windows
category: ps_script
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1217
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
index 544a4d5ce..88aee21b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
@@ -2,10 +2,12 @@ title: PowerShell Hotfix Enumeration
id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
status: experimental
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
-author: Nasreddine Bencherchali
references:
- https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
+author: Nasreddine Bencherchali
date: 2022/06/21
+tags:
+ - attack.discovery
logsource:
product: windows
category: ps_script
@@ -19,5 +21,3 @@ detection:
falsepositives:
- Legitimate administration scripts
level: medium
-tags:
- - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
index ef385981a..a27a51485 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
@@ -17,9 +17,9 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- - 'New-Object'
- - 'System.Net.NetworkInformation.Ping'
- - '.Send('
+ - 'New-Object'
+ - 'System.Net.NetworkInformation.Ping'
+ - '.Send('
condition: selection
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index f73b2a6f8..dee35db0e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -6,6 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali
date: 2022/07/07
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
index e29bcb6af..8de575e07 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
@@ -7,6 +7,9 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
author: frack113
date: 2022/01/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate script
level: medium
-tags:
- - attack.lateral_movement
- - attack.t1021.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index a6c5c5911..f1ec39f84 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -7,6 +7,9 @@ references:
- https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022/01/07
+tags:
+ - attack.exfiltration
+ - attack.t1048
logsource:
product: windows
category: ps_script
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Legitimate script
level: high
-tags:
- - attack.exfiltration
- - attack.t1048
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
index 133b02854..dc88b8395 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
@@ -2,22 +2,22 @@ title: PrintNightmare Powershell Exploitation
id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
status: test
description: Detects Commandlet name for PrintNightmare exploitation.
-date: 2021/08/09
-modified: 2021/10/16
references:
- https://github.com/calebstewart/CVE-2021-1675
author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+modified: 2021/10/16
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
- selection:
- ScriptBlockText|contains: Invoke-Nightmare
- condition: selection
+ selection:
+ ScriptBlockText|contains: Invoke-Nightmare
+ condition: selection
falsepositives:
- Unknown
level: high
-tags:
- - attack.privilege_escalation
- - attack.t1548
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index b4aa1b056..96704f6e1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -1,12 +1,12 @@
title: Invoke-Obfuscation CLIP+ Launcher
id: 73e67340-0d25-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
status: experimental
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
author: Jonathan Cheong, oscd.community
date: 2020/10/13
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
tags:
- attack.defense_evasion
- attack.t1027
@@ -22,4 +22,4 @@ detection:
condition: selection_4104
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 57792288e..1b5f9451f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -1,9 +1,9 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+status: experimental
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
-status: experimental
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019/11/08
modified: 2022/01/27
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 334e424a2..1b6852542 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -1,12 +1,12 @@
title: Invoke-Obfuscation STDIN+ Launcher
id: 779c8c12-0eb1-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of stdin to execute PowerShell
status: experimental
+description: Detects Obfuscated use of stdin to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
tags:
- attack.defense_evasion
- attack.t1027
@@ -22,4 +22,4 @@ detection:
condition: selection_4104
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index ae25eadb5..14acfefd5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -1,12 +1,12 @@
title: Invoke-Obfuscation VAR+ Launcher
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
status: experimental
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
author: Jonathan Cheong, oscd.community
date: 2020/10/15
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
tags:
- attack.defense_evasion
- attack.t1027
@@ -22,4 +22,4 @@ detection:
condition: selection_4104
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index e855b695c..5fcc15619 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -1,22 +1,27 @@
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
-description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status: experimental
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection_4104:
- ScriptBlockText|contains|all:
+ ScriptBlockText|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
ScriptBlockText|endswith: 'readtoend'
@@ -24,8 +29,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index b28d35358..c6b949baf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -1,12 +1,17 @@
title: Invoke-Obfuscation RUNDLL LAUNCHER
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
status: experimental
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020/10/18
modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -22,8 +27,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 73cfb7ba5..43e172219 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -1,12 +1,12 @@
title: Invoke-Obfuscation Via Stdin
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
-description: Detects Obfuscated Powershell via Stdin in Scripts
status: experimental
+description: Detects Obfuscated Powershell via Stdin in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
author: Nikita Nazarov, oscd.community
date: 2020/10/12
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index d2898f76c..f5d1c7c90 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -1,12 +1,12 @@
title: Invoke-Obfuscation Via Use Clip
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
-description: Detects Obfuscated Powershell via use Clip.exe in Scripts
status: experimental
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
author: Nikita Nazarov, oscd.community
date: 2020/10/09
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 2a4bc5673..a92f74421 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -1,12 +1,17 @@
title: Invoke-Obfuscation Via Use MSHTA
id: e55a5195-4724-480e-a77e-3ebe64bd3759
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
status: experimental
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
author: Nikita Nazarov, oscd.community
date: 2020/10/08
modified: 2022/03/07
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -24,8 +29,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index 9b89392ce..5cde95d40 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -1,12 +1,17 @@
title: Invoke-Obfuscation Via Use Rundll32
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
status: experimental
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019/10/08
modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -27,8 +32,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index b81f4aa08..08d14edf4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -1,12 +1,12 @@
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e54f5149-6ba3-49cf-b153-070d24679126
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
status: experimental
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
author: Timur Zinniatullin, oscd.community
date: 2020/10/13
modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
tags:
- attack.defense_evasion
- attack.t1027
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 70a46b929..6a3a73bf6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -1,13 +1,13 @@
title: Powershell Keylogging
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
status: experimental
-author: frack113
-date: 2021/07/30
-modified: 2022/07/11
description: Adversaries may log user keystrokes to intercept credentials as the user types them.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
+author: frack113
+date: 2021/07/30
+modified: 2022/07/11
tags:
- attack.collection
- attack.t1056.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index e92892dbe..501c3c0eb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -9,6 +9,9 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1098
logsource:
product: windows
category: ps_script
@@ -27,6 +30,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.persistence
- - attack.t1098
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 809a49f41..c53603950 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -2,15 +2,18 @@ title: Malicious PowerShell Commandlets
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp)
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp)
date: 2017/03/05
modified: 2022/10/25
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -201,6 +204,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 9381bd94b..86c6f7263 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -4,12 +4,12 @@ status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
-tags:
- - attack.execution
- - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
modified: 2021/10/16
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 4f328ea28..eb51997d6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -2,13 +2,13 @@ title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: experimental
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
-date: 2021/09/21
-modified: 2021/10/16
references:
- https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
+author: Max Altgelt
+date: 2021/09/21
+modified: 2021/10/16
tags:
- attack.t1003
-author: Max Altgelt
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index e3c4c9bec..56be9cb6c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -1,14 +1,18 @@
title: Modify Group Policy Settings - ScriptBlockLogging
id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
related:
- - id: ada4b0c4-758b-46ac-9033-9004613a150d
- type: similar
+ - id: ada4b0c4-758b-46ac-9033-9004613a150d
+ type: similar
status: experimental
description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1484.001
logsource:
product: windows
category: ps_script
@@ -28,7 +32,3 @@ detection:
falsepositives:
- Legitimate use
level: medium
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1484.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index 91cd0993b..bc7de16b3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -5,13 +5,16 @@ description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
-author: frack113, MatilJ
-date: 2022/01/19
-modified: 2022/05/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
+author: frack113, MatilJ
+date: 2022/01/19
+modified: 2022/05/19
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -27,6 +30,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index e0aabdbb1..bb2e5aecd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -2,14 +2,14 @@ title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: experimental
description: Detects Commandlet names and arguments from the Nishang exploitation framework
-date: 2019/05/16
-modified: 2022/08/29
references:
- https://github.com/samratashok/nishang
+author: Alec Costello
+date: 2019/05/16
+modified: 2022/08/29
tags:
- attack.execution
- attack.t1059.001
-author: Alec Costello
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index 34a83c4b6..f8867e5dd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -5,14 +5,14 @@ description: Detects writing data into NTFS alternate data streams from powershe
references:
- http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
+author: Sami Ruohonen
+date: 2018/07/24
+modified: 2021/12/02
tags:
- attack.defense_evasion
- attack.t1564.004
- attack.execution
- attack.t1059.001
-author: Sami Ruohonen
-date: 2018/07/24
-modified: 2021/12/02
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index 25a38346d..f94cb548b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -8,6 +8,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1137.006
logsource:
product: windows
category: ps_script
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1137.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
index 734f03f2c..c654b077e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
@@ -1,17 +1,17 @@
title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: experimental
-author: Tim Rauch
-date: 2022/09/28
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
- https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
-logsource:
- category: ps_script
- product: windows
+author: Tim Rauch
+date: 2022/09/28
tags:
- attack.credential_access
- attack.t1003
+logsource:
+ category: ps_script
+ product: windows
detection:
selection_1:
ScriptBlockText|contains|all:
@@ -26,4 +26,4 @@ detection:
condition: 1 of selection*
falsepositives:
- Mimikatz can be useful for testing the security of networks
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index 12701d630..728c0738b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -2,17 +2,17 @@ title: Malicious PowerView PowerShell Commandlets
id: dcd74b95-3f36-4ed9-9598-0490951643aa
status: experimental
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
-date: 2021/05/18
-modified: 2021/10/16
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
+author: Bhabesh Raj
+date: 2021/05/18
+modified: 2021/10/16
tags:
- attack.execution
- attack.t1059.001
-author: Bhabesh Raj
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index 7c532498b..0317ce8eb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -5,13 +5,13 @@ description: Detects PowerShell calling a credential prompt
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
+author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
+modified: 2021/10/16
tags:
- attack.credential_access
- attack.execution
- attack.t1059.001
-author: John Lambert (idea), Florian Roth (rule)
-date: 2017/04/09
-modified: 2021/10/16
logsource:
product: windows
category: ps_script
@@ -20,6 +20,6 @@ detection:
selection:
ScriptBlockText|contains: 'PromptForCredential'
condition: selection
-falsepositives:
+falsepositives:
- Unknown
level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index 1473ce81f..544d746b6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -4,12 +4,12 @@ status: experimental
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
-tags:
- - attack.execution
- - attack.t1059.001
author: Sean Metcalf (source), Florian Roth (rule)
date: 2017/03/05
modified: 2021/10/16
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index 372b0507d..3dd62bff8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -2,13 +2,16 @@ title: PowerShell Remote Session Creation
id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
status: experimental
description: |
- Adversaries may abuse PowerShell commands and scripts for execution.
- PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
author: frack113
date: 2022/01/06
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index bed1490c0..c75aee72c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -2,12 +2,15 @@ title: Use Remove-Item to Delete File
id: b8af5f36-1361-4ebe-9e76-e36128d947bf
status: experimental
description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
date: 2022/01/15
modified: 2022/03/17
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
logsource:
product: windows
category: ps_script
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.defense_evasion
- - attack.t1070.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index c8bc85002..51d67294f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -2,13 +2,16 @@ title: Request A Single Ticket via PowerShell
id: a861d835-af37-4930-bcd6-5b178bfb54df
status: experimental
description: |
- utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
- This behavior is typically used during a kerberos or silver ticket attack.
- A successful execution will output the SPNs for the endpoint in question.
+ utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
+ This behavior is typically used during a kerberos or silver ticket attack.
+ A successful execution will output the SPNs for the endpoint in question.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
author: frack113
date: 2021/12/28
+tags:
+ - attack.credential_access
+ - attack.t1558.003
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.credential_access
- - attack.t1558.003
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index e70ff16ab..1d2663ef6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -2,11 +2,14 @@ title: Suspicious Invoke-Item From Mount-DiskImage
id: 902cedee-0398-4e3a-8183-6f3a89773a96
status: experimental
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
-date: 2022/02/01
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
- https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+author: frack113
+date: 2022/02/01
+tags:
+ - attack.defense_evasion
+ - attack.t1553.005
logsource:
product: windows
category: ps_script
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1553.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
index ab36d888e..6b93371a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
@@ -1,13 +1,16 @@
title: Security Software Discovery by Powershell
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: experimental
-author: frack113
-date: 2021/12/16
description: |
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
This may include things such as firewall rules and anti-viru
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
+author: frack113
+date: 2021/12/16
+tags:
+ - attack.discovery
+ - attack.t1518.001
logsource:
product: windows
category: ps_script
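Review bot: The description in this hunk is cut off mid-word — the second line of the block scalar ends in `This may include things such as firewall rules and anti-viru` — and since the reordering touches the surrounding keys this is the place to complete it. Suggested line: `  This may include things such as firewall rules and anti-virus.` The detection block and the rest of the rule are outside this hunk.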
@@ -28,6 +31,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1518.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index d7f20b484..db41fc30d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -10,6 +10,9 @@ references:
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022/09/26
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
logsource:
product: windows
category: ps_script
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Legitimate script
level: medium
-tags:
- - attack.exfiltration
- - attack.t1048.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
index 5815a0ca6..cb99de2e3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -3,12 +3,15 @@ id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
- id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
type: derived
+status: experimental
description: Detect adversaries enumerate sensitive files
references:
- https://twitter.com/malmoeb/status/1570814999370801158
-status: experimental
author: frack113
date: 2022/09/16
+tags:
+ - attack.discovery
+ - attack.t1083
logsource:
product: windows
category: ps_script
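Review bot: The description moved next to the new `status` key reads `Detect adversaries enumerate sensitive files`, which is ungrammatical and does not match the "Detects …" phrasing used by the neighbouring rules in this diff. Suggested line: `description: Detects adversaries enumerating sensitive files`. The detection logic is outside this hunk.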
@@ -30,6 +33,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.discovery
- - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index cc8cd7dd7..48c6e97fe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -1,17 +1,17 @@
title: Change PowerShell Policies to an Insecure Level
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
-description: Detects use of Set-ExecutionPolicy to set insecure policies
status: experimental
+description: Detects use of Set-ExecutionPolicy to set insecure policies
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
- https://adsecurity.org/?p=2604
-tags:
- - attack.execution
- - attack.t1059.001
author: frack113
date: 2021/10/20
modified: 2022/09/10
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 105e1a82f..37abac32d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -4,15 +4,15 @@ status: experimental
description: Detects Base64 encoded Shellcode
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
+author: David Ledbetter (shellcode), Florian Roth (rule)
+date: 2018/11/17
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055
- attack.execution
- attack.t1059.001
-author: David Ledbetter (shellcode), Florian Roth (rule)
-date: 2018/11/17
-modified: 2021/10/16
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index 06c0c193e..046a93cbc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -2,26 +2,26 @@ title: Malicious ShellIntel PowerShell Commandlets
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
status: experimental
description: Detects Commandlet names from ShellIntel exploitation scripts.
-date: 2021/08/09
-modified: 2021/10/16
references:
- https://github.com/Shellntel/scripts/
+author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+modified: 2021/10/16
tags:
- attack.execution
- attack.t1059.001
-author: Max Altgelt, Tobias Michalski
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
- selection:
- ScriptBlockText|contains:
- - Invoke-SMBAutoBrute
- - Invoke-GPOLinks
- - Out-Minidump
- - Invoke-Potato
- condition: selection
+ selection:
+ ScriptBlockText|contains:
+ - Invoke-SMBAutoBrute
+ - Invoke-GPOLinks
+ - Out-Minidump
+ - Invoke-Potato
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index 6fe4638b5..5e3bb6aec 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -1,13 +1,13 @@
title: Detected Windows Software Discovery
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
-description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
status: experimental
-author: Nikita Nazarov, oscd.community
-date: 2020/10/16
-modified: 2021/11/12
+description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+modified: 2021/11/12
tags:
- attack.discovery
- attack.t1518
@@ -24,6 +24,6 @@ detection:
- 'select-object'
- 'format-table'
condition: selection
-level: medium
falsepositives:
- Legitimate administration activities
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index f55767d6e..fe6b8c0a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -1,12 +1,12 @@
title: Powershell Store File In Alternate Data Stream
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
status: experimental
-author: frack113
-date: 2021/09/02
-modified: 2021/10/16
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
+author: frack113
+date: 2021/09/02
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1564.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index a974e13d5..8163e8a32 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -1,14 +1,17 @@
title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
id: 88f0884b-331d-403d-a3a1-b668cf035603
+status: experimental
description: |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
-status: experimental
author: frack113
date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1069.001
logsource:
product: windows
category: ps_script
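Review bot: The tag block relocated in this hunk carries `attack.t1069.001`, but the description talks about domain-level groups and the reference points at the T1069.002 atomic test; in ATT&CK, T1069.001 is Permission Groups Discovery: Local Groups and T1069.002 is Domain Groups, so the sub-technique looks wrong. Suggested line: `  - attack.t1069.002`. The removed copy of the tags in the second hunk of this file has the same value, so this is pre-existing rather than introduced here, but the move is a good moment to fix it.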
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1069.001
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index 49a838e80..e3484e805 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -3,14 +3,17 @@ id: 0f017df3-8f5a-414f-ad6b-24aff1128278
related:
- id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
type: derived
+status: experimental
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs
references:
- https://twitter.com/oroneequalsone/status/1568432028361830402
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
-status: experimental
author: Nasreddine Bencherchali
date: 2022/09/12
+tags:
+ - attack.defense_evasion
+ - attack.t1070.001
logsource:
product: windows
category: ps_script
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index a6a8eb1b7..67b6b25a5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
@@ -2,11 +2,14 @@ title: Powershell Directory Enumeration
id: 162e69a7-7981-4344-84a9-0f1c9a217a52
status: experimental
description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
-date: 2022/03/17
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
- https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+author: frack113
+date: 2022/03/17
+tags:
+ - attack.discovery
+ - attack.t1083
logsource:
product: windows
category: ps_script
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.discovery
- - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index ed29bdbf0..a216f6416 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell download command
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth
date: 2017/03/05
modified: 2021/10/18
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -25,4 +25,4 @@ detection:
condition: webclient and download
falsepositives:
- PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index f952b3ae5..b814f9f23 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -1,5 +1,6 @@
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
+status: experimental
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
@@ -8,9 +9,11 @@ description: |
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
-status: experimental
author: frack113
date: 2022/01/02
+tags:
+ - attack.execution
+ - attack.t1059.003
logsource:
product: windows
category: ps_script
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Legitimate administration script
level: medium
-tags:
- - attack.execution
- - attack.t1059.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index 578591967..f19e9202f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -1,14 +1,17 @@
title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: experimental
-author: frack113
-date: 2021/12/19
description: |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
+author: frack113
+date: 2021/12/19
+tags:
+ - attack.credential_access
+ - attack.t1552.001
logsource:
product: windows
category: ps_script
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.credential_access
- - attack.t1552.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 19b337b9a..6404067b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -1,12 +1,15 @@
title: Troubleshooting Pack Cmdlet Execution
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
status: experimental
-author: Nasreddine Bencherchali
-date: 2022/06/21
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
references:
- https://twitter.com/nas_bench/status/1537919885031772161
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+author: Nasreddine Bencherchali
+date: 2022/06/21
+tags:
+ - attack.defense_evasion
+ - attack.t1202
logsource:
product: windows
category: ps_script
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1202
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
index 2d1fdcd42..32cfd4e79 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
@@ -1,11 +1,14 @@
title: Suspicious Enumerate Active Directory Computers with Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: experimental
-author: frack113
-date: 2022/03/17
description: utilize Get-AdComputer to enumerate Computers within Active Directory.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
+author: frack113
+date: 2022/03/17
+tags:
+ - attack.discovery
+ - attack.t1018
logsource:
product: windows
category: ps_script
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1018
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index 8c02d658c..eed1d381f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -2,11 +2,14 @@ title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82
status: experimental
description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
-date: 2022/03/17
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
+author: frack113
+date: 2022/03/17
+tags:
+ - attack.discovery
+ - attack.t1201
logsource:
product: windows
category: ps_script
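Review bot: The description this hunk reorders around starts with the typo `Detetcts`, and the cmdlet is spelled `Get-Addefaultdomainpasswordpolicy` in the text while the title uses `Get-AdDefaultDomainPasswordPolicy`; both should be normalised since the description is what analysts read in the alert. Suggested line: `description: Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.` The detection block is outside this hunk.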
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.discovery
- - attack.t1201
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
index 8828e3bd0..1a512d560 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
@@ -1,11 +1,14 @@
title: Suspicious Enumerate Active Directory Groups with Get-AdComputer
id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
status: experimental
-author: frack113
-date: 2022/03/17
description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
+author: frack113
+date: 2022/03/17
+tags:
+ - attack.discovery
+ - attack.t1069.002
logsource:
product: windows
category: ps_script
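Review bot: The title on the new side still says `Suspicious Enumerate Active Directory Groups with Get-AdComputer`, while the description and the newly placed tag (`attack.t1069.002`) describe `Get-AdGroup` group enumeration; the title should name the cmdlet the rule actually matches, e.g. `title: Suspicious Enumerate Active Directory Groups with Get-AdGroup`. The single reference is the T1018 (Remote System Discovery) atomic page, which appears to be copied from the sibling Get-AdComputer rule and does not match the T1069.002 tag — a group-discovery reference would be more appropriate, if one is available. The detection block is outside this hunk.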
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1069.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
index 8c94df484..306f99d50 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
@@ -2,11 +2,14 @@ title: Suspicious PowerShell Get Current User
id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
status: experimental
description: Detects the use of PowerShell to identify the current logged user.
-date: 2022/04/04
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
+author: frack113
+date: 2022/04/04
+tags:
+ - attack.discovery
+ - attack.t1033
logsource:
product: windows
category: ps_script
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.discovery
- - attack.t1033
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
index 8ec5f3608..8fce8cea8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
@@ -2,11 +2,14 @@ title: Suspicious GPO Discovery With Get-GPO
id: eb2fd349-ec67-4caa-9143-d79c7fb34441
status: experimental
description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
-date: 2022/06/04
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
- https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
+author: frack113
+date: 2022/06/04
+tags:
+ - attack.discovery
+ - attack.t1615
logsource:
product: windows
category: ps_script
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.discovery
- - attack.t1615
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
index 2dc9e85f1..3e4ed607a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
@@ -2,11 +2,14 @@ title: Suspicious Process Discovery With Get-Process
id: af4c87ce-bdda-4215-b998-15220772e993
status: experimental
description: Get the processes that are running on the local computer.
-date: 2022/03/17
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7
+author: frack113
+date: 2022/03/17
+tags:
+ - attack.discovery
+ - attack.t1057
logsource:
product: windows
category: ps_script
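Review bot: The description on the context line is the Get-Process cmdlet help sentence ("Get the processes that are running on the local computer.") and does not say what the rule detects or why it is suspicious, which matters for analysts triaging a low-level hit. Suggest `description: Detects the use of the Get-Process cmdlet to enumerate running processes, a common process discovery step (T1057)` so the text matches the title and the new attack.t1057 tag. The selection is outside this hunk, so wording about which arguments are matched should be checked against it.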
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.discovery
- - attack.t1057
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 53b9343b1..797125188 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -4,12 +4,12 @@ status: experimental
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://twitter.com/PythonResponder/status/1385064506049630211
-tags:
- - attack.credential_access
- - attack.t1003.001
author: Florian Roth
date: 2021/04/23
modified: 2021/10/16
+tags:
+ - attack.credential_access
+ - attack.t1003.001
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
index 8f8c0b1d6..016637ff1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
@@ -2,10 +2,14 @@ title: Suspicious GetTypeFromCLSID ShellExecute
id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437
status: experimental
description: Detects suspicious Powershell code that execute COM Objects
-date: 2022/04/02
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
+author: frack113
+date: 2022/04/02
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.015
logsource:
product: windows
category: ps_script
@@ -19,7 +23,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1546.015
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
index de0c276a4..e3e8c2397 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
@@ -2,11 +2,14 @@ title: Suspicious Get-WmiObject
id: 0332a266-b584-47b4-933d-a00b103e1b37
status: experimental
description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
-date: 2022/01/12
-author: frack113
references:
- https://attack.mitre.org/datasources/DS0005/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
+date: 2022/01/12
+tags:
+ - attack.persistence
+ - attack.t1546
logsource:
product: windows
category: ps_script
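Review bot: The tag block moved here maps a Get-WmiObject detection to attack.persistence / attack.t1546 (Event Triggered Execution), while the description is a generic definition of WMI and the only reference is the DS0005 data-source page, so nothing in the visible metadata explains the persistence classification. The selection is outside this hunk; if it matches event-subscription classes (e.g. __EventFilter, __EventConsumer, __FilterToConsumerBinding) the precise tag is `- attack.t1546.003`, and if it matches ordinary Win32_* queries a discovery or execution tag (T1047) fits better than T1546. The description should also state what is detected rather than what WMI is, e.g. `description: Detects the use of Get-WmiObject to query WMI classes in PowerShell scripts`.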
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.persistence
- - attack.t1546
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 1f8c91ff0..3e88f4542 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -2,11 +2,14 @@ title: Suspicious Hyper-V Cmdlets
id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd
status: experimental
description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
-date: 2022/04/09
-author: frack113
references:
- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
+author: frack113
+date: 2022/04/09
+tags:
+ - attack.defense_evasion
+ - attack.t1564.006
logsource:
product: windows
category: ps_script
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1564.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index f854a4fdf..5ea94ecfc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell invocation command parameters
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/12
modified: 2021/12/02
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index e629c9615..d98028c9a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -5,12 +5,12 @@ related:
type: derived
status: experimental
description: Detects suspicious PowerShell invocation command parameters
-tags:
- - attack.execution
- - attack.t1059.001
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2022/02/21
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 0c6876386..38840bf2a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -1,13 +1,16 @@
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: experimental
-author: frack113
-date: 2022/01/23
description: |
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
+author: frack113
+date: 2022/01/23
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
logsource:
product: windows
category: ps_script
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.command_and_control
- - attack.t1071.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index 157bceab7..c595f7474 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -2,11 +2,14 @@ title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: experimental
description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
-date: 2022/01/09
-modified: 2022/03/05
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
+author: frack113
+date: 2022/01/09
+modified: 2022/03/05
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
logsource:
product: windows
category: ps_script
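Review bot: The tag block added here carries attack.t1070.003 (Indicator Removal: Clear Command History), but the description describes opening a volume via the \\.\ device path for a direct read and the sole reference is the T1006 (Direct Volume Access) atomic page, so the technique tag is wrong. Replace it with `- attack.t1006` (T1006 is also under defense_evasion, so the tactic tag stays). Since ATT&CK mappings feed coverage and correlation, a wrong technique here misattributes raw-disk access as log tampering.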
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index 7a58955c1..e5cb398a8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -2,14 +2,14 @@ title: Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
-date: 2019/02/11
-modified: 2021/10/16
-author: Florian Roth, Perez Diego (@darkquassar)
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
+author: Florian Roth, Perez Diego (@darkquassar)
+date: 2019/02/11
+modified: 2021/10/16
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index d995e57ac..28dd6e838 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -9,6 +9,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021/12/12
+tags:
+ - attack.discovery
+ - attack.t1069.001
logsource:
product: windows
category: ps_script
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index b12d37d83..45c632eb1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -1,12 +1,14 @@
title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: experimental
+description: |
+ Adversaries may target user email on local systems to collect sensitive information.
+ Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
author: frack113
date: 2021/07/21
modified: 2021/10/16
-description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
tags:
- attack.collection
- attack.t1114.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 85475c278..5dbc2f1ac 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -2,11 +2,14 @@ title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: experimental
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
-date: 2022/02/01
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
- https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+author: frack113
+date: 2022/02/01
+tags:
+ - attack.defense_evasion
+ - attack.t1553.005
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: low
-tags:
- - attack.defense_evasion
- - attack.t1553.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index 0d1262dd8..e0e381e37 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -8,6 +8,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021/12/27
+tags:
+ - attack.credential_access
+ - attack.t1110.001
logsource:
product: windows
category: ps_script
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.credential_access
- - attack.t1110.001
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 046048072..61737d379 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -1,12 +1,15 @@
title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
+status: experimental
description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
-status: experimental
author: frack113
date: 2022/08/13
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
logsource:
product: windows
category: ps_script
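Review bot: The description on the context line is missing its object ("Adversaries may use to interact with a remote network share") and never names the cmdlet the title refers to. Suggest `description: Detects the use of New-PSDrive to map a remote administrative share (e.g. C$, ADMIN$) over SMB, after which the adversary can act on the remote host as the logged-on user`. The selection is outside this hunk, so confirm the share names mentioned match what is actually detected.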
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.lateral_movement
- - attack.t1021.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index db689fc05..392f497b8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -6,6 +6,9 @@ references:
- https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
author: Nasreddine Bencherchali
date: 2022/07/08
+tags:
+ - attack.command_and_control
+ - attack.t1090
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.command_and_control
- - attack.t1090
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
index 3e21c39d4..211a61506 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -1,12 +1,12 @@
title: Recon Information for Export with PowerShell
id: a9723fcc-881c-424c-8709-fd61442ab3c3
status: experimental
-author: frack113
-date: 2021/07/30
-modified: 2021/12/02
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
+author: frack113
+date: 2021/07/30
+modified: 2021/12/02
tags:
- attack.collection
- attack.t1119
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 927ae77c8..9966e7b8a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -1,13 +1,16 @@
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: experimental
-author: frack113
-date: 2021/12/26
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
+author: frack113
+date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1531
logsource:
product: windows
category: ps_script
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
- - attack.t1531
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index f3befb832..7a8ae67f6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -1,13 +1,17 @@
title: Suspicious Get Information for SMB Share
id: 95f0643a-ed40-467c-806b-aac9542ec5ab
+status: experimental
description: |
- Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
+ Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
+ a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
-status: experimental
author: frack113
date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1069.001
logsource:
product: windows
category: ps_script
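Review bot: The title and the reflowed description are about enumerating shared folders and drives on remote systems, which ATT&CK classifies as T1135 Network Share Discovery, yet the tag block added here is attack.t1069.001 (Permission Groups Discovery: Local Groups) and the reference is the T1069.002 atomic page, so both disagree with the rule's own text. Replace the technique tag with `- attack.t1135` and point the reference at the T1135 atomic. The selection is outside this hunk; if it actually matches group-enumeration cmdlets rather than Get-SmbShare/Get-SmbConnection, then the title and description are what need changing instead.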
@@ -19,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index 9663b80e5..b840d8d3f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -7,6 +7,9 @@ references:
- https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022/01/23
+tags:
+ - attack.command_and_control
+ - attack.t1573
logsource:
product: windows
category: ps_script
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: low
-tags:
- - attack.command_and_control
- - attack.t1573
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index a44817bba..1ae9f611a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -2,11 +2,14 @@ title: Suspicious Start-Process PassThru
id: 0718cd72-f316-4aa2-988f-838ea8533277
status: experimental
description: Powershell use PassThru option to start in background
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
date: 2022/01/15
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
logsource:
product: windows
category: ps_script
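Review bot: The description on the context line says -PassThru is used "to start in background", but -PassThru only makes Start-Process return the created process object; it does not background or hide the process, so the sentence misstates what is being detected. Suggest `description: Detects the use of Start-Process with the -PassThru switch, which returns the launched process object; used in the referenced T1036.003 masquerading test`. The selection is outside this hunk, so confirm it keys on the PassThru argument before adopting the wording.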
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1036.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 324e94a36..5dfe70bc1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -2,11 +2,14 @@ title: Suspicious Unblock-File
id: 5947497f-1aa4-41dd-9693-c9848d58727d
status: experimental
description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
-date: 2022/02/01
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
+author: frack113
+date: 2022/02/01
+tags:
+ - attack.defense_evasion
+ - attack.t1553.005
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1553.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
index 61d59550f..5d5615af3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
@@ -1,13 +1,16 @@
title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: experimental
-author: frack113
-date: 2021/12/26
description: |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
+author: frack113
+date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1491.001
logsource:
product: windows
category: ps_script
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unknown
level: low
-tags:
- - attack.impact
- - attack.t1491.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
index 4e0728998..da31d6ef4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
@@ -1,12 +1,12 @@
title: Powershell Suspicious Win32_PnPEntity
id: b26647de-4feb-4283-af6b-6117661283c5
status: experimental
-author: frack113
-date: 2021/08/23
-modified: 2021/10/16
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
+author: frack113
+date: 2021/08/23
+modified: 2021/10/16
tags:
- attack.discovery
- attack.t1120
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index e63f2ede9..c3c9de7a3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -1,11 +1,14 @@
title: Delete Volume Shadow Copies via WMI with PowerShell
id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
status: test
-author: frack113
-date: 2021/12/26
description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+author: frack113
+date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1490
logsource:
product: windows
category: ps_script
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.impact
- - attack.t1490
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
index acfbb78e5..97e19d2b6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
@@ -6,18 +6,18 @@ related:
- id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
type: similar
status: experimental
-author: Tim Rauch
-date: 2022/09/20
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
-logsource:
- category: ps_script
- product: windows
+author: Tim Rauch
+date: 2022/09/20
tags:
- attack.impact
- attack.t1490
+logsource:
+ category: ps_script
+ product: windows
detection:
selection_get:
ScriptBlockText|contains:
@@ -37,4 +37,4 @@ detection:
condition: all of selection*
falsepositives:
- Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index b17c227c1..7ae82de7f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -1,14 +1,16 @@
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: experimental
-description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
+description: |
+ Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
+ In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
+author: frack113
+date: 2021/10/20
tags:
- attack.defense_evasion
- attack.t1564.003
-author: frack113
-date: 2021/10/20
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index cbd7befed..3bf43e462 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -4,10 +4,10 @@ status: experimental
description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
references:
- https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
-tags:
- - attack.defense_evasion
author: Nasreddine Bencherchali
date: 2022/08/16
+tags:
+ - attack.defense_evasion
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 88651cd46..e8f63ef62 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -1,12 +1,12 @@
title: Zip A Folder With PowerShell For Staging In Temp
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
status: experimental
-author: frack113
-date: 2021/07/20
-modified: 2021/10/16
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
+author: frack113
+date: 2021/07/20
+modified: 2021/10/16
tags:
- attack.collection
- attack.t1074.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 64aae14b5..1ab1fd7e9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -5,8 +5,8 @@ related:
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
-description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
status: experimental
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
@@ -25,4 +25,4 @@ detection:
condition: selection
falsepositives:
- App-V clients
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index e5a7840ed..8d2a5aa0d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.
-author: frack113, elhoim
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
+author: frack113, elhoim
date: 2022/01/16
modified: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: ps_script
@@ -53,6 +56,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index dc5a6bedb..878e181a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -5,10 +5,13 @@ related:
type: similar
status: experimental
description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet
-author: Nasreddine Bencherchali
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
+author: Nasreddine Bencherchali
date: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: ps_script
@@ -26,6 +29,3 @@ detection:
falsepositives:
- Legitimate PowerShell scripts
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index fca3e1fb2..447eb452c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -2,13 +2,16 @@ title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: experimental
description: |
- Adversaries may communicate using a protocol and port paring that are typically not associated.
- For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
+ Adversaries may communicate using a protocol and port paring that are typically not associated.
+ For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
- https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022/01/23
+tags:
+ - attack.command_and_control
+ - attack.t1571
logsource:
product: windows
category: ps_script
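Review bot: The re-indented description line `Adversaries may communicate using a protocol and port paring that are typically not associated.` still carries the typo "paring"; since this hunk rewrites the line anyway, make it `protocol and port pairing`. The `(Citation: Symantec Elfin Mar 2019)` / `(Citation: Fortinet Agent Tesla April 2018)` markers on the next line are artefacts of the MITRE source text and mean nothing to an analyst reading the rule; either drop them or move the sources into `references`. The detection block of this rule is outside the hunk, so only the wording is reviewed here.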
@@ -27,6 +30,3 @@ detection:
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.command_and_control
- - attack.t1571
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index e605ad891..987567239 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -1,13 +1,15 @@
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: experimental
-author: frack113
-date: 2021/08/03
-modified: 2021/10/16
-description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
+description: |
+ Adversaries may modify file time attributes to hide new or changes to existing files.
+ Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
+author: frack113
+date: 2021/08/03
+modified: 2021/10/16
tags:
- attack.defense_evasion
- attack.t1070.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
index f5e7a3213..0f38eb408 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
@@ -1,12 +1,12 @@
title: Powershell Trigger Profiles by Add_Content
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
status: experimental
-author: frack113
-date: 2021/08/18
-modified: 2021/10/16
description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
+author: frack113
+date: 2021/08/18
+modified: 2021/10/16
tags:
- attack.privilege_escalation
- attack.t1546.013
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
index c10fa78bc..766c40007 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
@@ -8,6 +8,9 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
author: frack113
date: 2022/01/07
+tags:
+ - attack.exfiltration
+ - attack.t1020
logsource:
product: windows
category: ps_script
@@ -20,12 +23,9 @@ detection:
selection_method:
ScriptBlockText|contains: '-Method '
selection_verb:
- - ' Put '
- - ' Post '
+ - ' Put '
+ - ' Post '
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium
-tags:
- - attack.exfiltration
- - attack.t1020
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
index 84ea5df37..fad3f7007 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
@@ -5,10 +5,10 @@ related:
type: similar
status: experimental
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-author: Nasreddine Bencherchali
references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
+author: Nasreddine Bencherchali
date: 2022/10/17
tags:
- attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
index f38527907..54c54c962 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
@@ -2,10 +2,13 @@ title: PowerShell WMI Win32_Product Install MSI
id: 91109523-17f0-4248-a800-f81d9e7c081d
status: experimental
description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
-author: frack113
-date: 2022/04/24
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
+author: frack113
+date: 2022/04/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
logsource:
product: windows
category: ps_script
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218.007
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 90bb6116f..07b8ab10c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -9,17 +9,17 @@ references:
- https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
author: Tim Rauch
date: 2022/09/16
-logsource:
- category: ps_script
- product: windows
tags:
- attack.defense_evasion
- attack.t1562
- attack.execution
- attack.t1059
+logsource:
+ category: ps_script
+ product: windows
detection:
selection_args_exc:
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
- ' -ExclusionPath '
- ' -ExclusionExtension '
- ' -ExclusionProcess '
@@ -31,4 +31,4 @@ detection:
condition: all of selection*
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index 2342e0ea6..9dcd17630 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -3,17 +3,20 @@ id: 488b44e7-3781-4a71-888d-c95abfacf44d
related:
- id: 12f6b752-042d-483e-bf9c-915a6d06ad75
type: similar
-description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
status: experimental
-author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/10/11
+description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
references:
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
- https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
- http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
- http://woshub.com/manage-windows-firewall-powershell/
- https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
+author: Austin Songer @austinsonger
+date: 2021/10/12
+modified: 2022/10/11
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
logsource:
product: windows
category: ps_script
@@ -31,9 +34,6 @@ detection:
- 'Domain'
- 'Private'
condition: all of selection*
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-level: medium
falsepositives:
- - Unknown
\ No newline at end of file
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 7d46def56..3ce685531 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -1,12 +1,19 @@
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
+description: |
+ Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+ Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
+ used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
+ load and execute malicious DLLs and/or executables.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2022/07/07
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
+tags:
+ - attack.persistence
+ - attack.t1547.004
logsource:
product: windows
category: ps_script
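Review bot: The rewritten description gives the key as `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, which drops the separators around the optional WOW64 segment and is not a valid path either with or without that segment. Since these lines are new in this hunk, write it so both real keys read back correctly, e.g. `HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\`, or spell the native and Wow6432Node keys out separately. The rule's detection block is outside this hunk, so whether the selection actually covers both key views cannot be checked from here.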
@@ -22,6 +29,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1547.004
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 3185d93ed..3ce752051 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -1,13 +1,13 @@
title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: experimental
-author: frack113
-date: 2021/08/19
-modified: 2021/10/16
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
+author: frack113
+date: 2021/08/19
+modified: 2021/10/16
tags:
- attack.privilege_escalation
- attack.t1546.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
index 35daf9536..6339315bd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
@@ -5,11 +5,11 @@ related:
type: similar
status: experimental
description: Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
-author: Nasreddine Bencherchali
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
+author: Nasreddine Bencherchali
date: 2022/06/20
tags:
- attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index 1bc607c4e..29b7fbc93 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -4,13 +4,13 @@ status: experimental
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
+author: NVISO
+date: 2020/03/26
+modified: 2021/10/16
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
-author: NVISO
-date: 2020/03/26
-modified: 2021/10/16
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index c0ff702f1..20239ddca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -2,13 +2,16 @@ title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: experimental
description: |
- Adversaries may abuse PowerShell commands and scripts for execution.
- PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
- Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
-author: frack113
-date: 2022/01/19
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
+ Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
+author: frack113
+date: 2022/01/19
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -20,12 +23,9 @@ detection:
- System.Xml.XmlDocument
- .Load
selection_exec:
- - IEX
- - Invoke-Expression
+ - IEX
+ - Invoke-Expression
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
index c16f73005..2b8d96bfe 100755
--- a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -2,6 +2,11 @@ title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+references:
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+author: Nik Seetharaman
+date: 2018/07/16
+modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1218.003
@@ -10,18 +15,6 @@ tags:
- attack.g0069
- attack.g0080
- car.2019-04-001
-author: Nik Seetharaman
-date: 2018/07/16
-modified: 2021/06/27
-references:
- - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
-falsepositives:
- - Legitimate CMSTP use (unlikely in modern enterprise environments)
-level: high
logsource:
product: windows
category: process_access
@@ -30,3 +23,10 @@ detection:
selection:
CallTrace|contains: 'cmlua.dll'
condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index 3e6adfd2c..6940a8162 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -2,15 +2,14 @@ title: Credentials Dumping Tools Accessing LSASS Memory
id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
status: experimental
description: Detects process access LSASS memory which is typical for credentials dumping tools
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
- oscd.community (update)
-date: 2017/02/16
-modified: 2022/10/20
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
+date: 2017/02/16
+modified: 2022/10/20
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 6927b4a22..594109d69 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -1,12 +1,15 @@
title: Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+status: experimental
description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
references:
- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
-status: experimental
author: Christian Burkard, Tim Shelton
date: 2021/07/28
modified: 2022/10/05
+tags:
+ - attack.execution
+ - attack.t1106
logsource:
category: process_access
product: windows
@@ -58,6 +61,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1106
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
index 9b3776bcc..b09a8aeef 100644
--- a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
@@ -2,33 +2,33 @@ title: SysmonEnte Usage
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: experimental
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
-author: Florian Roth
references:
- - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
- - https://github.com/codewhitesec/SysmonEnte/
- - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
+ - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
+ - https://github.com/codewhitesec/SysmonEnte/
+ - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
+author: Florian Roth
date: 2022/09/07
modified: 2022/09/09
tags:
- - attack.defense_evasion
- - attack.t1562.002
+ - attack.defense_evasion
+ - attack.t1562.002
logsource:
- category: process_access
- product: windows
+ category: process_access
+ product: windows
detection:
- selection_1:
- TargetImage: 'C:\Windows\Sysmon64.exe'
- GrantedAccess: '0x1400'
- filter_1:
- SourceImage|startswith:
- - 'C:\Program Files'
- - 'C:\Windows\System32\'
- filter_msdefender:
- SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- SourceImage|endswith: '\MsMpEng.exe'
- selection_calltrace:
- CallTrace: 'Ente'
- condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
+ selection_1:
+ TargetImage: 'C:\Windows\Sysmon64.exe'
+ GrantedAccess: '0x1400'
+ filter_1:
+ SourceImage|startswith:
+ - 'C:\Program Files'
+ - 'C:\Windows\System32\'
+ filter_msdefender:
+ SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ SourceImage|endswith: '\MsMpEng.exe'
+ selection_calltrace:
+ CallTrace: 'Ente'
+ condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace
falsepositives:
- - Unknown
+ - Unknown
level: high
diff --git a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
index a4e1b36f7..825b7aee5 100644
--- a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
@@ -1,11 +1,16 @@
title: HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
+status: experimental
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
- https://github.com/codewhitesec/HandleKatz
-status: experimental
author: Bhabesh Raj (rule), @thefLinkk
date: 2022/06/27
+tags:
+ - attack.execution
+ - attack.t1106
+ - attack.defense_evasion
+ - attack.t1003.001
logsource:
category: process_access
product: windows
@@ -21,8 +26,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1106
- - attack.defense_evasion
- - attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
index 3e02c246a..c9b159c94 100644
--- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
@@ -1,12 +1,18 @@
title: Suspicious In-Memory Module Execution
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
-description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
-date: 2019/10/27
-modified: 2022/03/16
-author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+description: |
+ Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.
+ An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),
+ it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory.
+ Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that
+ most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries.
+ The latter should also be considered suspicious.
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+modified: 2022/03/16
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -18,14 +24,14 @@ logsource:
detection:
selection1:
CallTrace|contains|all:
- - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
- - '|C:\WINDOWS\System32\KERNELBASE.dll+'
- - '|UNKNOWN('
- - ')'
+ - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
+ - '|C:\WINDOWS\System32\KERNELBASE.dll+'
+ - '|UNKNOWN('
+ - ')'
selection2:
CallTrace|contains|all:
- - 'UNKNOWN('
- - ')|UNKNOWN('
+ - 'UNKNOWN('
+ - ')|UNKNOWN('
CallTrace|endswith: ')'
selection3:
CallTrace|contains: 'UNKNOWN'
@@ -95,6 +101,6 @@ fields:
- SourceImage
- TargetImage
- CallTrace
-level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high
falsepositives:
- SysInternals Process Explorer
+level: low
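Review bot: Moving `level: low` to the end of the file silently drops the inline rationale that was attached to it (`# too many false positives ... with all kinds of software is just too high`), so the new side no longer explains why a rule for reflectively-loaded modules accessing other processes is rated low. Keep the reasoning with the key, e.g. `level: low  # kept low: the UNKNOWN call-trace pattern fires on many kinds of legitimate software`, or fold it into `falsepositives`, whose single entry `SysInternals Process Explorer` understates what the old comment described. The selection and filter blocks are outside this hunk, so the filters themselves are not reviewed here.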
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
index 79a21ccf6..0dbb54f4e 100755
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
@@ -2,12 +2,12 @@ title: Suspect Svchost Memory Asccess
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
-author: Tim Burrell
-date: 2020/01/02
-modified: 2021/10/21
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
+author: Tim Burrell
+date: 2020/01/02
+modified: 2021/10/21
tags:
- attack.defense_evasion
- attack.t1562.002
diff --git a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
index 2ee526a84..0e7884374 100644
--- a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
@@ -1,12 +1,12 @@
title: Credential Dumping by LaZagne
id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
-description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
-date: 2020/09/09
-modified: 2022/08/13
-author: Bhabesh Raj, Jonhnathan Ribeiro
+description: Detects LSASS process access by LaZagne for credential dumping.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+modified: 2022/08/13
tags:
- attack.credential_access
- attack.t1003.001
@@ -15,15 +15,15 @@ logsource:
category: process_access
product: windows
detection:
- selection:
+ selection:
TargetImage|endswith: '\lsass.exe'
- CallTrace|contains|all:
+ CallTrace|contains|all:
- 'C:\Windows\SYSTEM32\ntdll.dll+'
- '|C:\Windows\System32\KERNELBASE.dll+'
- '_ctypes.pyd+'
- 'python27.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
-level: critical
falsepositives:
- Unknown
+level: critical
diff --git a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
index fe95401c7..3b6b39d63 100644
--- a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
@@ -1,12 +1,16 @@
title: LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+status: experimental
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
- https://github.com/connormcgarr/LittleCorporal
-status: experimental
author: Christian Burkard
date: 2021/08/09
modified: 2022/06/02
+tags:
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1055.003
logsource:
category: process_access
product: windows
@@ -20,7 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1204.002
- - attack.t1055.003
diff --git a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
index e288ae455..dfc7bf951 100644
--- a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
+++ b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
@@ -2,29 +2,29 @@ title: Load Undocumented Autoelevated COM Interface
id: fb3722e4-1a06-46b6-b772-253e2e7db933
status: test
description: COM interface (EditionUpgradeManager) that is not used by standard executables.
-author: oscd.community, Dmitry Uchakin
references:
- - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
- - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+ - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+author: oscd.community, Dmitry Uchakin
date: 2020/10/07
modified: 2021/11/27
-logsource:
- category: process_access
- product: windows
-detection:
- selection:
- CallTrace|contains: 'editionupgrademanagerobj.dll'
- condition: selection
-fields:
- - ComputerName
- - User
- - SourceImage
- - TargetImage
- - CallTrace
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ CallTrace|contains: 'editionupgrademanagerobj.dll'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - SourceImage
+ - TargetImage
+ - CallTrace
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
index 0f20ccca4..21fc5e414 100755
--- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -2,14 +2,14 @@ title: LSASS Memory Dump
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
-author: Samir Bousseaden, Michael Haag
-date: 2019/04/03
-modified: 2022/09/29
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
+author: Samir Bousseaden, Michael Haag
+date: 2019/04/03
+modified: 2022/09/29
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
index 1a3377113..3e06a84f2 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
@@ -2,11 +2,11 @@ title: LSASS Access from White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: experimental
description: Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference
-author: Florian Roth
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://twitter.com/mrd0x/status/1460597833917251595
+author: Florian Roth
date: 2022/02/10
tags:
- attack.credential_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
index 3942dce45..bfc38e152 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
@@ -2,10 +2,10 @@ title: LSASS Memory Access by Tool Named Dump
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: experimental
description: Detects a possible process memory dump based on a keyword in the file name of the accessing process
-author: Florian Roth
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
+author: Florian Roth
date: 2022/02/10
tags:
- attack.credential_access
diff --git a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
index 4d574d34f..c53dedfbb 100755
--- a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
@@ -2,31 +2,31 @@ title: Malware Shellcode in Verclsid Target Process
id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
status: test
description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
-author: John Lambert (tech), Florian Roth (rule)
references:
- - https://twitter.com/JohnLaTwC/status/837743453039534080
+ - https://twitter.com/JohnLaTwC/status/837743453039534080
+author: John Lambert (tech), Florian Roth (rule)
date: 2017/03/04
modified: 2021/11/27
-logsource:
- category: process_access
- product: windows
- definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
-detection:
- selection:
- TargetImage|endswith: '\verclsid.exe'
- GrantedAccess: '0x1FFFFF'
- combination1:
- CallTrace|contains|all:
- - '|UNKNOWN('
- - 'VBE7.DLL'
- combination2:
- SourceImage|contains: '\Microsoft Office\'
- CallTrace|contains: '|UNKNOWN'
- condition: selection and 1 of combination*
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: process_access
+ product: windows
+ definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
+detection:
+ selection:
+ TargetImage|endswith: '\verclsid.exe'
+ GrantedAccess: '0x1FFFFF'
+ combination1:
+ CallTrace|contains|all:
+ - '|UNKNOWN('
+ - 'VBE7.DLL'
+ combination2:
+ SourceImage|contains: '\Microsoft Office\'
+ CallTrace|contains: '|UNKNOWN'
+ condition: selection and 1 of combination*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
index d87221f9d..b323d50c9 100755
--- a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
@@ -1,12 +1,20 @@
title: Mimikatz through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+status: stable
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
-status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
modified: 2021/06/21
+tags:
+ - attack.credential_access
+ - attack.execution
+ - attack.t1003.001
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.006
+ - attack.s0002
logsource:
category: process_access
product: windows
@@ -17,14 +25,6 @@ detection:
filter:
GrantedAccess: '0x80000000'
condition: selection and not filter
-tags:
- - attack.credential_access
- - attack.execution
- - attack.t1003.001
- - attack.t1059.001
- - attack.lateral_movement
- - attack.t1021.006
- - attack.s0002
falsepositives:
- Unlikely
level: high
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
index bac055325..5b6884bf3 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -1,19 +1,19 @@
title: Rare GrantedAccess Flags on LSASS Access
id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
related:
- - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: obsoletes
status: experimental
description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
-author: Florian Roth
-date: 2022/03/13
-modified: 2022/10/19
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth
+date: 2022/03/13
+modified: 2022/10/25
tags:
- attack.credential_access
- attack.t1003.001
@@ -68,6 +68,8 @@ detection:
SourceImage|endswith:
- '\thor64.exe'
- '\thor.exe'
+ - '\aurora-agent-64.exe'
+ - '\aurora-agent.exe'
filter_ms_products:
SourceImage|contains|all:
- '\AppData\Local\Temp\'
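Review bot: The two new `SourceImage|endswith` entries exclude any process whose image is named `aurora-agent-64.exe` or `aurora-agent.exe`, regardless of where it runs from; the filter this list belongs to starts above the hunk, and the neighbouring `filter_ms_products` shows the tighter pattern the rule already uses, `SourceImage|contains|all` with a path fragment. Binding the name to its expected location the same way, e.g. `SourceImage|contains|all:` with `'<aurora-agent install directory placeholder>\'` and `'\aurora-agent'`, keeps the exclusion specific to the product rather than to a filename. The identical addition in the `@@ -82,9 +82,12 @@` hunk of proc_access_win_susp_proc_access_lsass_susp_source.yml has the same weakness.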
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
index 244424d94..c6fe87bfa 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -1,19 +1,19 @@
title: Suspicious GrantedAccess Flags on LSASS Access
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: obsoletes
status: experimental
description: Detects process access to LSASS memory with suspicious access flags
-author: Florian Roth
-date: 2021/11/22
-modified: 2022/06/20
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth
+date: 2021/11/22
+modified: 2022/06/20
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index cdfea0bc7..95bd162f3 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -2,15 +2,15 @@ title: LSASS Access from Program in Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: experimental
description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
-author: Florian Roth
-date: 2021/11/27
-modified: 2022/10/20
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth
+date: 2021/11/27
+modified: 2022/10/25
tags:
- attack.credential_access
- attack.t1003.001
@@ -82,9 +82,12 @@ detection:
SourceImage|endswith:
- '\thor64.exe'
- '\thor.exe'
+ - '\aurora-agent-64.exe'
+ - '\aurora-agent.exe'
GrantedAccess:
- '0x1fffff'
- '0x1010'
+ - '0x101010'
filter_ms_products:
SourceImage|contains|all:
- '\AppData\Local\Temp\'
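Review bot: The added `'0x101010'` widens the `GrantedAccess` list of this allowlist filter without recording which of the listed scanners requests that access mask, so the exclusion cannot be audited later without re-deriving it. A one-line comment on the new value, e.g. `- '0x101010'  # observed from <product/version placeholder>`, would make the change self-documenting. The filter's name and the start of its definition are outside the hunk.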
diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/process_access_win_susp_seclogon.yml
index 48afada97..efd557420 100644
--- a/rules/windows/process_access/process_access_win_susp_seclogon.yml
+++ b/rules/windows/process_access/process_access_win_susp_seclogon.yml
@@ -2,12 +2,15 @@ title: Suspicious LSASS Access Via MalSecLogon
id: 472159c5-31b9-4f56-b794-b766faa8b0a7
status: experimental
description: Detects suspicious access to Lsass handle via a call trace to "seclogon.dll"
-author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)
references:
- https://twitter.com/SBousseaden/status/1541920424635912196
- https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
+author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)
date: 2022/06/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
logsource:
category: process_access
product: windows
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.credential_access
- - attack.t1003.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
index 911c0d961..c7458db1b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
@@ -11,7 +11,7 @@ tags:
- attack.t1218
author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2019/11/12
-modified: 2022/09/20
+modified: 2022/10/25
logsource:
category: process_creation
product: windows
@@ -24,21 +24,29 @@ detection:
- '--processStart'
- '--processStartAndWait'
- '--createShortcut'
- filter1:
- - CommandLine|contains|all:
+ filter_discord:
+ CommandLine|contains|all:
- 'C:\Users\'
- '\AppData\Local\Discord\Update.exe'
- - ' --processStart Discord.exe'
- - CommandLine|contains|all:
+ - ' --processStart'
+ - 'Discord.exe'
+ filter_github_desktop:
+ CommandLine|contains|all:
- 'C:\Users\'
- - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe'
- - CommandLine|contains|all:
+ - '\AppData\Local\GitHubDesktop\Update.exe'
+ - 'GitHubDesktop.exe'
+ CommandLine|contains:
+ - '--createShortcut'
+ - '--processStartAndWait'
+ filter_teams:
+ CommandLine|contains|all:
- 'C:\Users\'
- - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe'
- - CommandLine|contains|all:
- - 'C:\Users\'
- - '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'
- condition: all of selection* and not 1 of filter*
+ - '\AppData\Local\Microsoft\Teams\Update.exe'
+ - 'Teams.exe'
+ CommandLine|contains:
+ - '--processStart'
+ - '--createShortcut'
+ condition: all of selection* and not 1 of filter_*
falsepositives:
- 1Clipboard
- Beaker Browser
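Review bot: Splitting the previously contiguous argument strings into independent `contains` terms makes each exclusion broader than the one it replaces: `filter_discord` now matches as soon as `' --processStart'` and `'Discord.exe'` both occur anywhere in the command line, whereas the old filter required ` --processStart Discord.exe`, and `filter_github_desktop` and `filter_teams` likewise no longer tie the switch to its executable, with `filter_teams` additionally admitting `--createShortcut`, which the old rule did not. Note too that `contains` on `' --processStart'` also matches `--processStartAndWait`. If the intent is to accept both quoted and unquoted invocations, keeping the switch and its argument adjacent and listing the variants under `CommandLine|contains`, e.g. `- ' --processStart Discord.exe'` and `- ' --processStart "Discord.exe"'` (constructed example), preserves the original precision. The `selection` stanza referenced by the condition begins outside the hunk.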
@@ -72,4 +80,4 @@ falsepositives:
- Gitkraken
- Slack
- Teams
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
index 44e62d088..20c31d6f8 100644
--- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
@@ -2,11 +2,13 @@ title: Persistence Via New AMSI Providers
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: experimental
description: Detects when an attacker registers a new AMSI provider in order to achieve persistence
-author: Nasreddine Bencherchali
references:
- https://persistence-info.github.io/Data/amsi.html
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
+author: Nasreddine Bencherchali
date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_add
product: windows
@@ -22,5 +24,3 @@ detection:
falsepositives:
- Legitimate security products adding their own AMSI providers
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
index 2d2669d26..5d914dce6 100644
--- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
+++ b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml
@@ -2,12 +2,16 @@ title: Logon Scripts Creation in UserInitMprLogonScript Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of UserInitMprLogonScript persistence method
-author: Tom Ueltschi (@c_APT_ure)
references:
- https://attack.mitre.org/techniques/T1037/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
+author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
modified: 2022/06/26
+tags:
+ - attack.t1037.001
+ - attack.persistence
+ - attack.lateral_movement
logsource:
category: registry_add
product: windows
@@ -19,7 +23,3 @@ detection:
falsepositives:
- Exclude legitimate logon scripts
level: high
-tags:
- - attack.t1037.001
- - attack.persistence
- - attack.lateral_movement
diff --git a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
index 94dfc6975..62e50e652 100644
--- a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
+++ b/rules/windows/registry/registry_add/registry_add_mal_netwire.yml
@@ -1,21 +1,19 @@
title: NetWire RAT Registry Key
id: 1d218616-71b0-4c40-855b-9dbe75510f7f
-description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
-Note: You likely will have to change the sysmon configuration file.
- Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for,
- or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation"
- Therefore I set netwire in my configuration.
status: experimental
+description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
references:
- https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing
- https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/
- https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
- https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
- https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
+author: Christopher Peacock
date: 2021/10/07
modified: 2022/06/26
-author: Christopher Peacock
-level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
logsource:
product: windows
category: registry_add
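Review bot: The inline comment on the new `attack.t1112` line has no space after the `#` and only one space before it, which yamllint's `comments` rule flags; write it as `  - attack.t1112  # The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary`. The `logsource` stanza continues past the hunk.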
@@ -26,6 +24,5 @@ detection:
condition: selection
falsepositives:
- Unknown
-tags:
- - attack.defense_evasion
- - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary
\ No newline at end of file
+level: high
+Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set netwire in my configuration.
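Review bot: `Note:` is re-added as a top-level key, which is not a Sigma rule field; it was a stray key in the old file as well, and the schema validation run on rule files may well reject it. The text is guidance on configuring the log source, which is exactly what `logsource.definition` carries elsewhere in this commit (for example in proc_access_win_malware_verclsid_shellcode.yml), so it belongs there: `definition: 'You likely will have to change the sysmon configuration file. …'`, with the top-level `Note:` line dropped. Because the text contains double quotes, single-quote it or use a `>-` block scalar rather than a bare plain scalar.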
diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
index a6e6506f3..18fe8717e 100755
--- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
+++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml
@@ -7,6 +7,9 @@ references:
author: Kutepov Anton, oscd.community
date: 2019/10/23
modified: 2022/09/29
+tags:
+ - attack.persistence
+ - attack.t1546.015
logsource:
category: registry_add
product: windows
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
-tags:
- - attack.persistence
- - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
index 217a21292..0bf48f7de 100644
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
@@ -9,8 +9,11 @@ status: experimental
description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools
references:
- Internal Research
-date: 2022/08/24
author: Nasreddine Bencherchali
+date: 2022/08/24
+tags:
+ - attack.resource_development
+ - attack.t1588.002
logsource:
product: windows
category: registry_add
@@ -49,6 +52,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.resource_development
- - attack.t1588.002
diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
index e1f5fddaa..e441962d1 100644
--- a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml
@@ -7,8 +7,11 @@ status: experimental
description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
-date: 2022/08/24
author: Nasreddine Bencherchali
+date: 2022/08/24
+tags:
+ - attack.resource_development
+ - attack.t1588.002
logsource:
product: windows
category: registry_add
@@ -30,6 +33,3 @@ detection:
falsepositives:
- Legitimate use of SysInternals tools
level: medium
-tags:
- - attack.resource_development
- - attack.t1588.002
diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
index ce209be72..06cd58376 100755
--- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml
@@ -4,9 +4,12 @@ status: experimental
description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
+author: Markus Neis
date: 2017/08/28
modified: 2022/06/26
-author: Markus Neis
+tags:
+ - attack.resource_development
+ - attack.t1588.002
logsource:
product: windows
category: registry_add
@@ -19,6 +22,3 @@ falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
level: low
-tags:
- - attack.resource_development
- - attack.t1588.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
index 7d197391c..8e31f3caf 100644
--- a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
+++ b/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml
@@ -1,13 +1,16 @@
title: Sysinternals SDelete Registry Keys
id: 9841b233-8df8-4ad7-9133-b0b4402a9014
-description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
status: experimental
-date: 2020/05/02
-modified: 2022/06/26
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/9
- https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2022/06/26
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
logsource:
product: windows
category: registry_add
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.004
\ No newline at end of file
diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml
index b7c5e2eeb..82894f1c9 100644
--- a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml
@@ -1,14 +1,20 @@
title: Persistence Via Disk Cleanup Handler - NewEntry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
+status: experimental
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
- The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-author: Nasreddine Bencherchali
-date: 2022/07/21
-status: experimental
+ The disk cleanup manager is part of the operating system. It displays the dialog box […]
+ The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+ Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+ Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+ Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
product: windows
category: registry_add
@@ -55,5 +61,3 @@ detection:
falsepositives:
- Legitimate new entry added by windows
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
index 8380c295f..aee728d58 100644
--- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml
@@ -1,11 +1,14 @@
title: Removal Of Folder From ProtectedFolders In Exploit Guard
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
-description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process
status: experimental
-date: 2022/08/05
-author: Nasreddine Bencherchali
+description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
+author: Nasreddine Bencherchali
+date: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_delete
product: windows
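Review bot: The description carried over to the new side still reads "list of of exploit guard", with a doubled "of" followed by a sentence fragment; suggest `description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard, which could indicate an attacker preparing to launch an encryption process`. The detection block of this rule lies outside the hunk, so only the wording is raised here.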
@@ -17,6 +20,3 @@ detection:
falsepositives:
- Legitimate administrators removing applications (should always be monitored)
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
index 56b9aa375..5ebbcf43b 100644
--- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml
@@ -1,17 +1,17 @@
title: Terminal Server Client Connection History Cleared
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
+status: experimental
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
+author: Christian Burkard
+date: 2021/10/19
+modified: 2022/03/26
tags:
- attack.defense_evasion
- attack.t1070
- attack.t1112
-author: Christian Burkard
-status: experimental
-date: 2021/10/19
-modified: 2022/03/26
logsource:
category: registry_delete
product: windows
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
index aad5fc1ed..e2225c984 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml
@@ -1,13 +1,16 @@
title: Removal Of Amsi Provider Reg Key
id: 41d1058a-aea7-4952-9293-29eaaf516465
-description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
status: experimental
-date: 2021/06/07
-modified: 2022/03/26
-author: frack113
+description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://seclists.org/fulldisclosure/2020/Mar/45
+author: frack113
+date: 2021/06/07
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: registry_delete
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index f716aa97c..f2b6f5703 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -2,13 +2,13 @@ title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
- https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
- https://docs.microsoft.com/en-us/windows/win32/shell/launch
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/10/20
tags:
@@ -55,4 +55,3 @@ detection:
falsepositives:
- Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered
level: medium
-
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
index 32e9770c7..486c1ae92 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml
@@ -5,12 +5,15 @@ related:
type: similar
- id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
type: similar
-description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
status: experimental
-date: 2022/08/26
-author: Nasreddine Bencherchali
+description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
+author: Nasreddine Bencherchali
+date: 2022/08/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562
logsource:
product: windows
category: registry_delete
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
index cae8fa327..a0cdb326d 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml
@@ -5,12 +5,15 @@ related:
type: similar
- id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
type: similar
-description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
status: experimental
-date: 2022/04/15
-author: Sittikorn S
+description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
references:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
+author: Sittikorn S
+date: 2022/04/15
+tags:
+ - attack.defense_evasion
+ - attack.t1562
logsource:
product: windows
category: registry_delete
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562
diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
index a88ce15cf..72bd1813c 100644
--- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
+++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml
@@ -1,15 +1,15 @@
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
-description: Sysmon registry detection of a local hidden user account.
status: experimental
+description: Sysmon registry detection of a local hidden user account.
+references:
+ - https://twitter.com/SBousseaden/status/1387530414185664538
+author: Christian Burkard
date: 2021/05/03
modified: 2022/08/05
-author: Christian Burkard
tags:
- attack.persistence
- attack.t1136.001
-references:
- - https://twitter.com/SBousseaden/status/1387530414185664538
logsource:
product: windows
category: registry_event
diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
index 51ec57316..ab3b5c255 100755
--- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml
@@ -18,9 +18,6 @@ detection:
selection:
TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
condition: selection
-falsepositives:
- - Unknown
-level: critical
fields:
- EventID
- CommandLine
@@ -28,3 +25,6 @@ fields:
- Image
- User
- TargetObject
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
index 39233ad58..b53df547a 100644
--- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
+++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml
@@ -2,28 +2,28 @@ title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
-author: oscd.community, Dmitry Uchakin
references:
- - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
- - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
+ - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
+ - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
+author: oscd.community, Dmitry Uchakin
date: 2020/10/07
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
- condition: selection
-fields:
- - ComputerName
- - Image
- - EventType
- - TargetObject
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
+ condition: selection
+fields:
+ - ComputerName
+ - Image
+ - EventType
+ - TargetObject
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
index 782a2365c..74ce8d30a 100755
--- a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
+++ b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml
@@ -2,18 +2,17 @@ title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+references:
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/12/23
-references:
- - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
-falsepositives:
- - Legitimate CMSTP use (unlikely in modern enterprise environments)
-level: high
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218.003
+ - attack.g0069
+ - car.2019-04-001
logsource:
category: registry_event
product: windows
@@ -21,9 +20,10 @@ detection:
selection:
TargetObject|contains: '\cmmgr32.exe'
condition: selection
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1218.003
- - attack.g0069
- - car.2019-04-001
\ No newline at end of file
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
index 8adfe4acc..daf5c3715 100755
--- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml
@@ -2,31 +2,31 @@ title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
-author: Ilyas Ochkov, oscd.community
references:
- - https://twitter.com/0gtweet/status/1182516740955226112
+ - https://twitter.com/0gtweet/status/1182516740955226112
+author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
- EventType: 'CreateKey' # we don't want deletekey
- # key rename
- - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
- condition: selection
-fields:
- - EventID
- - Image
- - TargetObject
- - NewName
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1562.001
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1562.001
+ - attack.t1112
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
+ EventType: 'CreateKey' # we don't want deletekey
+ # key rename
+ - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
+ condition: selection
+fields:
+ - EventID
+ - Image
+ - TargetObject
+ - NewName
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
index eded7cdd9..4414184fd 100644
--- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml
@@ -1,22 +1,25 @@
title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
status: test
-description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+description: |
+ Detects potential malicious modification of the property value of IsCredGuardEnabled from
+ HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
+ This is usually used with UseLogonCredential to manipulate the caching credentials.
references:
- - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
+ - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019/08/25
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|endswith: '\IsCredGuardEnabled'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\IsCredGuardEnabled'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
index a83c14a01..b272bc6a5 100644
--- a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
+++ b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml
@@ -1,15 +1,15 @@
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
-description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
status: experimental
+description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/20
modified: 2021/12/08
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
- attack.t1003.002
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
logsource:
category: registry_event
product: windows
diff --git a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
index 884564b3e..625d0cf95 100755
--- a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml
@@ -2,22 +2,22 @@ title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
-author: Florian Roth
references:
- - https://www.ampliasecurity.com/research/windows-credentials-editor/
+ - https://www.ampliasecurity.com/research/windows-credentials-editor/
+author: Florian Roth
date: 2019/12/31
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|contains: Services\WCESERVICE\Start
- condition: selection
-falsepositives:
- - Unknown
-level: critical
tags:
- - attack.credential_access
- - attack.t1003.001
- - attack.s0005
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.s0005
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: Services\WCESERVICE\Start
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
index 3dbb8e686..a8cbe4848 100644
--- a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml
@@ -1,15 +1,15 @@
title: HybridConnectionManager Service Installation
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
-description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
status: experimental
+description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
+references:
+ - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021/04/12
modified: 2022/01/13
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.resource_development
- attack.t1608
-references:
- - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
logsource:
category: registry_event
product: windows
@@ -17,7 +17,7 @@ detection:
selection1:
TargetObject|contains: '\Services\HybridConnectionManager'
selection2:
- EventType: SetValue
+ EventType: SetValue
Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
condition: selection1 or selection2
falsepositives:
diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
index 6762965f6..b20358d36 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml
@@ -2,29 +2,29 @@ title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
-author: Trent Liffick
references:
- - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+ - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
+author: Trent Liffick
date: 2020/05/08
modified: 2021/11/27
-logsource:
- product: windows
- category: registry_event
-detection:
- selection:
- EventID:
- - 12
- - 13
- TargetObject|contains: 'SYSTEM\'
- TargetObject|endswith: '\services\localNETService'
- condition: selection
-fields:
- - Image
- - TargetObject
- - TargetDetails
-falsepositives:
- - Unknown
-level: critical
tags:
- - attack.execution
- - attack.t1112
+ - attack.execution
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ EventID:
+ - 12
+ - 13
+ TargetObject|contains: 'SYSTEM\'
+ TargetObject|endswith: '\services\localNETService'
+ condition: selection
+fields:
+ - Image
+ - TargetObject
+ - TargetDetails
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
index 336978e71..06320c02f 100644
--- a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
+++ b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml
@@ -2,12 +2,16 @@ title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects value modification of registry key containing path to binary used as screensaver.
-author: Bartlomiej Czyz @bczyz1, oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
+author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020/10/11
modified: 2021/11/27
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.002
logsource:
category: registry_event
product: windows
@@ -22,7 +26,3 @@ detection:
falsepositives:
- Legitimate modification of screensaver
level: medium
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1546.002
diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
index a630578fc..27264ac15 100755
--- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
+++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml
@@ -2,25 +2,25 @@ title: Narrator's Feedback-Hub Persistence
id: f663a6d9-9d1b-49b8-b2b1-0637914d199a
status: test
description: Detects abusing Windows 10 Narrator's Feedback-Hub
-author: Dmitriy Lifanov, oscd.community
references:
- - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+ - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
+author: Dmitriy Lifanov, oscd.community
date: 2019/10/25
modified: 2022/03/26
-logsource:
- category: registry_event
- product: windows
-detection:
- selection1:
- EventType: DeleteValue
- TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
- selection2:
- TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
- #add the payload in the (Default)
- condition: 1 of selection*
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1547.001
+ - attack.persistence
+ - attack.t1547.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection1:
+ EventType: DeleteValue
+ TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute'
+ selection2:
+ TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)'
+ #add the payload in the (Default)
+ condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
index 2e4d32e44..982ed0066 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml
@@ -1,31 +1,33 @@
title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: test
-description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
-author: Ilyas Ochkov, oscd.community
+description: |
+ Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
+ by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
- - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+ - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+ - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- # key rename
- - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
- condition: selection
-fields:
- - EventID
- - Image
- - TargetObject
- - NewName
-falsepositives:
- - Unknown
-level: medium
tags:
- - attack.persistence
- - attack.t1546.009
+ - attack.persistence
+ - attack.t1546.009
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
+ - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
+ # key rename
+ - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
+ condition: selection
+fields:
+ - EventID
+ - Image
+ - TargetObject
+ - NewName
+falsepositives:
+ - Unknown
+level: medium
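Review bot: The rename branch on the new side still carries the typo `CurentControlSet` in `NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'`, so a rename onto the real path can never match; it should read `NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`. The first alternative is an exact `TargetObject:` match on the key itself; if a value written under that key is logged with the value name appended to TargetObject, the "new DLL added" case the title describes would be missed, and `TargetObject|startswith:` may be the intended modifier — worth confirming against the Sysmon event shape. This reorder-only commit leaves both lines as they were.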
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 08baeb45e..ddbbfd7d8 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -1,27 +1,29 @@
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: experimental
-description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll
- into every process that loads user32.dll
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
- https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019/10/25
modified: 2021/11/11
+tags:
+ - attack.persistence
+ - attack.t1546.010
logsource:
category: registry_event
product: windows
detection:
selection:
- - TargetObject|endswith:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
#key rename
- - NewName|endswith:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - NewName|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
filter:
- Details: '(Empty)'
+ Details: '(Empty)'
condition: selection and not filter
fields:
- EventID
@@ -31,6 +33,3 @@ fields:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1546.010
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 01591d068..c60319ecb 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -4,8 +4,11 @@ status: experimental
description: Detects persistence registry keys for Recycle Bin
references:
- https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
-date: 2021/11/18
author: frack113
+date: 2021/11/18
+tags:
+ - attack.persistence
+ - attack.t1547
logsource:
category: registry_event
product: windows
@@ -17,9 +20,6 @@ detection:
EventType: SetValue
TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
condition: 1 of selection_*
-tags:
- - attack.persistence
- - attack.t1547
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index 7e00f57ee..61dc1ff80 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -2,21 +2,21 @@ title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
-author: Alexander Rausch
references:
- - https://redmimicry.com
+ - https://redmimicry.com
+author: Alexander Rausch
date: 2020/06/24
modified: 2021/11/27
-logsource:
- product: windows
- category: registry_event
-detection:
- selection:
- TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
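Review bot: The relocated `TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data` is left as an unquoted plain scalar, while the other registry rules in this commit quote their backslash paths (`'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'`, `'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'`). Backslashes are not special in a plain scalar, so the value parses correctly today, but quoting keeps it safe from a later edit that introduces `: ` or ` #` and matches the style of the sibling rules; `TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\HTMLHelp\data'`. Since this commit only reorders keys, the change is cosmetic and can be folded in without affecting the detection logic.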
diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
index 1e891ab5f..3a4efef7c 100644
--- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
@@ -2,26 +2,26 @@ title: WINEKEY Registry Modification
id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
status: test
description: Detects potential malicious modification of run keys by winekey or team9 backdoor
-author: omkar72
references:
- - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: omkar72
date: 2020/10/30
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
- condition: selection
-fields:
- - ComputerName
- - Image
- - EventType
- - TargetObject
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1547
+ - attack.persistence
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
+ condition: selection
+fields:
+ - ComputerName
+ - Image
+ - EventType
+ - TargetObject
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index 1fc7bde2f..13736f4a1 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -2,12 +2,15 @@ title: Run Once Task Configuration in Registry
id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
status: test
description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
-author: 'Avneet Singh @v3t0_, oscd.community'
references:
- https://twitter.com/pabraeken/status/990717080805789697
- https://lolbas-project.github.io/lolbas/Binaries/Runonce/
+author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020/11/15
modified: 2022/04/04
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
product: windows
category: registry_event
@@ -27,6 +30,3 @@ detection:
falsepositives:
- Legitimate modification of the registry key by legitimate program
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index cb73fa4c4..1986b53a0 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -1,15 +1,15 @@
title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
-description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-author: Christian Burkard
-date: 2021/08/30
-modified: 2022/01/13
status: experimental
+description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
- https://github.com/hfiref0x/UACME
- https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
- https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/01/13
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -20,14 +20,14 @@ logsource:
product: windows
detection:
selection1:
- EventType: SetValue
+ EventType: SetValue
TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
Details|contains: '\Software\Classes\{'
selection2:
TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
selection3:
EventType: SetValue
- TargetObject|endswith:
+ TargetObject|endswith:
- 'Classes\ms-settings\shell\open\command\(Default)'
- 'Classes\exefile\shell\open\command\(Default)'
filter_sel3:
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index b1a0279f3..6b5f69270 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -3,12 +3,12 @@ id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a
type: similar
-description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
status: experimental
-author: Florian Roth
+description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+author: Florian Roth
date: 2021/02/26
modified: 2022/09/07
tags:
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index 021550b27..bfcc87c45 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -2,11 +2,14 @@ title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
-author: iwillkeepwatch
references:
- https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
+author: iwillkeepwatch
date: 2019/01/18
modified: 2022/08/09
+tags:
+ - attack.persistence
+ - attack.t1547.005
logsource:
category: registry_event
product: windows
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unlikely
level: critical
-tags:
- - attack.persistence
- - attack.t1547.005
diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index 411041b6e..b06d3bffc 100755
--- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -1,14 +1,19 @@
title: Sticky Key Like Backdoor Usage
id: baca5663-583c-45f9-b5dc-ea96a22ce542
-description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
- screen
status: experimental
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018/03/15
modified: 2022/08/06
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.008
+ - car.2014-11-003
+ - car.2014-11-008
logsource:
category: registry_event
product: windows
@@ -27,9 +32,3 @@ detection:
falsepositives:
- Unlikely
level: critical
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1546.008
- - car.2014-11-003
- - car.2014-11-008
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index f3cb1b87c..efb7e3aed 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -1,11 +1,11 @@
title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
-description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
status: experimental
-author: Mateusz Wydra, oscd.community
+description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
+author: Mateusz Wydra, oscd.community
date: 2020/10/13
modified: 2022/09/21
tags:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index 42eeaf985..f46485a59 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -2,25 +2,25 @@ title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
-author: Florian Roth
references:
- - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+ - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+author: Florian Roth
date: 2019/10/01
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- Image|contains:
- - '\Downloads\'
- - '\Temporary Internet Files\Content.Outlook\'
- - '\Local Settings\Temporary Internet Files\'
- TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
- condition: selection
-falsepositives:
- - Software installers downloaded and used by users
-level: high
tags:
- - attack.persistence
- - attack.t1547.001
+ - attack.persistence
+ - attack.t1547.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
+ condition: selection
+falsepositives:
+ - Software installers downloaded and used by users
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index a59066260..5d8f745cd 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -2,30 +2,30 @@ title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-author: Florian Roth
references:
- - https://blog.xpnsec.com/exploring-mimikatz-part-1/
- - https://twitter.com/SBousseaden/status/1183745981189427200
+ - https://blog.xpnsec.com/exploring-mimikatz-part-1/
+ - https://twitter.com/SBousseaden/status/1183745981189427200
+author: Florian Roth
date: 2019/10/16
modified: 2022/04/21
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|contains:
- - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
- - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
- filter_domain_controller:
- Image: 'C:\Windows\system32\lsass.exe'
- Details:
- - '%%systemroot%%\system32\ntdsa.dll'
- - '%%systemroot%%\system32\lsadb.dll'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.execution
- - attack.persistence
- - attack.t1547.008
+ - attack.execution
+ - attack.persistence
+ - attack.t1547.008
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains:
+ - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
+ - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
+ filter_domain_controller:
+ Image: 'C:\Windows\system32\lsass.exe'
+ Details:
+ - '%%systemroot%%\system32\ntdsa.dll'
+ - '%%systemroot%%\system32\lsadb.dll'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml b/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml
index 1ab4d22be..d26fdce5f 100755
--- a/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml
+++ b/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml
@@ -2,22 +2,22 @@ title: Windows Registry Trust Record Modification
id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
status: test
description: Alerts on trust record modification within the registry, indicating usage of macros
-author: Antonlovesdnb
references:
- - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
- - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+ - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
+ - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|contains: 'TrustRecords'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: medium
tags:
- - attack.initial_access
- - attack.t1566.001
+ - attack.initial_access
+ - attack.t1566.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'TrustRecords'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
index f6b74bfaa..a24c688bb 100644
--- a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -1,17 +1,20 @@
title: Abusing Windows Telemetry For Persistence
id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
status: experimental
-description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
+description: |
+ Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+ This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+ The problem is, it will run any arbitrary command without restriction of location or type.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020/09/29
modified: 2022/03/26
-fields:
- - EventID
- - CommandLine
- - TargetObject
- - Details
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
+ - attack.t1053
logsource:
product: windows
category: registry_set
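Review bot: Converting `description:` to a literal block scalar (`|`) changes the value, not just the layout: the string now carries a newline after each sentence and a trailing newline, whereas the original was a single-line paragraph. If the goal is only to wrap the long line, the folded form with the final newline stripped keeps the original single-paragraph value: `description: >-`. The port-monitor rule later in this change already uses `description: |` in unchanged lines, so if the project's tooling renders multi-line descriptions as intended this may be a deliberate choice; it is worth confirming rather than assuming.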
@@ -19,7 +22,7 @@ detection:
selection:
EventType: SetValue
TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
- Details|endswith:
+ Details|endswith:
- .sh
- .exe
- .dll
@@ -34,11 +37,11 @@ detection:
- .msi
- .vbs
condition: selection
+fields:
+ - EventID
+ - CommandLine
+ - TargetObject
+ - Details
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1112
- - attack.t1053
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml b/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml
index b496ddbc6..01cacc89f 100644
--- a/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml
@@ -1,11 +1,14 @@
title: User Account Hidden By Registry
id: 8a58209c-7ae6-4027-afb0-307a78e4589a
-description: Detect modification for a specific user to prevent that user from being listed on the logon screen
status: experimental
-date: 2022/08/20
-author: frack113
+description: Detect modification for a specific user to prevent that user from being listed on the logon screen
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
+author: frack113
+date: 2022/08/20
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
logsource:
product: windows
category: registry_set
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.002
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index fd07b7e81..461a84752 100644
--- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -1,13 +1,16 @@
title: Registry Persitence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
-description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
-author: frack113
-date: 2022/04/04
-modified: 2022/06/26
status: experimental
+description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
+author: frack113
+date: 2022/04/04
+modified: 2022/06/26
+tags:
+ - attack.defense_evasion
+ - attack.t1564.001
logsource:
category: registry_set
product: windows
@@ -28,6 +31,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.001
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index 5b66ed84b..1c5ce69c8 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -1,14 +1,17 @@
title: Add Port Monitor Persistence in Registry
id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
+status: experimental
description: |
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
author: frack113
date: 2021/12/30
modified: 2022/09/18
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
+tags:
+ - attack.persistence
+ - attack.t1547.010
logsource:
category: registry_set
product: windows
@@ -35,6 +38,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
index 5c806f084..5270e6600 100644
--- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
@@ -1,12 +1,14 @@
title: Add Debugger Entry To AeDebug For Persistence
id: 092af964-4233-4373-b4ba-d86ea2890288
-description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://persistence-info.github.io/Data/aedebug.html
- https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
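Review bot: The relocated `tags` block carries only the tactic `attack.persistence` with no technique-level tag, unlike every other rule touched by this commit, which pairs the tactic with an `attack.t15xx` entry. Because the rule describes a debugger that is invoked when an application crashes, a technique under Event Triggered Execution looks like the natural fit (plausibly `attack.t1546`, to be confirmed against the ATT&CK mapping the project uses); adding it alongside the move would keep the metadata consistent across the set. The content of the block itself is unchanged by the move, so this is a pre-existing gap rather than something the reorder introduced.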
@@ -21,5 +23,3 @@ detection:
falsepositives:
- Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index d6fe350c8..22241a0af 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -1,11 +1,14 @@
title: Allow RDP Remote Assistance Feature
id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
-description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
-author: frack113
-date: 2022/08/19
status: experimental
+description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitmate use of the feature (alerts should be investigated either way)
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index 874009427..cb01e74e1 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/06/04
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -53,6 +56,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index d605c7e6b..73c9c3ce6 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -5,14 +5,17 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019/10/25
modified: 2022/04/04
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -75,6 +78,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 608a3071b..4a251912d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/09/20
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -62,6 +65,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index 82a226146..57591152e 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/07/05
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -83,6 +86,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index 879e1c62c..a2a4508c4 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -49,6 +52,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index da07b1a40..d627b0384 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/06/10
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -58,8 +61,8 @@ detection:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_avg:
- Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
condition: office and office_details and not 1 of filter_*
fields:
- SecurityID
@@ -70,6 +73,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 95aed74c3..6f6cc6e2a 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -5,13 +5,17 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
+ - attack.t1546.009
logsource:
category: registry_set
product: windows
@@ -39,7 +43,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
- - attack.t1546.009
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index 0835d87f6..1d1b33595 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -37,6 +40,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index 651577c2f..23d2b2d08 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -37,6 +40,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 31626072c..19c92301e 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -5,14 +5,17 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/09/21
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -85,6 +88,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index ff76d31f4..d0221d76f 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -45,6 +48,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index 8d31fa4c6..21b046d56 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -5,13 +5,16 @@ related:
type: derived
status: experimental
description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019/10/25
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -38,6 +41,3 @@ falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
index a8504a2b4..7b5987064 100644
--- a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
+++ b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
@@ -1,28 +1,28 @@
title: Blackbyte Ransomware Registry
id: 83314318-052a-4c90-a1ad-660ece38d276
-description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
-author: frack113
-date: 2022/01/24
-modified: 2022/03/26
status: experimental
+description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
references:
- https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
+author: frack113
+date: 2022/01/24
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
- TargetObject:
+ TargetObject:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
- - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
+ - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
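Review bot: With `falsepositives: - Unknown` and `level: high`, the rule as written fires on any single one of the three values being set to 1, because `TargetObject` is a list (OR) and there is no correlation of three events, which is not what the description's "three different registry values" suggests. LocalAccountTokenFilterPolicy=1 is commonly set by administrators to allow remote administration with local accounts, and LongPathsEnabled=1 is toggled by some developer tooling, so a high-level alert on each write in isolation will likely be noisy. Suggest documenting that in falsepositives, e.g. `- Administrators enabling remote UAC exemption (LocalAccountTokenFilterPolicy) or long path support`, and stating in the description that any one of the three writes triggers the rule, or lowering the level to medium.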
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index e4a73cafd..28e76b9a4 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
@@ -1,14 +1,18 @@
title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
-description: Bypasses User Account Control using a fileless method
-author: frack113
-date: 2022/01/05
-modified: 2022/03/26
status: experimental
+description: Bypasses User Account Control using a fileless method
references:
- https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
+author: frack113
+date: 2022/01/05
+modified: 2022/03/26
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
logsource:
category: registry_set
product: windows
@@ -21,7 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index 6fcac7a54..2576a4a3b 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -1,13 +1,16 @@
title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
-description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
-author: frack113
-date: 2022/01/05
-modified: 2022/10/05
status: experimental
+description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
+author: frack113
+date: 2022/01/05
+modified: 2022/10/05
+tags:
+ - attack.persistence
+ - attack.t1547.010
logsource:
category: registry_set
product: windows
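Review bot: The relocated `tags:` block keeps `attack.t1547.010` (Port Monitors, a logon-autostart sub-technique) on a rule that detects the eventvwr.exe UAC bypass, which is inconsistent with the sibling rules in this commit (registry_set_bypass_uac_using_delegateexecute.yml and registry_set_bypass_uac_using_silentcleanup_task.yml) that use privilege_escalation/defense_evasion with t1548.002. The rule's own reference is the T1548.002 atomic test. Suggest `- attack.privilege_escalation`, `- attack.defense_evasion`, `- attack.t1548.002`. The mis-mapping predates this commit, but moving the block is the natural moment to correct it.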
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index 2ca3cbce3..8a7a00c46 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
@@ -1,13 +1,17 @@
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
-description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
-author: frack113
-date: 2022/01/06
-modified: 2022/03/26
status: experimental
+description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+author: frack113
+date: 2022/01/06
+modified: 2022/03/26
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
logsource:
category: registry_set
product: windows
@@ -20,7 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index fba5705d5..eaf45f3af 100644
--- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -1,15 +1,18 @@
title: Changing RDP Port to Non Standard Number
id: 509e84b9-a71a-40e0-834f-05470369bd1e
+status: experimental
description: |
Remote desktop is a common feature in operating systems.
It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
author: frack113
date: 2022/01/01
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
+tags:
+ - attack.persistence
+ - attack.t1547.010
logsource:
category: registry_set
product: windows
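Review bot: `attack.t1547.010` (Port Monitors) in the relocated `tags:` block is not the technique for changing the RDP listening port; the single reference the rule cites is the T1021.001 atomic test, and a registry change of this kind is normally mapped to T1112. Suggest `- attack.defense_evasion`, `- attack.t1112`, optionally with `- attack.lateral_movement` / `- attack.t1021.001` to match the reference. As the detection block is outside this hunk I cannot confirm which PortNumber key it matches, but the tag fix is independent of that.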
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
index 1d95d769a..241d4cc46 100644
--- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
@@ -1,13 +1,16 @@
title: IE Change Domain Zone
id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
-description: Hides the file extension through modification of the registry
-author: frack113
-date: 2022/01/22
-modified: 2022/04/04
status: experimental
+description: Hides the file extension through modification of the registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
- https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+author: frack113
+date: 2022/01/22
+modified: 2022/04/04
+tags:
+ - attack.persistence
+ - attack.t1137
logsource:
category: registry_set
product: windows
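Review bot: The description carried over at `+description: Hides the file extension through modification of the registry` does not describe this rule: the title is "IE Change Domain Zone" and both references cover adding a domain to the Internet Explorer Trusted Sites zone, so this reads like a copy-paste from another rule. Suggest `description: Detects modification of Internet Explorer security zone settings in the registry, such as adding a domain to the Trusted Sites zone`. The `attack.persistence` / `attack.t1137` (Office Application Startup) pair also looks off for a security-zone change; the referenced atomic test sits under T1112, so `attack.defense_evasion` / `attack.t1112` seems the better fit.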
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Administrative scripts
level: medium
-tags:
- - attack.persistence
- - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index e2a62b6e4..341022fff 100644
--- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
@@ -5,20 +5,20 @@ description: Detects changes in Sysmon driver altitude. If the Sysmon driver is
references:
- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
- https://youtu.be/zSihR3lTf7g
+author: B.Talebi
+date: 2022/07/28
tags:
- attack.defense_evasion
- attack.t1562.001
-author: B.Talebi
-date: 2022/07/28
logsource:
category: registry_set
product: windows
detection:
- selection:
- EventType: SetValue
- TargetObject|startswith: 'HKLM\SYSTEM\CurrentControlSet\'
- TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
- condition: selection
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\SYSTEM\CurrentControlSet\'
+ TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
+ condition: selection
falsepositives:
- Legitimate driver altitude change to hide sysmon
level: high
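Review bot: The re-indented `TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'` ties detection to the default driver name; when Sysmon is installed with a renamed driver (the `-d` install option) the instance subkey under the minifilter's Instances key presumably carries that custom name, and this rule would not see the altitude change — worth confirming and, if so, noting in the description or broadening the match. The falsepositive entry `Legitimate driver altitude change to hide sysmon` also reads as a contradiction (hiding Sysmon is the attack); suggest `- Legitimate Sysmon reinstall or upgrade rewriting the Altitude value`.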
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index 02b5704aa..b38ee9706 100644
--- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -1,14 +1,17 @@
title: Change Winevt Event Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
-description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel
-author: frack113
-date: 2022/09/17
-modified: 2022/09/29
status: experimental
+description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel
references:
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
- https://learn.microsoft.com/en-us/windows/win32/api/winevt/
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+author: frack113
+date: 2022/09/17
+modified: 2022/09/29
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
logsource:
category: registry_set
product: windows
@@ -18,7 +21,7 @@ detection:
TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\ChannelAccess'
# Add more interesting combinations if you found them
- Details|contains:
+ Details|contains:
- '(A;;0x1;;;SY)' # Local System having GENERIC ALL
- '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
- '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
@@ -30,6 +33,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.002
diff --git a/rules/windows/registry/registry_set/registry_set_chm_persistence.yml b/rules/windows/registry/registry_set/registry_set_chm_persistence.yml
index 73e69e004..ede89b64d 100644
--- a/rules/windows/registry/registry_set/registry_set_chm_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_chm_persistence.yml
@@ -1,12 +1,14 @@
title: CHM Helper DLL Persistence
id: 976dd1f2-a484-45ec-aa1d-0e87e882262b
-description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
references:
- https://persistence-info.github.io/Data/htmlhelpauthor.html
- https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -20,5 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 3034c7f70..93d275074 100644
--- a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -1,12 +1,15 @@
title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
+status: experimental
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021/12/28
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
+tags:
+ - attack.persistence
+ - attack.t1133
logsource:
category: registry_set
product: windows
@@ -127,6 +130,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1133
diff --git a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index c85b40813..b15fe777c 100644
--- a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -1,14 +1,22 @@
title: CobaltStrike Service Installations in Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
-description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
- We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
- In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
status: experimental
-date: 2021/06/29
-modified: 2022/03/26
-author: Wojciech Lesicki
+description: |
+ Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+ We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
+ In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
+author: Wojciech Lesicki
+date: 2021/06/29
+modified: 2022/03/26
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
logsource:
category: registry_set
product: windows
@@ -29,10 +37,3 @@ detection:
falsepositives:
- Unknown
level: critical
-tags:
- - attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
- - attack.t1021.002
- - attack.t1543.003
- - attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 92114070e..d43dbae98 100644
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -2,24 +2,24 @@ title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-author: Omkar Gudhate
references:
- - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- - https://www.exploit-db.com/exploits/47696
+ - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
+ - https://www.exploit-db.com/exploits/47696
+author: Omkar Gudhate
date: 2020/09/27
modified: 2022/06/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: Setvalue
- TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.privilege_escalation
- - attack.t1546
- - attack.t1548
+ - attack.privilege_escalation
+ - attack.t1546
+ - attack.t1548
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
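Review bot: `EventType: Setvalue` in the re-indented detection block is spelled differently from every other rule in this diff (`EventType: SetValue`, e.g. the Blackbyte and Sysmon-altitude rules). Sigma string matching is case-insensitive on most backends so this is likely harmless, but `SetValue` is the canonical Sysmon value and a case-sensitive backend would silently never match; suggest `EventType: SetValue`. The `attack.t1546` / `attack.t1548` tags are also left at the parent-technique level, whereas the sibling DelegateExecute rule in this commit uses `attack.t1548.002` for the same registry key.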
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index a3c75e5a4..8ab969495 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -2,11 +2,14 @@ title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: experimental
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
+references:
+ - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski
date: 2022/02/24
modified: 2022/08/23
-references:
- - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
+tags:
+ - attack.t1564
+ - attack.t1112
logsource:
product: windows
category: registry_set
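Review bot: The relocated `tags:` block lists `attack.t1564` and `attack.t1112` with no tactic tag, unlike every other rule in this diff (e.g. `attack.defense_evasion` preceding `attack.t1112` in the Blackbyte rule). Suggest adding `- attack.defense_evasion` as the first entry so tactic-based filtering and navigator exports pick this rule up.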
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Legitimate disabling of crashdumps
level: medium
-tags:
- - attack.t1564
- - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 72c157e9d..0777c27a4 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -3,12 +3,15 @@ id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
- id: c0abc838-36b0-47c9-b3b3-a90c39455382
type: obsoletes
-description: Detect the creation of a service with a service binary located in a suspicious directory
status: experimental
-date: 2022/05/02
-author: Florian Roth, frack113
+description: Detect the creation of a service with a service binary located in a suspicious directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: Florian Roth, frack113
+date: 2022/05/02
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -40,6 +43,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
index a9e7f644f..e51e48614 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
@@ -1,12 +1,15 @@
title: Service Binary in Uncommon Folder
id: 277dc340-0540-42e7-8efb-5ff460045e07
-description: Detect the creation of a service with a service binary located in a uncommon directory
status: experimental
-date: 2022/05/02
-modified: 2022/05/04
-author: Florian Roth
+description: Detect the creation of a service with a service binary located in a uncommon directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: Florian Roth
+date: 2022/05/02
+modified: 2022/05/04
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -41,6 +44,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index c13f6736d..aba00a2fd 100644
--- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -1,11 +1,14 @@
title: Custom File Open Handler Executes PowerShell
id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
-description: Detects the abuse of custom file open handler, executing powershell
-author: CD_R0M_
-date: 2022/06/11
status: experimental
+description: Detects the abuse of custom file open handler, executing powershell
references:
- https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
+author: CD_R0M_
+date: 2022/06/11
+tags:
+ - attack.defense_evasion
+ - attack.t1202
logsource:
category: registry_set
product: windows
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1202
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml b/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
index ee73d996a..313a32ba4 100644
--- a/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
@@ -2,30 +2,30 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
-author: EagleEye Team, Florian Roth, NVISO
references:
- - https://windows-internals.com/printdemon-cve-2020-1048/
+ - https://windows-internals.com/printdemon-cve-2020-1048/
+author: EagleEye Team, Florian Roth, NVISO
date: 2020/05/13
modified: 2022/01/13
-logsource:
- product: windows
- category: registry_set
-detection:
- selection:
- EventType: SetValue
- TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
- Details|contains:
- - '.dll'
- - '.exe'
- - '.bat'
- - '.com'
- - 'C:'
- condition: selection
-falsepositives:
- - New printer port install on host
-level: high
tags:
- - attack.persistence
- - attack.execution
- - attack.defense_evasion
- - attack.t1112
+ - attack.persistence
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
+ Details|contains:
+ - '.dll'
+ - '.exe'
+ - '.bat'
+ - '.com'
+ - 'C:'
+ condition: selection
+falsepositives:
+ - New printer port install on host
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 7a9c52e09..07e50a3c8 100644
--- a/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -2,12 +2,12 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: experimental
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-author: Sittikorn S, frack113
-date: 2021/07/16
-modified: 2022/08/23
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+author: Sittikorn S, frack113
+date: 2021/07/16
+modified: 2022/08/23
tags:
- attack.credential_access
- attack.t1566
@@ -31,4 +31,4 @@ detection:
condition: selection and not filter
falsepositives:
- Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 36c464935..f214e54f8 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -1,12 +1,15 @@
title: Add Debugger Entry To DbgManagedDebugger For Persistence
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
-description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes
-author: frack113
-date: 2022/08/07
status: experimental
+description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://github.com/last-byte/PersistenceSniper
+author: frack113
+date: 2022/08/07
+tags:
+ - attack.persistence
+ - attack.t1574
logsource:
category: registry_set
product: windows
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
-tags:
- - attack.persistence
- - attack.t1574
diff --git a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index d938019a3..c8d29604a 100644
--- a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -3,13 +3,16 @@ id: a982fc9c-6333-4ffb-a51d-addb04e8b529
related:
- id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
type: derived
+status: test
description: Detects the Setting of Windows Defender Exclusions
-date: 2021/07/06
-modified: 2022/03/26
-author: Christian Burkard
references:
- https://twitter.com/_nullbind/status/1204923340810543109
-status: test
+author: Christian Burkard
+date: 2021/07/06
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: registry_set
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Administrator actions
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index 565fffe53..a749c5311 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -2,27 +2,27 @@ title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-author: Dimitrios Slamaris
references:
- - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+ - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+ - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
+ - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+author: Dimitrios Slamaris
date: 2017/05/15
modified: 2022/06/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: Setvalue
- TargetObject|endswith:
- - '\Services\DHCPServer\Parameters\CalloutDlls'
- - '\Services\DHCPServer\Parameters\CalloutEnabled'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1574.002
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.t1112
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject|endswith:
+ - '\Services\DHCPServer\Parameters\CalloutDlls'
+ - '\Services\DHCPServer\Parameters\CalloutEnabled'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
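Review bot: The re-added selection uses `EventType: Setvalue` while the registry_set_cve_2020_1048_new_printer_port.yml hunk above writes the same value as `EventType: SetValue`; the DelegateExecute hunk at the top of this chunk carries the lowercase form as well. Sigma compares plain string values case-insensitively, so this is not expected to change matching, but since this commit already normalizes field order across the rule set, aligning on `EventType: SetValue` here and in the other affected hunks would remove the mixed spellings.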
diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 3c26e4b6f..bd7d5bfd8 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -1,12 +1,15 @@
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
+status: experimental
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022/01/16
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
logsource:
category: registry_set
product: windows
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.005
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 72d5abdd5..38c4c79fa 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -2,12 +2,14 @@ title: AutoLogger Sessions Tamper
id: f37b4bce-49d0-4087-9f5b-58bffda77316
status: experimental
description: Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging
-author: Nasreddine Bencherchali
references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+author: Nasreddine Bencherchali
date: 2022/08/01
modified: 2022/09/18
+tags:
+ - attack.defense_evasion
logsource:
category: registry_set
product: windows
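Review bot: The tags block moved into this hunk carries only the tactic `attack.defense_evasion` and no technique identifier, whereas the other rules touched by this commit pair the tactic with a technique (`attack.t1562.001`, `attack.t1112`, `attack.t1562.004`). Disabling AutoLogger trace sessions is the kind of logging tamper that ATT&CK files under Impair Defenses: Indicator Blocking, so `  - attack.t1562.006` beneath the tactic would presumably be the matching entry; please confirm against the rule's references. The same gap appears in the registry_set_disk_cleanup_handler_autorun_persistence.yml hunk near the end of this chunk, whose tags list only `attack.persistence`.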
@@ -29,5 +31,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
index 30c87d624..2cd58a900 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -1,12 +1,15 @@
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
+status: experimental
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022/01/09
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
logsource:
category: registry_set
product: windows
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.004
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 3563aa1a2..cd043992c 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -8,6 +8,9 @@ references:
author: frack113, Nasreddine Bencherchali
date: 2022/03/18
modified: 2022/06/03
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -35,6 +38,3 @@ detection:
falsepositives:
- Legitimate admin script
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml b/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
index bd77d09d8..55df5be1e 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
@@ -1,14 +1,17 @@
title: Disable Microsoft Office Security Features
id: 7c637634-c95d-4bbf-b26c-a82510874b34
-description: Disable Microsoft Office Security Features by registry
status: experimental
-date: 2021/06/08
-modified: 2022/03/26
-author: frack113
+description: Disable Microsoft Office Security Features by registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
+author: frack113
+date: 2021/06/08
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: registry_set
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
index c61f90cd5..c1cc47836 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -6,6 +6,9 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022/10/02
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate admin script
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index e6c0e3d8e..ba278b9b2 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -1,11 +1,14 @@
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
-description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
-author: frack113
-date: 2022/08/19
status: experimental
+description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index 5e3e00f86..0bb5dc998 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -1,12 +1,15 @@
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
+status: experimental
description: Detects the modification of the registry to disable a system restore on the computer
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022/04/04
modified: 2022/09/09
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
+tags:
+ - attack.impact
+ - attack.t1490
logsource:
category: registry_set
product: windows
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.impact
- - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
index 99a22abb6..205c5afca 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
@@ -1,12 +1,16 @@
title: Disable UAC Using Registry
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
+status: experimental
description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
author: frack113
date: 2022/01/05
modified: 2022/08/06
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
logsource:
category: registry_set
product: windows
@@ -19,7 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 5df7a8b5a..88fdf579f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -1,12 +1,15 @@
title: Windows Defender Service Disabled
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
+status: experimental
description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
-date: 2022/08/01
-author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
-status: experimental
+author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
+date: 2022/08/01
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: registry_set
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Administrator actions
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
index 8db7a6082..9efca0a3e 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -1,11 +1,14 @@
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
-description: Detect set EnableFirewall to 0 to disable the windows firewall
-author: frack113
-date: 2022/08/19
status: experimental
+description: Detect set EnableFirewall to 0 to disable the windows firewall
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
logsource:
category: registry_set
product: windows
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.004
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index cd739dbf1..25d02b959 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -1,13 +1,16 @@
title: Disable Winevt Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
-description: Detects tampering with the "Enabled" registry key in order to disable windows logging of a windows event channel
-author: frack113, Nasreddine Bencherchali
-date: 2022/07/04
-modified: 2022/10/11
status: experimental
+description: Detects tampering with the "Enabled" registry key in order to disable windows logging of a windows event channel
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
- https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
+author: frack113, Nasreddine Bencherchali
+date: 2022/07/04
+modified: 2022/10/11
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
logsource:
category: registry_set
product: windows
@@ -40,6 +43,3 @@ detection:
falsepositives:
- Legitimate administrators disabling specific event log for troubleshooting
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.002
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index c97fa0429..b45bd63e4 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -1,12 +1,15 @@
title: Disable Exploit Guard Network Protection on Windows Defender
id: bf9e1387-b040-4393-9851-1598f8ecfae9
-description: Detects disabling Windows Defender Exploit Guard Network Protection
status: experimental
-date: 2021/08/04
-modified: 2022/08/05
-author: Austin Songer @austinsonger
+description: Detects disabling Windows Defender Exploit Guard Network Protection
references:
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
+author: Austin Songer @austinsonger
+date: 2021/08/04
+modified: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index 7b61cd8de..d19be98cf 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -1,11 +1,14 @@
title: Disabled Windows Defender Eventlog
id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
-description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
status: experimental
-date: 2022/07/04
-author: Florian Roth
+description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
+author: Florian Roth
+date: 2022/07/04
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index 2124509d3..7fc338391 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -1,12 +1,15 @@
title: Disable PUA Protection on Windows Defender
id: 8ffc5407-52e3-478f-9596-0a7371eafe13
-description: Detects disabling Windows Defender PUA protection
status: experimental
-date: 2021/08/04
-modified: 2022/07/04
-author: Austin Songer @austinsonger
+description: Detects disabling Windows Defender PUA protection
references:
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
+author: Austin Songer @austinsonger
+date: 2021/08/04
+modified: 2022/07/04
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
index 5904adb45..6cf89f826 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml
@@ -1,12 +1,15 @@
title: Disable Tamper Protection on Windows Defender
id: 93d298a1-d28f-47f1-a468-d971e7796679
-description: Detects disabling Windows Defender Tamper Protection
status: experimental
-date: 2021/08/04
-modified: 2022/04/21
-author: Austin Songer @austinsonger
+description: Detects disabling Windows Defender Tamper Protection
references:
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
+author: Austin Songer @austinsonger
+date: 2021/08/04
+modified: 2022/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -24,6 +27,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index 322cf5715..19ed848e4 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -1,11 +1,14 @@
title: Add DisallowRun Execution to Registry
id: 275641a5-a492-45e2-a817-7c81e9d9d3e9
-description: Detect set DisallowRun to 1 to prevent user running specific computer program
-author: frack113
-date: 2022/08/19
status: experimental
+description: Detect set DisallowRun to 1 to prevent user running specific computer program
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
index 3b115c0b4..e324577e5 100644
--- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
@@ -1,15 +1,21 @@
title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
+status: experimental
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
- The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
-author: Nasreddine Bencherchali
-date: 2022/07/21
-modified: 2022/10/21
-status: experimental
+ The disk cleanup manager is part of the operating system.
+ It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
+ Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
+ Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
+ Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+modified: 2022/10/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -41,5 +47,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
index 032cf6788..fd00f69ae 100644
--- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml
@@ -1,18 +1,25 @@
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: experimental
-description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
-author: Austin Songer
+description: |
+ Detects when a user enables DNS-over-HTTPS.
+ This can be used to hide internet activity or be used to hide the process of exfiltrating data.
+ With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
+author: Austin Songer
date: 2021/07/22
modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+ - attack.t1112
logsource:
- product: windows
- category: registry_set
+ product: windows
+ category: registry_set
detection:
selection_edge:
EventType: SetValue
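Review bot: `attack.t1140` (Deobfuscate/Decode Files or Information) in the relocated tag block does not describe enabling DNS-over-HTTPS; the behaviour the description covers — removing visibility into DNS queries — is closer to T1572 (Protocol Tunneling) under Command and Control, while `attack.t1112` remains correct for the registry change itself. Since the block is being moved anyway, this is a good moment to correct it, e.g. `- attack.command_and_control` / `- attack.t1572` in place of the t1140 line. Worth confirming against the ATT&CK entry before changing.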
@@ -28,9 +35,5 @@ detection:
Details: DWORD (0x00000001)
condition: 1 of selection_*
falsepositives:
-- Unlikely
+ - Unlikely
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1140
- - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
index 38ea828ff..03c53eb59 100755
--- a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml
@@ -1,13 +1,12 @@
title: DNS ServerLevelPluginDll Install
id: e61e8a88-59a9-451c-874e-70fcc9740d67
status: experimental
-description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
- (restart required)
+description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+author: Florian Roth
date: 2017/05/08
modified: 2022/08/23
-author: Florian Roth
tags:
- attack.defense_evasion
- attack.t1574.002
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
index e6caec211..7ebdf090b 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml
@@ -2,26 +2,26 @@ title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
status: test
description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
-author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
references:
- - https://twitter.com/jamieantisocial/status/1304520651248668673
- - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
- - https://www.sans.org/cyber-security-summit/archives
+ - https://twitter.com/jamieantisocial/status/1304520651248668673
+ - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
+ - https://www.sans.org/cyber-security-summit/archives
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020/09/10
modified: 2022/06/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: Setvalue
- TargetObject|endswith:
- - '\COR_ENABLE_PROFILING'
- - '\COR_PROFILER'
- condition: selection
-level: high
tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1574.012
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.012
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject|endswith:
+ - '\COR_ENABLE_PROFILING'
+ - '\COR_PROFILER'
+ condition: selection
+level: high
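Review bot: `EventType: Setvalue` on the re-added selection line is inconsistent with the `SetValue` spelling used by the sibling registry_set rules in this same change (registry_set_etw_disabled.yml, registry_set_dns_over_https_enabled.yml). Sigma string matching is case-insensitive by default, so the rule still fires, but mixed casing hurts greppability and any backend that maps EventType onto an exact-match field. Change it to `EventType: SetValue`. The old side of registry_set_mal_blue_mockingbird.yml carries the same spelling; its new side runs past this chunk, so it could not be checked here.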
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index 5fe588e2a..7eca6ab9a 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -1,12 +1,15 @@
title: Scripted Diagnostics Turn Off Check Enabled - Registry
id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
+status: experimental
description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
-date: 2022/06/15
-modified: 2022/09/09
-author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
references:
- https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
-status: experimental
+author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
+date: 2022/06/15
+modified: 2022/09/09
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: registry_set
@@ -19,6 +22,3 @@ detection:
falsepositives:
- Administrator actions
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
index 582540079..14481ee9a 100644
--- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml
@@ -2,31 +2,31 @@ title: COMPlus_ETWEnabled Registry Modification
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- - https://twitter.com/_xpn_/status/1268712093928378368
- - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- - https://bunnyinside.com/?term=f71e8cb9c76a
- - http://managed670.rssing.com/chan-5590147/all_p1.html
- - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+ - https://twitter.com/_xpn_/status/1268712093928378368
+ - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
+ - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
+ - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
+ - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
+ - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
+ - https://bunnyinside.com/?term=f71e8cb9c76a
+ - http://managed670.rssing.com/chan-5590147/all_p1.html
+ - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/06/05
modified: 2022/03/26
-logsource:
- product: windows
- category: registry_set
-detection:
- selection:
- EventType: SetValue
- TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
- Details: 'DWORD (0x00000000)'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
index 74dd927cd..8d9b52fa7 100644
--- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
+++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml
@@ -1,11 +1,14 @@
title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
-description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
status: experimental
-date: 2022/08/05
-author: Nasreddine Bencherchali
+description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
+author: Nasreddine Bencherchali
+date: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
index c3f66f11a..67414d7d6 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml
@@ -1,15 +1,15 @@
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
-description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
status: experimental
+description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
-date: 2022/07/17
author: frack113
+date: 2022/07/17
tags:
- attack.defense_evasion
- - attack.t1112
+ - attack.t1112
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index 7b1dd6c2c..8a908a175 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -1,15 +1,15 @@
title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
-description: Detect possible persistence using Fax DLL load when service restart
status: experimental
+description: Detect possible persistence using Fax DLL load when service restart
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
-date: 2022/07/17
author: frack113
+date: 2022/07/17
tags:
- attack.defense_evasion
- - attack.t1112
+ - attack.t1112
logsource:
product: windows
category: registry_set
diff --git a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
index 09fff0992..23e016a48 100644
--- a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
+++ b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml
@@ -1,12 +1,14 @@
title: New File Association Using Exefile
id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
+status: experimental
description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
+references:
+ - https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
date: 2021/11/19
modified: 2022/03/26
-status: experimental
-references:
- - https://twitter.com/mrd0x/status/1461041276514623491
+tags:
+ - attack.defense_evasion
logsource:
category: registry_set
product: windows
@@ -19,5 +21,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
index 1837b12e6..831bbfecd 100755
--- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
@@ -2,11 +2,17 @@ title: GlobalFlags Registry Persistence Mechanisms
id: 36803969-5421-41ec-b92f-8500f79c23b0
status: test
description: Detects persistence using GlobalFlags in image file execution options
-author: Karneades, Jonhnathan Ribeiro
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+author: Karneades, Jonhnathan Ribeiro
date: 2018/04/11
modified: 2022/09/07
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1546.012
+ - car.2013-01-002
logsource:
category: registry_set
product: windows
@@ -27,9 +33,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.defense_evasion
- - attack.t1546.012
- - car.2013-01-002
diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
index 1cca25fec..eacc10205 100644
--- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml
@@ -1,12 +1,14 @@
title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
-description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://persistence-info.github.io/Data/wer_debugger.html
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -18,5 +20,3 @@ detection:
falsepositives:
- This value is not set by default but could be rarly used by administrators
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
index f2d1a1811..fe4dba8a2 100644
--- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -1,12 +1,14 @@
title: Persistence Via Hhctrl.ocx
id: f10ed525-97fe-4fed-be7c-2feecca941b1
-description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
references:
- https://persistence-info.github.io/Data/hhctrl.html
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -20,5 +22,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
index 4690ef61e..487ab6ea2 100644
--- a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
+++ b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
@@ -1,14 +1,17 @@
title: Registry Modification to Hidden File Extension
id: 5df86130-4e95-4a54-90f7-26541b40aec2
-description: Hides the file extension through modification of the registry
-author: frack113
-date: 2022/01/22
-modified: 2022/03/26
status: experimental
+description: Hides the file extension through modification of the registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
- https://unit42.paloaltonetworks.com/ransomware-families/
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
+author: frack113
+date: 2022/01/22
+modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1137
logsource:
category: registry_set
product: windows
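Review bot: `attack.persistence` / `attack.t1137` (Office Application Startup) in the moved tag block do not match what the rule detects; the atomic test it references is T1112 (Modify Registry), a Defense Evasion technique, and hiding file extensions is not an Office startup mechanism. Suggest `- attack.defense_evasion` / `- attack.t1112` while the block is being relocated, confirming against the ATT&CK entry.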
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Administrative scripts
level: medium
-tags:
- - attack.persistence
- - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml
index 90602874d..897b88988 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_file.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml
@@ -1,12 +1,15 @@
title: Modification of Explorer Hidden Keys
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
+status: experimental
description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022/04/02
modified: 2022/06/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
+tags:
+ - attack.defense_evasion
+ - attack.t1564.001
logsource:
category: registry_set
product: windows
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1564.001
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index d96729b30..bae6bf817 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -7,6 +7,9 @@ references:
author: frack113
date: 2022/03/18
modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -30,6 +33,3 @@ detection:
falsepositives:
- Legitimate admin script
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
index 7bc8185e4..f6c8144fd 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml
@@ -5,12 +5,17 @@ related:
type: similar
- id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
type: similar
-description: Detects when the "index" value of a scheduled task is modified from the registry. Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
status: experimental
-date: 2022/08/26
-author: Nasreddine Bencherchali
+description: |
+ Detects when the "index" value of a scheduled task is modified from the registry
+ Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
+author: Nasreddine Bencherchali
+date: 2022/08/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562
logsource:
category: registry_set
product: windows
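Review bot: Splitting the description into a `|` block leaves the first line without terminating punctuation and starts the second with the fragment `Which effectively hides it…`. Suggest `Detects when the "index" value of a scheduled task is modified from the registry.` followed by `This effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique).` so each line reads as a full sentence.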
@@ -25,6 +30,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562
diff --git a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
index 6e9968124..62ff81e87 100644
--- a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
@@ -1,12 +1,15 @@
title: Modification of IE Registry Settings
id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
+status: experimental
description: Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
author: frack113
date: 2022/01/22
modified: 2022/03/29
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -31,7 +34,4 @@ detection:
condition: selection_domains and not 1 of filter_*
falsepositives:
- Unknown
-level: low # as unknow false positives
-tags:
- - attack.defense_evasion
- - attack.t1112
+level: low
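Review bot: The rationale `# as unknow false positives` is dropped together with the old `level: low` line instead of being preserved, so the reason the severity is low no longer travels with the rule. Keeping that context helps whoever later tunes the level; suggest a comment line above the new line, `# level kept at low because the false-positive rate is unknown`, followed by `level: low`.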
diff --git a/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml b/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml
index 6f4aa3c76..80f4ae4b0 100644
--- a/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml
@@ -1,14 +1,16 @@
title: Register New IFiltre For Persistence
id: b23818c7-e575-4d13-8012-332075ec0a2b
-description: Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files
references:
- https://persistence-info.github.io/Data/ifilters.html
- https://twitter.com/0gtweet/status/1468548924600459267
- https://github.com/gtworek/PSBits/tree/master/IFilter
- https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
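Review bot: The re-added description keeps a grammar slip and a typo on the new side: `an attacker register` and `exntesion`. Suggest `Detects when an attacker registers a new IFilter for an extension.` as the opening sentence. The title's `IFiltre` on the context line above has the same kind of problem but is outside this change.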
@@ -29,5 +31,3 @@ detection:
falsepositives:
- Legitimate registration of IFilters by the OS or software
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index 8da757bce..23e2569ad 100644
--- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -1,13 +1,16 @@
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
-description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
-author: frack113
-date: 2022/04/04
-modified: 2022/06/26
status: experimental
+description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+author: frack113
+date: 2022/04/04
+modified: 2022/06/26
+tags:
+ - attack.impact
+ - attack.t1490
logsource:
category: registry_set
product: windows
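Review bot: The tags carried to the new position, `attack.impact` and `attack.t1490` (Inhibit System Recovery), do not describe adding root, CA or AuthRoot certificates; the rule's own atomic reference is T1553.004 (Install Root Certificate), a Defense Evasion technique. Since the commit already touches the tag block, suggest `- attack.defense_evasion` / `- attack.t1553.004` in its place, confirming against the ATT&CK entry first.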
@@ -30,6 +33,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.impact
- - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index 24ad1a6f4..dfc7c2b27 100644
--- a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
+++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
@@ -1,24 +1,24 @@
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
-description: |
- Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
- anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
status: experimental
-date: 2022/05/28
+description: |
+ Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
+ anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
- - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
+ - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: SetValue
- TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
- condition: selection
-falsepositives:
- - Unknown
-level: high
+date: 2022/05/28
tags:
- - attack.command_and_control
- - attack.t1105
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
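Review bot: The moved description still hardcodes `C:\Users\redacted\AppData\Local\...` with a placeholder username, and `StandaloneUpdaterreSignInSettingsConfig.json` looks as though it lost a path separator (presumably `StandaloneUpdater\PreSignInSettingsConfig.json`, per the LOLBAS entry the rule references — confirm). Suggest writing the path as `%LOCALAPPDATA%\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json` so it is correct and user-independent, which also helps responders locate the dropped file.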
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml b/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml
index e5f0469d4..55e464bd0 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml
@@ -1,14 +1,16 @@
title: Persistence Via LSA Extensions
id: 41f6531d-af6e-4c6e-918f-b946f2b85a36
+status: experimental
description: |
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
-author: Nasreddine Bencherchali
-date: 2022/07/21
-status: experimental
references:
- https://persistence-info.github.io/Data/lsaaextension.html
- https://twitter.com/0gtweet/status/1476286368385019906
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -20,5 +22,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
index 27e863f79..9c7599907 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
@@ -11,6 +11,10 @@ references:
author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017/11/10
modified: 2022/03/26
+tags:
+ - attack.execution
+ - attack.t1059.005
+ - attack.t1059.007
logsource:
category: registry_set
product: windows
@@ -21,7 +25,3 @@ detection:
Details|startswith: '%AppData%\Roaming\Oracle\bin\'
condition: selection
level: high
-tags:
- - attack.execution
- - attack.t1059.005
- - attack.t1059.007
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
index 9931e5066..320207644 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml
@@ -3,25 +3,25 @@ id: 92b0b372-a939-44ed-a11b-5136cf680e27
related:
- id: c3198a27-23a0-4c2c-af19-e5328d49680e
type: derived
-date: 2020/05/14
-modified: 2022/06/26
status: experimental
description: Attempts to detect system changes made by Blue Mockingbird
references:
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
-logsource:
- product: windows
- category: registry_set
-detection:
- selection:
- EventType: Setvalue
- TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
- condition: selection
-falsepositives:
- - Unknown
-level: high
+date: 2020/05/14
+modified: 2022/06/26
tags:
- attack.execution
- attack.t1112
- - attack.t1047
\ No newline at end of file
+ - attack.t1047
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
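Review bot: `EventType: Setvalue` on the moved selection line keeps a lower-case "v", while the other registry_set rules in this commit write `EventType: SetValue` (registry_set_office_enable_dde.yml, registry_set_office_vsto_persistence.yml, registry_set_outlook_c2_registry_key.yml); the same spelling is carried over in registry_set_new_application_appcompat.yml. Most Sigma backends compare values case-insensitively, so this is probably harmless today, but a backend or pipeline doing exact matching would make the rule silently never fire. Since the block is being relocated anyway, normalising it to `EventType: SetValue` in both files costs nothing.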
diff --git a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
index 07e929f64..a94aa9444 100644
--- a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
@@ -1,12 +1,14 @@
title: Persistence Via Mpnotify
id: 92772523-d9c1-4c93-9547-b0ca500baba3
-description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
- https://persistence-info.github.io/Data/mpnotify.html
- https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
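Review bot: The description moved here, `description: Detects when an attacker register a new SIP provider for persistence and defense evasion`, does not match the rule title "Persistence Via Mpnotify" or the mpnotify.html reference; it reads like a copy-paste from a SIP-provider rule, and the falsepositives entry in the next hunk carries the same SIP wording. If the detection block (outside this hunk) targets the Winlogon "mpnotify" value as the title suggests, the description should say so, e.g. `description: Detects modification of the Winlogon "mpnotify" value, which can be abused to load a custom binary for persistence`, and the falsepositives text should be aligned with it. Please confirm against the selection, which is not visible in this hunk.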
@@ -18,6 +20,3 @@ detection:
falsepositives:
- Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
level: high
-tags:
- - attack.persistence
-
diff --git a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
index a15053708..742342140 100644
--- a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml
@@ -2,25 +2,25 @@ title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- - https://github.com/OTRF/detection-hackathon-apt29/issues/1
- - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/1
+ - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
modified: 2022/06/26
-logsource:
- product: windows
- category: registry_set
-detection:
- selection:
- EventType: Setvalue
- TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
- condition: selection
-falsepositives:
- - This rule is to explore new applications on an endpoint. False positives depends on the organization.
- - Newly setup system.
- - Legitimate installation of new application.
-level: informational
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
+ condition: selection
+falsepositives:
+ - This rule is to explore new applications on an endpoint. False positives depends on the organization.
+ - Newly setup system.
+ - Legitimate installation of new application.
+level: informational
diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
index b356a4de5..ad7d6be77 100644
--- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
+++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml
@@ -3,14 +3,17 @@ id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
- id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
type: similar
-description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
-author: Nasreddine Bencherchali
-date: 2022/08/23
-modified: 2022/09/18
status: experimental
+description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
+author: Nasreddine Bencherchali
+date: 2022/08/23
+modified: 2022/09/18
+tags:
+ - attack.credential_access
+ - attack.t1003
logsource:
category: registry_set
product: windows
@@ -32,6 +35,3 @@ detection:
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
-tags:
- - attack.credential_access
- - attack.t1003
diff --git a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
index ddc1c6bf9..faa02b90f 100644
--- a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
@@ -1,12 +1,15 @@
title: Enable Microsoft Dynamic Data Exchange
id: 63647769-326d-4dde-a419-b925cc0caf42
+status: experimental
description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
+references:
+ - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
author: frack113
date: 2022/02/26
modified: 2022/03/26
-status: experimental
-references:
- - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
+tags:
+ - attack.execution
+ - attack.t1559.002
logsource:
category: registry_set
product: windows
@@ -14,7 +17,7 @@ detection:
selection_word:
EventType: SetValue
TargetObject|endswith: '\Word\Security\AllowDDE'
- Details:
+ Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000002)'
selection_excel:
@@ -27,6 +30,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.execution
- - attack.t1559.002
diff --git a/rules/windows/registry/registry_set/registry_set_office_security.yml b/rules/windows/registry/registry_set/registry_set_office_security.yml
index fe5e28dba..b54ec0047 100644
--- a/rules/windows/registry/registry_set/registry_set_office_security.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_security.yml
@@ -2,13 +2,16 @@ title: Office Security Settings Changed
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
status: experimental
description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
-author: Trent Liffick (@tliffick)
-date: 2020/05/22
-modified: 2022/06/26
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
+author: Trent Liffick (@tliffick)
+date: 2020/05/22
+modified: 2022/06/26
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Valid Macros and/or internal documents
level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
index d3c9a0508..5c9e48ff6 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
@@ -8,6 +8,9 @@ references:
author: Bhabesh Raj
date: 2021/01/10
modified: 2022/06/10
+tags:
+ - attack.t1137.006
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -15,11 +18,11 @@ detection:
selection:
EventType: SetValue
TargetObject|contains:
- - '\Software\Microsoft\Office\Outlook\Addins\'
- - '\Software\Microsoft\Office\Word\Addins\'
- - '\Software\Microsoft\Office\Excel\Addins\'
- - '\Software\Microsoft\Office\Powerpoint\Addins\'
- - '\Software\Microsoft\VSTO\Security\Inclusion\'
+ - '\Software\Microsoft\Office\Outlook\Addins\'
+ - '\Software\Microsoft\Office\Word\Addins\'
+ - '\Software\Microsoft\Office\Excel\Addins\'
+ - '\Software\Microsoft\Office\Powerpoint\Addins\'
+ - '\Software\Microsoft\VSTO\Security\Inclusion\'
filter_image:
Image|endswith:
- '\msiexec.exe'
@@ -35,8 +38,5 @@ detection:
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
condition: selection and not 1 of filter_*
falsepositives:
- - Legitimate Addin Installation
+ - Legitimate Addin Installation
level: medium
-tags:
- - attack.t1137.006
- - attack.persistence
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml b/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml
index b4be180c9..bf17b61cb 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml
@@ -7,21 +7,21 @@ references:
author: '@ScoubiMtl'
date: 2021/04/05
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
logsource:
category: registry_set
product: windows
detection:
selection_registry:
- EventType: SetValue
+ EventType: SetValue
TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level'
Details|contains: '0x00000001'
condition: selection_registry
falsepositives:
- Unlikely
level: medium
-tags:
- - attack.persistence
- - attack.command_and_control
- - attack.t1137
- - attack.t1008
- - attack.t1546
\ No newline at end of file
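Review bot: `TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level'` is an exact match pinned to the Office 16.0 key, so the same Level change under any other Office version key is not detected. If that restriction is not deliberate, `TargetObject|endswith: '\Outlook\Security\Level'` generalises the rule without loosening the `Details|contains: '0x00000001'` check. Worth a one-line comment either way so the next reader knows whether 16.0 was chosen on purpose.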
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
index 0d9630a45..e153b7de0 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
@@ -1,37 +1,37 @@
title: Persistent Outlook Landing Pages
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
-description: Detects the manipulation of persistent URLs which could execute malicious code
status: experimental
+description: Detects the manipulation of persistent URLs which could execute malicious code
references:
- - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
author: Tobias Michalski
date: 2021/06/10
modified: 2022/06/26
-logsource:
- product: windows
- category: registry_set
-detection:
- selection1:
- EventType: SetValue
- TargetObject|contains:
- - 'Software\Microsoft\Office\'
- - '\Outlook\Today\'
- selectionStamp:
- TargetObject|endswith: 'Stamp'
- Details: 'DWORD (0x00000001)'
- selectionUserDefined:
- TargetObject|endswith: 'UserDefinedUrl'
- filter_office:
- Image|startswith:
- - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
- Image|endswith: '\OfficeClickToRun.exe'
- condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_*
-fields:
- - Details
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1112
\ No newline at end of file
+ - attack.persistence
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection1:
+ EventType: SetValue
+ TargetObject|contains:
+ - 'Software\Microsoft\Office\'
+ - '\Outlook\Today\'
+ selectionStamp:
+ TargetObject|endswith: 'Stamp'
+ Details: 'DWORD (0x00000001)'
+ selectionUserDefined:
+ TargetObject|endswith: 'UserDefinedUrl'
+ filter_office:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+ Image|endswith: '\OfficeClickToRun.exe'
+ condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_*
+fields:
+ - Details
+falsepositives:
+ - Unknown
+level: high
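Review bot: The two-item list under `TargetObject|contains:` in selection1 is OR'ed by Sigma, so the rule matches any key path containing 'Software\Microsoft\Office\' whether or not it is under '\Outlook\Today\' (and vice versa); combined with selectionStamp, any Office registry value ending in "Stamp" set to DWORD 1 would fire. The intent looks like a conjunction, which is spelled `TargetObject|contains|all:`. The same list shape appears in selection_1 of registry_set_outlook_registry_webview.yml and deserves the same fix.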
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
index 3b9382b7a..7674417cc 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml
@@ -1,33 +1,33 @@
title: Persistent Outlook Landing Pages
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
-description: Detects the manipulation of persistent URLs which can be malicious
status: experimental
+description: Detects the manipulation of persistent URLs which can be malicious
references:
- - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
- - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
+ - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
+ - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
author: Tobias Michalski
date: 2021/06/09
modified: 2022/06/26
-logsource:
- product: windows
- category: registry_set
-detection:
- selection_1:
- EventType: SetValue
- TargetObject|contains:
- - '\Software\Microsoft\Office\'
- - '\Outlook\WebView\'
- TargetObject|endswith: '\URL'
- selection_2:
- TargetObject|contains:
- - '\Calendar\'
- - '\Inbox\'
- condition: all of selection_*
-fields:
- - Details
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1112
\ No newline at end of file
+ - attack.persistence
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection_1:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\Software\Microsoft\Office\'
+ - '\Outlook\WebView\'
+ TargetObject|endswith: '\URL'
+ selection_2:
+ TargetObject|contains:
+ - '\Calendar\'
+ - '\Inbox\'
+ condition: all of selection_*
+fields:
+ - Details
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_security.yml b/rules/windows/registry/registry_set/registry_set_outlook_security.yml
index ce4094cdb..4dcb31de2 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_security.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_security.yml
@@ -1,13 +1,16 @@
title: Change Outlook Security Setting in Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
-description: Change outlook email security settings
-author: frack113
-date: 2021/12/28
-modified: 2022/03/26
status: experimental
+description: Change outlook email security settings
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
- https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
+author: frack113
+date: 2021/12/28
+modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1137
logsource:
category: registry_set
product: windows
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Administrative scripts
level: medium
-tags:
- - attack.persistence
- - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
index 5a6c841ae..6acc5562a 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml
@@ -7,15 +7,18 @@ references:
- https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022/07/27
+tags:
+ - attack.persistence
+ - attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
- selection_debug:
+ selection_debug:
EventType: SetValue
TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
TargetObject|endswith: '\DebugPath'
- selection_default:
+ selection_default:
EventType: SetValue
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
TargetObject|endswith: '\(Default)'
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
index ecaac87d7..5c4e72d43 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
@@ -1,12 +1,14 @@
title: Persistence Via AutodialDLL
id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3
-description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
status: experimental
-author: Nasreddine Bencherchali
-date: 2022/08/10
+description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library
references:
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://persistence-info.github.io/Data/autodialdll.html
+author: Nasreddine Bencherchali
+date: 2022/08/10
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
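Review bot: The description moved to the new side contains a doubled word and a missing article: "Detects change the the "AutodialDLL" key ... to load custom DLL". Suggested wording: `description: Detects a change to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library`.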
@@ -18,5 +20,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml
index b68f4b1eb..a8cae2014 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml
@@ -7,6 +7,9 @@ references:
author: Nasreddine Bencherchali
date: 2022/07/28
modified: 2022/09/13
+tags:
+ - attack.persistence
+ - attack.t1546.015
logsource:
category: registry_set
product: windows
@@ -36,6 +39,3 @@ detection:
falsepositives:
- Probable legitimate applications. If you find these please add them to an exclusion list
level: high
-tags:
- - attack.persistence
- - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
index 4836d2feb..5e1fc84ff 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
@@ -1,11 +1,13 @@
title: Persistence Via MyComputer Key and SubKeys
id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
-description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
status: experimental
-author: Nasreddine Bencherchali
-date: 2022/08/09
+description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
references:
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
+author: Nasreddine Bencherchali
+date: 2022/08/09
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -18,5 +20,3 @@ detection:
falsepositives:
- Unlikely but if you experience FPs add specific processes and locations you would like to monitor for
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index dce4cc2a3..ea12562cf 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -8,6 +8,9 @@ references:
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
modified: 2022/09/20
+tags:
+ - attack.persistence
+ - attack.t1546.015
logsource:
category: registry_set
product: windows
@@ -88,6 +91,3 @@ detection:
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
level: medium
-tags:
- - attack.persistence
- - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
index ffa22e52a..e96278cab 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml
@@ -1,12 +1,14 @@
title: Persistence Via TypedPaths
id: 086ae989-9ca6-4fe7-895a-759c5544f247
-description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
status: experimental
-author: Nasreddine Bencherchali
-date: 2022/08/22
+description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
references:
- https://twitter.com/dez_/status/1560101453150257154
- https://forensafe.com/blogs/typedpaths.html
+author: Nasreddine Bencherchali
+date: 2022/08/22
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
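Review bot: The relocated description reads "Detects modification addition to the 'TypedPaths' key ... Which might indicate persistence attempt", which is hard to parse. Suggested wording: `description: Detects a modification or addition to the 'TypedPaths' key in the user or admin registry hive by a non-standard application, which might indicate a persistence attempt`.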
@@ -22,5 +24,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
index 12b416168..637f46cb2 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml
@@ -2,11 +2,13 @@ title: Modify Attachment Manager Settings - Associations
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: experimental
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
-author: Nasreddine Bencherchali
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
+author: Nasreddine Bencherchali
date: 2022/08/01
+tags:
+ - attack.defense_evasion
logsource:
category: registry_set
product: windows
@@ -34,5 +36,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
index 244958054..d55e60452 100644
--- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml
@@ -2,11 +2,13 @@ title: Modify Attachment Manager Settings - Attachments
id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
status: experimental
description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
-author: Nasreddine Bencherchali
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
+author: Nasreddine Bencherchali
date: 2022/08/01
+tags:
+ - attack.defense_evasion
logsource:
category: registry_set
product: windows
@@ -27,5 +29,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
index f3c05aed5..f23087434 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml
@@ -1,12 +1,15 @@
title: PowerShell as a Service in Registry
id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
-description: Detects that a powershell code is written to the registry as a service.
status: experimental
+description: Detects that a powershell code is written to the registry as a service.
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020/10/06
modified: 2022/03/26
-references:
- - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
logsource:
category: registry_set
product: windows
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
index d68048b45..17dc150ed 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml
@@ -7,6 +7,9 @@ references:
author: frack113, Florian Roth
date: 2022/03/17
modified: 2022/10/06
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -30,6 +33,3 @@ detection:
falsepositives:
- Legitimate admin or third party scripts
level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
index 3d3148d0f..15582a589 100644
--- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml
@@ -1,12 +1,15 @@
title: PowerShell Logging Disabled
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
+status: experimental
description: Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022/04/02
modified: 2022/06/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
+tags:
+ - attack.defense_evasion
+ - attack.t1564.001
logsource:
category: registry_set
product: windows
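Review bot: The tag `attack.t1564.001` moved into this hunk maps to Hide Artifacts: Hidden Files and Directories, which does not describe disabling PowerShell module, script block or transcription logging; T1562.002 (Impair Defenses: Disable Windows Event Logging) or the generic T1112 (Modify Registry) fits the description better. The commit only relocates tags, so this may be out of scope, but since the block is touched the change is a single line: `- attack.t1562.002`.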
@@ -23,6 +26,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1564.001
diff --git a/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml
index e3bf63b89..dccdbd3b7 100644
--- a/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml
+++ b/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml
@@ -1,11 +1,11 @@
title: Newly Registered Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
-description: Detects when a new custom protocole handler is registered
status: experimental
-date: 2022/05/30
-author: Nasreddine Bencherchali
+description: Detects when a new custom protocole handler is registered
references:
- https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
+author: Nasreddine Bencherchali
+date: 2022/05/30
tags:
- attack.defense_evasion
- attack.t1112
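Review bot: The relocated description line has a typo: "protocole handler" should read "protocol handler", i.e. `description: Detects when a new custom protocol handler is registered`.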
diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
index a32ab7cc3..6563c590e 100644
--- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml
@@ -9,8 +9,11 @@ status: experimental
description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
references:
- Internal Research
-date: 2022/08/24
author: Nasreddine Bencherchali
+date: 2022/08/24
+tags:
+ - attack.resource_development
+ - attack.t1588.002
logsource:
product: windows
category: registry_set
@@ -49,6 +52,3 @@ detection:
falsepositives:
- Unlikely
level: high
-tags:
- - attack.resource_development
- - attack.t1588.002
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 83eb3a245..ee1ff1de0 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -1,14 +1,17 @@
title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
-description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
status: experimental
-date: 2022/05/04
-modified: 2022/05/04
-author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
references:
- https://twitter.com/VakninHai/status/1517027824984547329
- https://twitter.com/pabraeken/status/998627081360695297
- https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
+author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+date: 2022/05/04
+modified: 2022/05/04
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
logsource:
product: windows
category: registry_set
@@ -20,13 +23,10 @@ detection:
TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
Details|endswith: '.scr'
filter:
- Details|contains:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
+ Details|contains:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
condition: selection and registry and not filter
falsepositives:
- Legitimate use of screen saver
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218.011
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml b/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml
index 71ba74583..b169d151a 100644
--- a/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml
@@ -1,11 +1,14 @@
title: Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
-description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
-author: frack113
-date: 2022/08/20
status: experimental
+description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
+author: frack113
+date: 2022/08/20
+tags:
+ - attack.persistence
+ - attack.t1546.015
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate use of the dll.
level: medium
-tags:
- - attack.persistence
- - attack.t1546.015
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
index 5ce063496..073a94c69 100644
--- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
+++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml
@@ -1,13 +1,17 @@
title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
-description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
-author: frack113
-date: 2022/02/04
-modified: 2022/09/20
status: experimental
+description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
+author: frack113
+date: 2022/02/04
+modified: 2022/09/20
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1543.003
logsource:
category: registry_set
product: windows
@@ -29,7 +33,3 @@ falsepositives:
- Administrative scripts
- Installation of a service
level: medium
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1543.003
diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
index 59f340799..ea6679173 100644
--- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml
@@ -7,6 +7,9 @@ references:
author: frack113
date: 2022/03/18
modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -29,6 +32,3 @@ detection:
falsepositives:
- Legitimate admin script
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml b/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml
index bcb530f08..25dc6febc 100644
--- a/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml
@@ -1,15 +1,18 @@
title: Registry Key Creation or Modification for Shim DataBase
id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
+status: experimental
description: |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
-author: frack113
-date: 2021/12/30
-modified: 2022/03/26
-status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+author: frack113
+date: 2021/12/30
+modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1546.011
logsource:
category: registry_set
product: windows
@@ -25,6 +28,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1546.011
diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
index 8d398a926..19f3c96d0 100644
--- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
+++ b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
@@ -1,13 +1,16 @@
title: SilentProcessExit Monitor Registration
id: c81fe886-cac0-4913-a511-2822d72ff505
-description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
status: experimental
-author: Florian Roth
+description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
references:
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+author: Florian Roth
date: 2021/02/26
modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1546.012
logsource:
category: registry_set
product: windows
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1546.012
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
index 3af8eef6b..37986564d 100644
--- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
@@ -1,14 +1,18 @@
title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
-description: Detects when an attacker register a new SIP provider for persistence and defense evasion
-author: Nasreddine Bencherchali
-date: 2022/07/21
-modified: 2022/09/21
status: experimental
+description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
- https://persistence-info.github.io/Data/codesigning.html
- https://github.com/gtworek/PSBits/tree/master/SIP
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
+author: Nasreddine Bencherchali
+date: 2022/07/21
+modified: 2022/09/21
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1553.003
logsource:
category: registry_set
product: windows
@@ -37,7 +41,3 @@ detection:
falsepositives:
- Legitimate SIP being registered by the OS or different software.
level: medium
-tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.t1553.003
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
index cc87fa1ba..94507a655 100644
--- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
@@ -1,11 +1,14 @@
title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
-description: Detects tamper attempts to sophos av functionality via registry key modification
-author: Nasreddine Bencherchali
-date: 2022/09/02
status: experimental
+description: Detects tamper attempts to sophos av functionality via registry key modification
references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
+author: Nasreddine Bencherchali
+date: 2022/09/02
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
category: registry_set
product: windows
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
index ad1d7f9b1..3af8edd81 100644
--- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
@@ -1,11 +1,14 @@
title: Hide User Account Via Special Accounts Reg Key
id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
-description: Detects when an attacker set the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" to "0" in order to hide user account.
-author: Nasreddine Bencherchali
-date: 2022/07/12
status: experimental
+description: Detects when an attacker set the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" to "0" in order to hide user account.
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+author: Nasreddine Bencherchali
+date: 2022/07/12
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.002
diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
index 6c539be1f..46292cf7c 100644
--- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -1,11 +1,14 @@
title: Disable Windows Security Center Notifications
id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
-description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
-author: frack113
-date: 2022/08/19
status: experimental
+description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml
index 58cc3cf87..8e16b0203 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml
@@ -1,17 +1,20 @@
title: Suspicious Values In App Paths Default Property
id: 707e097c-e20f-4f67-8807-1f72ff4500d6
+status: experimental
description: |
Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence
The entries found under App Paths are used primarily for the following purposes.
First, to map an application's executable file name to that file's fully qualified path.
Second, to pre-pend information to the PATH environment variable on a per-application, per-process basis.
-status: experimental
-author: Nasreddine Bencherchali
references:
- https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN
+author: Nasreddine Bencherchali
date: 2022/08/10
modified: 2022/09/13
+tags:
+ - attack.persistence
+ - attack.t1546.012
logsource:
category: registry_set
product: windows
@@ -46,6 +49,3 @@ detection:
falsepositives:
- Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)
level: high
-tags:
- - attack.persistence
- - attack.t1546.012
diff --git a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
index 99b08e747..276bafc8b 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
@@ -2,30 +2,30 @@ title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
status: test
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
-author: Florian Roth
references:
- - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
+ - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
+ - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
+author: Florian Roth
date: 2019/10/12
modified: 2022/03/26
-logsource:
- category: registry_set
- product: windows
- definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
-detection:
- selection_registry:
- EventType: SetValue
- TargetObject|contains:
- - '\Keyboard Layout\Preload\'
- - '\Keyboard Layout\Substitutes\'
- Details|contains:
- - 00000429 # Persian (Iran)
- - 00050429 # Persian (Iran)
- - 0000042a # Vietnamese
- condition: selection_registry
-falsepositives:
- - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
-level: medium
tags:
- - attack.resource_development
- - attack.t1588.002
+ - attack.resource_development
+ - attack.t1588.002
+logsource:
+ category: registry_set
+ product: windows
+ definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
+detection:
+ selection_registry:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\Keyboard Layout\Preload\'
+ - '\Keyboard Layout\Substitutes\'
+ Details|contains:
+ - 00000429 # Persian (Iran)
+ - 00050429 # Persian (Iran)
+ - 0000042a # Vietnamese
+ condition: selection_registry
+falsepositives:
+ - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
+level: medium
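Review bot: The keyboard layout identifiers under `Details|contains:` are unquoted plain scalars, and how a loader types `00000429` and `00050429` depends on its schema — a YAML 1.2 core-schema loader reads `00000429` as the integer 429 and drops the leading zeros, while PyYAML keeps it a string only because the digit 9 keeps it out of the 1.1 octal pattern — so the rule's match values are parser-dependent. Quote them like the other string values in the file, `- '00000429' # Persian (Iran)`, `- '00050429' # Persian (Iran)`, `- '0000042a' # Vietnamese`. The moved `definition:` line also refers to "HKLU hives", which is not a Windows hive name; the reference URL above points at HKEY_CURRENT_USER, so HKCU is presumably meant and could be corrected in the same move.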
diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
index 691ef5e8c..2860f1e97 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml
@@ -2,32 +2,32 @@ title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: test
description: Detects a suspicious printer driver installation with an empty Manufacturer value
-author: Florian Roth
references:
- - https://twitter.com/SBousseaden/status/1410545674773467140
+ - https://twitter.com/SBousseaden/status/1410545674773467140
+author: Florian Roth
date: 2020/07/01
modified: 2022/09/21
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: SetValue
- TargetObject|contains|all:
- - '\Control\Print\Environments\Windows x64\Drivers'
- - '\Manufacturer'
- Details: '(Empty)'
- filter_cutepdf:
- TargetObject|contains: '\CutePDF Writer v4.0\'
- filter_vnc:
- TargetObject|contains:
- - '\VNC Printer (PS)\'
- - '\VNC Printer (UD)\'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
-level: high
tags:
- - attack.privilege_escalation
- - attack.t1574
- - cve.2021.1675
+ - attack.privilege_escalation
+ - attack.t1574
+ - cve.2021.1675
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains|all:
+ - '\Control\Print\Environments\Windows x64\Drivers'
+ - '\Manufacturer'
+ Details: '(Empty)'
+ filter_cutepdf:
+ TargetObject|contains: '\CutePDF Writer v4.0\'
+ filter_vnc:
+ TargetObject|contains:
+ - '\VNC Printer (PS)\'
+ - '\VNC Printer (UD)\'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index 79344ac32..a288c972d 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -2,35 +2,35 @@ title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth, oscd.community
references:
- - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
+ - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
+author: Florian Roth, oscd.community
date: 2018/07/18
modified: 2022/03/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: SetValue
- TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- selection2:
- - Details|startswith:
- - 'C:\Windows\Temp\'
- - 'C:\ProgramData\'
- - 'C:\$Recycle.bin\'
- - 'C:\Temp\'
- - 'C:\Users\Public\'
- - 'C:\Users\Default\'
- - Details|contains:
- - '\AppData\'
- condition: selection and selection2
-fields:
- - Image
- - ParentImage
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1547.001
+ - attack.persistence
+ - attack.t1547.001
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ selection2:
+ - Details|startswith:
+ - 'C:\Windows\Temp\'
+ - 'C:\ProgramData\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - Details|contains:
+ - '\AppData\'
+ condition: selection and selection2
+fields:
+ - Image
+ - ParentImage
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index ede76c2ee..9cad28208 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
@@ -7,6 +7,9 @@ references:
author: Florian Roth, Markus Neis, Sander Wiebing
date: 2018/08/25
modified: 2022/09/13
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
@@ -37,6 +40,3 @@ fields:
falsepositives:
- Software using weird folders for updates
level: high
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
index b1eb7f852..b1ac2de91 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
@@ -1,33 +1,35 @@
title: Suspicious Service Installed
id: f2485272-a156-4773-82d7-1d178bc4905b
status: test
-description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
+description: |
+ Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
+ Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
references:
- - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+ - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2022/03/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection_1:
- EventType: SetValue
- TargetObject:
- - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
- - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
- selection_2:
- Image|endswith:
- - '\procexp64.exe'
- - '\procexp.exe'
- - '\procmon64.exe'
- - '\procmon.exe'
- selection_3:
- Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
- condition: selection_1 and not selection_2 and not selection_3
-falsepositives:
- - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
-level: medium
tags:
- - attack.t1562.001
- - attack.defense_evasion
+ - attack.t1562.001
+ - attack.defense_evasion
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection_1:
+ EventType: SetValue
+ TargetObject:
+ - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
+ - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
+ selection_2:
+ Image|endswith:
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ selection_3:
+ Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
+ condition: selection_1 and not selection_2 and not selection_3
+falsepositives:
+ - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
+level: medium
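Review bot: The `falsepositives:` entry moved onto the new side keeps two wording errors, "legimate" and "this service names"; suggest `- Other legitimate tools using these service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.` The detection logic itself is only relocated, so no other change is needed in this hunk.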
diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
index e3220eb05..ea77413a4 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml
@@ -1,11 +1,15 @@
title: Modify User Shell Folders Startup Value
id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
-description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
status: experimental
-date: 2022/10/01
-author: frack113
+description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
+author: frack113
+date: 2022/10/01
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1547.001
logsource:
product: windows
category: registry_set
@@ -19,7 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
index 2813c718e..bc0be2442 100644
--- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
+++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml
@@ -1,56 +1,56 @@
title: Scheduled TaskCache Change by Uncommon Program
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
-description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
status: experimental
+description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://labs.f-secure.com/blog/scheduled-task-tampering/
+author: Syed Hasan (@syedhasan009)
date: 2021/06/18
modified: 2022/10/21
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://labs.f-secure.com/blog/scheduled-task-tampering/
-author: Syed Hasan (@syedhasan009)
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: SetValue
- TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
- filter:
- TargetObject|contains:
- - 'Microsoft\Windows\UpdateOrchestrator'
- - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
- - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
- filter_tiworker:
- Image|startswith: 'C:\Windows\'
- Image|endswith: '\TiWorker.exe'
- filter_svchost:
- Image: 'C:\WINDOWS\system32\svchost.exe'
- filter_ngen:
- Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
- Image|endswith: '\ngen.exe'
- TargetObject|contains:
- - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
- - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
- filter_office_click_to_run:
- Image:
- - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
- - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
- filter_msiexec:
- Image: 'C:\Windows\System32\msiexec.exe'
- filter_dropbox_updater:
- Image:
- - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
- - 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
- filter_explorer:
- Image: 'C:\Windows\explorer.exe'
- TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
- filter_system:
- Image: 'System'
- condition: selection and not 1 of filter*
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.t1053
- - attack.t1053.005
+ - attack.persistence
+ - attack.t1053
+ - attack.t1053.005
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
+ filter:
+ TargetObject|contains:
+ - 'Microsoft\Windows\UpdateOrchestrator'
+ - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
+ - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
+ filter_tiworker:
+ Image|startswith: 'C:\Windows\'
+ Image|endswith: '\TiWorker.exe'
+ filter_svchost:
+ Image: 'C:\WINDOWS\system32\svchost.exe'
+ filter_ngen:
+ Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
+ Image|endswith: '\ngen.exe'
+ TargetObject|contains:
+ - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
+ - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
+ filter_office_click_to_run:
+ Image:
+ - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
+ - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
+ filter_msiexec:
+ Image: 'C:\Windows\System32\msiexec.exe'
+ filter_dropbox_updater:
+ Image:
+ - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
+ - 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
+ filter_explorer:
+ Image: 'C:\Windows\explorer.exe'
+ TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
+ filter_system:
+ Image: 'System'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index 25cfce045..dfc509f1a 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -2,30 +2,30 @@ title: Registry Persistence Mechanism via Windows Telemetry
id: 73a883d0-0348-4be4-a8d8-51031c2564f8
status: test
description: Detects persistence method using windows telemetry
-author: Lednyov Alexey, oscd.community
references:
- - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+ - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
+author: Lednyov Alexey, oscd.community
date: 2020/10/16
modified: 2022/03/26
-logsource:
- category: registry_set
- product: windows
- definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
-detection:
- selection:
- EventType: SetValue
- TargetObject|contains|all:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
- - '\Command'
- Details|contains: '.exe'
- filter:
- Details|contains:
- - '\system32\CompatTelRunner.exe'
- - '\system32\DeviceCensus.exe'
- condition: selection and not filter
-falsepositives:
- - Unknown
-level: critical
tags:
- - attack.persistence
- - attack.t1053.005
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ category: registry_set
+ product: windows
+ definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
+ - '\Command'
+ Details|contains: '.exe'
+ filter:
+ Details|contains:
+ - '\system32\CompatTelRunner.exe'
+ - '\system32\DeviceCensus.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
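Review bot: The relocated `definition:` line says the Sysmon config must monitor the TelemetryController subkey "of the HKLU hives"; HKLU is not a Windows hive name, and the `\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\` path matched by the selection is normally a machine-wide key, so HKLM is probably intended — worth confirming with the author and fixing in the moved line. The detection block itself is unchanged apart from its position.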
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
index 8d8c3eb24..7e45c4761 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml
@@ -5,7 +5,6 @@ related:
type: similar
status: test
description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
@@ -14,7 +13,12 @@ references:
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
+author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022/09/29
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -29,7 +33,3 @@ detection:
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: medium
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
index f14fc77fe..a7bc5b6ca 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -9,7 +9,6 @@ related:
type: similar
status: test
description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
-author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
references:
- https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
@@ -18,8 +17,13 @@ references:
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
+author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022/08/06
modified: 2022/09/29
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -57,7 +61,3 @@ detection:
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high
-tags:
- - attack.defense_evasion
- - attack.persistence
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
index bae0d5932..0db4e4be1 100644
--- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
+++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml
@@ -2,11 +2,17 @@ title: Set TimeProviders DllName
id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
status: experimental
description: |
- Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
-author: frack113
-date: 2022/06/19
+ Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
+ Adversaries may abuse time providers to execute DLLs when the system boots.
+ The Windows Time service (W32Time) enables time synchronization across and within domains.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
+author: frack113
+date: 2022/06/19
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1547.003
logsource:
category: registry_set
product: windows
@@ -21,7 +27,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1547.003
diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
index 6b453e15e..a7ec76dc0 100644
--- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
@@ -1,12 +1,15 @@
title: COM Hijacking via TreatAs
id: dc5c24af-6995-49b2-86eb-a9ff62199e82
-description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
-author: frack113
-date: 2022/08/28
status: experimental
+description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
- https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
+author: frack113
+date: 2022/08/28
+tags:
+ - attack.persistence
+ - attack.t1546.015
logsource:
category: registry_set
product: windows
@@ -28,6 +31,3 @@ detection:
falsepositives:
- Legitimate use
level: medium
-tags:
- - attack.persistence
- - attack.t1546.015
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
index a8577c8f6..fab13cd6c 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml
@@ -8,6 +8,11 @@ references:
author: Florian Roth
date: 2017/03/19
modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - car.2019-04-001
logsource:
product: windows
category: registry_set
@@ -19,8 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
- - car.2019-04-001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index 8c09aacb7..23c3d9908 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -8,23 +8,23 @@ references:
author: Omer Yampel, Christian Burkard
date: 2017/03/17
modified: 2022/06/26
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - car.2019-04-001
logsource:
category: registry_set
product: windows
detection:
selection1:
- EventType: SetValue
+ EventType: SetValue
TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
selection2:
- EventType: SetValue
+ EventType: SetValue
TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
Details|contains: '-1???\Software\Classes\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
- - car.2019-04-001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
index 120ef0e9b..42cf141ec 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml
@@ -1,12 +1,16 @@
title: UAC Bypass Abusing Winsat Path Parsing - Registry
id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
+status: experimental
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
+references:
+ - https://github.com/hfiref0x/UACME
author: Christian Burkard
date: 2021/08/30
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
logsource:
category: registry_set
product: windows
@@ -21,7 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
index 3aab4807b..e51352027 100644
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml
@@ -1,12 +1,16 @@
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
+status: experimental
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
+references:
+ - https://github.com/hfiref0x/UACME
author: Christian Burkard
date: 2021/08/23
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/hfiref0x/UACME
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
logsource:
category: registry_set
product: windows
@@ -19,7 +23,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
index 935988c83..5d8312511 100644
--- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml
@@ -1,18 +1,21 @@
title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
-description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
status: experimental
-date: 2021/03/05
-modified: 2022/09/19
-author: Florian Roth
+description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+modified: 2022/09/19
+tags:
+ - attack.persistence
+ - attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection:
- EventType: SetValue
+ EventType: SetValue
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
Details|contains:
- 'vbscript:'
@@ -22,7 +25,7 @@ detection:
- 'Execute('
- 'CreateObject'
- 'window.close'
- filter:
+ filter:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
filter_dotnet:
Image|endswith: '\msiexec.exe'
@@ -36,6 +39,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
index 3ad28b0d2..d2a31655f 100644
--- a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml
@@ -1,14 +1,17 @@
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
-description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
status: experimental
+description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+author: oscd.community, Natalia Shornikova
date: 2020/10/13
modified: 2022/03/26
-author: oscd.community, Natalia Shornikova
+tags:
+ - attack.defense_evasion
+ - attack.t1218
logsource:
category: registry_set
product: windows
@@ -22,6 +25,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
index b04bafc12..d404c2c77 100644
--- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml
@@ -1,13 +1,16 @@
title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
-description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
status: experimental
-date: 2019/09/12
-modified: 2022/03/26
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2019/09/12
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1112
logsource:
category: registry_set
product: windows
@@ -15,11 +18,8 @@ detection:
selection:
EventType: SetValue
TargetObject|endswith: 'WDigest\UseLogonCredential'
- Details: DWORD (0x00000001)
+ Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index d0a413eb6..887e5ad1a 100644
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -5,15 +5,18 @@ related:
type: obsoletes
- id: fd115e64-97c7-491f-951c-fc8da7e042fa
type: obsoletes
+status: experimental
description: Detects when attackers or tools disable Windows Defender functionalities via the windows registry
-date: 2022/08/01
-author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
-status: experimental
+author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali
+date: 2022/08/01
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
logsource:
product: windows
category: registry_set
@@ -43,6 +46,3 @@ detection:
falsepositives:
- Administrator actions
level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
index 4fb70441a..a8276ee81 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -1,11 +1,16 @@
title: Winlogon AllowMultipleTSSessions Enable
id: f7997770-92c3-4ec9-b112-774c4ef96f96
-description: Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
-author: Nasreddine Bencherchali
-date: 2022/09/09
status: experimental
+description: |
+ Detects when the 'AllowMultipleTSSessions' value is enabled.
+ Which allows for multiple Remote Desktop connection sessions to be opened at once.
+ This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
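Review bot: The rewritten description on the added lines reads as fragments — `Which allows for multiple Remote Desktop connection sessions to be opened at once.` has no subject, and `by attacker as a way` should be `by attackers`; suggest `Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop sessions to be open at once.` followed by `This is often used by attackers to connect to an RDP session without disconnecting other users.` The new tags block carries only `attack.persistence` with no technique tag, whereas the other rules touched by this commit pair the tactic with a technique (for example `attack.t1112` on the Terminal Server registry rules); if a technique applies it should be added here, and the same gap exists in the tags block added to regsitry_set_natural_language_persistence.yml further down. The unchanged falsepositives entry in this file's second hunk spells `Legitmate`, which could be corrected while the file is being reformatted.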
@@ -18,5 +23,3 @@ detection:
falsepositives:
- Legitmate use of the multi session functionality
level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
index 2fb5ed352..04d54b9e7 100644
--- a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml
@@ -1,14 +1,17 @@
title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
+status: experimental
description: |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021/12/30
modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
+tags:
+ - attack.persistence
+ - attack.t1547.004
logsource:
category: registry_set
product: windows
@@ -21,6 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
- - attack.t1547.004
diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml
index cbf17b1ba..6a4ebe975 100644
--- a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml
+++ b/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml
@@ -1,12 +1,14 @@
title: Add DLLPathOverride Entry For Persistence
id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8
-description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
-author: Nasreddine Bencherchali
-date: 2022/07/21
status: experimental
+description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process
references:
- https://persistence-info.github.io/Data/naturallanguage6.html
- https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
logsource:
category: registry_set
product: windows
@@ -28,5 +30,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.persistence
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index d2d0f9e2e..ec23029dd 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -99,4 +99,9 @@ logsources:
service: shell-core
conditions:
EventLog: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ EventLog: 'OpenSSH/Operational'
defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index abdd5c3cc..b8ec6a7eb 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -99,6 +99,11 @@ logsources:
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ log_name: 'OpenSSH/Operational'
defaultindex:
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 79300a018..b01f6add2 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -99,6 +99,11 @@ logsources:
service: shell-core
conditions:
logname: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ logname: 'OpenSSH/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 0b8172b35..b7292d3c1 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -127,6 +127,11 @@ logsources:
service: shell-core
conditions:
channel: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ channel: 'OpenSSH/Operational'
linux:
product: linux
index: posix
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index d1282b208..9cb84cd92 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -17,7 +17,7 @@ logsources:
rewrite:
product: windows
service: powershell
- # for the "classic" channel
+ # for the "classic" channel
ps_classic_start:
category: ps_classic_start
product: windows
@@ -178,8 +178,13 @@ logsources:
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
- security-mitigations:
+ windows-security-mitigations:
product: windows
service: security-mitigations
conditions:
- Provider_Name: 'Microsoft-Windows-Security-Mitigations'
\ No newline at end of file
+ Provider_Name: 'Microsoft-Windows-Security-Mitigations'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ Provider_Name: 'OpenSSH/Operational'
\ No newline at end of file
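Review bot: The added `windows-openssh` entry conditions on `Provider_Name: 'OpenSSH/Operational'`, but that value is a channel name, not a provider name — every other backend config in this commit maps it to a channel/log-name style field, and this file's own `shell-core` entry just above uses `Channel: 'Microsoft-Windows-Shell-Core/Operational'` for the same kind of value. As written the generated condition would most likely never match, so the new OpenSSH rule would be silently dead for this backend. Suggest `Channel: 'OpenSSH/Operational'`, consistent with the `shell-core` entry; the neighbouring `windows-security-mitigations` entry is the only one where `Provider_Name` fits, because its value is an actual provider name. The file also still ends without a trailing newline after this change.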
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index 60ca2c22c..cea879cea 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -99,6 +99,11 @@ logsources:
service: shell-core
conditions:
event_source: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ event_source: 'OpenSSH/Operational'
fieldmappings:
EventID: event_id
FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 03ed667ad..bd8e90eac 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -120,4 +120,9 @@ logsources:
service: shell-core
conditions:
Channel: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ Channel: 'OpenSSH/Operational'
defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index a01cbdd2e..dc5fbb872 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -140,4 +140,9 @@ logsources:
product: windows
service: shell-core
conditions:
- LogName: 'Microsoft-Windows-Shell-Core/Operational'
\ No newline at end of file
+ LogName: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ LogName: 'OpenSSH/Operational'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 6f3445e0b..704f1d367 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -156,6 +156,11 @@ logsources:
service: shell-core
conditions:
source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ source: 'WinEventLog:OpenSSH/Operational'
windows-defender:
product: windows
service: windefend
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 1fa82801c..1d3d13c9c 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -130,6 +130,11 @@ logsources:
service: shell-core
conditions:
EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ EventChannel: 'OpenSSH/Operational'
apache:
service: apache
index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 10d9ca1b6..d261d14da 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -404,6 +404,11 @@ logsources:
service: shell-core
sources:
- 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ sources:
+ - 'WinEventLog:OpenSSH/Operational'
apache:
category: webserver
sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 5d563dc76..970605461 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -144,6 +144,11 @@ logsources:
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ winlog.channel: 'OpenSSH/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 057945c59..75167b4a0 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -107,6 +107,11 @@ logsources:
service: shell-core
conditions:
log_name: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ log_name: 'OpenSSH/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 03dd798e8..7ade1d521 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -133,6 +133,11 @@ logsources:
service: shell-core
conditions:
winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
+ windows-openssh:
+ product: windows
+ service: openssh
+ conditions:
+ winlog.channel: 'OpenSSH/Operational'
defaultindex: winlogbeat-*
# Extract all field names with yq:
# yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'