From 3c9dd2a959c2d585fb1cdfb4b75d3416385eb27b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 24 Oct 2022 13:45:10 +0200
Subject: [PATCH 01/14] Update image_load_uipromptforcreds_dlls.yml
---
 .../windows/image_load/image_load_uipromptforcreds_dlls.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
index 35bdbe170..ddd33eaa7 100644
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
-modified: 2022/10/07
+modified: 2022/10/24
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.credential_access
@@ -50,6 +50,9 @@ detection:
 filter_regedit:
 # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
 Image: 'C:\Windows\regedit.exe'
+ filter_spotify_aurora:
+ Provider_Name: 'Microsoft-Windows-Kernel-Process'
+ CommandLine|contains: 'C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Other legitimate processes loading those DLLs in your environment.
From b07f843a5ac7326d1aacf63283ac563cc17d9f91 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Oct 2022 11:18:38 +0200
Subject: [PATCH 02/14] Update proc_creation_win_susp_squirrel_lolbin.yml
---
 ...proc_creation_win_susp_squirrel_lolbin.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
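Review bot: The new `filter_spotify_aurora` excludes events by `CommandLine|contains` with a path fragment, so any image-load event whose command line merely contains `C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_` somewhere — not only Spotify's own process — is dropped from this credential-access rule; anchoring the exclusion on the loading image, `Image|startswith: 'C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_'`, keeps it tied to the process that actually loaded the DLLs (assuming the ETW source populates Image as Sysmon does — verify). `Provider_Name` and `CommandLine` are not fields of Sysmon's image-load event, so on Sysmon telemetry this filter can never match and the exclusion is presumably only effective for ETW-based sources such as the agent the filter name alludes to. A comment above the filter would make that explicit, e.g. `# only effective for Kernel-Process ETW based image_load telemetry; Sysmon EID 7 carries neither field`.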
diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index 911c0d961..78d0236d2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml @@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2022/09/20 +modified: 2022/10/25 logsource: category: process_creation product: windows @@ -24,21 +24,30 @@ detection: - '--processStart' - '--processStartAndWait' - '--createShortcut' - filter1: - - CommandLine|contains|all: + filter_discord: + CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Discord\Update.exe' - ' --processStart Discord.exe' + filter_github_desktop: - CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe' - CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe' + filter_teams: - CommandLine|contains|all: - 'C:\Users\' - - '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"' - condition: all of selection* and not 1 of filter* + - '\AppData\Local\Microsoft\Teams\Update.exe' + - '--processStart' + - 'Teams.exe' + - CommandLine|contains|all: + - 'C:\Users\' + - '\AppData\Local\Microsoft\Teams\Update.exe' + - '--createShortcut' + - 'Teams.exe' + condition: all of selection* and not 1 of filter_* falsepositives: - 1Clipboard - Beaker Browser From c555b33314d752784dfb307b8d5f5efc484afef9 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 25 Oct 2022 12:20:07 +0200 Subject: [PATCH 03/14] fix: FP with new Aurora --- .../proc_access_win_susp_proc_access_lsass_susp_source.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
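Review bot: Splitting the Teams exclusion from one contiguous string into the three independent `contains|all` fragments `'\AppData\Local\Microsoft\Teams\Update.exe'`, `'--processStart'` and `'Teams.exe'` loosens `filter_teams`: the filter no longer requires that `--processStart` is applied to Teams.exe, only that all three substrings occur somewhere in the command line, which is a wider exclusion in a LOLBin rule than the original quoted form had. If the goal is to cover both the quoted and the unquoted spelling, keeping two contiguous variants as separate `- CommandLine|contains|all:` list entries (the shape `filter_github_desktop` already has in this hunk) is tighter, e.g. `- ' --processStart Teams.exe'` in one entry next to the existing `'\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'` in the other. Patch 04's hunk on the same file applies the same split to the Discord and GitHub Desktop filters and additionally moves the flags into a separate `CommandLine|contains` list, decoupling flag and target executable further.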
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index cdfea0bc7..473524037 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
 author: Florian Roth
 date: 2021/11/27
-modified: 2022/10/20
+modified: 2022/10/25
 references:
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -82,9 +82,12 @@ detection:
 SourceImage|endswith:
 - '\thor64.exe'
 - '\thor.exe'
+ - '\aurora-agent-64.exe'
+ - '\aurora-agent.exe'
 GrantedAccess:
 - '0x1fffff'
 - '0x1010'
+ - '0x101010'
 filter_ms_products:
 SourceImage|contains|all:
 - '\AppData\Local\Temp\'
From c4a89b3b44ec21d323ecabf296e779b2e2a135d3 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Oct 2022 13:41:49 +0200
Subject: [PATCH 04/14] Update proc_creation_win_susp_squirrel_lolbin.yml
---
 ...proc_creation_win_susp_squirrel_lolbin.yml | 31 +++++++++----------
 1 file changed, 15 insertions(+), 16 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
index 78d0236d2..c7458db1b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
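Review bot: The new `'\aurora-agent-64.exe'` / `'\aurora-agent.exe'` entries are matched with `SourceImage|endswith`, so this exclusion (the filter map they belong to starts above the hunk) rests on the file name alone and removes any same-named process, wherever it runs from, from an LSASS-access detection. Giving the agent its own filter map that also carries `SourceImage|startswith: '<AGENT_INSTALL_DIR>'` (placeholder for the real installation path) keeps the exclusion bound to the genuine agent; the same name-only pattern is added to `proc_access_win_rare_proc_access_lsass.yml` in patch 06. The extra `'0x101010'` in `GrantedAccess` also widens what those images may request, and a short comment recording which product/version needs that mask would help retire it later, e.g. `# 0x101010 observed for aurora-agent — TODO confirm version`.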
@@ -28,25 +28,24 @@ detection: CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Discord\Update.exe' - - ' --processStart Discord.exe' + - ' --processStart' + - 'Discord.exe' filter_github_desktop: - - CommandLine|contains|all: + CommandLine|contains|all: - 'C:\Users\' - - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe' - - CommandLine|contains|all: - - 'C:\Users\' - - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe' - filter_teams: - - CommandLine|contains|all: - - 'C:\Users\' - - '\AppData\Local\Microsoft\Teams\Update.exe' - - '--processStart' - - 'Teams.exe' - - CommandLine|contains|all: - - 'C:\Users\' - - '\AppData\Local\Microsoft\Teams\Update.exe' + - '\AppData\Local\GitHubDesktop\Update.exe' + - 'GitHubDesktop.exe' + CommandLine|contains: - '--createShortcut' + - '--processStartAndWait' + filter_teams: + CommandLine|contains|all: + - 'C:\Users\' + - '\AppData\Local\Microsoft\Teams\Update.exe' - 'Teams.exe' + CommandLine|contains: + - '--processStart' + - '--createShortcut' condition: all of selection* and not 1 of filter_* falsepositives: - 1Clipboard @@ -81,4 +80,4 @@ falsepositives: - Gitkraken - Slack - Teams -level: medium \ No newline at end of file +level: medium From 5bd0b33a3b18ffb32a401fdaa03fbff520ce54ea Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 25 Oct 2022 14:16:08 +0200 Subject: [PATCH 05/14] Add logsource definition --- .../file_access/file_access_win_browser_credential_stealing.yml | 1 + .../file_access/file_access_win_credential_manager_stealing.yml | 1 + .../file/file_access/file_access_win_dpapi_master_key_access.yml | 1 + .../file/file_access/file_access_win_susp_cred_hist_access.yml | 1 + 4 files changed, 4 insertions(+) diff --git a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml index 8e2b7bf82..4bedaab1b 100644 
--- a/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml +++ b/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml @@ -14,6 +14,7 @@ tags: logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: - FileName|contains: diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml index 7e69dc9ea..fceeac479 100644 --- a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml +++ b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml @@ -13,6 +13,7 @@ tags: logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: FileName|contains: diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml index 46ab0a677..aa762c8ff 100644 --- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml +++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml @@ -13,6 +13,7 @@ tags: logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: FileName|contains: diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml index bcd731435..d646e23cd 100644 --- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml +++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml 
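Review bot: The added `definition` sentence names the provider but says nothing about how the telemetry is obtained: Microsoft-Windows-Kernel-File is an ETW provider without a default event-log channel, so a reader deploying these rules still does not learn that an ETW consumer has to subscribe to it. A wording along the lines of `definition: file_access rules use the Microsoft-Windows-Kernel-File ETW provider, which has to be collected by an ETW consumer (there is no default event-log channel for it)` carries that information, and `use` reads better than `are using`. The same line is added verbatim to the three other file_access rules in this patch, so whatever wording is chosen should be applied to all four.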
@@ -13,6 +13,7 @@ tags: logsource: category: file_access product: windows + definition: file_access rules are using the Microsoft-Windows-Kernel-File ETW provider detection: selection: FileName|endswith: '\Microsoft\Protect\CREDHIST' From 176f3ab1b98b63e62f8cb143d29d2f5933e0e0fa Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 25 Oct 2022 16:21:04 +0200 Subject: [PATCH 06/14] fix: FP in testing environment --- .../file/file_change/file_change_win_2022_timestomping.yml | 6 +++++- .../proc_access_win_rare_proc_access_lsass.yml | 4 +++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml index 0a2643eaf..a9d94e23e 100644 --- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml @@ -8,7 +8,7 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 -modified: 2022/09/09 +modified: 2022/10/25 tags: - attack.t1070.006 - attack.defense_evasion @@ -33,6 +33,10 @@ detection: - TargetFilename|endswith: - '.tmp' - '.temp' + gen_filter_tiworker: + Image|startswith: 'C:\WINDOWS\' + Image|endswith: '\TiWorker.exe' + TargetFilename|endswith: '.cab' condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter* falsepositives: - Changes made to or by the local NTP service diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index bac055325..fb12d0014 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml 
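Review bot: `gen_filter_tiworker` pins the image only with `Image|startswith: 'C:\WINDOWS\'` and `Image|endswith: '\TiWorker.exe'`, which also accepts a same-named binary placed in any subdirectory of the Windows directory, including the writable ones, on a timestomping rule where that kind of evasion is exactly what is being hunted. TiWorker.exe is normally run from the servicing-stack directory under WinSxS, so `Image|startswith: 'C:\WINDOWS\WinSxS\'` would keep the exclusion bound to the real component (confirm against your telemetry before narrowing). The `.cab` restriction on `TargetFilename|endswith` is a good limiter; a one-line comment above the filter documenting the assumption would help the next maintainer, e.g. `# TiWorker (Windows Modules Installer) rewrites timestamps of servicing .cab packages — TODO confirm`.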
@@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule) author: Florian Roth date: 2022/03/13 -modified: 2022/10/19 +modified: 2022/10/25 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -68,6 +68,8 @@ detection: SourceImage|endswith: - '\thor64.exe' - '\thor.exe' + - '\aurora-agent-64.exe' + - '\aurora-agent.exe' filter_ms_products: SourceImage|contains|all: - '\AppData\Local\Temp\' From 9b7af82e23ed852ccfdbbc6f9fba9d425170737d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 25 Oct 2022 19:07:53 +0200 Subject: [PATCH 07/14] Add OpenSSH/Operational --- tools/config/elk-windows.yml | 5 +++++ tools/config/elk-winlogbeat-sp.yml | 5 +++++ tools/config/elk-winlogbeat.yml | 5 +++++ tools/config/fireeye-helix.yml | 5 +++++ tools/config/generic/windows-services.yml | 11 ++++++++--- tools/config/logpoint-windows.yml | 5 +++++ tools/config/logstash-windows.yml | 5 +++++ tools/config/powershell.yml | 7 ++++++- tools/config/splunk-windows.yml | 5 +++++ tools/config/sumologic.yml | 5 +++++ tools/config/thor.yml | 5 +++++ tools/config/winlogbeat-modules-enabled.yml | 5 +++++ tools/config/winlogbeat-old.yml | 5 +++++ tools/config/winlogbeat.yml | 5 +++++ 14 files changed, 74 insertions(+), 4 deletions(-) diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index d2d0f9e2e..a0e3d7d8e 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -99,4 +99,9 @@ logsources: service: shell-core conditions: EventLog: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + EventLog: 'OpenSSH/Operational' defaultindex: logstash-* 
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index abdd5c3cc..2e4e947f3 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -99,6 +99,11 @@ logsources: service: shell-core conditions: log_name: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + log_name: 'OpenSSH/Operational' defaultindex: # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 79300a018..fe4c4817a 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -99,6 +99,11 @@ logsources: service: shell-core conditions: logname: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + logname: 'OpenSSH/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index 0b8172b35..739327ada 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml @@ -127,6 +127,11 @@ logsources: service: shell-core conditions: channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + channel: 'OpenSSH/Operational' linux: product: linux index: posix diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index d1282b208..6d465c395 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml 
@@ -17,7 +17,7 @@ logsources: rewrite: product: windows service: powershell - # for the "classic" channel + # for the "classic" channel ps_classic_start: category: ps_classic_start product: windows @@ -178,8 +178,13 @@ logsources: service: shell-core conditions: Channel: 'Microsoft-Windows-Shell-Core/Operational' - security-mitigations: + windows-security-mitigations: product: windows service: security-mitigations conditions: - Provider_Name: 'Microsoft-Windows-Security-Mitigations' \ No newline at end of file + Provider_Name: 'Microsoft-Windows-Security-Mitigations' + windows-openssh: + product: windows + service: sshd + conditions: + Provider_Name: 'OpenSSH/Operational' \ No newline at end of file diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index 60ca2c22c..d0538230c 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -99,6 +99,11 @@ logsources: service: shell-core conditions: event_source: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + event_source: 'OpenSSH/Operational' fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index 03ed667ad..e5716130b 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -120,4 +120,9 @@ logsources: service: shell-core conditions: Channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + Channel: 'OpenSSH/Operational' defaultindex: logstash-* diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index a01cbdd2e..ae3034af2 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml 
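Review bot: The new `windows-openssh` entry in tools/config/generic/windows-services.yml matches on `Provider_Name: 'OpenSSH/Operational'`, but `OpenSSH/Operational` is a channel name — every other backend config in this commit maps it to `EventLog`/`log_name`/`Channel`, the neighbouring shell-core entry in this very file uses `Channel: 'Microsoft-Windows-Shell-Core/Operational'`, and `Provider_Name` is used just above with an actual provider name (`Microsoft-Windows-Security-Mitigations`). As written the condition is unlikely to match any event; `Channel: 'OpenSSH/Operational'` is consistent with the shell-core entry. The file also still ends without a trailing newline after the added stanza, and the rename of `security-mitigations` to `windows-security-mitigations` in the same hunk changes a logsource key that other tooling may reference by name, which the commit message does not mention.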
@@ -140,4 +140,9 @@ logsources: product: windows service: shell-core conditions: - LogName: 'Microsoft-Windows-Shell-Core/Operational' \ No newline at end of file + LogName: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + LogName: 'OpenSSH/Operational' \ No newline at end of file diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 6f3445e0b..75d748cc0 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -156,6 +156,11 @@ logsources: service: shell-core conditions: source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + source: 'WinEventLog:OpenSSH/Operational' windows-defender: product: windows service: windefend diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index 1fa82801c..8d098f9a1 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -130,6 +130,11 @@ logsources: service: shell-core conditions: EventChannel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + EventChannel: 'OpenSSH/Operational' apache: service: apache index: WEBSERVER diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 10d9ca1b6..75410018e 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -404,6 +404,11 @@ logsources: service: shell-core sources: - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + sources: + - 'WinEventLog:OpenSSH/Operational' apache: category: webserver sources: diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 5d563dc76..bbd720cce 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -144,6 +144,11 @@ logsources: service: shell-core conditions: winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + winlog.channel: 'OpenSSH/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 057945c59..7946d6331 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -107,6 +107,11 @@ logsources: service: shell-core conditions: log_name: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + log_name: 'OpenSSH/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 03dd798e8..b5d2e7152 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -133,6 +133,11 @@ logsources: service: shell-core conditions: winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' + windows-openssh: + product: windows + service: sshd + conditions: + winlog.channel: 'OpenSSH/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' From 9fdc08f17b79c8e5f2eb9f82ef1447880c9b5635 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Oct 2022 19:15:31 +0200
Subject: [PATCH 08/14] Add first sshd Rule
---
 ...shd_openssh_server_listening_on_socket.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml
diff --git a/rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml b/rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml
new file mode 100644
index 000000000..caeb92441
--- /dev/null
+++ b/rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml
@@ -0,0 +1,27 @@
+title: OpenSSH Server Listening On Socket
+id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
+status: experimental
+description: Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.
+references:
+ - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
+ - https://winaero.com/enable-openssh-server-windows-10/
+ - https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
+ - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: mdecrevoisier
+date: 2022/10/25
+tags:
+ - attack.lateral_movement
+ - attack.t1021.004
+logsource:
+ product: windows
+ service: sshd
+detection:
+ selection:
+ EventID: 4
+ process: sshd
+ payload|startswith: 'Server listening on '
+ condition: selection
+falsepositives:
+ - Legitimate administrator activity
+level: medium
From 2f5fe64099de7366c795f4b144276ac8e11e3638 Mon Sep 17 00:00:00 2001
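Review bot: `falsepositives` lists only `Legitimate administrator activity`, yet the selection (`EventID: 4`, `process: sshd`, `payload|startswith: 'Server listening on '`) fires on every sshd start, including each boot of a host where OpenSSH Server is deliberately installed, so the rule needs baselining that its metadata does not signal; adding `- Servers where OpenSSH for Windows is deliberately deployed` under `falsepositives` would tell analysts that. The description has a grammar slip; suggested wording: `description: Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.` The last reference (the threatpunter image-load/EQL article) does not obviously relate to OpenSSH event logging — verify it is the intended link.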
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 25 Oct 2022 20:01:02 +0200 Subject: [PATCH 09/14] Update service to openssh --- tools/config/elk-windows.yml | 2 +- tools/config/elk-winlogbeat-sp.yml | 2 +- tools/config/elk-winlogbeat.yml | 2 +- tools/config/fireeye-helix.yml | 2 +- tools/config/generic/windows-services.yml | 2 +- tools/config/logpoint-windows.yml | 2 +- tools/config/logstash-windows.yml | 2 +- tools/config/powershell.yml | 2 +- tools/config/splunk-windows.yml | 2 +- tools/config/sumologic.yml | 2 +- tools/config/thor.yml | 2 +- tools/config/winlogbeat-modules-enabled.yml | 2 +- tools/config/winlogbeat-old.yml | 2 +- tools/config/winlogbeat.yml | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index a0e3d7d8e..ec23029dd 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -101,7 +101,7 @@ logsources: EventLog: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: EventLog: 'OpenSSH/Operational' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 2e4e947f3..b8ec6a7eb 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -101,7 +101,7 @@ logsources: log_name: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: log_name: 'OpenSSH/Operational' defaultindex: diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index fe4c4817a..b01f6add2 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -101,7 +101,7 @@ logsources: logname: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: logname: 'OpenSSH/Operational' defaultindex: winlogbeat-* 
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index 739327ada..b7292d3c1 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml @@ -129,7 +129,7 @@ logsources: channel: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: channel: 'OpenSSH/Operational' linux: diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index 6d465c395..9cb84cd92 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml @@ -185,6 +185,6 @@ logsources: Provider_Name: 'Microsoft-Windows-Security-Mitigations' windows-openssh: product: windows - service: sshd + service: openssh conditions: Provider_Name: 'OpenSSH/Operational' \ No newline at end of file diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index d0538230c..cea879cea 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -101,7 +101,7 @@ logsources: event_source: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: event_source: 'OpenSSH/Operational' fieldmappings: diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index e5716130b..bd8e90eac 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -122,7 +122,7 @@ logsources: Channel: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: Channel: 'OpenSSH/Operational' defaultindex: logstash-* diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index ae3034af2..dc5fbb872 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml 
@@ -143,6 +143,6 @@ logsources: LogName: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: LogName: 'OpenSSH/Operational' \ No newline at end of file diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 75d748cc0..704f1d367 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -158,7 +158,7 @@ logsources: source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: source: 'WinEventLog:OpenSSH/Operational' windows-defender: diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index 8d098f9a1..1d3d13c9c 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -132,7 +132,7 @@ logsources: EventChannel: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: EventChannel: 'OpenSSH/Operational' apache: diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 75410018e..d261d14da 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml @@ -406,7 +406,7 @@ logsources: - 'WinEventLog:Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh sources: - 'WinEventLog:OpenSSH/Operational' apache: diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index bbd720cce..970605461 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -146,7 +146,7 @@ logsources: winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: winlog.channel: 'OpenSSH/Operational' defaultindex: winlogbeat-* diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 7946d6331..75167b4a0 100644 
--- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -109,7 +109,7 @@ logsources: log_name: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: log_name: 'OpenSSH/Operational' defaultindex: winlogbeat-* diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index b5d2e7152..7ade1d521 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -135,7 +135,7 @@ logsources: winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' windows-openssh: product: windows - service: sshd + service: openssh conditions: winlog.channel: 'OpenSSH/Operational' defaultindex: winlogbeat-* From 130e1af009930ade31dfc1861e31daf83935d89f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 25 Oct 2022 20:03:11 +0200 Subject: [PATCH 10/14] Change rule service --- .../win_sshd_openssh_server_listening_on_socket.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/builtin/{sshd => openssh}/win_sshd_openssh_server_listening_on_socket.yml (98%) diff --git a/rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml similarity index 98% rename from rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml rename to rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml index caeb92441..eb81ca6d2 100644 --- a/rules/windows/builtin/sshd/win_sshd_openssh_server_listening_on_socket.yml +++ b/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml @@ -15,7 +15,7 @@ tags: - attack.t1021.004 logsource: product: windows - service: sshd + service: openssh detection: selection: EventID: 4 From fac67328275e58413f299ed4f69219ff40803d70 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 26 Oct 2022 06:16:30 +0200 Subject: [PATCH 11/14] Order yaml field --- ...access_win_credential_manager_stealing.yml | 4 +- ...ile_access_win_dpapi_master_key_access.yml | 4 +- .../file_access_win_susp_cred_hist_access.yml | 4 +- .../file_change_win_2022_timestomping.yml | 4 +- ...ge_win_unusual_modification_by_dns_exe.yml | 4 +- .../file_delete_win_delete_appli_log.yml | 8 +- .../file_delete_win_delete_backup_file.yml | 8 +- .../file_delete_win_delete_prefetch.yml | 2 +- ...win_sysinternals_sdelete_file_deletion.yml | 8 +- ...delete_win_unusual_deletion_by_dns_exe.yml | 4 +- ...lete_win_webserver_access_logs_deleted.yml | 8 +- .../file_event_win_access_susp_teams.yml | 38 ++++---- ...ile_event_win_access_susp_unattend_xml.yml | 12 +-- .../file_event_win_anydesk_artefact.yml | 16 ++-- ...vent_win_anydesk_writing_susp_binaries.yml | 13 +-- ...file_event_win_apt_unidentified_nov_18.yml | 7 +- .../file_event_win_bloodhound_collection.yml | 4 +- .../file_event_win_crackmapexec_patterns.yml | 6 +- ...e_event_win_creation_new_shim_database.yml | 12 +-- ...ile_event_win_creation_scr_binary_file.yml | 12 +-- ...ent_win_creation_unquoted_service_path.yml | 12 +-- ...vent_win_cred_dump_tools_dropped_files.yml | 88 +++++++++---------- ...file_event_win_csharp_compile_artefact.yml | 14 +-- ...e_event_win_cve_2021_1675_printspooler.yml | 6 +- ...le_event_win_cve_2021_26858_msexchange.yml | 11 ++- .../file_event_win_cve_2021_41379_msi_lpe.yml | 4 +- ...t_win_cve_2021_44077_poc_default_files.yml | 8 +- .../file_event_win_cve_2022_24527_lpe.yml | 31 ++++--- ...e_event_win_dll_sideloading_space_path.yml | 18 ++-- ...vent_win_error_handler_cmd_persistence.yml | 6 +- .../file_event_win_exchange_webshell_drop.yml | 48 +++++----- ..._win_exchange_webshell_drop_suspicious.yml | 56 ++++++------ .../file_event_win_ghostpack_safetykatz.yml | 2 +- .../file_event_win_gotoopener_artefact.yml | 12 +-- 
...e_event_win_hivenightmare_file_exports.yml | 6 +- .../file_event/file_event_win_hktl_nppspy.yml | 2 +- ...e_event_win_install_teamviewer_desktop.yml | 8 +- ...ile_event_win_iphlpapi_dll_sideloading.yml | 14 +-- .../file_event_win_iso_file_mount.yml | 2 +- .../file_event_win_iso_file_recent.yml | 6 +- ...nt_win_legitimate_app_dropping_archive.yml | 10 +-- ..._event_win_legitimate_app_dropping_exe.yml | 10 +-- ...ent_win_legitimate_app_dropping_script.yml | 10 +-- .../file_event/file_event_win_lsass_dump.yml | 4 +- ...nt_win_lsass_memory_dump_file_creation.yml | 6 +- .../file_event_win_lsass_werfault_dump.yml | 4 +- .../file_event/file_event_win_macro_file.yml | 8 +- .../file_event_win_mal_octopus_scanner.yml | 32 +++---- ...event_win_mimikatz_kirbi_file_creation.yml | 2 +- ...le_event_win_mimimaktz_memssp_log_file.yml | 16 ++-- .../file_event_win_msdt_autorun.yml | 8 +- ...n_new_files_in_uncommon_appdata_folder.yml | 8 +- .../file_event_win_new_src_file.yml | 38 ++++---- ...vent_win_notepad_plus_plus_persistence.yml | 8 +- .../file_event/file_event_win_ntds_dit.yml | 4 +- .../file_event_win_ntds_exfil_tools.yml | 4 +- .../file_event_win_office_persistence.yml | 46 +++++----- ...le_event_win_outlook_c2_macro_creation.yml | 5 +- .../file_event_win_outlook_newform.yml | 6 +- ...e_event_win_powershell_exploit_scripts.yml | 8 +- ...event_win_powershell_startup_shortcuts.yml | 12 ++- .../file_event_win_quarkspw_filedump.yml | 34 +++---- ...e_event_win_redmimicry_winnti_filedrop.yml | 34 +++---- .../file_event/file_event_win_sam_dump.yml | 6 +- .../file_event_win_screenconnect_artefact.yml | 12 +-- ...ript_creation_by_office_using_file_ext.yml | 6 +- ...le_event_win_startup_folder_file_write.yml | 8 +- .../file_event_win_susp_adsi_cache_usage.yml | 8 +- .../file_event_win_susp_colorcpl.yml | 8 +- ...ile_event_win_susp_creation_by_mobsync.yml | 14 +-- ...e_event_win_susp_default_gpo_dir_write.yml | 6 +- .../file_event_win_susp_desktop_ini.yml | 8 +- 
.../file_event_win_susp_desktop_txt.yml | 8 +- ..._event_win_susp_desktopimgdownldr_file.yml | 52 +++++------ .../file_event_win_susp_diagcab.yml | 26 +++--- .../file_event_win_susp_double_extension.yml | 11 ++- .../file_event_win_susp_dropper.yml | 76 ++++++++-------- ...ile_event_win_susp_exchange_aspx_write.yml | 2 +- ...ile_event_win_susp_executable_creation.yml | 48 +++++----- .../file_event_win_susp_get_variable.yml | 43 +++++---- .../file_event_win_susp_pfx_file_creation.yml | 38 ++++---- ...file_event_win_susp_powershell_profile.yml | 10 +-- ...cexplorer_driver_created_in_tmp_folder.yml | 46 +++++----- ...vent_win_susp_spool_drivers_color_drop.yml | 6 +- ...nt_win_susp_startup_folder_persistence.yml | 6 +- ...win_susp_system_interactive_powershell.yml | 2 +- .../file_event_win_susp_task_write.yml | 4 +- ...ent_win_susp_vscode_powershell_profile.yml | 10 +-- .../file_event_win_susp_winword_startup.yml | 48 +++++----- .../file_event/file_event_win_tool_psexec.yml | 6 +- ...e_event_win_tsclient_filewrite_startup.yml | 6 +- .../file_event_win_uac_bypass_eventvwr.yml | 8 +- ...ent_win_uac_bypass_idiagnostic_profile.yml | 12 +-- ...ile_event_win_webshell_creation_detect.yml | 68 +++++++------- .../file_event_win_werfault_dll_hijacking.yml | 44 +++++----- ..._event_win_win_cscript_wscript_dropper.yml | 10 +-- .../file_event_win_winword_cve_2021_40444.yml | 8 +- ...ersistence_script_event_consumer_write.yml | 28 +++--- ...ile_event_win_wmiexec_default_filename.yml | 4 +- .../file_event_win_word_template_creation.yml | 56 ++++++------ .../file_event_win_wpbbin_persistence.yml | 4 +- ...le_event_win_writing_local_admin_share.yml | 8 +- .../file_rename_win_not_dll_to_dll.yml | 2 +- .../file_rename_win_ransomware.yml | 2 +- 104 files changed, 823 insertions(+), 804 deletions(-) 
diff --git a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml index fceeac479..c6f7445de 100644 --- a/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml +++ b/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml @@ -1,7 +1,9 @@ title: Credential Manager Access id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6 status: experimental -description: Detects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function +description: | + Detects suspicious processes based on name and location that access the windows credential manager and vault. + Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function references: - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml index aa762c8ff..2fd3ea828 100644 --- a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml +++ b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml 
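Review bot: Switching `description:` from a plain scalar to a literal block (`description: |`) changes the value, not only the source layout: the text now carries an embedded newline after "vault." and a trailing newline, which any converter or backend that emits the description verbatim will reproduce. If the goal is only to keep the source line short while preserving the former single-line value, a folded block does that: `description: >-`. The same applies to the dpapi_master_key_access and susp_cred_hist_access hunks that follow and to the anydesk_writing_susp_binaries hunk; if the repository deliberately standardises on `|` for multi-line descriptions, this is a consistency choice worth stating in the commit message.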
@@ -1,7 +1,9 @@ title: Suspicious Access To Windows DPAPI Master Keys id: 46612ae6-86be-4802-bc07-39b59feb1309 status: experimental -description: Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function +description: | + Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys. + Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function references: - https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/ - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords diff --git a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml index d646e23cd..fb7d89475 100644 --- a/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml +++ b/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml @@ -1,7 +1,9 @@ title: Suspicious Access To Windows Credential History File id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2 status: experimental -description: Detects suspicious processes based on name and location that access the Windows Credential History File. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function +description: | + Detects suspicious processes based on name and location that access the Windows Credential History File. + Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function references: - https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist - https://www.passcape.com/windows_password_recovery_dpapi_credhist 
diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml index a9d94e23e..f39074904 100644 --- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml @@ -2,8 +2,8 @@ title: File Creation Date Changed to Another Year id: 558eebe5-f2ba-4104-b339-36f7902bcc1a status: experimental description: | - Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. - Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. + Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. + Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml index a258a8c66..14d236ac8 100644 --- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml +++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml 
@@ -1,11 +1,11 @@ title: Unusual File Modification by dns.exe id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 status: experimental -author: Tim Rauch -date: 2022/09/27 description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html +author: Tim Rauch +date: 2022/09/27 tags: - attack.initial_access - attack.t1133 diff --git a/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml b/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml index 5811518fc..6ba9b58d0 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml @@ -2,10 +2,13 @@ title: Delete Log from Application id: b1decb61-ed83-4339-8e95-53ea51901720 status: experimental description: Deletion of log files is a known anti-forensic technique -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md +author: frack113 date: 2022/01/16 +tags: + - attack.defense_evasion + - attack.t1070.004 logsource: product: windows category: file_delete @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.defense_evasion - - attack.t1070.004 diff --git a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml index b1a52fe3c..eca8fe8fa 100644 --- a/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml 
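Review bot: The `description` context line keeps the typo "which my indicate"; since this hunk already touches the rule header, it is the right place to fix it: `description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)`. The file_delete_win_unusual_deletion_by_dns_exe hunk further down has the identical wording and needs the same correction ("being deleted by dns.exe which may indicate").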
@@ -2,11 +2,14 @@ title: Deletes Backup Files id: 06125661-3814-4e03-bfa2-1e4411c60ac3 status: experimental description: Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files +author: frack113 date: 2022/01/02 modified: 2022/06/02 +tags: + - attack.impact + - attack.t1490 logsource: product: windows category: file_delete @@ -26,6 +29,3 @@ detection: falsepositives: - Legitime usage level: medium -tags: - - attack.impact - - attack.t1490 diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml index 925148d68..78179b16c 100755 --- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml @@ -2,7 +2,6 @@ title: Prefetch File Deletion id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: experimental description: Detects the deletion of a prefetch file (AntiForensic) -level: high author: Cedric MAURUGEON date: 2021/09/29 modified: 2022/05/27 @@ -24,3 +23,4 @@ detection: condition: selection and not exception falsepositives: - Unknown +level: high diff --git a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index 64ea228a5..e510f5533 100644 --- a/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
@@ -2,12 +2,15 @@ title: Sysinternals SDelete File Deletion id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc status: test description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files. -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 modified: 2022/09/21 +tags: + - attack.defense_evasion + - attack.t1070.004 logsource: product: windows category: file_delete @@ -22,6 +25,3 @@ detection: falsepositives: - Legitime usage of SDelete level: medium -tags: - - attack.defense_evasion - - attack.t1070.004 diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml index 51c1d81d0..56289a216 100644 --- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml +++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml @@ -1,11 +1,11 @@ title: Unusual File Deletion by dns.exe id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 status: experimental -author: Tim Rauch -date: 2022/09/27 description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html +author: Tim Rauch +date: 2022/09/27 tags: - attack.initial_access - attack.t1133 diff --git a/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml b/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml index b9fbca40b..13c3fa8ae 100644 
--- a/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml +++ b/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml @@ -6,12 +6,12 @@ references: - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html author: Tim Rauch date: 2022/09/16 -logsource: - category: file_delete - product: windows tags: - attack.defense_evasion - attack.t1070 +logsource: + category: file_delete + product: windows detection: selection: FileName|startswith: 'C:\inetpub\logs\LogFiles\' @@ -20,4 +20,4 @@ detection: falsepositives: - During uninstallation of the IIS service - During log rotation -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/file/file_event/file_event_win_access_susp_teams.yml b/rules/windows/file/file_event/file_event_win_access_susp_teams.yml index 332a8a19c..ec6a98c67 100644 --- a/rules/windows/file/file_event/file_event_win_access_susp_teams.yml +++ b/rules/windows/file/file_event/file_event_win_access_susp_teams.yml 
@@ -2,25 +2,25 @@ title: Suspicious File Event With Teams Objects id: 6902955a-01b7-432c-b32a-6f5f81d8f624 status: experimental description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. -author: '@SerkinValery' references: - - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens + - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ + - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens +author: '@SerkinValery' date: 2022/09/16 -logsource: - product: windows - category: file_event -detection: - selection: - TargetFilename|contains: - - '\Microsoft\Teams\Cookies' - - '\Microsoft\Teams\Local Storage\leveldb' - filter: - Image|contains: '\Microsoft\Teams\current\Teams.exe' - condition: selection and not filter -falsepositives: - - Unknown -level: high tags: - - attack.credential_access - - attack.t1528 + - attack.credential_access + - attack.t1528 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains: + - '\Microsoft\Teams\Cookies' + - '\Microsoft\Teams\Local Storage\leveldb' + filter: + Image|contains: '\Microsoft\Teams\current\Teams.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml b/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml index e430a32df..699cd4a1b 100644 --- a/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml +++ b/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml 
@@ -2,12 +2,15 @@ title: Suspicious Unattend.xml File Access id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb status: experimental description: | - Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. - If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process -author: frack113 + Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. + If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md +author: frack113 date: 2021/12/19 +tags: + - attack.credential_access + - attack.t1552.001 logsource: product: windows category: file_event @@ -18,6 +21,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.credential_access - - attack.t1552.001 diff --git a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml index 3623ece5f..a6a841a0e 100644 --- a/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml 
@@ -2,16 +2,19 @@ title: Anydesk Temporary Artefact id: 0b9ad457-2554-44c1-82c2-d56a99c42377 status: experimental description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 date: 2022/02/11 +tags: + - attack.command_and_control + - attack.t1219 logsource: - category: file_event - product: windows + category: file_event + product: windows detection: selection: TargetFilename|contains: @@ -22,6 +25,3 @@ detection: falsepositives: - Legitimate use level: medium -tags: - - attack.command_and_control - - attack.t1219 
diff --git a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml index aaaac6289..810c6cc6e 100644 --- a/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml +++ b/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml @@ -1,11 +1,17 @@ title: Suspicious Binary Writes Via AnyDesk id: 2d367498-5112-4ae5-a06a-96e7bc33a211 status: experimental -description: Detects anydesk writing binaries files to disk other than "gcapi.dll". According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) -author: Nasreddine Bencherchali +description: | + Detects anydesk writing binaries files to disk other than "gcapi.dll". + According to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, + which is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) references: - https://redcanary.com/blog/misbehaving-rats/ +author: Nasreddine Bencherchali date: 2022/09/28 +tags: + - attack.command_and_control + - attack.t1219 logsource: product: windows category: file_event @@ -21,6 +27,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.command_and_control - - attack.t1219 diff --git a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml index 687865be6..ba06ae6e2 100644 --- a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml +++ b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml 
@@ -4,8 +4,7 @@ related: - id: 7453575c-a747-40b9-839b-125a0aae324b type: derived status: stable -description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with - YYTRIUM/APT29 campaign in 2016. +description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016. references: - https://twitter.com/DrunkBinary/status/1063075530180886529 author: '@41thexplorer, Microsoft Defender ATP' @@ -19,6 +18,6 @@ logsource: category: file_event detection: selection: - TargetFilename|contains: 'ds7002.lnk' + TargetFilename|contains: 'ds7002.lnk' condition: selection -level: high \ No newline at end of file +level: high diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml index 3bcde4c93..1549b8423 100644 --- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml +++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml @@ -1,10 +1,10 @@ title: BloodHound Collection Files id: 02773bed-83bf-469f-b7ff-e676e7d78bab -description: Detects default file names outputted by the BloodHound collection tool SharpHound status: experimental -author: C.J. May +description: Detects default file names outputted by the BloodHound collection tool SharpHound references: - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection +author: C.J. May date: 2022/08/09 modified: 2022/08/09 tags: diff --git a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml b/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml index d4b6e6cce..ea83cc117 100644 --- a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml 
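Review bot: The rewritten `description` line still contains the misspelling "unidetefied"; as the line is being replaced anyway, it should read `description: A sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.`. Only the wording changes; the rule logic in the second hunk (the `TargetFilename|contains` re-indentation) is unaffected.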
+++ b/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml @@ -1,10 +1,10 @@ title: CrackMapExec File Creation Patterns id: 9433ff9c-5d3f-4269-99f8-95fc826ea489 -description: Detects suspicious file creation patterns found in logs when CrackMapExec is used status: experimental -author: Florian Roth +description: Detects suspicious file creation patterns found in logs when CrackMapExec is used references: - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass +author: Florian Roth date: 2022/03/12 modified: 2022/05/27 tags: @@ -55,4 +55,4 @@ detection: condition: 1 of selection* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml index 9f8e52580..fea4b166f 100644 --- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml +++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml 
@@ -2,12 +2,15 @@ title: New Shim Database Created in the Default Directory id: ee63c85c-6d51-4d12-ad09-04e25877a947 status: experimental description: | - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. - The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. -author: frack113 + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. + The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory +author: frack113 date: 2021/12/29 +tags: + - attack.persistence + - attack.t1547.009 logsource: product: windows category: file_event @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.persistence - - attack.t1547.009 diff --git a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml index fdb389f1d..8b9034bd3 100644 --- a/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml 
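Review bot: The relocated `tags` entry `- attack.t1547.009` does not match the technique this rule is built from: the description and the reference URL (`atomics/T1546.011/...`) are about application shimming, which is ATT&CK T1546.011, whereas T1547.009 is Shortcut Modification. Since the commit moves these lines anyway, the tag should become `- attack.t1546.011`. The file_event_win_creation_unquoted_service_path hunk below has the same defect: its reference is `atomics/T1574.009/...` (Path Interception by Unquoted Path) while the moved tag is again `- attack.t1547.009`, which should read `- attack.t1574.009`. Wrong technique tags silently misfile alerts in ATT&CK coverage reporting, so this is worth fixing in the same reorder pass.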
@@ -2,13 +2,16 @@ title: Suspicious Screensaver Binary File Creation
 id: 97aa2e88-555c-450d-85a6-229bcd87efb8
 status: experimental
 description: |
- Adversaries may establish persistence by executing malicious content triggered by user inactivity.
- Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
-author: frack113
+ Adversaries may establish persistence by executing malicious content triggered by user inactivity.
+ Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
+author: frack113
 date: 2021/12/29
 modified: 2022/01/10
+tags:
+ - attack.persistence
+ - attack.t1546.002
 logsource:
 product: windows
 category: file_event
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.persistence
- - attack.t1546.002
diff --git a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
index 43f0a7b9c..e8dda4a85 100644
--- a/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml
@@ -2,12 +2,15 @@ title: Creation Exe for Service with Unquoted Path
 id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
 status: experimental
 description: |
- Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
- Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
-author: frack113
+ Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
+ Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
+author: frack113
 date: 2021/12/30
+tags:
+ - attack.persistence
+ - attack.t1547.009
 logsource:
 product: windows
 category: file_event
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index 4f1bf73ac..6089b9e4c 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
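Review bot: The technique tag `attack.t1547.009` (Shortcut Modification) carried into the new `tags:` block does not describe this rule; the title, the description about paths that lack surrounding quotations, and the referenced Atomic test path (`.../T1574.009/T1574.009.md`) all point to Path Interception by Unquoted Path, which is T1574.009. Replace the line with `- attack.t1574.009` while these lines are being rewritten anyway. In ATT&CK that sub-technique is also listed under privilege escalation and defense evasion, so adding `- attack.privilege_escalation` next to `- attack.persistence` would match the "elevate" intent in the description, though the maintainers' tactic-tagging convention decides that.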
@@ -2,51 +2,51 @@ title: Cred Dump Tools Dropped Files
 id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
 status: test
 description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
-author: Teymur Kheirkhabarov, oscd.community
 references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
 date: 2019/11/01
 modified: 2022/09/21
-logsource:
- category: file_event
- product: windows
-detection:
- selection:
- - TargetFilename|contains:
- - '\pwdump'
- - '\kirbi'
- - '\pwhashes'
- - '\wce_ccache'
- - '\wce_krbtkts'
- - '\fgdump-log'
- - TargetFilename|endswith:
- - '\test.pwd'
- - '\lsremora64.dll'
- - '\lsremora.dll'
- - '\fgexec.exe'
- - '\wceaux.dll'
- - '\SAM.out'
- - '\SECURITY.out'
- - '\SYSTEM.out'
- - '\NTDS.out'
- - '\DumpExt.dll'
- - '\DumpSvc.exe'
- - '\cachedump64.exe'
- - '\cachedump.exe'
- - '\pstgdump.exe'
- - '\servpw.exe'
- - '\servpw64.exe'
- - '\pwdump.exe'
- - '\procdump64.exe'
- - '\Dumpy.exe'
- condition: selection
-falsepositives:
- - Legitimate Administrator using tool for password recovery
-level: high
 tags:
- - attack.credential_access
- - attack.t1003.001
- - attack.t1003.002
- - attack.t1003.003
- - attack.t1003.004
- - attack.t1003.005
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1003.002
+ - attack.t1003.003
+ - attack.t1003.004
+ - attack.t1003.005
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - TargetFilename|contains:
+ - '\pwdump'
+ - '\kirbi'
+ - '\pwhashes'
+ - '\wce_ccache'
+ - '\wce_krbtkts'
+ - '\fgdump-log'
+ - TargetFilename|endswith:
+ - '\test.pwd'
+ - '\lsremora64.dll'
+ - '\lsremora.dll'
+ - '\fgexec.exe'
+ - '\wceaux.dll'
+ - '\SAM.out'
+ - '\SECURITY.out'
+ - '\SYSTEM.out'
+ - '\NTDS.out'
+ - '\DumpExt.dll'
+ - '\DumpSvc.exe'
+ - '\cachedump64.exe'
+ - '\cachedump.exe'
+ - '\pstgdump.exe'
+ - '\servpw.exe'
+ - '\servpw64.exe'
+ - '\pwdump.exe'
+ - '\procdump64.exe'
+ - '\Dumpy.exe'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator using tool for password recovery
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
index a985084bc..e6aa57282 100644
--- a/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
@@ -2,13 +2,16 @@ title: Dynamic C Sharp Compile Artefact
 id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
 status: experimental
 description: |
- When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
- Certain processes are not typically observed compiling C# code, but can do so without touching disk.
- This can be used to unpack a payload for execution
-author: frack113
+ When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
+ Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+ This can be used to unpack a payload for execution
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
+author: frack113
 date: 2022/01/09
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
 logsource:
 product: windows
 category: file_event
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.defense_evasion
- - attack.t1027.004
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml b/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
index 045ca1dbf..6e168fe6d 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml
@@ -1,13 +1,12 @@
 title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
 id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
-description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
-author: Florian Roth
 status: experimental
-level: critical
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
 references:
 - https://github.com/hhlxf/PrintNightmare
 - https://github.com/afwu/PrintNightmare
 - https://github.com/cube0x0/CVE-2021-1675
+author: Florian Roth
 date: 2021/06/29
 modified: 2021/12/01
 tags:
@@ -28,3 +27,4 @@ fields:
 - TargetFilename
 falsepositives:
 - Unknown
+level: critical
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml b/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml
index 3fd08abd1..9e9ae31f4 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml
@@ -1,7 +1,10 @@
 title: CVE-2021-26858 Exchange Exploitation
 id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
 status: test
-description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for | creation of non-standard files on disk by Exchange Server’s Unified Messaging service | which could indicate dropping web shells or other malicious content
+description: |
+ Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
+ creation of non-standard files on disk by Exchange Server’s Unified Messaging service
+ which could indicate dropping web shells or other malicious content
 references:
 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 author: Bhabesh Raj
@@ -25,9 +28,9 @@ detection:
 - '.cfg'
 - 'cleanup.bin'
 condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
 fields:
 - ComputerName
 - TargetFilename
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml b/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
index 7f56caf56..eb836af3d 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml
@@ -2,11 +2,11 @@ title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
 id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
 status: experimental
 description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
-author: Florian Roth
-date: 2021/11/22
 references:
 - https://github.com/klinix5/InstallerFileTakeOver
 - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
+author: Florian Roth
+date: 2021/11/22
 tags:
 - attack.privilege_escalation
 - attack.t1068
diff --git a/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml b/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
index b25760627..238d5900d 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml
@@ -2,11 +2,14 @@ title: CVE-2021-44077 POC Default Dropped File
 id: 7b501acf-fa98-4272-aa39-194f82edc8a3
 status: experimental
 description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
-author: Nasreddine Bencherchali
 references:
 - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 - https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
+author: Nasreddine Bencherchali
 date: 2022/06/06
+tags:
+ - attack.execution
+ - cve.2021.44077
 logsource:
 category: file_event
 product: windows
@@ -17,6 +20,3 @@ detection:
 falsepositives:
 - Unlikely
 level: high
-tags:
- - attack.execution
- - cve.2021.44077
diff --git a/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml b/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
index 1a32e0300..ae0f17b84 100644
--- a/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
+++ b/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml
@@ -1,27 +1,26 @@
 title: CVE-2022-24527 Microsoft Connected Cache LPE
 id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
-description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
-author: Florian Roth
 status: experimental
+description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
 references:
- - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+ - https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
+author: Florian Roth
 date: 2022/04/13
 tags:
- - attack.privilege_escalation
- - attack.t1059.001
- - cve.2022.24527
+ - attack.privilege_escalation
+ - attack.t1059.001
+ - cve.2022.24527
 logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
 detection:
- selection:
- TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
- filter:
- User|contains: # covers many language settings
- - 'AUTHORI'
- - 'AUTORI'
- condition: selection and not filter
+ selection:
+ TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
+ filter:
+ User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
-
diff --git a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
index 9f0dfb2fe..2a33e4696 100644
--- a/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
+++ b/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml
@@ -2,16 +2,21 @@ title: DLL Search Order Hijackig Via Additional Space in Path
 id: b6f91281-20aa-446a-b986-38a92813a18f
 status: experimental
 description: |
- Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
- but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
+ Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
+ but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
 references:
 - https://twitter.com/cyb3rops/status/1552932770464292864
 - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
 author: frack113, Nasreddine Bencherchali
 date: 2022/07/30
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.002
 logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
 detection:
 selection:
 TargetFilename|startswith:
@@ -23,8 +28,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1574.002
diff --git a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
index 9ff1d6061..cfdfb81b9 100644
--- a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
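Review bot: The rule title shown in this hunk's context, `title: DLL Search Order Hijackig Via Additional Space in Path`, carries a typo ("Hijackig") that the reorder leaves in place, and the title is what analysts see in alert names and rule indexes, so it is worth fixing while the file is open: `title: DLL Search Order Hijacking Via Additional Space in Path`. The re-indented description lines have a matching grammar slip, `Detects when an attacker create a similar folder structure` should read `creates`. Both are text-only changes and do not affect the detection logic.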
@@ -4,11 +4,13 @@ status: experimental
 description: |
 Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
 The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
-author: Nasreddine Bencherchali
 references:
 - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
 - https://github.com/last-byte/PersistenceSniper
+author: Nasreddine Bencherchali
 date: 2022/08/09
+tags:
+ - attack.persistence
 logsource:
 category: file_event
 product: windows
@@ -19,5 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
index ae3fa8527..59e2d8a5f 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
@@ -1,35 +1,35 @@
 title: Suspicious ASPX File Drop by Exchange
 id: bd1212e5-78da-431e-95fa-c58e3237a8e6
 related:
- - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
- type: similar
-description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
-author: Florian Roth (rule), MSTI (query, idea)
+ - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
+ type: similar
 status: experimental
+description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
 references:
- - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+ - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+author: Florian Roth (rule), MSTI (query, idea)
 date: 2022/10/01
 tags:
- - attack.persistence
- - attack.t1505.003
+ - attack.persistence
+ - attack.t1505.003
 logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
 detection:
- selection:
- Image|endswith: '\w3wp.exe'
- CommandLine|contains: 'MSExchange'
- TargetFilename|contains:
- - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
- - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
- selection_types:
- TargetFilename|endswith:
- - '.aspx'
- - '.asp'
- - '.ashx'
- condition: all of selection*
+ selection:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: 'MSExchange'
+ TargetFilename|contains:
+ - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
+ - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
+ selection_types:
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ - '.ashx'
+ condition: all of selection*
 falsepositives:
- - Unknown
+ - Unknown
 level: high
diff --git a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
index 7f32e3e4f..1c3900cfc 100644
--- a/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
+++ b/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
@@ -1,39 +1,39 @@
 title: Suspicious File Drop by Exchange
 id: 6b269392-9eba-40b5-acb6-55c882b20ba6
 related:
- - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
- type: similar
-description: Detects suspicious file type dropped by an Exchange component in IIS
-author: Florian Roth
+ - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
+ type: similar
 status: experimental
+description: Detects suspicious file type dropped by an Exchange component in IIS
 references:
- - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+ - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
+ - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
+ - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
+author: Florian Roth
 date: 2022/10/04
 tags:
- - attack.persistence
- - attack.t1190
- - attack.initial_access
- - attack.t1505.003
+ - attack.persistence
+ - attack.t1190
+ - attack.initial_access
+ - attack.t1505.003
 logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
 detection:
- selection:
- Image|endswith: '\w3wp.exe'
- CommandLine|contains: 'MSExchange'
- selection_types:
- TargetFilename|endswith:
- - '.aspx'
- - '.asp'
- - '.ashx'
- - '.ps1'
- - '.bat'
- - '.exe'
- - '.dll'
- - '.vbs'
- condition: all of selection*
+ selection:
+ Image|endswith: '\w3wp.exe'
+ CommandLine|contains: 'MSExchange'
+ selection_types:
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ - '.ashx'
+ - '.ps1'
+ - '.bat'
+ - '.exe'
+ - '.dll'
+ - '.vbs'
+ condition: all of selection*
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml b/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml
index 09e7847b9..4eb173ba0 100755
--- a/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml
+++ b/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml
@@ -2,10 +2,10 @@ title: SafetyKatz Default Dump Filename
 id: e074832a-eada-4fd7-94a1-10642b130e16
 status: test
 description: Detects default lsass dump filename from SafetyKatz
-author: Markus Neis
 references:
 - https://github.com/GhostPack/SafetyKatz
 - https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
+author: Markus Neis
 date: 2018/07/24
 modified: 2021/11/27
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
index 9602ed295..dc356ec8c 100644
--- a/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
@@ -2,13 +2,16 @@ title: GoToAssist Temporary Installation Artefact
 id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
 status: experimental
 description: |
- An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
- These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
- Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
 author: frack113
 date: 2022/02/13
+tags:
+ - attack.command_and_control
+ - attack.t1219
 logsource:
 category: file_event
 product: windows
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Legitimate use
 level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
index b8b818b07..889b3c559 100644
--- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -29,9 +29,9 @@ detection:
 - TargetFilename:
 - 'C:\windows\temp\sam' # C# version of HiveNightmare
 condition: selection
-falsepositives:
- - Files that accidentally contain these strings
-level: high
 fields:
 - CommandLine
 - ParentCommandLine
+falsepositives:
+ - Files that accidentally contain these strings
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
index 4a718b7aa..3e6fc7a69 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml
@@ -2,10 +2,10 @@ title: NPPSpy Hacktool Usage
 id: cad1fe90-2406-44dc-bd03-59d0b58fe722
 status: experimental
 description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
-author: Florian Roth
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy
 - https://twitter.com/0gtweet/status/1465282548494487554
+author: Florian Roth
 date: 2021/11/29
 tags:
 - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
index 1a8fcf21a..925faee7c 100644
--- a/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
+++ b/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml
@@ -2,10 +2,13 @@ title: Installation of TeamViewer Desktop
 id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
 status: experimental
 description: TeamViewer_Desktop.exe is create during install
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+author: frack113
 date: 2022/01/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
 logsource:
 product: windows
 category: file_event
@@ -16,6 +19,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
index 195227579..6823bc852 100644
--- a/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
+++ b/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml
@@ -8,9 +8,14 @@ references:
 - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
 author: frack113
 date: 2022/08/12
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.002
 logsource:
- category: file_event
- product: windows
+ category: file_event
+ product: windows
 detection:
 selection:
 TargetFilename|contains|all:
@@ -20,8 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1574.002
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
index 52febe0f3..031e74836 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_mount.yml
@@ -2,7 +2,7 @@ title: ISO File Created Within Temp Folders
 id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
 status: experimental
 description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
-references:
+references:
 - https://twitter.com/Sam0x90/status/1552011547974696960
 - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
 author: '@sam0x90'
diff --git a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
index c4ec55e2e..31e1c934c 100644
--- a/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
+++ b/rules/windows/file/file_event/file_event_win_iso_file_recent.yml
@@ -1,13 +1,15 @@
 title: ISO or Image Mount Indicator in Recent Files
 id: 4358e5a5-7542-4dcb-b9f3-87667371839b
-description: Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
 status: experimental
-author: Florian Roth
+description: |
+ Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
+ This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
 references:
 - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
 - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
 - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
 - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
+author: Florian Roth
 date: 2022/02/11
 logsource:
 product: windows
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
index c03a1d896..1ca1d28d2 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
+++ b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml
@@ -1,11 +1,14 @@
 title: Legitimate Application Dropped Archive
 id: 654fcc6d-840d-4844-9b07-2c3300e54a26
-description: Detects programs on a Windows system that should not write an archive to disk
 status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write an archive to disk
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
 date: 2022/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218
 logsource:
 product: windows
 category: file_event
@@ -47,6 +50,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
index fb41d165a..34152ab99 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml
@@ -1,11 +1,14 @@
 title: Legitimate Application Dropped Executable
 id: f0540f7e-2db3-4432-b9e0-3965486744bc
-description: Detects programs on a Windows system that should not write executables to disk
 status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write executables to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
 date: 2022/08/21
+tags:
+    - attack.defense_evasion
+    - attack.t1218
 logsource:
     product: windows
     category: file_event
@@ -45,6 +48,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1218
diff --git a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
index 297ecd472..61ec04aa2 100644
--- a/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
+++ b/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml
@@ -1,11 +1,14 @@
 title: Legitimate Application Dropped Script
 id: 7d604714-e071-49ff-8726-edeb95a70679
-description: Detects programs on a Windows system that should not write scripts to disk
 status: experimental
-author: frack113, Florian Roth
+description: Detects programs on a Windows system that should not write scripts to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+author: frack113, Florian Roth
 date: 2022/08/21
+tags:
+    - attack.defense_evasion
+    - attack.t1218
 logsource:
     product: windows
     category: file_event
@@ -47,6 +50,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1218
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
index f1c62f982..7184c6c4d 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
@@ -3,15 +3,15 @@ id: a5a2d357-1ab8-4675-a967-ef9990a59391
 related:
     - id: db2110f3-479d-42a6-94fb-d35bc1e46492
       type: obsoletes
-description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
 status: experimental
-author: Florian Roth
+description: Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials
 references:
     - https://www.google.com/search?q=procdump+lsass
     - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
     - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
     - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
     - https://github.com/helpsystems/nanodump
+author: Florian Roth
 date: 2021/11/15
 modified: 2022/06/27
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml b/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml
index b36022f26..acd3f9236 100755
--- a/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml
@@ -18,10 +18,10 @@ detection:
         TargetFilename|contains: 'lsass'
         TargetFilename|endswith: 'dmp'
     condition: selection
+fields:
+    - ComputerName
+    - TargetFilename
 falsepositives:
     - Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator
     - Dumps of another process that contains lsass in its process name (substring)
 level: high
-fields:
-    - ComputerName
-    - TargetFilename
diff --git a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
index 11694c4d6..e0ead914e 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml
@@ -1,10 +1,10 @@
 title: WerFault LSASS Process Memory Dump
 id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
-description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
 status: experimental
-author: Florian Roth
+description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
 references:
     - https://github.com/helpsystems/nanodump
+author: Florian Roth
 date: 2022/06/27
 tags:
     - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_macro_file.yml b/rules/windows/file/file_event/file_event_win_macro_file.yml
index fc57d6286..9e50c175a 100644
--- a/rules/windows/file/file_event/file_event_win_macro_file.yml
+++ b/rules/windows/file/file_event/file_event_win_macro_file.yml
@@ -2,12 +2,15 @@ title: Dump Office Macro Files from Commandline
 id: b1c50487-1967-4315-a026-6491686d860e
 status: experimental
 description: A office file with macro is created from a commandline or a script
-author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
     - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
+author: frack113
 date: 2022/01/23
 modified: 2022/07/14
+tags:
+    - attack.initial_access
+    - attack.t1566.001
 logsource:
     category: file_event
     product: windows
@@ -34,6 +37,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.initial_access
-    - attack.t1566.001
diff --git a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
index 89ae6af09..153e0f4d9 100644
--- a/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
+++ b/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml
@@ -2,23 +2,23 @@ title: Octopus Scanner Malware
 id: 805c55d9-31e6-4846-9878-c34c75054fe9
 status: test
 description: Detects Octopus Scanner Malware.
-author: NVISO
 references:
-  - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+    - https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
+author: NVISO
 date: 2020/06/09
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|endswith:
-      - '\AppData\Local\Microsoft\Cache134.dat'
-      - '\AppData\Local\Microsoft\ExplorerSync.db'
-  condition: selection
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.t1195
-  - attack.t1195.001
+    - attack.t1195
+    - attack.t1195.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|endswith:
+            - '\AppData\Local\Microsoft\Cache134.dat'
+            - '\AppData\Local\Microsoft\ExplorerSync.db'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml b/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
index 4aadcd2fc..3e5ceac63 100644
--- a/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml
@@ -2,9 +2,9 @@ title: Mimikatz Kirbi File Creation
 id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
 status: test
 description: Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz
-author: Florian Roth
 references:
     - https://cobalt.io/blog/kerberoast-attack-techniques
+author: Florian Roth
 date: 2021/11/08
 tags:
     - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
index c497d9784..efdabcb90 100644
--- a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
+++ b/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml
@@ -2,20 +2,20 @@ title: Mimikatz MemSSP Default Log File Creation
 id: 034affe8-6170-11ec-844f-0f78aa0c4d66
 status: experimental
 description: Detects Mimikatz MemSSP default log file creation
-author: David ANDRE
 references:
-  - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+author: David ANDRE
 date: 2021/12/20
 tags:
-  - attack.credential_access
-  - attack.t1003
+    - attack.credential_access
+    - attack.t1003
 logsource:
     product: windows
     category: file_event
 detection:
-  selection:
-    TargetFilename|endswith: 'mimilsa.log'
-  condition: selection
+    selection:
+        TargetFilename|endswith: 'mimilsa.log'
+    condition: selection
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: critical
diff --git a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file/file_event/file_event_win_msdt_autorun.yml
index 65151c6fb..4d7362e61 100644
--- a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml
+++ b/rules/windows/file/file_event/file_event_win_msdt_autorun.yml
@@ -1,11 +1,11 @@
-title: MSDT.exe Creates Files in Autorun Directory
+title: MSDT.exe Creates Files in Autorun Directory
 id: 318557a5-150c-4c8d-b70e-a9910e199857
 status: experimental
 description: Detects msdt.exe creating files in suspicious directories
-author: Vadim Varganov, Florian Roth
 references:
-    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
+    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
     - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
+author: Vadim Varganov, Florian Roth
 date: 2022/08/24
 tags:
     - attack.persistence
@@ -17,7 +17,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '\msdt.exe'
-        TargetFilename|contains:
+        TargetFilename|contains:
             - '\Start Menu\Programs\Startup\'
             - 'C:\Users\Public\'
             - 'C:\PerfLogs\'
diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
index 31c25d08c..95757847b 100644
--- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml
@@ -2,10 +2,13 @@ title: Creation Suspicious File In Uncommon AppData Folder
 id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
 status: experimental
 description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
-author: Nasreddine Bencherchali
 references:
     - Internal Research
+author: Nasreddine Bencherchali
 date: 2022/08/05
+tags:
+    - attack.defense_evasion
+    - attack.execution
 logsource:
     product: windows
     category: file_event
@@ -31,6 +34,3 @@ detection:
 falsepositives:
     - Unlikely
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.execution
diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml
index 7caec1c22..6ad24e0ed 100644
--- a/rules/windows/file/file_event/file_event_win_new_src_file.yml
+++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml
@@ -2,30 +2,30 @@ title: SCR File Write Event
 id: c048f047-7e2a-4888-b302-55f509d4a91d
 status: experimental
 description: An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver
-author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 references:
-  - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 date: 2022/04/27
 modified: 2022/10/07
 tags:
-  - attack.t1218.011
-  - attack.defense_evasion
+    - attack.t1218.011
+    - attack.defense_evasion
 logsource:
-  category: file_event
-  product: windows
+    category: file_event
+    product: windows
 detection:
-  selection:
-    TargetFilename|endswith: '.scr'
-  filter:
-    TargetFilename|startswith:
-      - 'C:\Windows\System32\'
-      - 'C:\Windows\system32\'
-      - 'C:\Windows\SysWOW64\'
-      - 'C:\Windows\SysWow64\'
-      - 'C:\Windows\winsxs\'
-      - 'C:\Windows\WinSxS\'
-      - 'C:\$WINDOWS.~BT\NewOS\'
-  condition: selection and not filter
+    selection:
+        TargetFilename|endswith: '.scr'
+    filter:
+        TargetFilename|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\system32\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\SysWow64\'
+            - 'C:\Windows\winsxs\'
+            - 'C:\Windows\WinSxS\'
+            - 'C:\$WINDOWS.~BT\NewOS\'
+    condition: selection and not filter
 falsepositives:
-  - The installation of new screen savers.
+    - The installation of new screen savers.
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
index d684b222a..65be22fc8 100644
--- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -1,12 +1,14 @@
 title: Persistence Via Notepad++ Plugins
 id: 54127bd4-f541-4ac3-afdb-ea073f63f692
-description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
 status: experimental
-author: Nasreddine Bencherchali
+description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
 references:
     - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
+author: Nasreddine Bencherchali
 date: 2022/06/10
 modified: 2022/09/20
+tags:
+    - attack.persistence
 logsource:
     product: windows
     category: file_event
@@ -28,5 +30,3 @@ falsepositives:
     - Possible FPs during first installation of Notepad++
     - Legitimate use of custom plugins to enhance notepad++ functionality by users
 level: medium
-tags:
-    - attack.persistence
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
index 476846bab..8b70e991a 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit.yml
@@ -1,13 +1,13 @@
 title: Suspicious NTDS.DIT Creation
 id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
-description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
 status: experimental
-author: Florian Roth
+description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner
 references:
     - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
     - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
     - https://pentestlab.blog/tag/ntds-dit/
     - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
+author: Florian Roth
 date: 2022/03/11
 modified: 2022/07/14
 tags:
diff --git a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
index 17b5bff09..8ffac4619 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml
@@ -1,12 +1,12 @@
 title: Suspicious NTDS Exfil Filename Patterns
 id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
-description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
 status: experimental
-author: Florian Roth
+description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration
 references:
     - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
     - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
     - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
+author: Florian Roth
 date: 2022/03/11
 tags:
     - attack.credential_access
diff --git a/rules/windows/file/file_event/file_event_win_office_persistence.yml b/rules/windows/file/file_event/file_event_win_office_persistence.yml
index af5c704af..076a0b695 100644
--- a/rules/windows/file/file_event/file_event_win_office_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_office_persistence.yml
@@ -2,30 +2,30 @@ title: Microsoft Office Add-In Loading
 id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
 status: test
 description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
-author: NVISO
 references:
-  - Internal Research
+    - Internal Research
+author: NVISO
 date: 2020/05/11
 modified: 2021/11/27
-logsource:
-  category: file_event
-  product: windows
-detection:
-  selection_wlldropped:
-    TargetFilename|contains: '\Microsoft\Word\Startup\'
-    TargetFilename|endswith: '.wll'
-  selection_xlldropped:
-    TargetFilename|contains: '\Microsoft\Excel\Startup\'
-    TargetFilename|endswith: '.xll'
-  selection_generic:
-    TargetFilename|contains: '\Microsoft\Addins\'
-    TargetFilename|endswith:
-      - '.xlam'
-      - '.xla'
-  condition: 1 of selection*
-falsepositives:
-  - Legitimate add-ins
-level: high
 tags:
-  - attack.persistence
-  - attack.t1137.006
+    - attack.persistence
+    - attack.t1137.006
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_wlldropped:
+        TargetFilename|contains: '\Microsoft\Word\Startup\'
+        TargetFilename|endswith: '.wll'
+    selection_xlldropped:
+        TargetFilename|contains: '\Microsoft\Excel\Startup\'
+        TargetFilename|endswith: '.xll'
+    selection_generic:
+        TargetFilename|contains: '\Microsoft\Addins\'
+        TargetFilename|endswith:
+            - '.xlam'
+            - '.xla'
+    condition: 1 of selection*
+falsepositives:
+    - Legitimate add-ins
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml b/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
index 380a47f1d..1e571fc62 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml
@@ -1,7 +1,10 @@
 title: Outlook C2 Macro Creation
 id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
 status: test
-description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+description: |
+    Detects the creation of a macro file for Outlook.
+    Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137.
+    Particularly interesting if both events Registry & File Creation happens at the same time.
 references:
     - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 author: '@ScoubiMtl'
diff --git a/rules/windows/file/file_event/file_event_win_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
index ba01fea48..022efb165 100644
--- a/rules/windows/file/file_event/file_event_win_outlook_newform.yml
+++ b/rules/windows/file/file_event/file_event_win_outlook_newform.yml
@@ -4,12 +4,12 @@ status: experimental
 description: Detects the creation of new Outlook form which can contain malicious code
 references:
     - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
-tags:
-    - attack.persistence
-    - attack.t1137.003
 author: Tobias Michalski
 date: 2021/06/10
 modified: 2022/06/16
+tags:
+    - attack.persistence
+    - attack.t1137.003
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 73ec4a996..adec9285c 100755
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -2,7 +2,6 @@ title: Malicious PowerShell Commandlet Names
 id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
 status: test
 description: Detects the creation of known powershell scripts for exploitation
-author: Markus Neis, Nasreddine Bencherchali
 references:
     - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
     - https://github.com/PowerShellMafia/PowerSploit
@@ -14,8 +13,12 @@ references:
     - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
     - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
     - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
+author: Markus Neis, Nasreddine Bencherchali
 date: 2018/04/07
 modified: 2022/10/04
+tags:
+    - attack.execution
+    - attack.t1059.001
 logsource:
     category: file_event
     product: windows
@@ -212,6 +215,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.execution
-    - attack.t1059.001
diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
index 621b861c0..90fa23699 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -1,16 +1,20 @@
 title: PowerShell Writing Startup Shortcuts
 id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
-description: Attempts to detect PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 status: experimental
+description: |
+    Attempts to detect PowerShell writing startup shortcuts.
+    This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
+    Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
+    In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
 references:
     - https://redcanary.com/blog/intelligence-insights-october-2021/
     - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
+author: Christopher Peacock '@securepeacock', SCYTHE
+date: 2021/10/24
+modified: 2022/08/10
 tags:
     - attack.persistence
     - attack.t1547.001
-date: 2021/10/24
-modified: 2022/08/10
-author: Christopher Peacock '@securepeacock', SCYTHE
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
index 3e8ca7f58..5670924b8 100755
--- a/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
+++ b/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml
@@ -2,24 +2,24 @@ title: QuarksPwDump Dump File
 id: 847def9e-924d-4e90-b7c4-5f581395a2b4
 status: test
 description: Detects a dump file written by QuarksPwDump password dumper
-author: Florian Roth
 references:
-  - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
+author: Florian Roth
 date: 2018/02/10
 modified: 2021/11/27
-logsource:
-  category: file_event
-  product: windows
-detection:
-  selection:
-    # Sysmon: File Creation (ID 11)
-    TargetFilename|contains|all:
-      - '\AppData\Local\Temp\SAM-'
-      - '.dmp'
-  condition: selection
-falsepositives:
-  - Unknown
-level: critical
 tags:
-  - attack.credential_access
-  - attack.t1003.002
+    - attack.credential_access
+    - attack.t1003.002
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        # Sysmon: File Creation (ID 11)
+        TargetFilename|contains|all:
+            - '\AppData\Local\Temp\SAM-'
+            - '.dmp'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
diff --git a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
index 6674129da..3850c9dca 100644
--- a/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
+++ b/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml
@@ -2,24 +2,24 @@ title: RedMimicry Winnti Playbook Dropped File
 id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
 status: test
 description: Detects actions caused by the RedMimicry Winnti playbook
-author: Alexander Rausch
 references:
-  - https://redmimicry.com
+    - https://redmimicry.com
+author: Alexander Rausch
 date: 2020/06/24
 modified: 2021/11/27
-logsource:
-  product: windows
-  category: file_event
-detection:
-  selection:
-    TargetFilename|contains:
-      - gthread-3.6.dll
-      - sigcmm-2.4.dll
-      - \Windows\Temp\tmp.bat
-  condition: selection
-falsepositives:
-  - Unknown
-level: high
 tags:
-  - attack.defense_evasion
-  - attack.t1027
+    - attack.defense_evasion
+    - attack.t1027
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains:
+            - gthread-3.6.dll
+            - sigcmm-2.4.dll
+            - \Windows\Temp\tmp.bat
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_sam_dump.yml b/rules/windows/file/file_event/file_event_win_sam_dump.yml
index 32302222c..109779a3b 100644
--- a/rules/windows/file/file_event/file_event_win_sam_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -1,14 +1,14 @@
 title: SAM Dump File Creation
 id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
-description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
 status: experimental
-author: Florian Roth
+description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
 references:
     - https://github.com/search?q=CVE-2021-36934
     - https://github.com/cube0x0/CVE-2021-36934
     - https://www.google.com/search?q=%22reg.exe+save%22+sam
     - https://github.com/HuskyHacks/ShadowSteal
     - https://github.com/FireFart/hivenightmare
+author: Florian Roth
 date: 2022/02/11
 tags:
     - attack.credential_access
@@ -18,7 +18,7 @@ logsource:
     category: file_event
 detection:
     selection:
-        - TargetFilename|endswith:
+        - TargetFilename|endswith:
             - '\Temp\sam'
             - '\sam.sav'
             - '\Intel\sam'
diff --git a/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml b/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml
index 574f5a596..459a7c16c 100644
--- a/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml
@@ -2,13 +2,16 @@ title: ScreenConnect Temporary Installation Artefact
 id: fec96f39-988b-4586-b746-b93d59fd1922
 status: experimental
 description: |
-  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
-  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
-  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
 author: frack113
 date: 2022/02/13
+tags:
+    - attack.command_and_control
+    - attack.t1219
 logsource:
     category: file_event
     product: windows
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Legitimate use
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml b/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
index d8d5d9a7a..22446ba9c 100644
--- a/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
+++ b/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml
@@ -1,16 +1,16 @@
 title: Created Files by Office Applications
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
+status: experimental
 description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
     - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
+date: 2021/08/23
+modified: 2022/07/11
 tags:
     - attack.t1204.002
     - attack.execution
-status: experimental
-date: 2021/08/23
-modified: 2022/07/11
 logsource:
     product: windows
     category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
index 79868daed..e303701db 100644
--- a/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
+++ b/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml
@@ -2,12 +2,15 @@ title: Startup Folder File Write
 id: 2aa0a6b4-a865-495b-ab51-c28249537b75
 status: test
 description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
     - https://github.com/OTRF/detection-hackathon-apt29/issues/12
     - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
 modified: 2022/10/07
+tags:
+    - attack.persistence
+    - attack.t1547.001
 logsource:
     product: windows
     category: file_event
@@ -21,6 +24,3 @@ detection:
 falsepositives:
     - An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
 level: medium
-tags:
-    - attack.persistence
-    - attack.t1547.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
index b7afdc19b..0ae200cbc 100755
--- a/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml
@@ -2,13 +2,16 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool
 id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
 status: test
 description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
-author: xknow @xknow_infosec, Tim Shelton
 references:
 - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
 - https://github.com/fox-it/LDAPFragger
+author: xknow @xknow_infosec, Tim Shelton
 date: 2019/03/24
 modified: 2022/08/24
+tags:
+ - attack.t1001.003
+ - attack.command_and_control
 logsource:
 product: windows
 category: file_event
@@ -39,6 +42,3 @@ detection:
 falsepositives:
 - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
 level: high
-tags:
- - attack.t1001.003
- - attack.command_and_control
diff --git a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
index 1eaa671db..4cd414b40 100644
--- a/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml
@@ -2,10 +2,13 @@ title: Suspicious Creation with Colorcpl
 id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
 status: experimental
 description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
-author: frack113
 references:
 - https://twitter.com/eral4m/status/1480468728324231172?s=20
+author: frack113
 date: 2022/01/21
+tags:
+ - attack.defense_evasion
+ - attack.t1564
 logsource:
 product: windows
 category: file_event
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1564
diff --git a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
index fb0b8c602..997f25fbc 100644
--- a/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml
@@ -1,13 +1,17 @@
 title: Created Files by Microsoft Sync Center
 id: 409f8a98-4496-4aaa-818a-c931c0a8b832
+status: experimental
 description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
-status: experimental
-level: medium
 date: 2022/04/28
 modified: 2022/06/02
+tags:
+ - attack.t1055
+ - attack.t1218
+ - attack.execution
+ - attack.defense_evasion
 logsource:
 product: windows
 category: file_event
@@ -21,8 +25,4 @@ detection:
 condition: selection_mobsync and filter_created_file
 falsepositives:
 - Unknown
-tags:
- - attack.t1055
- - attack.t1218
- - attack.execution
- - attack.defense_evasion
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
index 8d383edf9..9c33fe014 100644
--- a/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml
@@ -6,6 +6,9 @@ references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
 date: 2022/04/28
+tags:
+ - attack.t1036.005
+ - attack.defense_evasion
 logsource:
 product: windows
 category: file_event
@@ -18,7 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-tags:
- - attack.t1036.005
- - attack.defense_evasion
 level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
index 1914ec979..25189fd01 100755
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml
@@ -2,11 +2,14 @@ title: Suspicious desktop.ini Action
 id: 81315b50-6b60-4d8f-9928-3466e1022515
 status: test
 description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 references:
 - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
 date: 2020/03/19
 modified: 2022/10/07
+tags:
+ - attack.persistence
+ - attack.t1547.009
 logsource:
 product: windows
 category: file_event
@@ -28,6 +31,3 @@ falsepositives:
 - Operations performed through Windows SCCM or equivalent
 - Read only access list authority
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.009
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
index ad488b343..231684d35 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml
@@ -2,10 +2,13 @@ title: Suspicious Creation TXT File in User Desktop
 id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
 status: experimental
 description: Ransomware create txt file in the user Desktop
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
+author: frack113
 date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1486
 logsource:
 product: windows
 category: file_event
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.impact
- - attack.t1486
diff --git a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
index 1e378a7f1..0c61bb03d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml
@@ -2,33 +2,33 @@ title: Suspicious Desktopimgdownldr Target File
 id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
 status: test
 description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
-author: Florian Roth
 references:
- - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- - https://twitter.com/SBousseaden/status/1278977301745741825
+ - https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+ - https://twitter.com/SBousseaden/status/1278977301745741825
+author: Florian Roth
 date: 2020/07/03
 modified: 2022/06/02
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- Image|endswith: '\svchost.exe'
- TargetFilename|contains: '\Personalization\LockScreenImage\'
- filter1:
- TargetFilename|contains: 'C:\Windows\'
- filter2:
- TargetFilename|contains:
- - '.jpg'
- - '.jpeg'
- - '.png'
- condition: selection and not filter1 and not filter2
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: high
 tags:
- - attack.defense_evasion
- - attack.t1105
+ - attack.defense_evasion
+ - attack.t1105
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\svchost.exe'
+ TargetFilename|contains: '\Personalization\LockScreenImage\'
+ filter1:
+ TargetFilename|contains: 'C:\Windows\'
+ filter2:
+ TargetFilename|contains:
+ - '.jpg'
+ - '.jpeg'
+ - '.png'
+ condition: selection and not filter1 and not filter2
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - False positives depend on scripts and administrative tools used in the monitored environment
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
index da940be20..14e7663b2 100644
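Review bot: The re-indented `filter2` block still uses `TargetFilename|contains` for what are extension checks (`.jpg`, `.jpeg`, `.png`), so the exclusion applies to any target path that merely contains one of those substrings, not only to files that actually end with an image extension; that is a wider blind spot than the filter name suggests. Since the commit already rewrites these lines on the new side, switching the modifier to `TargetFilename|endswith:` keeps the same false-positive coverage for real lock-screen images while narrowing the exclusion. The pattern is pre-existing rather than introduced here, so it can be a follow-up if this commit is meant to be a pure reorder.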
--- a/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_diagcab.yml
@@ -2,19 +2,19 @@ title: Creation of a Diagcab
 id: 3d0ed417-3d94-4963-a562-4a92c940656a
 status: experimental
 description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
-author: frack113
 references:
- - https://threadreaderapp.com/thread/1533879688141086720.html
+ - https://threadreaderapp.com/thread/1533879688141086720.html
+author: frack113
 date: 2022/06/08
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith: '.diagcab'
- condition: selection
-falsepositives:
- - Legitimate microsoft diagcab
-level: medium
 tags:
- - attack.resource_development
+ - attack.resource_development
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.diagcab'
+ condition: selection
+falsepositives:
+ - Legitimate microsoft diagcab
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
index b94f6c3a4..9fe5b68f7 100644
--- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml
@@ -5,15 +5,18 @@ related:
 type: derived
 status: experimental
 description: Detects dropped files with double extensions which is often used by malware as a method to abuse the fact that windows hide default extensions by default.
-author: Nasreddine Bencherchali, frack113
 references:
 - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
 - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
 - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
 - https://twitter.com/malwrhunterteam/status/1235135745611960321
 - https://twitter.com/luc4m/status/1073181154126254080
+author: Nasreddine Bencherchali, frack113
 date: 2022/06/19
 modified: 2022/07/28
+tags:
+ - attack.defense_evasion
+ - attack.t1036.007
 logsource:
 category: file_event
 product: windows
@@ -36,7 +39,7 @@ detection:
 selection_exe:
 TargetFilename|endswith:
 - '.zip.exe'
- - '.rar.exe'
+ - '.rar.exe'
 filter:
 TargetFilename|contains:
 - '\AppData\Roaming\Microsoft\Office\Recent\'
@@ -45,7 +48,3 @@ detection:
 falsepositives:
 - Unlikely
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1036.007
-
diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
index 821c7ef0d..1889fa5a8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
@@ -2,50 +2,50 @@ title: Creation of an Executable by an Executable
 id: 297afac9-5d02-4138-8c58-b977bac60556
 status: experimental
 description: Detects the creation of an executable by another executable
-author: frack113
 references:
- - Malware Sandbox
+ - Malware Sandbox
+author: frack113
 date: 2022/03/09
 modified: 2022/07/27
+tags:
+ - attack.resource_development
+ - attack.t1587.001
 logsource:
- product: windows
- category: file_event
+ product: windows
+ category: file_event
 detection:
- selection:
- Image|endswith: '.exe'
- TargetFilename|endswith: '.exe'
- filter_whitelist:
- Image:
- - 'C:\Windows\System32\msiexec.exe'
- - 'C:\Windows\system32\cleanmgr.exe'
- - 'C:\Windows\explorer.exe'
- - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
- - 'C:\WINDOWS\system32\Dism.exe'
- - 'C:\Windows\System32\wuauclt.exe'
- filter_update:
- Image: 'C:\WINDOWS\system32\svchost.exe'
- TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
+ selection:
+ Image|endswith: '.exe'
+ TargetFilename|endswith: '.exe'
+ filter_whitelist:
+ Image:
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\system32\cleanmgr.exe'
+ - 'C:\Windows\explorer.exe'
+ - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
+ - 'C:\WINDOWS\system32\Dism.exe'
+ - 'C:\Windows\System32\wuauclt.exe'
+ filter_update:
+ Image: 'C:\WINDOWS\system32\svchost.exe'
+ TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
 # Security_UserID: S-1-5-18
- filter_tiworker:
- Image|startswith: 'C:\Windows\WinSxS\'
- Image|endswith: '\TiWorker.exe'
- filter_programfiles:
- - Image|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - TargetFilename|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- filter_defender:
- Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
- filter_windows_apps:
- TargetFilename|contains: '\Microsoft\WindowsApps\'
- condition: selection and not 1 of filter_*
+ filter_tiworker:
+ Image|startswith: 'C:\Windows\WinSxS\'
+ Image|endswith: '\TiWorker.exe'
+ filter_programfiles:
+ - Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - TargetFilename|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ filter_defender:
+ Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
+ filter_windows_apps:
+ TargetFilename|contains: '\Microsoft\WindowsApps\'
+ condition: selection and not 1 of filter_*
 falsepositives:
- - Software installers
- - Update utilities
+ - Software installers
+ - Update utilities
 #Please contribute to FP to go up the level
 level: low
-tags:
- - attack.resource_development
- - attack.t1587.001
diff --git a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
index 82ed285c9..644d6dba8 100644
--- a/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\MSExchangeMailboxReplication.exe'
- TargetFilename|endswith:
+ TargetFilename|endswith:
 - '.aspx'
 - '.asp'
 condition: selection
diff --git a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
index 3444fe185..b4b85c849 100644
--- a/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml
@@ -2,30 +2,30 @@ title: Suspicious Executable File Creation
 id: 74babdd6-a758-4549-9632-26535279e654
 status: experimental
 description: Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
-author: frack113
 references:
- - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+ - https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
+ - https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
+author: frack113
 date: 2022/09/05
-logsource:
- product: windows
- category: file_event
-detection:
- selection_double:
- TargetFilename|endswith:
- - '.bat.exe'
- - '.sys.exe'
- selection_folder:
- TargetFilename:
- - 'C:\$Recycle.Bin.exe'
- - 'C:\Documents and Settings.exe'
- - 'C:\MSOCache.exe'
- - 'C:\Recovery.exe'
- - 'C:\PerfLogs.exe'
- condition: 1 of selection_*
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.defense_evasion
- - attack.t1564
+ - attack.defense_evasion
+ - attack.t1564
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_double:
+ TargetFilename|endswith:
+ - '.bat.exe'
+ - '.sys.exe'
+ selection_folder:
+ TargetFilename:
+ - 'C:\$Recycle.Bin.exe'
+ - 'C:\Documents and Settings.exe'
+ - 'C:\MSOCache.exe'
+ - 'C:\Recovery.exe'
+ - 'C:\PerfLogs.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
index d5060e84e..de8768f42 100644
--- a/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_get_variable.yml
@@ -1,28 +1,27 @@
-title: Suspicious Get-Variable.exe Creation
+title: Suspicious Get-Variable.exe Creation
 id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
 status: experimental
 description: |
- Get-Variable is a valid PowerShell cmdlet
- WindowsApps is by default in the path where PowerShell is executed.
- So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
-author: frack113
+ Get-Variable is a valid PowerShell cmdlet
+ WindowsApps is by default in the path where PowerShell is executed.
+ So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
 references:
- - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- - https://www.joesandbox.com/analysis/465533/0/html
+ - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
+ - https://www.joesandbox.com/analysis/465533/0/html
+author: frack113
 date: 2022/04/23
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.persistence
- - attack.t1546
- - attack.defense_evasion
- - attack.t1027
-
+ - attack.persistence
+ - attack.t1546
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
index 925d1dbbd..e403199e5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml
@@ -2,26 +2,26 @@ title: Suspicious PFX File Creation
 id: dca1b3e8-e043-4ec8-85d7-867f334b5724
 status: test
 description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
- - https://github.com/OTRF/detection-hackathon-apt29/issues/14
- - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/14
+ - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/05/02
 modified: 2022/07/07
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|endswith: '.pfx'
- filter:
- TargetFilename|contains|all:
- - '\Templates\Windows\Windows_TemporaryKey.pfx'
- - '\CMake\'
- condition: selection and not 1 of filter*
-falsepositives:
- - System administrators managing certififcates.
-level: medium
 tags:
- - attack.credential_access
- - attack.t1552.004
+ - attack.credential_access
+ - attack.t1552.004
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.pfx'
+ filter:
+ TargetFilename|contains|all:
+ - '\Templates\Windows\Windows_TemporaryKey.pfx'
+ - '\CMake\'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - System administrators managing certififcates.
+level: medium
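Review bot: The falsepositives entry rewritten on the new side of this hunk still carries the misspelling `certififcates`; since the line is already being touched, correct it to `  - System administrators managing certificates.`. The moved `condition: selection and not 1 of filter*` also refers to a single `filter` map, so the wildcard is harmless but `not filter` would state the intent more plainly; that is a style point, not a behaviour change.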
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index 737db2024..2a904a121 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -2,12 +2,16 @@ title: PowerShell Profile Modification
 id: b5b78988-486d-4a80-b991-930eff3ff8bf
 status: test
 description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-author: HieuTT35, Nasreddine Bencherchali
 references:
 - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
 - https://persistence-info.github.io/Data/powershellprofile.html
+author: HieuTT35, Nasreddine Bencherchali
 date: 2019/10/24
 modified: 2022/08/24
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.013
 logsource:
 product: windows
 category: file_event
@@ -23,7 +27,3 @@ detection:
 falsepositives:
 - System administrator create Powershell profile manually
 level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1546.013
diff --git a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
index d32dd30da..3839b9148 100755
--- a/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -1,29 +1,31 @@
 title: Suspicious PROCEXP152.sys File Created In TMP
 id: 3da70954-0f2c-4103-adff-b7440368f50e
 status: test
-description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
-author: xknow (@xknow_infosec), xorxes (@xor_xes)
+description: |
+ Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
+ This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
 references:
- - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+ - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
 modified: 2021/11/27
-logsource:
- product: windows
- category: file_event
-detection:
- selection_1:
- TargetFilename|contains: '\AppData\Local\Temp\'
- TargetFilename|endswith: 'PROCEXP152.sys'
- selection_2:
- Image|contains:
- - '\procexp64.exe'
- - '\procexp.exe'
- - '\procmon64.exe'
- - '\procmon.exe'
- condition: selection_1 and not selection_2
-falsepositives:
- - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
-level: medium
 tags:
- - attack.t1562.001
- - attack.defense_evasion
+ - attack.t1562.001
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection_1:
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: 'PROCEXP152.sys'
+ selection_2:
+ Image|contains:
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
+ condition: selection_1 and not selection_2
+falsepositives:
+ - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
index bea1f1e60..5426d6bc5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml
@@ -2,10 +2,12 @@ title: Drop Binaries Into Spool Drivers Color Folder
 id: ce7066a6-508a-42d3-995b-2952c65dc2ce
 status: experimental
 description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
-author: Nasreddine Bencherchali
 references:
 - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
+author: Nasreddine Bencherchali
 date: 2022/07/28
+tags:
+ - attack.defense_evasion
 logsource:
 product: windows
 category: file_event
@@ -20,5 +22,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
diff --git a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
index 78280468e..4e7346ec3 100644
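Review bot: The falsepositives entry re-added on the new side of the PROCEXP152.sys hunk keeps the misspelling `legimate`; as the line is rewritten anyway, change its opening to `  - Other legitimate tools using this driver and filename (like Sysinternals).` with the remainder of the sentence unchanged. The same misspelling sits in the ADSI-cache rule earlier in this patch, but there it is an untouched context line. The hunk starts on the preceding line of this diff.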
--- a/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -1,14 +1,14 @@
 title: Suspicious Startup Folder Persistence
 id: 28208707-fe31-437f-9a7f-4b1108b94d2e
-description: Detects when a file with a suspicious extension is created in the startup folder
 status: experimental
-author: Nasreddine Bencherchali
+description: Detects when a file with a suspicious extension is created in the startup folder
 references:
 - https://github.com/last-byte/PersistenceSniper
+author: Nasreddine Bencherchali
+date: 2022/08/10
 tags:
 - attack.persistence
 - attack.t1547.001
-date: 2022/08/10
 logsource:
 product: windows
 category: file_event
diff --git a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
index fd68a54eb..08b533453 100644
--- a/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -2,9 +2,9 @@ title: Suspicious Interactive PowerShell as SYSTEM
 id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
 status: experimental
 description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
-author: Florian Roth
 references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
+author: Florian Roth
 date: 2021/12/07
 modified: 2022/08/13
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_task_write.yml b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
index c2cee9c49..cf1572edd 100644
--- a/rules/windows/file/file_event/file_event_win_susp_task_write.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_task_write.yml
@@ -10,14 +10,14 @@ modified: 2022/01/12
 tags:
 - attack.persistence
 - attack.execution
- - attack.t1053
+ - attack.t1053
 logsource:
 product: windows
 category: file_event
 detection:
 selection:
 TargetFilename|contains: '\Windows\System32\Tasks'
- Image|contains:
+ Image|contains:
 - '\AppData\'
 - 'C:\PerfLogs'
 - '\Windows\System32\config\systemprofile'
diff --git a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
index f85738a13..9821a9b7d 100644
--- a/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml
@@ -5,10 +5,14 @@ related:
 type: similar
 status: experimental
 description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
-author: Nasreddine Bencherchali
 references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
+author: Nasreddine Bencherchali
 date: 2022/08/24
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.013
 logsource:
 product: windows
 category: file_event
@@ -19,7 +23,3 @@ detection:
 falsepositives:
 - Legitimate use of the profile by developers or administrators
 level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1546.013
diff --git a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml b/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
index 996f384f5..67cafa273 100644
--- a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml
@@ -2,30 +2,30 @@ title: Creation In User Word Startup Folder
 id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
 status: experimental
 description: Detects the creation of an file in user Word Startup
-author: frack113
 references:
- - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+ - Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
+author: frack113
 date: 2022/06/05
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
- filter_ext:
- TargetFilename|endswith:
- - '.docx' # Word document
- - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- - '.dotx' # Word template
- - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- - '.docb' # Word binary document introduced in Microsoft Office 2007
- - '.pdf' # PDF documents
- - '.wll' # Word add-in
- - '.wwl' # Word add-in
- condition: selection and not filter_ext
-falsepositives:
- - Addition of legitimate plugins
-level: medium
 tags:
- - attack.resource_development
- - attack.t1587.001
+ - attack.resource_development
+ - attack.t1587.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '\AppData\Roaming\Microsoft\Word\STARTUP\'
+ filter_ext:
+ TargetFilename|endswith:
+ - '.docx' # Word document
+ - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
+ - '.dotx' # Word template
+ - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
+ - '.docb' # Word binary document introduced in Microsoft Office 2007
+ - '.pdf' # PDF documents
+ - '.wll' # Word add-in
+ - '.wwl' # Word add-in
+ condition: selection and not filter_ext
+falsepositives:
+ - Addition of legitimate plugins
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_tool_psexec.yml b/rules/windows/file/file_event/file_event_win_tool_psexec.yml
index 2dc596b5f..10f71ef15 100644
--- a/rules/windows/file/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file/file_event/file_event_win_tool_psexec.yml
@@ -22,9 +22,6 @@ detection:
 selection:
 TargetFilename|endswith: '\PSEXESVC.exe'
 condition: selection
-falsepositives:
- - Unknown
-level: low
 fields:
 - EventID
 - CommandLine
@@ -33,3 +30,6 @@ fields:
 - ServiceFileName
 - TargetFilename
 - PipeName
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
index fe5396e87..27662b783 100755
--- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
+++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml
@@ -5,6 +5,9 @@ description: Detects the usage of tsclient share to place a backdoor on the RDP
 author: Samir Bousseaden
 date: 2019/02/21
 modified: 2021/11/27
+tags:
+ - attack.command_and_control
+ - attack.t1219
 logsource:
 product: windows
 category: file_event
@@ -16,6 +19,3 @@ detection:
 falsepositives:
 - Unlikely
 level: high
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
index 172b6ff44..9919a5fac 100644
--- a/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
+++ b/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml
@@ -1,13 +1,13 @@ title: UAC Bypass Using EventVwr id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43 -description: Detects the pattern of a UAC bypass using Windows Event Viewer -author: Antonio Cocomazzi (idea), Florian Roth (rule) -date: 2022/04/27 -modified: 2022/04/27 status: experimental +description: Detects the pattern of a UAC bypass using Windows Event Viewer references: - https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw - https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g +author: Antonio Cocomazzi (idea), Florian Roth (rule) +date: 2022/04/27 +modified: 2022/04/27 tags: - attack.defense_evasion - attack.privilege_escalation diff --git a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml index 2f255e227..ef4e93f2b 100644 --- a/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml +++ b/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml @@ -2,10 +2,15 @@ title: UAC Bypass Using IDiagnostic Profile - File id: 48ea844d-19b1-4642-944e-fe39c2cc1fec status: experimental description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique -author: Nasreddine Bencherchali references: - https://github.com/Wh04m1001/IDiagnosticProfileUAC +author: Nasreddine Bencherchali date: 2022/07/03 +tags: + - attack.execution + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 logsource: product: windows category: file_event @@ -18,8 +23,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.execution - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 
diff --git a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml index 5d246108f..04382061c 100755 --- a/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml 
@@ -2,41 +2,41 @@ title: Windows Webshell Creation id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9 status: test description: Possible webshell file creation on a static web site -author: Beyu Denis, oscd.community, Tim Shelton references: - - PT ESC rule and personal experience + - PT ESC rule and personal experience +author: Beyu Denis, oscd.community, Tim Shelton date: 2019/10/22 modified: 2022/09/18 -logsource: - product: windows - category: file_event -detection: - selection_wwwroot: - TargetFilename|contains: '\inetpub\wwwroot\' - selection_ext1: - TargetFilename|contains: - - '.asp' - - '.ashx' - - '.ph' - selection_static: - TargetFilename|contains: - - '\www\' - - '\htdocs\' - - '\html\' - selection_ext2: - TargetFilename|contains: '.ph' - false_positive1: # false positives when unpacking some executables in $TEMP - TargetFilename|contains: - - '\AppData\Local\Temp\' - - '\Windows\Temp\' - false_positive_system: - Image: 'System' # fp : backup/restore from drivers - false_positive_legitimate: - TargetFilename|contains: '\xampp' - condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* -falsepositives: - - Legitimate administrator or developer creating legitimate executable files in a web application folder -level: high tags: - - attack.persistence - - attack.t1505.003 + - attack.persistence + - attack.t1505.003 +logsource: + product: windows + category: file_event +detection: + selection_wwwroot: + TargetFilename|contains: '\inetpub\wwwroot\' + selection_ext1: + TargetFilename|contains: + - '.asp' + - '.ashx' + - '.ph' + selection_static: + TargetFilename|contains: + - '\www\' + - '\htdocs\' + - '\html\' + selection_ext2: + TargetFilename|contains: '.ph' + false_positive1: # false positives when unpacking some executables in $TEMP + TargetFilename|contains: + - '\AppData\Local\Temp\' + - '\Windows\Temp\' + false_positive_system: + Image: 'System' # fp : backup/restore from drivers + 
false_positive_legitimate: + TargetFilename|contains: '\xampp' + condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* +falsepositives: + - Legitimate administrator or developer creating legitimate executable files in a web application folder +level: high diff --git a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml index a089cd21e..7bc9aae54 100644 --- a/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml +++ b/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml @@ -2,28 +2,28 @@ title: Creation of an WerFault.exe in Unusual Folder id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 status: experimental description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking -author: frack113 references: - - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ + - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ +author: frack113 date: 2022/05/09 -logsource: - product: windows - category: file_event -detection: - selection: - TargetFilename|endswith: - - '\WerFault.exe' - - '\wer.dll' - filter_whitelist: - TargetFilename|contains: - - '\System32\' - - '\SysWOW64\' - - '\WinSxS\' - condition: selection and not filter_whitelist -falsepositives: - - Unknown -level: high tags: - - attack.persistence - - attack.defense_evasion - - attack.t1574.001 + - attack.persistence + - attack.defense_evasion + - attack.t1574.001 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - '\WerFault.exe' + - '\wer.dll' + filter_whitelist: + TargetFilename|contains: + - '\System32\' + - '\SysWOW64\' + - '\WinSxS\' + condition: selection and not filter_whitelist +falsepositives: + - Unknown +level: high 
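Review bot: `selection_ext1` and `selection_ext2` use `TargetFilename|contains` for `.asp`, `.ashx` and `.ph`, so they match those substrings anywhere in the path rather than as a file extension; if that is deliberate (to cover `.php`, `.phtml` and similar variants), a comment would keep the next maintainer from "tightening" it to `endswith`, e.g. `TargetFilename|contains: # contains rather than endswith on purpose: covers .php/.phtml variants`. If it is not deliberate, `TargetFilename|endswith` with an explicit extension list is the narrower form. As a point of style, the exclusions are named `false_positive*` while the rest of the repository (and the condition idiom `1 of filter_*`) uses the `filter_` prefix; aligning them would let the condition read `... and not 1 of filter_*`. The `title:` line lies just above the hunk.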
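Review bot: `filter_whitelist` excludes the legitimate WerFault locations with `TargetFilename|contains` on `\System32\`, `\SysWOW64\` and `\WinSxS\`, so the exclusion keys on a path fragment rather than on the Windows directory itself, which is broader than the description ("copied to a suspicious folder") intends; anchoring the filter with `startswith` on the system-root paths keeps the exclusion to the locations the rule means to trust (adjust the drive letter if your environment's system drive differs). While the file is being reordered, the context line `description: Detects WerFault copoed to a suspicious folder` has a typo and could read `description: Detects WerFault copied to a suspicious folder, which could be a sign of WerFault DLL hijacking`. The `title:` line sits just above the hunk.
```yaml
# … unchanged: selection …
    filter_whitelist:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
# … unchanged: condition, falsepositives, level …
```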
diff --git a/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml index b28196367..3f2a81958 100644 --- a/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_win_cscript_wscript_dropper.yml @@ -1,10 +1,10 @@ title: WScript or CScript Dropper id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 -status: experimental -description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe -related: +related: - id: cea72823-df4d-4567-950c-0b579eaf0846 type: derived +status: experimental +description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton @@ -18,10 +18,10 @@ detection: Image|endswith: - '\wscript.exe' - '\cscript.exe' - TargetFilename|startswith: + TargetFilename|startswith: - 'C:\Users\' - 'C:\ProgramData' - TargetFilename|endswith: + TargetFilename|endswith: - '.jse' - '.vbe' - '.js' diff --git a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml b/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml index 4cf12df6c..314b3d8bb 100644 --- a/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml +++ b/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml 
@@ -1,13 +1,16 @@ title: Suspicious Word Cab File Write CVE-2021-40444 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5 -description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 status: experimental +description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 references: - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20 - https://twitter.com/vanitasnk/status/1437329511142420483?s=21 author: Florian Roth, Sittikorn S date: 2021/09/10 modified: 2022/06/17 +tags: + - attack.resource_development + - attack.t1587 logsource: product: windows category: file_event @@ -31,6 +34,3 @@ fields: falsepositives: - Unknown level: high -tags: - - attack.resource_development - - attack.t1587 diff --git a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml index 4265bccba..a3bc9e875 100755 --- a/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml +++ b/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml 
@@ -2,21 +2,21 @@ title: WMI Persistence - Script Event Consumer File Write id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4 status: test description: Detects file writes of WMI script event consumer -author: Thomas Patzke references: - - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ +author: Thomas Patzke date: 2018/03/07 modified: 2021/11/27 -logsource: - product: windows - category: file_event -detection: - selection: - Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' - condition: selection -falsepositives: - - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe) -level: high tags: - - attack.t1546.003 - - attack.persistence + - attack.t1546.003 + - attack.persistence +logsource: + product: windows + category: file_event +detection: + selection: + Image: 'C:\WINDOWS\system32\wbem\scrcons.exe' + condition: selection +falsepositives: + - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe) +level: high diff --git a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml index daa4a4a85..1fdcb431b 100644 --- a/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml +++ b/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml @@ -2,10 +2,10 @@ title: Wmiexec Default Output File id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb status: experimental description: Detects the creation of the default output filename used by the wmicexec tool -author: Nasreddine Bencherchali -date: 2022/06/02 references: - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/ +author: Nasreddine Bencherchali +date: 2022/06/02 tags: - attack.lateral_movement - attack.t1047 
diff --git a/rules/windows/file/file_event/file_event_win_word_template_creation.yml b/rules/windows/file/file_event/file_event_win_word_template_creation.yml index a94a226da..10fa79b03 100644 --- a/rules/windows/file/file_event/file_event_win_word_template_creation.yml +++ b/rules/windows/file/file_event/file_event_win_word_template_creation.yml @@ -2,39 +2,39 @@ title: Office Template Creation id: 0e20c89d-2264-44ae-8238-aeeaba609ece status: experimental description: Detects creation of template files for Microsoft Office from outside Office +references: + - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies author: Max Altgelt date: 2022/06/02 -references: - - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies tags: - - attack.persistence - - attack.t1137 + - attack.persistence + - attack.t1137 logsource: - category: file_event - product: windows + category: file_event + product: windows detection: - selection_word: - TargetFilename|endswith: - - .dot - - .dotm - - .doc - - .docm - - .docx - - .rtf - TargetFilename|contains: '\Microsoft\Word\Startup' - selection_excel: - TargetFilename|endswith: - - .xlt - - .xltm - - .xls - - .xlsm - - .xlsx - TargetFilename|contains: '\Microsoft\Excel\Startup' - filter_office: - Image|endswith: - - \WINWORD.exe - - \EXCEL.exe - condition: 1 of selection* and not filter_office + selection_word: + TargetFilename|endswith: + - .dot + - .dotm + - .doc + - .docm + - .docx + - .rtf + TargetFilename|contains: '\Microsoft\Word\Startup' + selection_excel: + TargetFilename|endswith: + - .xlt + - .xltm + - .xls + - .xlsm + - .xlsx + TargetFilename|contains: '\Microsoft\Excel\Startup' + filter_office: + Image|endswith: + - \WINWORD.exe + - \EXCEL.exe + condition: 1 of selection* and not filter_office falsepositives: - Loading a user environment from a backup or a domain controller - Synchronization of templates 
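Review bot: The re-indented `selection_word`, `selection_excel` and `filter_office` values are plain scalars (`- .dot`, `- \WINWORD.exe`), while every other rule in this series quotes such values (`- '.dot'`, `- '\WINWORD.exe'`); they parse as strings today, but quoting matches the repository convention and protects against a future entry that happens to start with a YAML indicator. The `logsource` block also lists `category` before `product`, the reverse of the order the neighbouring rules in this commit use, which this "Order yaml field" change could harmonise. The `title:` line sits just above the hunk.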
diff --git a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml index d8e44ab95..1ae74c2cf 100644 --- a/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml @@ -2,11 +2,11 @@ title: UEFI Persistence Via Wpbbin - FileCreation id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f status: experimental description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method -author: Nasreddine Bencherchali -date: 2022/07/18 references: - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c - https://persistence-info.github.io/Data/wpbbin.html +author: Nasreddine Bencherchali +date: 2022/07/18 tags: - attack.persistence - attack.defense_evasion diff --git a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml index 70d5d569f..9e1ef1673 100644 --- a/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml +++ b/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml @@ -4,11 +4,14 @@ status: experimental description: | Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks. -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share +author: frack113 date: 2022/01/01 modified: 2022/08/13 +tags: + - attack.lateral_movement + - attack.t1546.002 logsource: product: windows category: file_event 
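Review bot: In the writing-local-admin-share hunk, the relocated tag `attack.t1546.002` denotes Event Triggered Execution: Screensaver, whereas the rule's description (interacting with a remote share over SMB) and its only reference, the T1021.002 atomic test, point to `attack.t1021.002` (Remote Services: SMB/Windows Admin Shares); the tag looks like a transposition and should probably read `- attack.t1021.002`. The context line of the description also has a typo, `Aversaries may use to interact with a remote network share`, which could become `Adversaries may interact with a remote network share using Server Message Block (SMB).`. The `title:` and `id:` lines sit above the hunk and the detection block below it.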
@@ -21,6 +24,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.lateral_movement - - attack.t1546.002 diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml index f00cc7c3c..3ca0d7b34 100644 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml @@ -11,7 +11,7 @@ modified: 2022/10/15 logsource: product: windows category: file_rename - definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source + definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source detection: to_dll: TargetFilename|endswith: '.dll' diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index 1d395bda8..92d986cdd 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: file_rename - definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source + definition: Use the WinEventLog:Microsoft-Windows-Kernel-File/KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH ETW source detection: selection: OriginalFilename|endswith: From 940f89d43dbac5b7108610a5bde47cda0d2a643b Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 26 Oct 2022 06:16:55 +0200 Subject: [PATCH 12/14] Order yaml field --- ...egistry_add_amsi_providers_persistence.yml | 6 +- ...gon_scripts_userinitmprlogonscript_reg.yml | 10 +- .../registry_add/registry_add_mal_netwire.yml | 17 ++- .../registry_add_persistence_key_linking.yml | 6 +- ...add_renamed_sysinternals_eula_accepted.yml | 8 +- ...ry_add_susp_sysinternals_eula_accepted.yml | 8 +- ...egistry_add_sysinternals_eula_accepted.yml | 8 +- ...add_sysinternals_sdelete_registry_keys.yml | 14 +-- ..._cleanup_handler_new_entry_persistence.yml | 16 +-- ...delete_exploit_guard_protected_folders.yml | 12 +-- .../registry_delete_mstsc_history_cleared.yml | 8 +- ...istry_delete_removal_amsi_registry_key.yml | 14 +-- ...ete_removal_com_hijacking_registry_key.yml | 3 +- ...emoval_index_value_scheduled_task_hide.yml | 12 +-- ...e_removal_sd_value_scheduled_task_hide.yml | 12 +-- .../registry_event_add_local_hidden_user.yml | 8 +- .../registry_event_apt_pandemic.yml | 6 +- .../registry_event_bypass_via_wsreset.yml | 42 ++++---- ...stry_event_cmstp_execution_by_registry.yml | 30 +++--- ...y_events_logging_adding_reg_key_minint.yml | 48 ++++----- ...event_disable_wdigest_credential_guard.yml | 33 +++--- ...entutl_volume_shadow_copy_service_keys.yml | 8 +- .../registry_event_hack_wce_reg.yml | 30 +++--- ...t_hybridconnectionmgr_svc_installation.yml | 10 +- .../registry_event_mal_azorult.yml | 44 ++++---- ...y_event_modify_screensaver_binary_path.yml | 10 +- ...ry_event_narrator_feedback_persistance.yml | 36 +++---- ..._dll_added_to_appcertdlls_registry_key.yml | 50 ++++----- ...dll_added_to_appinit_dlls_registry_key.yml | 23 ++-- ...registry_event_persistence_recycle_bin.yml | 8 +- .../registry_event_redmimicry_winnti_reg.yml | 28 ++--- .../registry_event_runkey_winekey.yml | 38 +++---- .../registry_event_runonce_persistence.yml | 8 +- ...try_event_shell_open_keys_manipulation.yml | 12 +-- 
...registry_event_silentprocessexit_lsass.yml | 4 +- .../registry_event_ssp_added_lsa_config.yml | 8 +- ...registry_event_stickykey_like_backdoor.yml | 15 ++- .../registry_event_susp_atbroker_change.yml | 4 +- .../registry_event_susp_download_run_key.yml | 36 +++---- .../registry_event_susp_lsass_dll_load.yml | 46 ++++---- ...gistry_event_trust_record_modification.yml | 30 +++--- ...sing_windows_telemetry_for_persistence.yml | 27 ++--- .../registry_set_add_hidden_user.yml | 12 +-- ...stry_set_add_load_service_in_safe_mode.yml | 14 +-- .../registry_set_add_port_monitor.yml | 12 +-- .../registry_set_aedebug_persistence.yml | 10 +- ...et_allow_rdp_remote_assistance_feature.yml | 12 +-- ...set_asep_reg_keys_modification_classes.yml | 8 +- ..._set_asep_reg_keys_modification_common.yml | 8 +- ...eg_keys_modification_currentcontrolset.yml | 8 +- ...eg_keys_modification_currentversion_nt.yml | 8 +- ...eg_keys_modification_internet_explorer.yml | 8 +- ..._set_asep_reg_keys_modification_office.yml | 12 +-- ..._reg_keys_modification_session_manager.yml | 10 +- ...p_reg_keys_modification_system_scripts.yml | 8 +- ...et_asep_reg_keys_modification_winsock2.yml | 8 +- ...asep_reg_keys_modification_wow6432node.yml | 8 +- ..._keys_modification_wow6432node_classes.yml | 8 +- ...odification_wow6432node_currentversion.yml | 8 +- .../registry_set_blackbyte_ransomware.yml | 18 ++-- ...y_set_bypass_uac_using_delegateexecute.yml | 16 +-- ...istry_set_bypass_uac_using_eventviewer.yml | 14 +-- ...et_bypass_uac_using_silentcleanup_task.yml | 16 +-- .../registry_set_change_rdp_port.yml | 12 +-- .../registry_set_change_security_zones.yml | 14 +-- ...stry_set_change_sysmon_driver_altitude.yml | 14 +-- ...gistry_set_change_winevt_channelaccess.yml | 16 +-- .../registry_set_chm_persistence.yml | 10 +- .../registry_set_chrome_extension.yml | 12 +-- ...stry_set_cobaltstrike_service_installs.yml | 27 ++--- .../registry_set_comhijack_sdclt.yml | 34 +++--- .../registry_set_crashdump_disabled.yml | 10 
+- ...istry_set_creation_service_susp_folder.yml | 12 +-- ...y_set_creation_service_uncommon_folder.yml | 14 +-- ...file_open_handler_powershell_execution.yml | 12 +-- ...try_set_cve_2020_1048_new_printer_port.yml | 46 ++++---- ...cve_2021_31979_cve_2021_33771_exploits.yml | 8 +- ...try_set_dbgmanageddebugger_persistence.yml | 12 +-- .../registry_set_defender_exclusions.yml | 14 +-- .../registry_set_dhcp_calloutdll.yml | 40 +++---- ...istry_set_disable_administrative_share.yml | 12 +-- ...gistry_set_disable_autologger_sessions.yml | 6 +- ...registry_set_disable_defender_firewall.yml | 12 +-- .../registry_set_disable_function_user.yml | 6 +- ...ble_microsoft_office_security_features.yml | 14 +-- ...et_disable_privacy_settings_experience.yml | 6 +- ..._disable_security_center_notifications.yml | 12 +-- .../registry_set_disable_system_restore.yml | 12 +-- .../registry_set_disable_uac_registry.yml | 14 +-- ...y_set_disable_windows_defender_service.yml | 12 +-- .../registry_set_disable_windows_firewall.yml | 12 +-- .../registry_set_disable_winevt_logging.yml | 14 +-- ...it_guard_net_protection_on_ms_defender.yml | 14 +-- ...t_disabled_microsoft_defender_eventlog.yml | 12 +-- ...d_pua_protection_on_microsoft_defender.yml | 14 +-- ...amper_protection_on_microsoft_defender.yml | 14 +-- .../registry_set_disallowrun_execution.yml | 12 +-- ...sk_cleanup_handler_autorun_persistence.yml | 18 ++-- .../registry_set_dns_over_https_enabled.yml | 21 ++-- .../registry_set_dns_serverlevelplugindll.yml | 5 +- ...et_enabling_cor_profiler_env_variables.yml | 38 +++---- .../registry_set_enabling_turnoffcheck.yml | 14 +-- .../registry_set_etw_disabled.yml | 48 ++++----- ...ry_set_exploit_guard_susp_allowed_apps.yml | 12 +-- .../registry_set_fax_change_service_user.yml | 6 +- .../registry_set_fax_dll_persistance.yml | 6 +- .../registry_set_file_association_exefile.yml | 10 +- .../registry_set_globalflags_persistence.yml | 14 +-- ...egistry_set_hangs_debugger_persistence.yml | 10 +- 
.../registry_set_hhctrl_persistence.yml | 10 +- .../registry_set_hidden_extention.yml | 14 +-- .../registry_set/registry_set_hide_file.yml | 12 +-- .../registry_set_hide_function_user.yml | 6 +- ...t_hide_scheduled_task_via_index_tamper.yml | 14 +-- .../registry_set_ie_persistence.yml | 14 +-- .../registry_set_ifilter_persistence.yml | 10 +- ...stry_set_install_root_or_ca_certificat.yml | 14 +-- ...y_set_lolbin_onedrivestandaloneupdater.yml | 36 +++---- ...registry_set_lsa_extension_persistence.yml | 10 +- .../registry_set/registry_set_mal_adwind.yml | 8 +- .../registry_set_mal_blue_mockingbird.yml | 28 ++--- .../registry_set_mpnotify_persistence.yml | 11 +- ...registry_set_new_application_appcompat.yml | 36 +++---- .../registry_set_new_network_provider.yml | 14 +-- .../registry_set_office_enable_dde.yml | 14 +-- .../registry_set_office_security.yml | 12 +-- .../registry_set_office_vsto_persistence.yml | 18 ++-- .../registry_set_outlook_c2_registry_key.yml | 14 +-- ...egistry_set_outlook_registry_todaypage.yml | 58 +++++----- .../registry_set_outlook_registry_webview.yml | 50 ++++----- .../registry_set_outlook_security.yml | 14 +-- ...registry_set_persistence_appx_debugger.yml | 10 +- .../registry_set_persistence_autodial_dll.yml | 10 +- ...rsistence_com_hijacking_susp_locations.yml | 6 +- .../registry_set_persistence_mycomputer.yml | 10 +- .../registry_set_persistence_search_order.yml | 6 +- .../registry_set_persistence_typed_paths.yml | 10 +- ...istry_set_policies_associations_tamper.yml | 6 +- ...gistry_set_policies_attachments_tamper.yml | 6 +- .../registry_set_powershell_as_service.yml | 12 +-- .../registry_set_powershell_in_run_keys.yml | 6 +- ...gistry_set_powershell_logging_disabled.yml | 12 +-- ...y_set_register_custom_protocol_handler.yml | 6 +- ...set_renamed_sysinternals_eula_accepted.yml | 8 +- ...stry_set_scr_file_executed_by_rundll32.yml | 20 ++-- .../registry_set_scrobj_dll_persistence.yml | 12 +-- .../registry_set_servicedll_hijack.yml | 16 +-- 
.../registry_set_set_nopolicies_user.yml | 6 +- ...egistry_set_shim_databases_persistence.yml | 14 +-- .../registry_set_silentprocessexit.yml | 10 +- .../registry_set_sip_persistence.yml | 16 +-- .../registry_set_sophos_av_tamaper.yml | 12 +-- .../registry_set_special_accounts.yml | 12 +-- ...ry_set_suppress_defender_notifications.yml | 12 +-- ...egistry_set_susp_app_paths_persistence.yml | 10 +- ...registry_set_susp_keyboard_layout_load.yml | 46 ++++---- .../registry_set_susp_printer_driver.yml | 50 ++++----- ...stry_set_susp_reg_persist_explorer_run.yml | 56 +++++----- .../registry_set_susp_run_key_img_folder.yml | 6 +- .../registry_set_susp_service_installed.yml | 54 +++++----- .../registry_set_susp_user_shell_folders.yml | 14 +-- .../registry_set_taskcache_entry.yml | 100 +++++++++--------- .../registry_set_telemetry_persistence.yml | 46 ++++---- ...egistry_set_terminal_server_suspicious.yml | 10 +- ...registry_set_terminal_server_tampering.yml | 10 +- .../registry_set_timeproviders_dllname.yml | 16 +-- .../registry_set_treatas_persistence.yml | 12 +-- .../registry_set_uac_bypass_eventvwr.yml | 10 +- .../registry_set_uac_bypass_sdclt.yml | 14 +-- .../registry_set_uac_bypass_winsat.yml | 14 +-- .../registry_set_uac_bypass_wmp.yml | 14 +-- .../registry_set_vbs_payload_stored.yml | 18 ++-- .../registry_set_wab_dllpath_reg_change.yml | 10 +- ..._set_wdigest_enable_uselogoncredential.yml | 16 +-- .../registry_set_windows_defender_tamper.yml | 12 +-- ...set_winlogon_allow_multiple_tssessions.yml | 13 ++- .../registry_set_winlogon_notify_key.yml | 12 +-- ...sitry_set_natural_language_persistence.yml | 10 +- 178 files changed, 1489 insertions(+), 1468 deletions(-) diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml index 44e62d088..20c31d6f8 100644 --- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml 
+++ b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml @@ -2,11 +2,13 @@ title: Persistence Via New AMSI Providers id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705 status: experimental description: Detects when an attacker registers a new AMSI provider in order to achieve persistence -author: Nasreddine Bencherchali references: - https://persistence-info.github.io/Data/amsi.html - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c +author: Nasreddine Bencherchali date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_add product: windows @@ -22,5 +24,3 @@ detection: falsepositives: - Legitimate security products adding their own AMSI providers level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml index 2d2669d26..5d914dce6 100644 --- a/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml @@ -2,12 +2,16 @@ title: Logon Scripts Creation in UserInitMprLogonScript Registry id: 9ace0707-b560-49b8-b6ca-5148b42f39fb status: test description: Detects creation of UserInitMprLogonScript persistence method -author: Tom Ueltschi (@c_APT_ure) references: - https://attack.mitre.org/techniques/T1037/ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md +author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 modified: 2022/06/26 +tags: + - attack.t1037.001 + - attack.persistence + - attack.lateral_movement logsource: category: registry_add product: windows 
@@ -19,7 +23,3 @@ detection: falsepositives: - Exclude legitimate logon scripts level: high -tags: - - attack.t1037.001 - - attack.persistence - - attack.lateral_movement diff --git a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml b/rules/windows/registry/registry_add/registry_add_mal_netwire.yml index 94dfc6975..62e50e652 100644 --- a/rules/windows/registry/registry_add/registry_add_mal_netwire.yml +++ b/rules/windows/registry/registry_add/registry_add_mal_netwire.yml @@ -1,21 +1,19 @@ title: NetWire RAT Registry Key id: 1d218616-71b0-4c40-855b-9dbe75510f7f -description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire -Note: You likely will have to change the sysmon configuration file. - Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, - or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" - Therefore I set netwire in my configuration. status: experimental +description: Attempts to detect registry events for common NetWire key HKCU\Software\NetWire references: - https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing - https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/ - https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/ - https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ +author: Christopher Peacock date: 2021/10/07 modified: 2022/06/26 -author: Christopher Peacock -level: high +tags: + - attack.defense_evasion + - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary logsource: product: windows category: registry_add 
@@ -26,6 +24,5 @@ detection: condition: selection falsepositives: - Unknown -tags: - - attack.defense_evasion - - attack.t1112 #The configuration information is usually stored under HKCU:\Software\Netwire - RedCanary \ No newline at end of file +level: high +Note: You likely will have to change the sysmon configuration file. Per SwiftOnSecurity "Because Sysmon runs as a service, it has no filtering ability for, or concept of, HKCU or HKEY_CURRENT_USER. Use "contains" or "end with" to get around this limitation" Therefore I set netwire in my configuration. diff --git a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml index a6e6506f3..18fe8717e 100755 --- a/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml +++ b/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml @@ -7,6 +7,9 @@ references: author: Kutepov Anton, oscd.community date: 2019/10/23 modified: 2022/09/29 +tags: + - attack.persistence + - attack.t1546.015 logsource: category: registry_add product: windows @@ -25,6 +28,3 @@ detection: falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compatibility level: medium -tags: - - attack.persistence - - attack.t1546.015 \ No newline at end of file diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml index 217a21292..0bf48f7de 100644 --- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml 
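Review bot: The added `Note:` line in the NetWire hunk introduces a top-level key that is not part of the Sigma rule schema, so rule validators and converters may warn on or silently drop it; the content reads as author guidance about Sysmon configuration and belongs either in `description` or in a `#` comment above `logsource`, e.g. `# NOTE: Sysmon cannot filter on HKCU/HKEY_CURRENT_USER directly; use "contains"/"end with" in the Sysmon config to capture this key`. The value is also a plain scalar containing embedded double quotes, which parses but would be clearer as a quoted or `>-` folded string if the field is kept. The rest of the rule (title through detection) is in the preceding hunk.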
@@ -9,8 +9,11 @@ status: experimental description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools references: - Internal Research -date: 2022/08/24 author: Nasreddine Bencherchali +date: 2022/08/24 +tags: + - attack.resource_development + - attack.t1588.002 logsource: product: windows category: registry_add @@ -49,6 +52,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.resource_development - - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml index e1f5fddaa..e441962d1 100644 --- a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml @@ -7,8 +7,11 @@ status: experimental description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry references: - https://twitter.com/Moti_B/status/1008587936735035392 -date: 2022/08/24 author: Nasreddine Bencherchali +date: 2022/08/24 +tags: + - attack.resource_development + - attack.t1588.002 logsource: product: windows category: registry_add @@ -30,6 +33,3 @@ detection: falsepositives: - Legitimate use of SysInternals tools level: medium -tags: - - attack.resource_development - - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index ce209be72..06cd58376 100755 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml 
@@ -4,9 +4,12 @@ status: experimental description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry references: - https://twitter.com/Moti_B/status/1008587936735035392 +author: Markus Neis date: 2017/08/28 modified: 2022/06/26 -author: Markus Neis +tags: + - attack.resource_development + - attack.t1588.002 logsource: product: windows category: registry_add @@ -19,6 +22,3 @@ falsepositives: - Legitimate use of SysInternals tools - Programs that use the same Registry Key level: low -tags: - - attack.resource_development - - attack.t1588.002 \ No newline at end of file diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml index 7d197391c..8e31f3caf 100644 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml 
@@ -1,13 +1,16 @@ title: Sysinternals SDelete Registry Keys id: 9841b233-8df8-4ad7-9133-b0b4402a9014 -description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental -date: 2020/05/02 -modified: 2022/06/26 -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. references: - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +modified: 2022/06/26 +tags: + - attack.defense_evasion + - attack.t1070.004 logsource: product: windows category: registry_add @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1070.004 \ No newline at end of file diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml index b7c5e2eeb..82894f1c9 100644 --- a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml +++ b/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml 
@@ -1,14 +1,20 @@ title: Persistence Via Disk Cleanup Handler - NewEntry id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a +status: experimental description: | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. - The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. -author: Nasreddine Bencherchali -date: 2022/07/21 -status: experimental + The disk cleanup manager is part of the operating system. It displays the dialog box […] + The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. + Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. + Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. + Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. references: - https://persistence-info.github.io/Data/diskcleanuphandler.html - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: product: windows category: registry_add 
@@ -55,5 +61,3 @@ detection: falsepositives: - Legitimate new entry added by windows level: medium -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml index 8380c295f..aee728d58 100644 --- a/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml +++ b/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml @@ -1,11 +1,14 @@ title: Removal Of Folder From ProtectedFolders In Exploit Guard id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40 -description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process status: experimental -date: 2022/08/05 -author: Nasreddine Bencherchali +description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ +author: Nasreddine Bencherchali +date: 2022/08/05 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: category: registry_delete product: windows @@ -17,6 +20,3 @@ detection: falsepositives: - Legitimate administrators removing applications (should always be monitored) level: high -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml index 56b9aa375..5ebbcf43b 100644 --- a/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml +++ b/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml 
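Review bot: The re-added `description:` line in registry_delete_exploit_guard_protected_folders.yml keeps the doubled word in `list of of exploit guard`, and the sentence fragment that follows it ("Which could indicate ...") does not stand on its own. Suggest `description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard, which could indicate an attacker preparing to launch an encryption process`. The tag relocation itself matches the field order used by the other hunks in this commit.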
@@ -1,17 +1,17 @@ title: Terminal Server Client Connection History Cleared id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d +status: experimental description: Detects the deletion of registry keys containing the MSTSC connection history references: - https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer - http://woshub.com/how-to-clear-rdp-connections-history/ +author: Christian Burkard +date: 2021/10/19 +modified: 2022/03/26 tags: - attack.defense_evasion - attack.t1070 - attack.t1112 -author: Christian Burkard -status: experimental -date: 2021/10/19 -modified: 2022/03/26 logsource: category: registry_delete product: windows diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml index aad5fc1ed..e2225c984 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml @@ -1,13 +1,16 @@ title: Removal Of Amsi Provider Reg Key id: 41d1058a-aea7-4952-9293-29eaaf516465 -description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection status: experimental -date: 2021/06/07 -modified: 2022/03/26 -author: frack113 +description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://seclists.org/fulldisclosure/2020/Mar/45 +author: frack113 +date: 2021/06/07 +modified: 2022/03/26 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows category: registry_delete @@ -22,6 +25,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.defense_evasion - - attack.t1562.001 
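Review bot: The moved `description:` line in registry_delete_removal_amsi_registry_key.yml reads as an instruction (`Remove the AMSI Provider registry key ...`) rather than as a statement of what the rule detects, which is inconsistent with the `Detects ...` wording every other rule in this changeset uses. Suggest `description: Detects the removal of the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI, which is used to disable AMSI inspection`. The same pattern appears in the registry_delete_removal_sd_value_scheduled_task_hide.yml hunk further down (`Remove SD (Security Descriptor) value ...`), where `Detects the removal of the SD (Security Descriptor) value ...` would be the matching fix.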
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index f716aa97c..f2b6f5703 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml @@ -2,13 +2,13 @@ title: Removal of Potential COM Hijacking Registry Keys id: 96f697b0-b499-4e5d-9908-a67bec11cdb6 status: test description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities. -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html - https://docs.microsoft.com/en-us/windows/win32/shell/launch - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 modified: 2022/10/20 tags: @@ -55,4 +55,3 @@ detection: falsepositives: - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered level: medium - diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml index 32e9770c7..486c1ae92 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml 
@@ -5,12 +5,15 @@ related: type: similar - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61 type: similar -description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" status: experimental -date: 2022/08/26 -author: Nasreddine Bencherchali +description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query" references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments +author: Nasreddine Bencherchali +date: 2022/08/26 +tags: + - attack.defense_evasion + - attack.t1562 logsource: product: windows category: registry_delete @@ -24,6 +27,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1562 diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml b/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml index cae8fa327..a0cdb326d 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml 
@@ -5,12 +5,15 @@ related: type: similar - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar -description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware status: experimental -date: 2022/04/15 -author: Sittikorn S +description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware references: - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ +author: Sittikorn S +date: 2022/04/15 +tags: + - attack.defense_evasion + - attack.t1562 logsource: product: windows category: registry_delete @@ -25,6 +28,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1562 diff --git a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml index a88ce15cf..72bd1813c 100644 --- a/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml +++ b/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml @@ -1,15 +1,15 @@ title: Creation of a Local Hidden User Account by Registry id: 460479f3-80b7-42da-9c43-2cc1d54dbccd -description: Sysmon registry detection of a local hidden user account. status: experimental +description: Sysmon registry detection of a local hidden user account. +references: + - https://twitter.com/SBousseaden/status/1387530414185664538 +author: Christian Burkard date: 2021/05/03 modified: 2022/08/05 -author: Christian Burkard tags: - attack.persistence - attack.t1136.001 -references: - - https://twitter.com/SBousseaden/status/1387530414185664538 logsource: product: windows category: registry_event 
diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml index 51ec57316..ab3b5c255 100755 --- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml +++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml @@ -18,9 +18,6 @@ detection: selection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: selection -falsepositives: - - Unknown -level: critical fields: - EventID - CommandLine @@ -28,3 +25,6 @@ fields: - Image - User - TargetObject +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml index 39233ad58..b53df547a 100644 --- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml +++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml 
@@ -2,28 +2,28 @@ title: UAC Bypass Via Wsreset id: 6ea3bf32-9680-422d-9f50-e90716b12a66 status: test description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. -author: oscd.community, Dmitry Uchakin references: - - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly - - https://lolbas-project.github.io/lolbas/Binaries/Wsreset + - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly + - https://lolbas-project.github.io/lolbas/Binaries/Wsreset +author: oscd.community, Dmitry Uchakin date: 2020/10/07 modified: 2021/11/27 -logsource: - category: registry_event - product: windows -detection: - selection: - TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' - condition: selection -fields: - - ComputerName - - Image - - EventType - - TargetObject -falsepositives: - - Unknown -level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' + condition: selection +fields: + - ComputerName + - Image + - EventType + - TargetObject +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml index 782a2365c..74ce8d30a 100755 --- a/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml +++ b/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml 
@@ -2,18 +2,17 @@ title: CMSTP Execution Registry Event id: b6d235fc-1d38-4b12-adbe-325f06728f37 status: stable description: Detects various indicators of Microsoft Connection Manager Profile Installer execution +references: + - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ author: Nik Seetharaman date: 2018/07/16 modified: 2020/12/23 -references: - - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ -fields: - - CommandLine - - ParentCommandLine - - Details -falsepositives: - - Legitimate CMSTP use (unlikely in modern enterprise environments) -level: high +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.003 + - attack.g0069 + - car.2019-04-001 logsource: category: registry_event product: windows @@ -21,9 +20,10 @@ detection: selection: TargetObject|contains: '\cmmgr32.exe' condition: selection -tags: - - attack.defense_evasion - - attack.execution - - attack.t1218.003 - - attack.g0069 - - car.2019-04-001 \ No newline at end of file +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate CMSTP use (unlikely in modern enterprise environments) +level: high diff --git a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml index 8adfe4acc..daf5c3715 100755 --- a/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml 
@@ -2,31 +2,31 @@ title: Disable Security Events Logging Adding Reg Key MiniNt id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044 status: test description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. -author: Ilyas Ochkov, oscd.community references: - - https://twitter.com/0gtweet/status/1182516740955226112 + - https://twitter.com/0gtweet/status/1182516740955226112 +author: Ilyas Ochkov, oscd.community date: 2019/10/25 modified: 2021/11/27 -logsource: - category: registry_event - product: windows -detection: - selection: - # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one - - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' - EventType: 'CreateKey' # we don't want deletekey - # key rename - - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' - condition: selection -fields: - - EventID - - Image - - TargetObject - - NewName -falsepositives: - - Unknown -level: high tags: - - attack.defense_evasion - - attack.t1562.001 - - attack.t1112 + - attack.defense_evasion + - attack.t1562.001 + - attack.t1112 +logsource: + category: registry_event + product: windows +detection: + selection: + # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one + - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' + EventType: 'CreateKey' # we don't want deletekey + # key rename + - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt' + condition: selection +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml index eded7cdd9..4414184fd 100644 --- a/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml 
+++ b/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml @@ -1,22 +1,25 @@ title: Wdigest CredGuard Registry Modification id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd status: test -description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials. -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +description: | + Detects potential malicious modification of the property value of IsCredGuardEnabled from + HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. + This is usually used with UseLogonCredential to manipulate the caching credentials. references: - - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ + - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/08/25 modified: 2021/11/27 -logsource: - category: registry_event - product: windows -detection: - selection: - TargetObject|endswith: '\IsCredGuardEnabled' - condition: selection -falsepositives: - - Unknown -level: high tags: - - attack.defense_evasion - - attack.t1112 + - attack.defense_evasion + - attack.t1112 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: '\IsCredGuardEnabled' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml index a83c14a01..b272bc6a5 100644 --- a/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml 
+++ b/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml @@ -1,15 +1,15 @@ title: Esentutl Volume Shadow Copy Service Keys id: 5aad0995-46ab-41bd-a9ff-724f41114971 -description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. status: experimental +description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/20 modified: 2021/12/08 -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access - attack.t1003.002 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy logsource: category: registry_event product: windows diff --git a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml index 884564b3e..625d0cf95 100755 --- a/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml +++ b/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml 
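Review bot: The re-added `description:` line in registry_event_esentutl_volume_shadow_copy_service_keys.yml is a plain (unquoted) scalar, so YAML performs no escape processing and the doubled backslashes in `HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume` are shown literally to whoever reads the rule. Single backslashes are sufficient here, as the `TargetObject` values in the other registry hunks of this commit show; suggest `description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.`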
@@ -2,22 +2,22 @@ title: Windows Credential Editor Registry id: a6b33c02-8305-488f-8585-03cb2a7763f2 status: test description: Detects the use of Windows Credential Editor (WCE) -author: Florian Roth references: - - https://www.ampliasecurity.com/research/windows-credentials-editor/ + - https://www.ampliasecurity.com/research/windows-credentials-editor/ +author: Florian Roth date: 2019/12/31 modified: 2021/11/27 -logsource: - category: registry_event - product: windows -detection: - selection: - TargetObject|contains: Services\WCESERVICE\Start - condition: selection -falsepositives: - - Unknown -level: critical tags: - - attack.credential_access - - attack.t1003.001 - - attack.s0005 + - attack.credential_access + - attack.t1003.001 + - attack.s0005 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|contains: Services\WCESERVICE\Start + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml index 3dbb8e686..a8cbe4848 100644 --- a/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml 
@@ -1,15 +1,15 @@ title: HybridConnectionManager Service Installation id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 -description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. status: experimental +description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. +references: + - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2021/04/12 modified: 2022/01/13 -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.resource_development - attack.t1608 -references: - - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 logsource: category: registry_event product: windows @@ -17,7 +17,7 @@ detection: selection1: TargetObject|contains: '\Services\HybridConnectionManager' selection2: - EventType: SetValue + EventType: SetValue Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe' condition: selection1 or selection2 falsepositives: diff --git a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml index 6762965f6..b20358d36 100644 --- a/rules/windows/registry/registry_event/registry_event_mal_azorult.yml +++ b/rules/windows/registry/registry_event/registry_event_mal_azorult.yml 
@@ -2,29 +2,29 @@ title: Registry Entries For Azorult Malware id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 status: test description: Detects the presence of a registry key created during Azorult execution -author: Trent Liffick references: - - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a + - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a +author: Trent Liffick date: 2020/05/08 modified: 2021/11/27 -logsource: - product: windows - category: registry_event -detection: - selection: - EventID: - - 12 - - 13 - TargetObject|contains: 'SYSTEM\' - TargetObject|endswith: '\services\localNETService' - condition: selection -fields: - - Image - - TargetObject - - TargetDetails -falsepositives: - - Unknown -level: critical tags: - - attack.execution - - attack.t1112 + - attack.execution + - attack.t1112 +logsource: + product: windows + category: registry_event +detection: + selection: + EventID: + - 12 + - 13 + TargetObject|contains: 'SYSTEM\' + TargetObject|endswith: '\services\localNETService' + condition: selection +fields: + - Image + - TargetObject + - TargetDetails +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml index 336978e71..06320c02f 100644 --- a/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml +++ b/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml 
@@ -2,12 +2,16 @@ title: Path To Screensaver Binary Modified id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 status: test description: Detects value modification of registry key containing path to binary used as screensaver. -author: Bartlomiej Czyz @bczyz1, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +author: Bartlomiej Czyz @bczyz1, oscd.community date: 2020/10/11 modified: 2021/11/27 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.002 logsource: category: registry_event product: windows @@ -22,7 +26,3 @@ detection: falsepositives: - Legitimate modification of screensaver level: medium -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.002 diff --git a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml index a630578fc..27264ac15 100755 --- a/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml +++ b/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml 
@@ -2,25 +2,25 @@ title: Narrator's Feedback-Hub Persistence id: f663a6d9-9d1b-49b8-b2b1-0637914d199a status: test description: Detects abusing Windows 10 Narrator's Feedback-Hub -author: Dmitriy Lifanov, oscd.community references: - - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html + - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html +author: Dmitriy Lifanov, oscd.community date: 2019/10/25 modified: 2022/03/26 -logsource: - category: registry_event - product: windows -detection: - selection1: - EventType: DeleteValue - TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' - selection2: - TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' - #add the payload in the (Default) - condition: 1 of selection* -falsepositives: - - Unknown -level: high tags: - - attack.persistence - - attack.t1547.001 + - attack.persistence + - attack.t1547.001 +logsource: + category: registry_event + product: windows +detection: + selection1: + EventType: DeleteValue + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' + selection2: + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' + #add the payload in the (Default) + condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml index 2e4d32e44..982ed0066 100755 --- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml 
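Review bot: The re-indented comment `#add the payload in the (Default)` in registry_event_narrator_feedback_persistance.yml has no space after `#`, which yamllint's `comments` rule flags, and it is the only comment in this changeset written that way (the MiniNt and AppCertDlls hunks use `# ...`). Since the line is being rewritten anyway, `# the (Default) value of the command key is what selection2 watches` keeps the style consistent and says why the second selection exists.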
@@ -1,31 +1,33 @@
 title: New DLL Added to AppCertDlls Registry Key
 id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
 status: test
-description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
-author: Ilyas Ochkov, oscd.community
+description: |
+ Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
+ by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
 references:
- - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
- - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+ - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+ - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
- # key rename
- - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
- condition: selection
-fields:
- - EventID
- - Image
- - TargetObject
- - NewName
-falsepositives:
- - Unknown
-level: medium
 tags:
- - attack.persistence
- - attack.t1546.009
+ - attack.persistence
+ - attack.t1546.009
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\..
if ControlSetXX is the selected one
+ - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
+ # key rename
+ - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
+ condition: selection
+fields:
+ - EventID
+ - Image
+ - TargetObject
+ - NewName
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
index 08baeb45e..ddbbfd7d8 100755
--- a/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml
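Review bot: The key-rename branch carried over on the new side, `+ - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'`, spells the hive path `CurentControlSet` with a single `r`; `NewName` has no modifier and is an exact match, so a rename onto the real `CurrentControlSet\...\AppCertDlls` path never matches and that half of `selection` is dead. Proposed line: `- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'`, which also makes it agree with the `TargetObject` entry two lines above. The typo predates this commit, but the move rewrites the line, so this is the natural place to correct it.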
@@ -1,27 +1,29 @@
 title: New DLL Added to AppInit_DLLs Registry Key
 id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
 status: experimental
-description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll
- into every process that loads user32.dll
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
 author: Ilyas Ochkov, oscd.community, Tim Shelton
 date: 2019/10/25
 modified: 2021/11/11
+tags:
+ - attack.persistence
+ - attack.t1546.010
 logsource:
 category: registry_event
 product: windows
 detection:
 selection:
- - TargetObject|endswith:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
 #key rename
- - NewName|endswith:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - NewName|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
 filter:
- Details: '(Empty)'
+ Details: '(Empty)'
 condition: selection and not filter
 fields:
 - EventID
@@ -31,6 +33,3 @@ fields:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.persistence
- - attack.t1546.010
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index 01591d068..c60319ecb 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -4,8 +4,11 @@ status: experimental
 description: Detects persistence registry keys for Recycle Bin
 references:
 - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
-date: 2021/11/18
 author: frack113
+date: 2021/11/18
+tags:
+ - attack.persistence
+ - attack.t1547
 logsource:
 category: registry_event
 product: windows
@@ -17,9 +20,6 @@ detection:
 EventType: SetValue
 TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
 condition: 1 of selection_*
-tags:
- - attack.persistence
- - attack.t1547
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
index 7e00f57ee..61dc1ff80 100644
--- a/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
+++ b/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml
@@ -2,21 +2,21 @@ title: RedMimicry Winnti Playbook Registry Manipulation
 id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
 status: test
 description: Detects actions caused by the RedMimicry Winnti playbook
-author: Alexander Rausch
 references:
- - https://redmimicry.com
+ - https://redmimicry.com
+author: Alexander Rausch
 date: 2020/06/24
 modified: 2021/11/27
-logsource:
- product: windows
- category: registry_event
-detection:
- selection:
- TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
- condition: selection
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
index 1e891ab5f..3a4efef7c 100644
--- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
+++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml
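Review bot: The moved line `+ TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data` leaves the registry path as a plain scalar, while every other registry path rewritten in this diff (the WINEKEY, Run-key and LSASS rules) is single-quoted. A plain scalar with backslashes parses as the intended string today, but the quoted form is the convention the surrounding rules follow and keeps a later edit that introduces `: ` or ` #` into the value from changing its parse: `TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\HTMLHelp\data'`.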
@@ -2,26 +2,26 @@ title: WINEKEY Registry Modification
 id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
 status: test
 description: Detects potential malicious modification of run keys by winekey or team9 backdoor
-author: omkar72
 references:
- - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: omkar72
 date: 2020/10/30
 modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
- condition: selection
-fields:
- - ComputerName
- - Image
- - EventType
- - TargetObject
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.persistence
- - attack.t1547
+ - attack.persistence
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
+ condition: selection
+fields:
+ - ComputerName
+ - Image
+ - EventType
+ - TargetObject
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index 1fc7bde2f..13736f4a1 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
@@ -2,12 +2,15 @@ title: Run Once Task Configuration in Registry
 id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
 status: test
 description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
-author: 'Avneet Singh @v3t0_, oscd.community'
 references:
 - https://twitter.com/pabraeken/status/990717080805789697
 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
+author: 'Avneet Singh @v3t0_, oscd.community'
 date: 2020/11/15
 modified: 2022/04/04
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 product: windows
 category: registry_event
@@ -27,6 +30,3 @@ detection:
 falsepositives:
 - Legitimate modification of the registry key by legitimate program
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
index cb73fa4c4..1986b53a0 100644
--- a/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
+++ b/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml
@@ -1,15 +1,15 @@
 title: Shell Open Registry Keys Manipulation
 id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
-description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
-author: Christian Burkard
-date: 2021/08/30
-modified: 2022/01/13
 status: experimental
+description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 references:
 - https://github.com/hfiref0x/UACME
 - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
 - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
 - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
+author: Christian Burkard
+date: 2021/08/30
+modified: 2022/01/13
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -20,14 +20,14 @@ logsource:
 product: windows
 detection:
 selection1:
- EventType: SetValue
+ EventType: SetValue
 TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
 Details|contains: '\Software\Classes\{'
 selection2:
 TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
 selection3:
 EventType: SetValue
- TargetObject|endswith:
+ TargetObject|endswith:
 - 'Classes\ms-settings\shell\open\command\(Default)'
 - 'Classes\exefile\shell\open\command\(Default)'
 filter_sel3:
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index b1a0279f3..6b5f69270 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -3,12 +3,12 @@ id: 55e29995-75e7-451a-bef0-6225e2f13597
 related:
 - id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a
 type: similar
-description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
 status: experimental
-author: Florian Roth
+description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
 references:
 - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+author: Florian Roth
 date: 2021/02/26
 modified: 2022/09/07
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index 021550b27..bfcc87c45 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -2,11 +2,14 @@ title: Security Support Provider (SSP) Added to LSA Configuration
 id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
 status: test
 description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
-author: iwillkeepwatch
 references:
 - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
+author: iwillkeepwatch
 date: 2019/01/18
 modified: 2022/08/09
+tags:
+ - attack.persistence
+ - attack.t1547.005
 logsource:
 category: registry_event
 product: windows
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Unlikely
 level: critical
-tags:
- - attack.persistence
- - attack.t1547.005
diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index 411041b6e..b06d3bffc 100755
--- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -1,14 +1,19 @@
 title: Sticky Key Like Backdoor Usage
 id: baca5663-583c-45f9-b5dc-ea96a22ce542
-description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login
- screen
 status: experimental
+description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
 modified: 2022/08/06
+tags:
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.008
+ - car.2014-11-003
+ - car.2014-11-008
 logsource:
 category: registry_event
 product: windows
@@ -27,9 +32,3 @@ detection:
 falsepositives:
 - Unlikely
 level: critical
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1546.008
- - car.2014-11-003
- - car.2014-11-008
\ No newline at end of file
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index f3cb1b87c..efb7e3aed 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -1,11 +1,11 @@
 title: Atbroker Registry Change
 id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
-description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
 status: experimental
-author: Mateusz Wydra, oscd.community
+description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
 references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
+author: Mateusz Wydra, oscd.community
 date: 2020/10/13
 modified: 2022/09/21
 tags:
diff --git a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
index 42eeaf985..f46485a59 100755
--- a/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml
@@ -2,25 +2,25 @@ title: Suspicious Run Key from Download
 id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 status: test
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
-author: Florian Roth
 references:
- - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+ - https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
+author: Florian Roth
 date: 2019/10/01
 modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- Image|contains:
- - '\Downloads\'
- - '\Temporary Internet Files\Content.Outlook\'
- - '\Local Settings\Temporary Internet Files\'
- TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
- condition: selection
-falsepositives:
- - Software installers downloaded and used by users
-level: high
 tags:
- - attack.persistence
- - attack.t1547.001
+ - attack.persistence
+ - attack.t1547.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
+ condition: selection
+falsepositives:
+ - Software installers downloaded and used by users
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
index a59066260..5d8f745cd 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml
@@ -2,30 +2,30 @@ title: DLL Load via LSASS
 id: b3503044-60ce-4bf4-bbcb-e3db98788823
 status: test
 description: Detects a method to load DLL via LSASS process using an undocumented Registry key
-author: Florian Roth
 references:
- - https://blog.xpnsec.com/exploring-mimikatz-part-1/
- - https://twitter.com/SBousseaden/status/1183745981189427200
+ - https://blog.xpnsec.com/exploring-mimikatz-part-1/
+ - https://twitter.com/SBousseaden/status/1183745981189427200
+author: Florian Roth
 date: 2019/10/16
 modified: 2022/04/21
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|contains:
- - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
- - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
- filter_domain_controller:
- Image: 'C:\Windows\system32\lsass.exe'
- Details:
- - '%%systemroot%%\system32\ntdsa.dll'
- - '%%systemroot%%\system32\lsadb.dll'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.execution
- - attack.persistence
- - attack.t1547.008
+ - attack.execution
+ - attack.persistence
+ - attack.t1547.008
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains:
+ - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
+ - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
+ filter_domain_controller:
+ Image: 'C:\Windows\system32\lsass.exe'
+ Details:
+ - '%%systemroot%%\system32\ntdsa.dll'
+ - '%%systemroot%%\system32\lsadb.dll'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml b/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml
index 1ab4d22be..d26fdce5f 100755
--- a/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml
+++ b/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml
@@ -2,22 +2,22 @@ title: Windows Registry Trust Record Modification
 id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
 status: test
 description: Alerts on trust record modification within the registry, indicating usage of macros
-author: Antonlovesdnb
 references:
- - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
- - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+ - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
+ - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+author: Antonlovesdnb
 date: 2020/02/19
 modified: 2021/11/27
-logsource:
- category: registry_event
- product: windows
-detection:
- selection:
- TargetObject|contains: 'TrustRecords'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: medium
 tags:
- - attack.initial_access
- - attack.t1566.001
+ - attack.initial_access
+ - attack.t1566.001
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'TrustRecords'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
index f6b74bfaa..a24c688bb 100644
--- a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -1,17 +1,20 @@ title: Abusing Windows Telemetry For Persistence id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 status: experimental -description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. +description: | + Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. + This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. + The problem is, it will run any arbitrary command without restriction of location or type. references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Sreeman date: 2020/09/29 modified: 2022/03/26 -fields: - - EventID - - CommandLine - - TargetObject - - Details +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 + - attack.t1053 logsource: product: windows category: registry_set @@ -19,7 +22,7 @@ detection: selection: EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - Details|endswith: + Details|endswith: - .sh - .exe - .dll @@ -34,11 +37,11 @@ detection: - .msi - .vbs condition: selection +fields: + - EventID + - CommandLine + - TargetObject + - Details falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1112 - - attack.t1053 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml b/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml index b496ddbc6..01cacc89f 100644 
--- a/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml
@@ -1,11 +1,14 @@
 title: User Account Hidden By Registry
 id: 8a58209c-7ae6-4027-afb0-307a78e4589a
-description: Detect modification for a specific user to prevent that user from being listed on the logon screen
 status: experimental
-date: 2022/08/20
-author: frack113
+description: Detect modification for a specific user to prevent that user from being listed on the logon screen
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
+author: frack113
+date: 2022/08/20
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
 logsource:
 product: windows
 category: registry_set
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.002
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
index fd07b7e81..461a84752 100644
--- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml
@@ -1,13 +1,16 @@
 title: Registry Persitence via Service in Safe Mode
 id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
-description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
-author: frack113
-date: 2022/04/04
-modified: 2022/06/26
 status: experimental
+description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
+author: frack113
+date: 2022/04/04
+modified: 2022/06/26
+tags:
+ - attack.defense_evasion
+ - attack.t1564.001
 logsource:
 category: registry_set
 product: windows
@@ -28,6 +31,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.001
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index 5b66ed84b..1c5ce69c8 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
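Review bot: The tags moved to the top of this rule keep `- attack.t1564.001` (Hide Artifacts: Hidden Files and Directories), which does not describe a registry change that keeps a service loading in Safe Mode; both references are T1112 (Modify Registry) atomic tests, and ATT&CK also carries a dedicated Impair Defenses sub-technique for Safe Mode Boot, T1562.009. Suggest `- attack.t1112` (plus `- attack.t1562.009` if the project's tag set has adopted it) in place of `- attack.t1564.001`, keeping `attack.defense_evasion`. The unchanged first context line also spells the title `Registry Persitence via Service in Safe Mode`; `Persistence` could be corrected in the same pass.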
@@ -1,14 +1,17 @@
 title: Add Port Monitor Persistence in Registry
 id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
+status: experimental
 description: |
 Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
 A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
 author: frack113
 date: 2021/12/30
 modified: 2022/09/18
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
+tags:
+ - attack.persistence
+ - attack.t1547.010
 logsource:
 category: registry_set
 product: windows
@@ -35,6 +38,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
index 5c806f084..5270e6600 100644
--- a/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml
@@ -1,12 +1,14 @@
 title: Add Debugger Entry To AeDebug For Persistence
 id: 092af964-4233-4373-b4ba-d86ea2890288
-description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
-author: Nasreddine Bencherchali
-date: 2022/07/21
 status: experimental
+description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
 references:
 - https://persistence-info.github.io/Data/aedebug.html
 - https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
 logsource:
 category: registry_set
 product: windows
@@ -21,5 +23,3 @@ detection:
 falsepositives:
 - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
 level: medium
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index d6fe350c8..22241a0af 100644
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -1,11 +1,14 @@
 title: Allow RDP Remote Assistance Feature
 id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
-description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
-author: frack113
-date: 2022/08/19
 status: experimental
+description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 category: registry_set
 product: windows
@@ -18,6 +21,3 @@ detection:
 falsepositives:
 - Legitmate use of the feature (alerts should be investigated either way)
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index 874009427..cb01e74e1 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/06/04
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -53,6 +56,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index d605c7e6b..73c9c3ce6 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -5,14 +5,17 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
 date: 2019/10/25
 modified: 2022/04/04
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -75,6 +78,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 608a3071b..4a251912d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/09/20
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -62,6 +65,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index 82a226146..57591152e 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/07/05
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -83,6 +86,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index 879e1c62c..a2a4508c4 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -49,6 +52,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index da07b1a40..d627b0384 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/06/10
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -58,8 +61,8 @@ detection:
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
 filter_avg:
- Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: office and office_details and not 1 of filter_*
 fields:
 - SecurityID
@@ -70,6 +73,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 95aed74c3..6f6cc6e2a 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -5,13 +5,17 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
+ - attack.t1546.009
 logsource:
 category: registry_set
 product: windows
@@ -39,7 +43,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
- - attack.t1546.009
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index 0835d87f6..1d1b33595 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -37,6 +40,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
index 651577c2f..23d2b2d08 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -37,6 +40,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 31626072c..19c92301e 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -5,14 +5,17 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/09/21
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -85,6 +88,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index ff76d31f4..d0221d76f 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -45,6 +48,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index 8d31fa4c6..21b046d56 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
-author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
+author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
 modified: 2022/03/26
+tags:
+ - attack.persistence
+ - attack.t1547.001
 logsource:
 category: registry_set
 product: windows
@@ -38,6 +41,3 @@ falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
 - Legitimate administrator sets up autorun keys for legitimate reason
 level: medium
-tags:
- - attack.persistence
- - attack.t1547.001
diff --git a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
index a8504a2b4..7b5987064 100644
--- a/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
+++ b/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml
@@ -1,28 +1,28 @@
 title: Blackbyte Ransomware Registry
 id: 83314318-052a-4c90-a1ad-660ece38d276
-description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
-author: frack113
-date: 2022/01/24
-modified: 2022/03/26
 status: experimental
+description: BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
+author: frack113
+date: 2022/01/24
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 category: registry_set
 product: windows
 detection:
 selection:
 EventType: SetValue
- TargetObject:
+ TargetObject:
 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
- - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
+ - HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled
 Details: DWORD (0x00000001)
 condition: selection
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index e4a73cafd..28e76b9a4 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
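Review bot: `falsepositives` is left at `Unknown`, yet the `TargetObject` list is an OR, so a single write of `LocalAccountTokenFilterPolicy` or `EnableLinkedConnections` to `DWORD (0x00000001)` raises a `high` alert even though the description is about BlackByte setting all three values together; as far as I know both of those first two values are also set by administrators and GPO to allow remote administration with local accounts and to share mapped drives across elevation. Consider documenting that, e.g. `- Administrators or GPO enabling remote UAC for local accounts (LocalAccountTokenFilterPolicy) or linked connections`, and, where the backend allows it, correlating the three writes from the same process instead of alerting on any one of them. The `+ TargetObject:` and `+ - HKLM\SYSTEM\...\LongPathsEnabled` lines only strip trailing whitespace, so the matching itself is unchanged by this commit.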
@@ -1,14 +1,18 @@
 title: Bypass UAC Using DelegateExecute
 id: 46dd5308-4572-4d12-aa43-8938f0184d4f
-description: Bypasses User Account Control using a fileless method
-author: frack113
-date: 2022/01/05
-modified: 2022/03/26
 status: experimental
+description: Bypasses User Account Control using a fileless method
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
+author: frack113
+date: 2022/01/05
+modified: 2022/03/26
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
 logsource:
 category: registry_set
 product: windows
@@ -21,7 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
index 6fcac7a54..2576a4a3b 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml
@@ -1,13 +1,16 @@
 title: Bypass UAC Using Event Viewer
 id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
-description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
-author: frack113
-date: 2022/01/05
-modified: 2022/10/05
 status: experimental
+description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
 references:
 - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
+author: frack113
+date: 2022/01/05
+modified: 2022/10/05
+tags:
+ - attack.persistence
+ - attack.t1547.010
 logsource:
 category: registry_set
 product: windows
@@ -21,6 +24,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
index 2ca3cbce3..8a7a00c46 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
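Review bot: The moved `+tags:` block carries `attack.persistence` / `attack.t1547.010`, which does not fit a rule whose title, description and both references describe a UAC bypass through Event Viewer; the sibling UAC-bypass rules in this same patch (DelegateExecute, SilentCleanup) and the linked atomic test use T1548.002. Suggest `  - attack.privilege_escalation`, `  - attack.defense_evasion`, `  - attack.t1548.002`. The detection block is outside the hunk, so the registry value itself is not reviewed here.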
@@ -1,13 +1,17 @@
 title: Bypass UAC Using SilentCleanup Task
 id: 724ea201-6514-4f38-9739-e5973c34f49a
-description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
-author: frack113
-date: 2022/01/06
-modified: 2022/03/26
 status: experimental
+description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
 - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+author: frack113
+date: 2022/01/06
+modified: 2022/03/26
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
 logsource:
 category: registry_set
 product: windows
@@ -20,7 +24,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
index fba5705d5..eaf45f3af 100644
--- a/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml
@@ -1,15 +1,18 @@
 title: Changing RDP Port to Non Standard Number
 id: 509e84b9-a71a-40e0-834f-05470369bd1e
+status: experimental
 description: |
 Remote desktop is a common feature in operating systems.
 It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.
 Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
 author: frack113
 date: 2022/01/01
 modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
+tags:
+ - attack.persistence
+ - attack.t1547.010
 logsource:
 category: registry_set
 product: windows
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.t1547.010
diff --git a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
index 1d95d769a..241d4cc46 100644
--- a/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_security_zones.yml
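Review bot: The `+tags:` block keeps `attack.persistence` / `attack.t1547.010` while the only reference is the T1021.001 atomic test, and the `description: |` block is generic RDP background that never states what the rule detects. Suggest opening the description with a sentence such as `Detects changes to the RDP listening port in the registry, which can be used to evade firewall rules or port-based monitoring` and aligning the tags with whichever technique the maintainers consider primary (the referenced T1021.001, or T1112 for the registry modification itself). The detection block is outside the hunk, so the watched value is not reviewed here.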
@@ -1,13 +1,16 @@
 title: IE Change Domain Zone
 id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
-description: Hides the file extension through modification of the registry
-author: frack113
-date: 2022/01/22
-modified: 2022/04/04
 status: experimental
+description: Hides the file extension through modification of the registry
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
 - https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
+author: frack113
+date: 2022/01/22
+modified: 2022/04/04
+tags:
+ - attack.persistence
+ - attack.t1137
 logsource:
 category: registry_set
 product: windows
@@ -24,6 +27,3 @@ detection:
 falsepositives:
 - Administrative scripts
 level: medium
-tags:
- - attack.persistence
- - attack.t1137
diff --git a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
index e2a62b6e4..341022fff 100644
--- a/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml
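Review bot: The re-added `+description:` line ("Hides the file extension through modification of the registry") contradicts the title `IE Change Domain Zone` and both references, which cover adding a domain to the Trusted Sites zone, so it looks copied from another rule. Suggest `description: Detects changes to Internet Explorer security zone settings in the registry, such as adding a domain to the Trusted Sites zone`. The tags `attack.persistence` / `attack.t1137` (Office application startup) also look unrelated to the referenced T1112 atomic test and are worth a second look at the same time.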
@@ -5,20 +5,20 @@ description: Detects changes in Sysmon driver altitude. If the Sysmon driver is
 references:
 - https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
 - https://youtu.be/zSihR3lTf7g
+author: B.Talebi
+date: 2022/07/28
 tags:
 - attack.defense_evasion
 - attack.t1562.001
-author: B.Talebi
-date: 2022/07/28
 logsource:
 category: registry_set
 product: windows
 detection:
- selection:
- EventType: SetValue
- TargetObject|startswith: 'HKLM\SYSTEM\CurrentControlSet\'
- TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
- condition: selection
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\SYSTEM\CurrentControlSet\'
+ TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
+ condition: selection
 falsepositives:
 - Legitimate driver altitude change to hide sysmon
 level: high
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
index 02b5704aa..b38ee9706 100644
--- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -1,14 +1,17 @@
 title: Change Winevt Event Access Permission Via Registry
 id: 7d9263bd-dc47-4a58-bc92-5474abab390c
-description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel
-author: frack113
-date: 2022/09/17
-modified: 2022/09/29
 status: experimental
+description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel
 references:
 - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
 - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
 - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+author: frack113
+date: 2022/09/17
+modified: 2022/09/29
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
 logsource:
 category: registry_set
 product: windows
@@ -18,7 +21,7 @@ detection:
 TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
 TargetObject|endswith: '\ChannelAccess'
 # Add more interesting combinations if you found them
- Details|contains:
+ Details|contains:
 - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
 - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
 - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
@@ -30,6 +33,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.002
diff --git a/rules/windows/registry/registry_set/registry_set_chm_persistence.yml b/rules/windows/registry/registry_set/registry_set_chm_persistence.yml
index 73e69e004..ede89b64d 100644
--- a/rules/windows/registry/registry_set/registry_set_chm_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_chm_persistence.yml
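Review bot: The inline comments on the `Details|contains` entries in the second hunk (`# Local System having GENERIC ALL`, `# ... GENERIC ALL and GENERIC WRITE`) do not match how event-log channel security descriptors are normally read: as I understand the linked winevt documentation, the low access-mask bits are read (0x1), write (0x2) and clear (0x4), so `(A;;0x1;;;SY)` would mean SYSTEM has been cut down to read-only on the channel — which is exactly what makes the value suspicious. Suggest rewording the comments, e.g. `# Local System limited to read (0x1): cannot write events`, and verifying all three masks against the SDDL reference before analysts rely on the comments for triage. Only the `+ Details|contains:` whitespace changes in this hunk; the list itself is context.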
@@ -1,12 +1,14 @@
 title: CHM Helper DLL Persistence
 id: 976dd1f2-a484-45ec-aa1d-0e87e882262b
-description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
-author: Nasreddine Bencherchali
-date: 2022/07/21
 status: experimental
+description: Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
 references:
 - https://persistence-info.github.io/Data/htmlhelpauthor.html
 - https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
+author: Nasreddine Bencherchali
+date: 2022/07/21
+tags:
+ - attack.persistence
 logsource:
 category: registry_set
 product: windows
@@ -20,5 +22,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
index 3034c7f70..93d275074 100644
--- a/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
+++ b/rules/windows/registry/registry_set/registry_set_chrome_extension.yml
@@ -1,12 +1,15 @@
 title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
 id: b64a026b-8deb-4c1d-92fd-98893209dff1
+status: experimental
 description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
 author: frack113
 date: 2021/12/28
 modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
+tags:
+ - attack.persistence
+ - attack.t1133
 logsource:
 category: registry_set
 product: windows
@@ -127,6 +130,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.t1133
diff --git a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
index c85b40813..b15fe777c 100644
--- a/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
+++ b/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml
@@ -1,14 +1,22 @@
 title: CobaltStrike Service Installations in Registry
 id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
-description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
- We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
- In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
 status: experimental
-date: 2021/06/29
-modified: 2022/03/26
-author: Wojciech Lesicki
+description: |
+ Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
+ We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)
+ In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.
 references:
 - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
+author: Wojciech Lesicki
+date: 2021/06/29
+modified: 2022/03/26
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
 logsource:
 category: registry_set
 product: windows
@@ -29,10 +37,3 @@ detection:
 falsepositives:
 - Unknown
 level: critical
-tags:
- - attack.execution
- - attack.privilege_escalation
- - attack.lateral_movement
- - attack.t1021.002
- - attack.t1543.003
- - attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
index 92114070e..d43dbae98 100644
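Review bot: The new `description: |` block scalar keeps one trailing newline on the description value, whereas the old multi-line plain scalar folded to a single line with no trailing newline; `description: |-` would preserve the three separate lines without the dangling line break, which matters if a consumer renders the description inline. The same file's second hunk also drops the old `\ No newline at end of file` state, so the rewritten file now ends cleanly, which is fine.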
--- a/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml
@@ -2,24 +2,24 @@ title: COM Hijack via Sdclt
 id: 07743f65-7ec9-404a-a519-913db7118a8d
 status: test
 description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
-author: Omkar Gudhate
 references:
- - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- - https://www.exploit-db.com/exploits/47696
+ - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
+ - https://www.exploit-db.com/exploits/47696
+author: Omkar Gudhate
 date: 2020/09/27
 modified: 2022/06/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: Setvalue
- TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
- condition: selection
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.privilege_escalation
- - attack.t1546
- - attack.t1548
+ - attack.privilege_escalation
+ - attack.t1546
+ - attack.t1548
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject: 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
index a3c75e5a4..8ab969495 100644
--- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
+++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml
@@ -2,11 +2,14 @@ title: CrashControl CrashDump Disabled
 id: 2ff692c2-4594-41ec-8fcb-46587de769e0
 status: experimental
 description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
+references:
+ - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
 author: Tobias Michalski
 date: 2022/02/24
 modified: 2022/08/23
-references:
- - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
+tags:
+ - attack.t1564
+ - attack.t1112
 logsource:
 product: windows
 category: registry_set
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Legitimate disabling of crashdumps
 level: medium
-tags:
- - attack.t1564
- - attack.t1112
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 72c157e9d..0777c27a4 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -3,12 +3,15 @@ id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
 related:
 - id: c0abc838-36b0-47c9-b3b3-a90c39455382
 type: obsoletes
-description: Detect the creation of a service with a service binary located in a suspicious directory
 status: experimental
-date: 2022/05/02
-author: Florian Roth, frack113
+description: Detect the creation of a service with a service binary located in a suspicious directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: Florian Roth, frack113
+date: 2022/05/02
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 category: registry_set
 product: windows
@@ -40,6 +43,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
index a9e7f644f..e51e48614 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml
@@ -1,12 +1,15 @@
 title: Service Binary in Uncommon Folder
 id: 277dc340-0540-42e7-8efb-5ff460045e07
-description: Detect the creation of a service with a service binary located in a uncommon directory
 status: experimental
-date: 2022/05/02
-modified: 2022/05/04
-author: Florian Roth
+description: Detect the creation of a service with a service binary located in a uncommon directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: Florian Roth
+date: 2022/05/02
+modified: 2022/05/04
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 category: registry_set
 product: windows
@@ -41,6 +44,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
index c13f6736d..aba00a2fd 100644
--- a/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml
@@ -1,11 +1,14 @@
 title: Custom File Open Handler Executes PowerShell
 id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
-description: Detects the abuse of custom file open handler, executing powershell
-author: CD_R0M_
-date: 2022/06/11
 status: experimental
+description: Detects the abuse of custom file open handler, executing powershell
 references:
 - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
+author: CD_R0M_
+date: 2022/06/11
+tags:
+ - attack.defense_evasion
+ - attack.t1202
 logsource:
 category: registry_set
 product: windows
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1202
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml b/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
index ee73d996a..313a32ba4 100644
--- a/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml
@@ -2,30 +2,30 @@ title: Suspicious New Printer Ports in Registry (CVE-2020-1048)
 id: 7ec912f2-5175-4868-b811-ec13ad0f8567
 status: test
 description: Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
-author: EagleEye Team, Florian Roth, NVISO
 references:
- - https://windows-internals.com/printdemon-cve-2020-1048/
+ - https://windows-internals.com/printdemon-cve-2020-1048/
+author: EagleEye Team, Florian Roth, NVISO
 date: 2020/05/13
 modified: 2022/01/13
-logsource:
- product: windows
- category: registry_set
-detection:
- selection:
- EventType: SetValue
- TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
- Details|contains:
- - '.dll'
- - '.exe'
- - '.bat'
- - '.com'
- - 'C:'
- condition: selection
-falsepositives:
- - New printer port install on host
-level: high
 tags:
- - attack.persistence
- - attack.execution
- - attack.defense_evasion
- - attack.t1112
+ - attack.persistence
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports'
+ Details|contains:
+ - '.dll'
+ - '.exe'
+ - '.bat'
+ - '.com'
+ - 'C:'
+ condition: selection
+falsepositives:
+ - New printer port install on host
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
index 7a9c52e09..07e50a3c8 100644
--- a/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
+++ b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml
@@ -2,12 +2,12 @@ title: CVE-2021-31979 CVE-2021-33771 Exploits
 id: 32b5db62-cb5f-4266-9639-0fa48376ac00
 status: experimental
 description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
-author: Sittikorn S, frack113
-date: 2021/07/16
-modified: 2022/08/23
 references:
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
+author: Sittikorn S, frack113
+date: 2021/07/16
+modified: 2022/08/23
 tags:
 - attack.credential_access
 - attack.t1566
@@ -31,4 +31,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unlikely
-level: critical
\ No newline at end of file
+level: critical
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index 36c464935..f214e54f8 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -1,12 +1,15 @@
 title: Add Debugger Entry To DbgManagedDebugger For Persistence
 id: 9827ae57-3802-418f-994b-d5ecf5cd974b
-description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes
-author: frack113
-date: 2022/08/07
 status: experimental
+description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes
 references:
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 - https://github.com/last-byte/PersistenceSniper
+author: frack113
+date: 2022/08/07
+tags:
+ - attack.persistence
+ - attack.t1574
 logsource:
 category: registry_set
 product: windows
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Legitimate use of the key to setup a debugger. Which is often the case on developers machines
 level: medium
-tags:
- - attack.persistence
- - attack.t1574
diff --git a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
index d938019a3..c8d29604a 100644
--- a/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
+++ b/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml
@@ -3,13 +3,16 @@ id: a982fc9c-6333-4ffb-a51d-addb04e8b529
 related:
 - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 type: derived
+status: test
 description: Detects the Setting of Windows Defender Exclusions
-date: 2021/07/06
-modified: 2022/03/26
-author: Christian Burkard
 references:
 - https://twitter.com/_nullbind/status/1204923340810543109
-status: test
+author: Christian Burkard
+date: 2021/07/06
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 category: registry_set
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Administrator actions
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
index 565fffe53..a749c5311 100755
--- a/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
+++ b/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml
@@ -2,27 +2,27 @@ title: DHCP Callout DLL Installation
 id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
 status: test
 description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
-author: Dimitrios Slamaris
 references:
- - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+ - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
+ - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
+ - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
+author: Dimitrios Slamaris
 date: 2017/05/15
 modified: 2022/06/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: Setvalue
- TargetObject|endswith:
- - '\Services\DHCPServer\Parameters\CalloutDlls'
- - '\Services\DHCPServer\Parameters\CalloutEnabled'
- condition: selection
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.defense_evasion
- - attack.t1574.002
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.t1112
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: Setvalue
+ TargetObject|endswith:
+ - '\Services\DHCPServer\Parameters\CalloutDlls'
+ - '\Services\DHCPServer\Parameters\CalloutEnabled'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 3c26e4b6f..bd7d5bfd8 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -1,12 +1,15 @@
 title: Disable Administrative Share Creation at Startup
 id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
+status: experimental
 description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
 author: frack113
 date: 2022/01/16
 modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
 logsource:
 category: registry_set
 product: windows
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.005
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 72d5abdd5..38c4c79fa 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -2,12 +2,14 @@ title: AutoLogger Sessions Tamper
 id: f37b4bce-49d0-4087-9f5b-58bffda77316
 status: experimental
 description: Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging
-author: Nasreddine Bencherchali
 references:
 - https://twitter.com/MichalKoczwara/status/1553634816016498688
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
+author: Nasreddine Bencherchali
 date: 2022/08/01
 modified: 2022/09/18
+tags:
+ - attack.defense_evasion
 logsource:
 category: registry_set
 product: windows
@@ -29,5 +31,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
index 30c87d624..2cd58a900 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -1,12 +1,15 @@
 title: Disable Microsoft Defender Firewall via Registry
 id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
+status: experimental
 description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
 author: frack113
 date: 2022/01/09
 modified: 2022/03/26
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 category: registry_set
 product: windows
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.004
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 3563aa1a2..cd043992c 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -8,6 +8,9 @@ references:
 author: frack113, Nasreddine Bencherchali
 date: 2022/03/18
 modified: 2022/06/03
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 category: registry_set
 product: windows
@@ -35,6 +38,3 @@ detection:
 falsepositives:
 - Legitimate admin script
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml b/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
index bd77d09d8..55df5be1e 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml
@@ -1,14 +1,17 @@
 title: Disable Microsoft Office Security Features
 id: 7c637634-c95d-4bbf-b26c-a82510874b34
-description: Disable Microsoft Office Security Features by registry
 status: experimental
-date: 2021/06/08
-modified: 2022/03/26
-author: frack113
+description: Disable Microsoft Office Security Features by registry
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
 - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
+author: frack113
+date: 2021/06/08
+modified: 2022/03/26
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 category: registry_set
@@ -32,6 +35,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
index c61f90cd5..c1cc47836 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml
@@ -6,6 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
 author: frack113
 date: 2022/10/02
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 category: registry_set
 product: windows
@@ -18,6 +21,3 @@ detection:
 falsepositives:
 - Legitimate admin script
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index e6c0e3d8e..ba278b9b2 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -1,11 +1,14 @@
 title: Disable Windows Security Center Notifications
 id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
-description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
-author: frack113
-date: 2022/08/19
 status: experimental
+description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1112
 logsource:
 category: registry_set
 product: windows
@@ -18,6 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index 5e3e00f86..0bb5dc998 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
@@ -1,12 +1,15 @@
 title: Registry Disable System Restore
 id: 5de03871-5d46-4539-a82d-3aa992a69a83
+status: experimental
 description: Detects the modification of the registry to disable a system restore on the computer
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
 author: frack113
 date: 2022/04/04
 modified: 2022/09/09
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
+tags:
+ - attack.impact
+ - attack.t1490
 logsource:
 category: registry_set
 product: windows
@@ -24,6 +27,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.impact
- - attack.t1490
diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
index 99a22abb6..205c5afca 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
@@ -1,12 +1,16 @@
 title: Disable UAC Using Registry
 id: 48437c39-9e5f-47fb-af95-3d663c3f2919
+status: experimental
 description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
 author: frack113
 date: 2022/01/05
 modified: 2022/08/06
-status: experimental
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
 logsource:
 category: registry_set
 product: windows
@@ -19,7 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.privilege_escalation
- - attack.defense_evasion
- - attack.t1548.002
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
index 5df7a8b5a..88fdf579f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml
@@ -1,12 +1,15 @@
 title: Windows Defender Service Disabled
 id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
+status: experimental
 description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
-date: 2022/08/01
-author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
 references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
-status: experimental
+author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
+date: 2022/08/01
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 category: registry_set
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Administrator actions
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
index 8db7a6082..9efca0a3e 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -1,11 +1,14 @@
 title: Disable Windows Firewall by Registry
 id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
-description: Detect set EnableFirewall to 0 to disable the windows firewall
-author: frack113
-date: 2022/08/19
 status: experimental
+description: Detect set EnableFirewall to 0 to disable the windows firewall
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
+author: frack113
+date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 category: registry_set
 product: windows
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.004
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index cd739dbf1..25d02b959 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -1,13 +1,16 @@
 title: Disable Winevt Event Logging Via Registry
 id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
-description: Detects tampering with the "Enabled" registry key in order to disable windows logging of a windows event channel
-author: frack113, Nasreddine Bencherchali
-date: 2022/07/04
-modified: 2022/10/11
 status: experimental
+description: Detects tampering with the "Enabled" registry key in order to disable windows logging of a windows event channel
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889
 - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
+author: frack113, Nasreddine Bencherchali
+date: 2022/07/04
+modified: 2022/10/11
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
 logsource:
 category: registry_set
 product: windows
@@ -40,6 +43,3 @@ detection:
 falsepositives:
 - Legitimate administrators disabling specific event log for troubleshooting
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.002
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
index c97fa0429..b45bd63e4 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml
@@ -1,12 +1,15 @@
 title: Disable Exploit Guard Network Protection on Windows Defender
 id: bf9e1387-b040-4393-9851-1598f8ecfae9
-description: Detects disabling Windows Defender Exploit Guard Network Protection
 status: experimental
-date: 2021/08/04
-modified: 2022/08/05
-author: Austin Songer @austinsonger
+description: Detects disabling Windows Defender Exploit Guard Network Protection
 references:
 - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
+author: Austin Songer @austinsonger
+date: 2021/08/04
+modified: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 category: registry_set
 product: windows
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
index 7b61cd8de..d19be98cf 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
@@ -1,11 +1,14 @@
 title: Disabled Windows Defender Eventlog
 id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
-description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
 status: experimental
-date: 2022/07/04
-author: Florian Roth
+description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
+author: Florian Roth
+date: 2022/07/04
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 category: registry_set
 product: windows
@@ -18,6 +21,3 @@ detection: falsepositives: - Other Antivirus software installations could cause Windows to disable that eventlog (unknown) level: high -tags: - - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml index 2124509d3..7fc338391 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml @@ -1,12 +1,15 @@ title: Disable PUA Protection on Windows Defender id: 8ffc5407-52e3-478f-9596-0a7371eafe13 -description: Detects disabling Windows Defender PUA protection status: experimental -date: 2021/08/04 -modified: 2022/07/04 -author: Austin Songer @austinsonger +description: Detects disabling Windows Defender PUA protection references: - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +author: Austin Songer @austinsonger +date: 2021/08/04 +modified: 2022/07/04 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: category: registry_set product: windows @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml index 5904adb45..6cf89f826 100644 --- a/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml +++ b/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml 
@@ -1,12 +1,15 @@ title: Disable Tamper Protection on Windows Defender id: 93d298a1-d28f-47f1-a468-d971e7796679 -description: Detects disabling Windows Defender Tamper Protection status: experimental -date: 2021/08/04 -modified: 2022/04/21 -author: Austin Songer @austinsonger +description: Detects disabling Windows Defender Tamper Protection references: - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html +author: Austin Songer @austinsonger +date: 2021/08/04 +modified: 2022/04/21 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: category: registry_set product: windows @@ -24,6 +27,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml index 322cf5715..19ed848e4 100644 --- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml +++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml @@ -1,11 +1,14 @@ title: Add DisallowRun Execution to Registry id: 275641a5-a492-45e2-a817-7c81e9d9d3e9 -description: Detect set DisallowRun to 1 to prevent user running specific computer program -author: frack113 -date: 2022/08/19 status: experimental +description: Detect set DisallowRun to 1 to prevent user running specific computer program references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md +author: frack113 +date: 2022/08/19 +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -18,6 +21,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1112 
diff --git a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml index 3b115c0b4..e324577e5 100644 --- a/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml 
@@ -1,15 +1,21 @@ title: Persistence Via Disk Cleanup Handler - Autorun id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc +status: experimental description: | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. - The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. -author: Nasreddine Bencherchali -date: 2022/07/21 -modified: 2022/10/21 -status: experimental + The disk cleanup manager is part of the operating system. + It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. + Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. + Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. + Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. references: - https://persistence-info.github.io/Data/diskcleanuphandler.html - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ +author: Nasreddine Bencherchali +date: 2022/07/21 +modified: 2022/10/21 +tags: + - attack.persistence logsource: category: registry_set product: windows 
@@ -41,5 +47,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml index 032cf6788..fd00f69ae 100644 --- a/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml +++ b/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml @@ -1,18 +1,25 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 status: experimental -description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. -author: Austin Songer +description: | + Detects when a user enables DNS-over-HTTPS. + This can be used to hide internet activity or be used to hide the process of exfiltrating data. + With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS +author: Austin Songer date: 2021/07/22 modified: 2022/03/26 +tags: + - attack.defense_evasion + - attack.t1140 + - attack.t1112 logsource: - product: windows - category: registry_set + product: windows + category: registry_set detection: selection_edge: EventType: SetValue 
@@ -28,9 +35,5 @@ detection: Details: DWORD (0x00000001) condition: 1 of selection_* falsepositives: -- Unlikely + - Unlikely level: medium -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml index 38ea828ff..03c53eb59 100755 --- a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml +++ b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml @@ -1,13 +1,12 @@ title: DNS ServerLevelPluginDll Install id: e61e8a88-59a9-451c-874e-70fcc9740d67 status: experimental -description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server - (restart required) +description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 +author: Florian Roth date: 2017/05/08 modified: 2022/08/23 -author: Florian Roth tags: - attack.defense_evasion - attack.t1574.002 diff --git a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml index e6caec211..7ebdf090b 100644 --- a/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml +++ b/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml 
@@ -2,26 +2,26 @@ title: Enabling COR Profiler Environment Variables id: ad89044a-8f49-4673-9a55-cbd88a1b374f status: test description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured. -author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) references: - - https://twitter.com/jamieantisocial/status/1304520651248668673 - - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors - - https://www.sans.org/cyber-security-summit/archives + - https://twitter.com/jamieantisocial/status/1304520651248668673 + - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors + - https://www.sans.org/cyber-security-summit/archives +author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) date: 2020/09/10 modified: 2022/06/26 -logsource: - category: registry_set - product: windows -detection: - selection: - EventType: Setvalue - TargetObject|endswith: - - '\COR_ENABLE_PROFILING' - - '\COR_PROFILER' - condition: selection -level: high tags: - - attack.persistence - - attack.privilege_escalation - - attack.defense_evasion - - attack.t1574.012 + - attack.persistence + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1574.012 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: Setvalue + TargetObject|endswith: + - '\COR_ENABLE_PROFILING' + - '\COR_PROFILER' + condition: selection +level: high diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml index 5fe588e2a..7eca6ab9a 100644 --- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml +++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml 
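Review bot: `EventType: Setvalue` in the re-added detection block uses different casing from the `EventType: SetValue` written in the other rules touched by this commit (registry_set_etw_disabled.yml and registry_set_dns_over_https_enabled.yml, for example). Sigma string matching is case-insensitive in most backends, so this is presumably not a functional problem, but since the whole block is being rewritten anyway it would be cleaner to normalize it to `EventType: SetValue`.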
@@ -1,12 +1,15 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86 +status: experimental description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability -date: 2022/06/15 -modified: 2022/09/09 -author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' references: - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw -status: experimental +author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' +date: 2022/06/15 +modified: 2022/09/09 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows category: registry_set @@ -19,6 +22,3 @@ detection: falsepositives: - Administrator actions level: medium -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml index 582540079..14481ee9a 100644 --- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml 
@@ -2,31 +2,31 @@ title: COMPlus_ETWEnabled Registry Modification id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://twitter.com/_xpn_/status/1268712093928378368 - - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr - - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables - - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 - - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 - - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ - - https://bunnyinside.com/?term=f71e8cb9c76a - - http://managed670.rssing.com/chan-5590147/all_p1.html - - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://twitter.com/_xpn_/status/1268712093928378368 + - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr + - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables + - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38 + - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39 + - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_ + - 
https://bunnyinside.com/?term=f71e8cb9c76a + - http://managed670.rssing.com/chan-5590147/all_p1.html + - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 modified: 2022/03/26 -logsource: - product: windows - category: registry_set -detection: - selection: - EventType: SetValue - TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' - Details: 'DWORD (0x00000000)' - condition: selection -falsepositives: - - Unknown -level: high tags: - - attack.defense_evasion - - attack.t1112 + - attack.defense_evasion + - attack.t1112 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: SetValue + TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml index 74dd927cd..8d9b52fa7 100644 --- a/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml +++ b/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml 
@@ -1,11 +1,14 @@ title: Suspicious Application Allowed Through Exploit Guard id: 42205c73-75c8-4a63-9db1-e3782e06fda0 -description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings status: experimental -date: 2022/08/05 -author: Nasreddine Bencherchali +description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings references: - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ +author: Nasreddine Bencherchali +date: 2022/08/05 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: category: registry_set product: windows @@ -25,6 +28,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml index c3f66f11a..67414d7d6 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml @@ -1,15 +1,15 @@ title: Change User Account Associated with the FAX Service id: e3fdf743-f05b-4051-990a-b66919be1743 -description: Detect change of the user account associated with the FAX service to avoid the escalation problem. status: experimental +description: Detect change of the user account associated with the FAX service to avoid the escalation problem. references: - https://twitter.com/dottor_morte/status/1544652325570191361 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf -date: 2022/07/17 author: frack113 +date: 2022/07/17 tags: - attack.defense_evasion - - attack.t1112 + - attack.t1112 logsource: product: windows category: registry_set 
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml index 7b1dd6c2c..8a908a175 100644 --- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml +++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml @@ -1,15 +1,15 @@ title: Change the Fax Dll id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513 -description: Detect possible persistence using Fax DLL load when service restart status: experimental +description: Detect possible persistence using Fax DLL load when service restart references: - https://twitter.com/dottor_morte/status/1544652325570191361 - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf -date: 2022/07/17 author: frack113 +date: 2022/07/17 tags: - attack.defense_evasion - - attack.t1112 + - attack.t1112 logsource: product: windows category: registry_set diff --git a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml index 09fff0992..23e016a48 100644 --- a/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml +++ b/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml @@ -1,12 +1,14 @@ title: New File Association Using Exefile id: 44a22d59-b175-4f13-8c16-cbaef5b581ff +status: experimental description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products. +references: + - https://twitter.com/mrd0x/status/1461041276514623491 author: Andreas Hunkeler (@Karneades) date: 2021/11/19 modified: 2022/03/26 -status: experimental -references: - - https://twitter.com/mrd0x/status/1461041276514623491 +tags: + - attack.defense_evasion logsource: category: registry_set product: windows 
@@ -19,5 +21,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml index 1837b12e6..831bbfecd 100755 --- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml @@ -2,11 +2,17 @@ title: GlobalFlags Registry Persistence Mechanisms id: 36803969-5421-41ec-b92f-8500f79c23b0 status: test description: Detects persistence using GlobalFlags in image file execution options -author: Karneades, Jonhnathan Ribeiro references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ +author: Karneades, Jonhnathan Ribeiro date: 2018/04/11 modified: 2022/09/07 +tags: + - attack.privilege_escalation + - attack.persistence + - attack.defense_evasion + - attack.t1546.012 + - car.2013-01-002 logsource: category: registry_set product: windows @@ -27,9 +33,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.privilege_escalation - - attack.persistence - - attack.defense_evasion - - attack.t1546.012 - - car.2013-01-002 diff --git a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml index 1cca25fec..eacc10205 100644 --- a/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml 
@@ -1,12 +1,14 @@ title: Add Debugger Entry To Hangs Key For Persistence id: 833ef470-fa01-4631-a79b-6f291c9ac498 -description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes -author: Nasreddine Bencherchali -date: 2022/07/21 status: experimental +description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes references: - https://persistence-info.github.io/Data/wer_debugger.html - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -18,5 +20,3 @@ detection: falsepositives: - This value is not set by default but could be rarly used by administrators level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml index f2d1a1811..fe4dba8a2 100644 --- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml @@ -1,12 +1,14 @@ title: Persistence Via Hhctrl.ocx id: f10ed525-97fe-4fed-be7c-2feecca941b1 -description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary -author: Nasreddine Bencherchali -date: 2022/07/21 status: experimental +description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary references: - https://persistence-info.github.io/Data/hhctrl.html - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_set product: windows 
@@ -20,5 +22,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml index 4690ef61e..487ab6ea2 100644 --- a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml +++ b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml @@ -1,14 +1,17 @@ title: Registry Modification to Hidden File Extension id: 5df86130-4e95-4a54-90f7-26541b40aec2 -description: Hides the file extension through modification of the registry -author: frack113 -date: 2022/01/22 -modified: 2022/03/26 status: experimental +description: Hides the file extension through modification of the registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd - https://unit42.paloaltonetworks.com/ransomware-families/ - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A +author: frack113 +date: 2022/01/22 +modified: 2022/03/26 +tags: + - attack.persistence + - attack.t1137 logsource: category: registry_set product: windows @@ -25,6 +28,3 @@ detection: falsepositives: - Administrative scripts level: medium -tags: - - attack.persistence - - attack.t1137 diff --git a/rules/windows/registry/registry_set/registry_set_hide_file.yml b/rules/windows/registry/registry_set/registry_set_hide_file.yml index 90602874d..897b88988 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_file.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_file.yml 
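Review bot: The tags moved to the top of registry_set_hidden_extention.yml, `attack.persistence` / `attack.t1137`, do not match what the rule detects or its own reference: the reference points at the T1112 (Modify Registry) atomic test, and hiding file extensions through a registry value is defense evasion rather than Office application startup (T1137). The same mismatch appears further down in registry_set_install_root_or_ca_certificat.yml, where `attack.impact` / `attack.t1490` (Inhibit System Recovery) is attached to a rule whose reference is the T1553.004 (Install Root Certificate) atomic test. Since this commit is relocating the tags anyway, it would be a good moment to correct them, e.g. `- attack.defense_evasion` / `- attack.t1112` for the hidden-extension rule and `- attack.defense_evasion` / `- attack.t1553.004` for the root-certificate rule; please confirm against the current ATT&CK matrix before changing.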
@@ -1,12 +1,15 @@ title: Modification of Explorer Hidden Keys id: 5a5152f1-463f-436b-b2f5-8eceb3964b42 +status: experimental description: Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry author: frack113 date: 2022/04/02 modified: 2022/06/26 -status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry +tags: + - attack.defense_evasion + - attack.t1564.001 logsource: category: registry_set product: windows @@ -21,6 +24,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1564.001 diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml index d96729b30..bae6bf817 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml @@ -7,6 +7,9 @@ references: author: frack113 date: 2022/03/18 modified: 2022/03/26 +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -30,6 +33,3 @@ detection: falsepositives: - Legitimate admin script level: medium -tags: - - attack.defense_evasion - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml index 7bc8185e4..f6c8144fd 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml 
+++ b/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml @@ -5,12 +5,17 @@ related: type: similar - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec type: similar -description: Detects when the "index" value of a scheduled task is modified from the registry. Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique) status: experimental -date: 2022/08/26 -author: Nasreddine Bencherchali +description: | + Detects when the "index" value of a scheduled task is modified from the registry + Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique) references: - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments +author: Nasreddine Bencherchali +date: 2022/08/26 +tags: + - attack.defense_evasion + - attack.t1562 logsource: category: registry_set product: windows @@ -25,6 +30,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.defense_evasion - - attack.t1562 diff --git a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml index 6e9968124..62ff81e87 100644 --- a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml 
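Review bot: Splitting the description into a `|` block scalar dropped the sentence-ending period after "modified from the registry", so the rendered text now runs the two sentences together across the line break. Suggest restoring it on the first line: `Detects when the "index" value of a scheduled task is modified from the registry.`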
@@ -1,12 +1,15 @@ title: Modification of IE Registry Settings id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 +status: experimental description: Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry author: frack113 date: 2022/01/22 modified: 2022/03/29 -status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -31,7 +34,4 @@ detection: condition: selection_domains and not 1 of filter_* falsepositives: - Unknown -level: low # as unknow false positives -tags: - - attack.defense_evasion - - attack.t1112 +level: low diff --git a/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml b/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml index 6f4aa3c76..80f4ae4b0 100644 --- a/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml 
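Review bot: The rewrite of the last line drops the inline comment `# as unknow false positives` that explained why this rule sits at `level: low`, so the rationale is lost. If the comment was removed for style reasons, keep the justification somewhere visible, e.g. `level: low # unknown false-positive rate` or a clearer `falsepositives` entry, so a later reviewer does not raise the level without that context.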
@@ -1,14 +1,16 @@ title: Register New IFiltre For Persistence id: b23818c7-e575-4d13-8012-332075ec0a2b -description: Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files -author: Nasreddine Bencherchali -date: 2022/07/21 status: experimental +description: Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files references: - https://persistence-info.github.io/Data/ifilters.html - https://twitter.com/0gtweet/status/1468548924600459267 - https://github.com/gtworek/PSBits/tree/master/IFilter - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308 +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -29,5 +31,3 @@ detection: falsepositives: - Legitimate registration of IFilters by the OS or software level: medium -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml index 8da757bce..23e2569ad 100644 --- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml +++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml 
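Review bot: The title and description carried onto the new side still contain typos: `title: Register New IFiltre For Persistence` (IFilter), "register a new IFilter for an exntesion" (extension) and "when an attacker register" (registers). Since the description line is being moved anyway, suggest `title: Register New IFilter For Persistence` and starting the description with `Detects when an attacker registers a new IFilter for an extension.`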
@@ -1,13 +1,16 @@ title: New Root or CA or AuthRoot Certificate to Store id: d223b46b-5621-4037-88fe-fda32eead684 -description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry -author: frack113 -date: 2022/04/04 -modified: 2022/06/26 status: experimental +description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec +author: frack113 +date: 2022/04/04 +modified: 2022/06/26 +tags: + - attack.impact + - attack.t1490 logsource: category: registry_set product: windows @@ -30,6 +33,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.impact - - attack.t1490 diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml index 24ad1a6f4..dfc7c2b27 100644 --- a/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml +++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml 
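Review bot: The moved `tags:` block (`attack.impact` / `attack.t1490`) does not match what the rule detects: the referenced atomic test is T1553.004 (the URL in `references:` names it) and T1490 is Inhibit System Recovery, which has nothing to do with adding root or CA certificates. Since the lines are rewritten on the new side anyway, I'd change them to `- attack.defense_evasion` and `- attack.t1553.004` (Subvert Trust Controls: Install Root Certificate). Worth a quick check against the ATT&CK matrix before merging, but as written the mapping will mislead anyone pivoting on technique IDs.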
@@ -1,24 +1,24 @@ title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d -description: | - Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any - anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json status: experimental -date: 2022/05/28 +description: | + Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any + anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json references: - - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/ + - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/ author: frack113 -logsource: - category: registry_set - product: windows -detection: - selection: - EventType: SetValue - TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC' - condition: selection -falsepositives: - - Unknown -level: high +date: 2022/05/28 tags: - - attack.command_and_control - - attack.t1105 + - attack.command_and_control + - attack.t1105 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml b/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml index e5f0469d4..55e464bd0 100644 --- a/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml 
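Review bot: The re-added description body still contains the path `...\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json`, which looks like a folder name and a file name run together with the separator lost. If the file lives under the `StandaloneUpdater` folder this should read `...\OneDrive\StandaloneUpdater\reSignInSettingsConfig.json`; I'd confirm against the LOLBAS entry in `references:` and fix it while the lines are being rewritten. The rest of the hunk is key reordering and re-indentation of the `references:` list, which is fine.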
+++ b/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml @@ -1,14 +1,16 @@ title: Persistence Via LSA Extensions id: 41f6531d-af6e-4c6e-918f-b946f2b85a36 +status: experimental description: | Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. -author: Nasreddine Bencherchali -date: 2022/07/21 -status: experimental references: - https://persistence-info.github.io/Data/lsaaextension.html - https://twitter.com/0gtweet/status/1476286368385019906 +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -20,5 +22,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml index 27e863f79..9c7599907 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml @@ -11,6 +11,10 @@ references: author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 modified: 2022/03/26 +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 logsource: category: registry_set product: windows @@ -21,7 +25,3 @@ detection: Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection level: high -tags: - - attack.execution - - attack.t1059.005 - - attack.t1059.007 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml index 9931e5066..320207644 100644 
--- a/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml @@ -3,25 +3,25 @@ id: 92b0b372-a939-44ed-a11b-5136cf680e27 related: - id: c3198a27-23a0-4c2c-af19-e5328d49680e type: derived -date: 2020/05/14 -modified: 2022/06/26 status: experimental description: Attempts to detect system changes made by Blue Mockingbird references: - https://redcanary.com/blog/blue-mockingbird-cryptominer/ author: Trent Liffick (@tliffick) -logsource: - product: windows - category: registry_set -detection: - selection: - EventType: Setvalue - TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' - condition: selection -falsepositives: - - Unknown -level: high +date: 2020/05/14 +modified: 2022/06/26 tags: - attack.execution - attack.t1112 - - attack.t1047 \ No newline at end of file + - attack.t1047 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: Setvalue + TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml index 07e929f64..a94aa9444 100644 --- a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml 
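Review bot: The re-added `+    EventType: Setvalue` keeps the lowercase-v spelling while every other rule touched in this patch writes `EventType: SetValue`; the same `Setvalue` is re-added in the New Application in AppCompat hunk that follows. Sigma's default string matching is case-insensitive, so this is a consistency issue rather than a functional one, but since the line is rewritten anyway I'd normalise it to `EventType: SetValue` in both files.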
@@ -1,12 +1,14 @@ title: Persistence Via Mpnotify id: 92772523-d9c1-4c93-9547-b0ca500baba3 -description: Detects when an attacker register a new SIP provider for persistence and defense evasion -author: Nasreddine Bencherchali -date: 2022/07/21 status: experimental +description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/mpnotify.html - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -18,6 +20,3 @@ detection: falsepositives: - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way level: high -tags: - - attack.persistence - diff --git a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml index a15053708..742342140 100644 --- a/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml +++ b/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml 
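Review bot: The re-added `+description:` says the rule detects "a new SIP provider" being registered, but the title is "Persistence Via Mpnotify" and the only references are about mpnotify, so the text appears copied from the SIP-provider rule. Since the line is rewritten on the new side, it should describe the mpnotify registry value instead, e.g. `description: Detects modification of the mpnotify registry value, which can be abused to load a custom DLL for persistence`, and "an attacker register" should become "registers". The trailing blank line removed by the second hunk is fine.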
@@ -2,25 +2,25 @@ title: New Application in AppCompat id: 60936b49-fca0-4f32-993d-7415edcf9a5d status: test description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/1 - - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/1 + - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 modified: 2022/06/26 -logsource: - product: windows - category: registry_set -detection: - selection: - EventType: Setvalue - TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' - condition: selection -falsepositives: - - This rule is to explore new applications on an endpoint. False positives depends on the organization. - - Newly setup system. - - Legitimate installation of new application. -level: informational tags: - - attack.execution - - attack.t1204.002 + - attack.execution + - attack.t1204.002 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: Setvalue + TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' + condition: selection +falsepositives: + - This rule is to explore new applications on an endpoint. False positives depends on the organization. + - Newly setup system. + - Legitimate installation of new application. +level: informational diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index b356a4de5..ad7d6be77 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml 
+++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -3,14 +3,17 @@ id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 related: - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 type: similar -description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it -author: Nasreddine Bencherchali -date: 2022/08/23 -modified: 2022/09/18 status: experimental +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +author: Nasreddine Bencherchali +date: 2022/08/23 +modified: 2022/09/18 +tags: + - attack.credential_access + - attack.t1003 logsource: category: registry_set product: windows @@ -32,6 +35,3 @@ detection: falsepositives: - Other legitimate network providers used and not filtred in this rule level: high -tags: - - attack.credential_access - - attack.t1003 diff --git a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml index ddc1c6bf9..faa02b90f 100644 --- a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml +++ b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml 
@@ -1,12 +1,15 @@ title: Enable Microsoft Dynamic Data Exchange id: 63647769-326d-4dde-a419-b925cc0caf42 +status: experimental description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel. +references: + - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021 author: frack113 date: 2022/02/26 modified: 2022/03/26 -status: experimental -references: - - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021 +tags: + - attack.execution + - attack.t1559.002 logsource: category: registry_set product: windows @@ -14,7 +17,7 @@ detection: selection_word: EventType: SetValue TargetObject|endswith: '\Word\Security\AllowDDE' - Details: + Details: - 'DWORD (0x00000001)' - 'DWORD (0x00000002)' selection_excel: @@ -27,6 +30,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.execution - - attack.t1559.002 diff --git a/rules/windows/registry/registry_set/registry_set_office_security.yml b/rules/windows/registry/registry_set/registry_set_office_security.yml index fe5e28dba..b54ec0047 100644 --- a/rules/windows/registry/registry_set/registry_set_office_security.yml +++ b/rules/windows/registry/registry_set/registry_set_office_security.yml 
@@ -2,13 +2,16 @@ title: Office Security Settings Changed id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd status: experimental description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) -author: Trent Liffick (@tliffick) -date: 2020/05/22 -modified: 2022/06/26 references: - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ +author: Trent Liffick (@tliffick) +date: 2020/05/22 +modified: 2022/06/26 +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -23,6 +26,3 @@ detection: falsepositives: - Valid Macros and/or internal documents level: high -tags: - - attack.defense_evasion - - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml index d3c9a0508..5c9e48ff6 100644 --- a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml @@ -8,6 +8,9 @@ references: author: Bhabesh Raj date: 2021/01/10 modified: 2022/06/10 +tags: + - attack.t1137.006 + - attack.persistence logsource: category: registry_set product: windows 
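Review bot: In the Office VSTO persistence hunk the moved `tags:` block lists the technique before the tactic (`- attack.t1137.006` then `- attack.persistence`), whereas every other rule rewritten in this patch lists the tactic first. This is style only, but since the lines are being re-added it would be easy to put `- attack.persistence` first for consistency.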
@@ -15,11 +18,11 @@ detection: selection: EventType: SetValue TargetObject|contains: - - '\Software\Microsoft\Office\Outlook\Addins\' - - '\Software\Microsoft\Office\Word\Addins\' - - '\Software\Microsoft\Office\Excel\Addins\' - - '\Software\Microsoft\Office\Powerpoint\Addins\' - - '\Software\Microsoft\VSTO\Security\Inclusion\' + - '\Software\Microsoft\Office\Outlook\Addins\' + - '\Software\Microsoft\Office\Word\Addins\' + - '\Software\Microsoft\Office\Excel\Addins\' + - '\Software\Microsoft\Office\Powerpoint\Addins\' + - '\Software\Microsoft\VSTO\Security\Inclusion\' filter_image: Image|endswith: - '\msiexec.exe' @@ -35,8 +38,5 @@ detection: TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\' condition: selection and not 1 of filter_* falsepositives: - - Legitimate Addin Installation + - Legitimate Addin Installation level: medium -tags: - - attack.t1137.006 - - attack.persistence \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml b/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml index b4be180c9..bf17b61cb 100644 --- a/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml +++ b/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml @@ -7,21 +7,21 @@ references: author: '@ScoubiMtl' date: 2021/04/05 modified: 2022/03/26 +tags: + - attack.persistence + - attack.command_and_control + - attack.t1137 + - attack.t1008 + - attack.t1546 logsource: category: registry_set product: windows detection: selection_registry: - EventType: SetValue + EventType: SetValue TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry falsepositives: - Unlikely level: medium -tags: - - attack.persistence - - attack.command_and_control - - attack.t1137 - - attack.t1008 - - attack.t1546 \ No newline at end of file 
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
index 0d9630a45..e153b7de0 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
@@ -1,37 +1,37 @@ title: Persistent Outlook Landing Pages id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 -description: Detects the manipulation of persistent URLs which could execute malicious code status: experimental +description: Detects the manipulation of persistent URLs which could execute malicious code references: - - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 modified: 2022/06/26 -logsource: - product: windows - category: registry_set -detection: - selection1: - EventType: SetValue - TargetObject|contains: - - 'Software\Microsoft\Office\' - - '\Outlook\Today\' - selectionStamp: - TargetObject|endswith: 'Stamp' - Details: 'DWORD (0x00000001)' - selectionUserDefined: - TargetObject|endswith: 'UserDefinedUrl' - filter_office: - Image|startswith: - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' - condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_* -fields: - - Details -falsepositives: - - Unknown -level: high tags: - - attack.persistence - - attack.t1112 \ No newline at end of file + - attack.persistence + - attack.t1112 +logsource: + product: windows + category: registry_set +detection: + selection1: + EventType: SetValue + TargetObject|contains: + - 'Software\Microsoft\Office\' + - '\Outlook\Today\' + selectionStamp: + TargetObject|endswith: 'Stamp' + Details: 'DWORD (0x00000001)' + selectionUserDefined: + TargetObject|endswith: 'UserDefinedUrl' + filter_office: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' + condition: 
selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_* +fields: + - Details +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml index 3b9382b7a..7674417cc 100644 --- a/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml +++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml 
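Review bot: Both this rule (id 487bb375-…) and the Outlook WebView rule in the next hunk (id ddd171b5-…) carry the identical `title: Persistent Outlook Landing Pages`, although they detect different keys (`\Outlook\Today\` versus `\Outlook\WebView\`). Because the whole body is rewritten on the new side in both files, this is a good moment to give them distinguishing titles, e.g. `title: Persistent Outlook Landing Pages - Today Page` and `title: Persistent Outlook Landing Pages - WebView`, so alerts can be told apart without opening the rule. The mixed selection naming here (`selection1`, `selectionStamp`, `selectionUserDefined` alongside `filter_office`) is also less regular than the `selection_1`/`selection_2` style used by the WebView rule, but that is a minor style point.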
@@ -1,33 +1,33 @@ title: Persistent Outlook Landing Pages id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 -description: Detects the manipulation of persistent URLs which can be malicious status: experimental +description: Detects the manipulation of persistent URLs which can be malicious references: - - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 - - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 + - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us author: Tobias Michalski date: 2021/06/09 modified: 2022/06/26 -logsource: - product: windows - category: registry_set -detection: - selection_1: - EventType: SetValue - TargetObject|contains: - - '\Software\Microsoft\Office\' - - '\Outlook\WebView\' - TargetObject|endswith: '\URL' - selection_2: - TargetObject|contains: - - '\Calendar\' - - '\Inbox\' - condition: all of selection_* -fields: - - Details -falsepositives: - - Unknown -level: high tags: - - attack.persistence - - attack.t1112 \ No newline at end of file + - attack.persistence + - attack.t1112 +logsource: + product: windows + category: registry_set +detection: + selection_1: + EventType: SetValue + TargetObject|contains: + - '\Software\Microsoft\Office\' + - '\Outlook\WebView\' + TargetObject|endswith: '\URL' + selection_2: + TargetObject|contains: + - '\Calendar\' + - '\Inbox\' + condition: all of selection_* +fields: + - Details +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_outlook_security.yml b/rules/windows/registry/registry_set/registry_set_outlook_security.yml index ce4094cdb..4dcb31de2 100644 
--- a/rules/windows/registry/registry_set/registry_set_outlook_security.yml +++ b/rules/windows/registry/registry_set/registry_set_outlook_security.yml @@ -1,13 +1,16 @@ title: Change Outlook Security Setting in Registry id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a -description: Change outlook email security settings -author: frack113 -date: 2021/12/28 -modified: 2022/03/26 status: experimental +description: Change outlook email security settings references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md - https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings +author: frack113 +date: 2021/12/28 +modified: 2022/03/26 +tags: + - attack.persistence + - attack.t1137 logsource: category: registry_set product: windows @@ -21,6 +24,3 @@ detection: falsepositives: - Administrative scripts level: medium -tags: - - attack.persistence - - attack.t1137 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml index 5a6c841ae..6acc5562a 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml @@ -7,15 +7,18 @@ references: - https://github.com/rootm0s/WinPwnage author: frack113 date: 2022/07/27 +tags: + - attack.persistence + - attack.t1546.015 logsource: category: registry_set product: windows detection: - selection_debug: + selection_debug: EventType: SetValue TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.' TargetObject|endswith: '\DebugPath' - selection_default: + selection_default: EventType: SetValue TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.' TargetObject|endswith: '\(Default)' 
@@ -23,6 +26,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.persistence - - attack.t1546.015 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml index ecaac87d7..5c4e72d43 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -1,12 +1,14 @@ title: Persistence Via AutodialDLL id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 -description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library status: experimental -author: Nasreddine Bencherchali -date: 2022/08/10 +description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ - https://persistence-info.github.io/Data/autodialdll.html +author: Nasreddine Bencherchali +date: 2022/08/10 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -18,5 +20,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index b68f4b1eb..a8cae2014 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml @@ -7,6 +7,9 @@ references: author: Nasreddine Bencherchali date: 2022/07/28 modified: 2022/09/13 +tags: + - attack.persistence + - attack.t1546.015 logsource: category: registry_set product: windows 
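Review bot: The re-added `+description:` in the AutodialDLL hunk keeps the doubled word and missing article from the old line ("Detects change the the "AutodialDLL" key ... load custom DLL"). Since the line is rewritten anyway, I'd make it `description: Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library`.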
@@ -36,6 +39,3 @@ detection: falsepositives: - Probable legitimate applications. If you find these please add them to an exclusion list level: high -tags: - - attack.persistence - - attack.t1546.015 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml index 4836d2feb..5e1fc84ff 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml @@ -1,11 +1,13 @@ title: Persistence Via MyComputer Key and SubKeys id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 -description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) status: experimental -author: Nasreddine Bencherchali -date: 2022/08/09 +description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) references: - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +author: Nasreddine Bencherchali +date: 2022/08/09 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -18,5 +20,3 @@ detection: falsepositives: - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index dce4cc2a3..ea12562cf 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml 
@@ -8,6 +8,9 @@ references: author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 modified: 2022/09/20 +tags: + - attack.persistence + - attack.t1546.015 logsource: category: registry_set product: windows @@ -88,6 +91,3 @@ detection: falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level level: medium -tags: - - attack.persistence - - attack.t1546.015 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml index ffa22e52a..e96278cab 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml @@ -1,12 +1,14 @@ title: Persistence Via TypedPaths id: 086ae989-9ca6-4fe7-895a-759c5544f247 -description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt status: experimental -author: Nasreddine Bencherchali -date: 2022/08/22 +description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt references: - https://twitter.com/dez_/status/1560101453150257154 - https://forensafe.com/blogs/typedpaths.html +author: Nasreddine Bencherchali +date: 2022/08/22 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -22,5 +24,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml index 12b416168..637f46cb2 100644 --- a/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml 
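Review bot: The re-added `+description:` in the TypedPaths hunk reads "Detects modification addition to the 'TypedPaths' key", which is ungrammatical and leaves it unclear whether both writes and new entries are meant. I'd rewrite it as `description: Detects modification or addition of entries under the 'TypedPaths' key in the user or admin registry by a non-standard application, which might indicate a persistence attempt`.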
+++ b/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml @@ -2,11 +2,13 @@ title: Modify Attachment Manager Settings - Associations id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47 status: experimental description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) -author: Nasreddine Bencherchali references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 +author: Nasreddine Bencherchali date: 2022/08/01 +tags: + - attack.defense_evasion logsource: category: registry_set product: windows @@ -34,5 +36,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml index 244958054..d55e60452 100644 --- a/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml @@ -2,11 +2,13 @@ title: Modify Attachment Manager Settings - Attachments id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a status: experimental description: Detects tampering with attachment manager settings policies attachments (See reference for more information) -author: Nasreddine Bencherchali references: - https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738 - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 +author: Nasreddine Bencherchali date: 2022/08/01 +tags: + - attack.defense_evasion logsource: category: registry_set product: windows 
@@ -27,5 +29,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml index f3c05aed5..f23087434 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml @@ -1,12 +1,15 @@ title: PowerShell as a Service in Registry id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d -description: Detects that a powershell code is written to the registry as a service. status: experimental +description: Detects that a powershell code is written to the registry as a service. +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 modified: 2022/03/26 -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.execution + - attack.t1569.002 logsource: category: registry_set product: windows @@ -22,6 +25,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.execution - - attack.t1569.002 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index d68048b45..17dc150ed 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -7,6 +7,9 @@ references: author: frack113, Florian Roth date: 2022/03/17 modified: 2022/10/06 +tags: + - attack.persistence + - attack.t1547.001 logsource: category: registry_set product: windows @@ -30,6 +33,3 @@ detection: falsepositives: - Legitimate admin or third party scripts level: medium -tags: - - attack.persistence - - attack.t1547.001 
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml index 3d3148d0f..15582a589 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml @@ -1,12 +1,15 @@ title: PowerShell Logging Disabled id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7 +status: experimental description: Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled author: frack113 date: 2022/04/02 modified: 2022/06/26 -status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled +tags: + - attack.defense_evasion + - attack.t1564.001 logsource: category: registry_set product: windows @@ -23,6 +26,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1564.001 diff --git a/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml b/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml index e3bf63b89..dccdbd3b7 100644 --- a/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml +++ b/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml 
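Review bot: The tags now placed before `logsource` map this rule to `attack.t1564.001` (Hide Artifacts: Hidden Files and Directories), which does not match what the detection covers: disabling PowerShell module, script block and transcription logging is impairing defenses, and the rule's only reference is an Atomic T1112 test. `  - attack.t1562.002` (Impair Defenses: Disable Windows Event Logging) appears to be the closer technique, possibly alongside `  - attack.t1112`. The move itself does not alter the value, so this is worth verifying against ATT&CK before changing it.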
@@ -1,11 +1,11 @@ title: Newly Registered Protocol Handler id: fdbf0b9d-0182-4c43-893b-a1eaab92d085 -description: Detects when a new custom protocole handler is registered status: experimental -date: 2022/05/30 -author: Nasreddine Bencherchali +description: Detects when a new custom protocole handler is registered references: - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ +author: Nasreddine Bencherchali +date: 2022/05/30 tags: - attack.defense_evasion - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml index a32ab7cc3..6563c590e 100644 --- a/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml @@ -9,8 +9,11 @@ status: experimental description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution references: - Internal Research -date: 2022/08/24 author: Nasreddine Bencherchali +date: 2022/08/24 +tags: + - attack.resource_development + - attack.t1588.002 logsource: product: windows category: registry_set @@ -49,6 +52,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.resource_development - - attack.t1588.002 diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml index 83eb3a245..ee1ff1de0 100644 --- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml 
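Review bot: The description line re-added below `status` still reads `protocole`, a typo for `protocol`; since the line is being touched anyway this is the moment to fix it: `description: Detects when a new custom protocole handler is registered` becomes `description: Detects when a new custom protocol handler is registered`. Nothing else in the hunk changes meaning.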
@@ -1,14 +1,17 @@ title: ScreenSaver Registry Key Set id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce -description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl status: experimental -date: 2022/05/04 -modified: 2022/05/04 -author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) +description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl references: - https://twitter.com/VakninHai/status/1517027824984547329 - https://twitter.com/pabraeken/status/998627081360695297 - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files +author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) +date: 2022/05/04 +modified: 2022/05/04 +tags: + - attack.defense_evasion + - attack.t1218.011 logsource: product: windows category: registry_set @@ -20,13 +23,10 @@ detection: TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE' Details|endswith: '.scr' filter: - Details|contains: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' + Details|contains: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' condition: selection and registry and not filter falsepositives: - Legitimate use of screen saver level: medium -tags: - - attack.defense_evasion - - attack.t1218.011 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml b/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml index 71ba74583..b169d151a 100644 --- a/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml 
@@ -1,11 +1,14 @@ title: Scrobj.dll COM Hijacking id: fe20dda1-6f37-4379-bbe0-a98d400cae90 -description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute -author: frack113 -date: 2022/08/20 status: experimental +description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md +author: frack113 +date: 2022/08/20 +tags: + - attack.persistence + - attack.t1546.015 logsource: category: registry_set product: windows @@ -18,6 +21,3 @@ detection: falsepositives: - Legitimate use of the dll. level: medium -tags: - - attack.persistence - - attack.t1546.015 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 5ce063496..073a94c69 100644 --- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml 
@@ -1,13 +1,17 @@ title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. -author: frack113 -date: 2022/02/04 -modified: 2022/09/20 status: experimental +description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ +author: frack113 +date: 2022/02/04 +modified: 2022/09/20 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 logsource: category: registry_set product: windows @@ -29,7 +33,3 @@ falsepositives: - Administrative scripts - Installation of a service level: medium -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1543.003 diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml index 59f340799..ea6679173 100644 --- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml +++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml @@ -7,6 +7,9 @@ references: author: frack113 date: 2022/03/18 modified: 2022/03/26 +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -29,6 +32,3 @@ detection: falsepositives: - Legitimate admin script level: medium -tags: - - attack.defense_evasion - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml b/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml index bcb530f08..25dc6febc 100644 
--- a/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml @@ -1,15 +1,18 @@ title: Registry Key Creation or Modification for Shim DataBase id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45 +status: experimental description: | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time -author: frack113 -date: 2021/12/30 -modified: 2022/03/26 -status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +author: frack113 +date: 2021/12/30 +modified: 2022/03/26 +tags: + - attack.persistence + - attack.t1546.011 logsource: category: registry_set product: windows @@ -25,6 +28,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.persistence - - attack.t1546.011 diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml index 8d398a926..19f3c96d0 100644 --- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml +++ b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml 
@@ -1,13 +1,16 @@ title: SilentProcessExit Monitor Registration id: c81fe886-cac0-4913-a511-2822d72ff505 -description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process status: experimental -author: Florian Roth +description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ +author: Florian Roth date: 2021/02/26 modified: 2022/03/26 +tags: + - attack.persistence + - attack.t1546.012 logsource: category: registry_set product: windows @@ -20,6 +23,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.t1546.012 diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml index 3af8eef6b..37986564d 100644 --- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml 
@@ -1,14 +1,18 @@ title: Persistence Via New SIP Provider id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 -description: Detects when an attacker register a new SIP provider for persistence and defense evasion -author: Nasreddine Bencherchali -date: 2022/07/21 -modified: 2022/09/21 status: experimental +description: Detects when an attacker register a new SIP provider for persistence and defense evasion references: - https://persistence-info.github.io/Data/codesigning.html - https://github.com/gtworek/PSBits/tree/master/SIP - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf +author: Nasreddine Bencherchali +date: 2022/07/21 +modified: 2022/09/21 +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1553.003 logsource: category: registry_set product: windows @@ -37,7 +41,3 @@ detection: falsepositives: - Legitimate SIP being registered by the OS or different software. level: medium -tags: - - attack.persistence - - attack.defense_evasion - - attack.t1553.003 diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml index cc87fa1ba..94507a655 100644 --- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml +++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml @@ -1,11 +1,14 @@ title: Tamper With Sophos AV Registry Keys id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101 -description: Detects tamper attempts to sophos av functionality via registry key modification -author: Nasreddine Bencherchali -date: 2022/09/02 status: experimental +description: Detects tamper attempts to sophos av functionality via registry key modification references: - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ +author: Nasreddine Bencherchali +date: 2022/09/02 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: category: registry_set product: windows 
@@ -21,6 +24,3 @@ detection: falsepositives: - Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate level: high -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml index ad1d7f9b1..3af8edd81 100644 --- a/rules/windows/registry/registry_set/registry_set_special_accounts.yml +++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml @@ -1,11 +1,14 @@ title: Hide User Account Via Special Accounts Reg Key id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd -description: Detects when an attacker set the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" to "0" in order to hide user account. -author: Nasreddine Bencherchali -date: 2022/07/12 status: experimental +description: Detects when an attacker set the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" to "0" in order to hide user account. references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ +author: Nasreddine Bencherchali +date: 2022/07/12 +tags: + - attack.defense_evasion + - attack.t1564.002 logsource: category: registry_set product: windows @@ -18,6 +21,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1564.002 diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml index 6c539be1f..46292cf7c 100644 --- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml 
@@ -1,11 +1,14 @@ title: Disable Windows Security Center Notifications id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 -description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification -author: frack113 -date: 2022/08/19 status: experimental +description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md +author: frack113 +date: 2022/08/19 +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -18,6 +21,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml index 58cc3cf87..8e16b0203 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml 
@@ -1,17 +1,20 @@ title: Suspicious Values In App Paths Default Property id: 707e097c-e20f-4f67-8807-1f72ff4500d6 +status: experimental description: | Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to pre-pend information to the PATH environment variable on a per-application, per-process basis. -status: experimental -author: Nasreddine Bencherchali references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN +author: Nasreddine Bencherchali date: 2022/08/10 modified: 2022/09/13 +tags: + - attack.persistence + - attack.t1546.012 logsource: category: registry_set product: windows @@ -46,6 +49,3 @@ detection: falsepositives: - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it) level: high -tags: - - attack.persistence - - attack.t1546.012 diff --git a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml index 99b08e747..276bafc8b 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml 
@@ -2,30 +2,30 @@ title: Suspicious Keyboard Layout Load id: 34aa0252-6039-40ff-951f-939fd6ce47d8 status: test description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only -author: Florian Roth references: - - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files + - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index + - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files +author: Florian Roth date: 2019/10/12 modified: 2022/03/26 -logsource: - category: registry_set - product: windows - definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' -detection: - selection_registry: - EventType: SetValue - TargetObject|contains: - - '\Keyboard Layout\Preload\' - - '\Keyboard Layout\Substitutes\' - Details|contains: - - 00000429 # Persian (Iran) - - 00050429 # Persian (Iran) - - 0000042a # Vietnamese - condition: selection_registry -falsepositives: - - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base) -level: medium tags: - - attack.resource_development - - attack.t1588.002 + - attack.resource_development + - attack.t1588.002 +logsource: + category: registry_set + product: windows + definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' +detection: + selection_registry: + EventType: SetValue + TargetObject|contains: + - '\Keyboard Layout\Preload\' + - '\Keyboard Layout\Substitutes\' + Details|contains: + - 00000429 # Persian (Iran) + - 00050429 # Persian (Iran) + 
- 0000042a # Vietnamese + condition: selection_registry +falsepositives: + - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base) +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml index 691ef5e8c..2860f1e97 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml 
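Review bot: The `Details|contains` values re-added in this hunk (`00000429`, `00050429`, `0000042a`) are unquoted plain scalars; they survive as strings only because each happens to contain a character outside 0-7, so a layout id added later that consists solely of octal digits would be read as an integer by YAML 1.1 loaders and silently never match the string in the event. Quoting them as `- '00000429' # Persian (Iran)` and so on makes the intent explicit and removes the dependency on the parser's implicit typing. Separately, this hunk deletes and re-adds the whole rule body only to indent the list items, which hides the actual key moves; the Printer Driver, Explorer Run, Suspicious Service Installed and TaskCache hunks do the same, and a whitespace-only re-indent in its own commit would leave each of them showing just the reorder.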
@@ -2,32 +2,32 @@ title: Suspicious Printer Driver Empty Manufacturer id: e0813366-0407-449a-9869-a2db1119dc41 status: test description: Detects a suspicious printer driver installation with an empty Manufacturer value -author: Florian Roth references: - - https://twitter.com/SBousseaden/status/1410545674773467140 + - https://twitter.com/SBousseaden/status/1410545674773467140 +author: Florian Roth date: 2020/07/01 modified: 2022/09/21 -logsource: - category: registry_set - product: windows -detection: - selection: - EventType: SetValue - TargetObject|contains|all: - - '\Control\Print\Environments\Windows x64\Drivers' - - '\Manufacturer' - Details: '(Empty)' - filter_cutepdf: - TargetObject|contains: '\CutePDF Writer v4.0\' - filter_vnc: - TargetObject|contains: - - '\VNC Printer (PS)\' - - '\VNC Printer (UD)\' - condition: selection and not 1 of filter_* -falsepositives: - - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value -level: high tags: - - attack.privilege_escalation - - attack.t1574 - - cve.2021.1675 + - attack.privilege_escalation + - attack.t1574 + - cve.2021.1675 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains|all: + - '\Control\Print\Environments\Windows x64\Drivers' + - '\Manufacturer' + Details: '(Empty)' + filter_cutepdf: + TargetObject|contains: '\CutePDF Writer v4.0\' + filter_vnc: + TargetObject|contains: + - '\VNC Printer (PS)\' + - '\VNC Printer (UD)\' + condition: selection and not 1 of filter_* +falsepositives: + - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value +level: high diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index 79344ac32..a288c972d 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml 
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -2,35 +2,35 @@ title: Registry Persistence via Explorer Run Key id: b7916c2a-fa2f-4795-9477-32b731f70f11 status: test description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder -author: Florian Roth, oscd.community references: - - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ + - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ +author: Florian Roth, oscd.community date: 2018/07/18 modified: 2022/03/26 -logsource: - category: registry_set - product: windows -detection: - selection: - EventType: SetValue - TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' - selection2: - - Details|startswith: - - 'C:\Windows\Temp\' - - 'C:\ProgramData\' - - 'C:\$Recycle.bin\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' - - Details|contains: - - '\AppData\' - condition: selection and selection2 -fields: - - Image - - ParentImage -falsepositives: - - Unknown -level: high tags: - - attack.persistence - - attack.t1547.001 + - attack.persistence + - attack.t1547.001 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' + selection2: + - Details|startswith: + - 'C:\Windows\Temp\' + - 'C:\ProgramData\' + - 'C:\$Recycle.bin\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - Details|contains: + - '\AppData\' + condition: selection and selection2 +fields: + - Image + - ParentImage +falsepositives: + - Unknown +level: high 
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index ede76c2ee..9cad28208 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml @@ -7,6 +7,9 @@ references: author: Florian Roth, Markus Neis, Sander Wiebing date: 2018/08/25 modified: 2022/09/13 +tags: + - attack.persistence + - attack.t1547.001 logsource: category: registry_set product: windows @@ -37,6 +40,3 @@ fields: falsepositives: - Software using weird folders for updates level: high -tags: - - attack.persistence - - attack.t1547.001 diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index b1eb7f852..b1ac2de91 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml 
@@ -1,33 +1,35 @@ title: Suspicious Service Installed id: f2485272-a156-4773-82d7-1d178bc4905b status: test -description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) -author: xknow (@xknow_infosec), xorxes (@xor_xes) +description: | + Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. + Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ +author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 modified: 2022/03/26 -logsource: - category: registry_set - product: windows -detection: - selection_1: - EventType: SetValue - TargetObject: - - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' - selection_2: - Image|endswith: - - '\procexp64.exe' - - '\procexp.exe' - - '\procmon64.exe' - - '\procmon.exe' - selection_3: - Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' - condition: selection_1 and not selection_2 and not selection_3 -falsepositives: - - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. 
-level: medium tags: - - attack.t1562.001 - - attack.defense_evasion + - attack.t1562.001 + - attack.defense_evasion +logsource: + category: registry_set + product: windows +detection: + selection_1: + EventType: SetValue + TargetObject: + - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' + - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' + selection_2: + Image|endswith: + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' + selection_3: + Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' + condition: selection_1 and not selection_2 and not selection_3 +falsepositives: + - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml index e3220eb05..ea77413a4 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml @@ -1,11 +1,15 @@ title: Modify User Shell Folders Startup Value id: 9c226817-8dc9-46c2-a58d-66655aafd7dc -description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup status: experimental -date: 2022/10/01 -author: frack113 +description: Detect modification of the startup key to a path where a payload could be stored to be launched during startup references: - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md +author: frack113 +date: 2022/10/01 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1547.001 logsource: product: windows category: registry_set 
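Review bot: The re-added detection keeps the exclusion blocks named `selection_2` and `selection_3` while the condition negates them, which is inconsistent with the `filter_*` convention the other rules in this series use (for example the printer driver rule earlier in this patch with `condition: selection and not 1 of filter_*`); renaming them to `filter_procexp_image` and `filter_procexp_driver` with `condition: selection_1 and not 1 of filter_*` would make the intent readable at a glance. The falsepositives line moved to the new side also still says `legimate` for `legitimate`.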
@@ -19,7 +23,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1547.001 diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 2813c718e..bc0be2442 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml 
@@ -1,56 +1,56 @@ title: Scheduled TaskCache Change by Uncommon Program id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d -description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental +description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://labs.f-secure.com/blog/scheduled-task-tampering/ +author: Syed Hasan (@syedhasan009) date: 2021/06/18 modified: 2022/10/21 -references: - - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - - https://labs.f-secure.com/blog/scheduled-task-tampering/ -author: Syed Hasan (@syedhasan009) -logsource: - category: registry_set - product: windows -detection: - selection: - EventType: SetValue - TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\' - filter: - TargetObject|contains: - - 'Microsoft\Windows\UpdateOrchestrator' - - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index' - - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index' - filter_tiworker: - Image|startswith: 'C:\Windows\' - Image|endswith: '\TiWorker.exe' - filter_svchost: - Image: 'C:\WINDOWS\system32\svchost.exe' - filter_ngen: - Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\ - Image|endswith: '\ngen.exe' - TargetObject|contains: - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN' - filter_office_click_to_run: - Image: - - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' - - 'C:\Program Files (x86)\Microsoft 
Office\root\Integration\Integrator.exe' - filter_msiexec: - Image: 'C:\Windows\System32\msiexec.exe' - filter_dropbox_updater: - Image: - - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe' - - 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe' - filter_explorer: - Image: 'C:\Windows\explorer.exe' - TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\' - filter_system: - Image: 'System' - condition: selection and not 1 of filter* -falsepositives: - - Unknown -level: high tags: - - attack.persistence - - attack.t1053 - - attack.t1053.005 + - attack.persistence + - attack.t1053 + - attack.t1053.005 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\' + filter: + TargetObject|contains: + - 'Microsoft\Windows\UpdateOrchestrator' + - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index' + - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index' + filter_tiworker: + Image|startswith: 'C:\Windows\' + Image|endswith: '\TiWorker.exe' + filter_svchost: + Image: 'C:\WINDOWS\system32\svchost.exe' + filter_ngen: + Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\ + Image|endswith: '\ngen.exe' + TargetObject|contains: + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN' + filter_office_click_to_run: + Image: + - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe' + filter_msiexec: + Image: 'C:\Windows\System32\msiexec.exe' + filter_dropbox_updater: + Image: + - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe' + - 
'C:\Program Files\Dropbox\Update\DropboxUpdate.exe' + filter_explorer: + Image: 'C:\Windows\explorer.exe' + TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\' + filter_system: + Image: 'System' + condition: selection and not 1 of filter* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml index 25cfce045..dfc509f1a 100644 --- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml 
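Review bot: `filter_tiworker` pairs `Image|startswith: 'C:\Windows\'` with `Image|endswith: '\TiWorker.exe'`, so it excludes a binary of that name from any subdirectory below C:\Windows rather than only the servicing-stack location the legitimate worker runs from; if it is confirmed that TiWorker.exe only executes from the WinSxS servicing directory, adding `Image|contains: '\WinSxS\'` to that filter keeps the exclusion while dropping the other subdirectories. The bare `filter` entry also excludes writes to its three TaskCache paths regardless of the writing process, which is broader than the image-based filters around it and deserves a short comment stating why that is intended. Both points are pre-existing; this commit only reorders the top-level fields.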
@@ -2,30 +2,30 @@ title: Registry Persistence Mechanism via Windows Telemetry id: 73a883d0-0348-4be4-a8d8-51031c2564f8 status: test description: Detects persistence method using windows telemetry -author: Lednyov Alexey, oscd.community references: - - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +author: Lednyov Alexey, oscd.community date: 2020/10/16 modified: 2022/03/26 -logsource: - category: registry_set - product: windows - definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' -detection: - selection: - EventType: SetValue - TargetObject|contains|all: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - - '\Command' - Details|contains: '.exe' - filter: - Details|contains: - - '\system32\CompatTelRunner.exe' - - '\system32\DeviceCensus.exe' - condition: selection and not filter -falsepositives: - - Unknown -level: critical tags: - - attack.persistence - - attack.t1053.005 + - attack.persistence + - attack.t1053.005 +logsource: + category: registry_set + product: windows + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' +detection: + selection: + EventType: SetValue + TargetObject|contains|all: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + - '\Command' + Details|contains: '.exe' + filter: + Details|contains: + - '\system32\CompatTelRunner.exe' + - '\system32\DeviceCensus.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical 
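Review bot: The `definition` line describes the TelemetryController subkey as living in "the HKLU hives", and HKLU is not a Windows registry hive abbreviation, so a reader configuring Sysmon cannot tell which hive to include; the key path given is presumably the HKLM one, which would make it `definition: 'Requirements: Sysmon config that monitors the \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hive'`. Confirm against the Sysmon configuration the rule was written for before changing it, since the intended hive is not visible from the hunk.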
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml index 8d8c3eb24..7e45c4761 100644 --- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml @@ -5,7 +5,6 @@ related: type: similar status: test description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc -author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali references: - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique @@ -14,7 +13,12 @@ references: - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali date: 2022/09/29 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 logsource: category: registry_set product: windows 
@@ -29,7 +33,3 @@ detection: falsepositives: - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) level: medium -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml index f14fc77fe..a7bc5b6ca 100644 --- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml @@ -9,7 +9,6 @@ related: type: similar status: test description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc -author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali references: - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique 
@@ -18,8 +17,13 @@ references: - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali date: 2022/08/06 modified: 2022/09/29 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 logsource: category: registry_set product: windows @@ -57,7 +61,3 @@ detection: falsepositives: - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) level: high -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml index bae0d5932..0db4e4be1 100644 --- a/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml +++ b/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml 
@@ -2,11 +2,17 @@ title: Set TimeProviders DllName id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85 status: experimental description: | - Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. -author: frack113 -date: 2022/06/19 + Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. + Adversaries may abuse time providers to execute DLLs when the system boots. + The Windows Time service (W32Time) enables time synchronization across and within domains. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md +author: frack113 +date: 2022/06/19 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1547.003 logsource: category: registry_set product: windows @@ -21,7 +27,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1547.003 diff --git a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml index 6b453e15e..a7ec76dc0 100644 --- a/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml 
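Review bot: The first line of the new block-scalar description reads "setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\...", stacking two prepositions; suggest `Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.` as the first line. Because the scalar now uses `|`, each sentence keeps its own line break in the rendered description, which reads fine here but also preserves any trailing whitespace on those lines, so they are worth a lint pass.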
@@ -1,12 +1,15 @@ title: COM Hijacking via TreatAs id: dc5c24af-6995-49b2-86eb-a9ff62199e82 -description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command -author: frack113 -date: 2022/08/28 status: experimental +description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s +author: frack113 +date: 2022/08/28 +tags: + - attack.persistence + - attack.t1546.015 logsource: category: registry_set product: windows @@ -28,6 +31,3 @@ detection: falsepositives: - Legitimate use level: medium -tags: - - attack.persistence - - attack.t1546.015 diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml index a8577c8f6..fab13cd6c 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml @@ -8,6 +8,11 @@ references: author: Florian Roth date: 2017/03/19 modified: 2022/03/26 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - car.2019-04-001 logsource: product: windows category: registry_set @@ -19,8 +24,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 - - car.2019-04-001 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml index 8c09aacb7..23c3d9908 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml 
@@ -8,23 +8,23 @@ references: author: Omer Yampel, Christian Burkard date: 2017/03/17 modified: 2022/06/26 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 + - car.2019-04-001 logsource: category: registry_set product: windows detection: selection1: - EventType: SetValue + EventType: SetValue TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand' selection2: - EventType: SetValue + EventType: SetValue TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue' Details|contains: '-1???\Software\Classes\' condition: 1 of selection* falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 - - car.2019-04-001 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml index 120ef0e9b..42cf141ec 100644 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml @@ -1,12 +1,16 @@ title: UAC Bypass Abusing Winsat Path Parsing - Registry id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 +status: experimental description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) +references: + - https://github.com/hfiref0x/UACME author: Christian Burkard date: 2021/08/30 modified: 2022/03/26 -status: experimental -references: - - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 logsource: category: registry_set product: windows @@ -21,7 +25,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 \ No newline at end of file 
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml index 3aab4807b..e51352027 100644 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml @@ -1,12 +1,16 @@ title: UAC Bypass Using Windows Media Player - Registry id: 5f9db380-ea57-4d1e-beab-8a2d33397e93 +status: experimental description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) +references: + - https://github.com/hfiref0x/UACME author: Christian Burkard date: 2021/08/23 modified: 2022/03/26 -status: experimental -references: - - https://github.com/hfiref0x/UACME +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 logsource: category: registry_set product: windows @@ -19,7 +23,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 935988c83..5d8312511 100644 --- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml 
@@ -1,18 +1,21 @@ title: VBScript Payload Stored in Registry id: 46490193-1b22-4c29-bdd6-5bf63907216f -description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental -date: 2021/03/05 -modified: 2022/09/19 -author: Florian Roth +description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ +author: Florian Roth +date: 2021/03/05 +modified: 2022/09/19 +tags: + - attack.persistence + - attack.t1547.001 logsource: category: registry_set product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' Details|contains: - 'vbscript:' @@ -22,7 +25,7 @@ detection: - 'Execute(' - 'CreateObject' - 'window.close' - filter: + filter: TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run' filter_dotnet: Image|endswith: '\msiexec.exe' @@ -36,6 +39,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.t1547.001 diff --git a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml index 3ad28b0d2..d2a31655f 100644 --- a/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml +++ b/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml 
@@ -1,14 +1,17 @@ title: Execution DLL of Choice Using WAB.EXE id: fc014922-5def-4da9-a0fc-28c973f41bfb -description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. status: experimental +description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml - https://twitter.com/Hexacorn/status/991447379864932352 - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +author: oscd.community, Natalia Shornikova date: 2020/10/13 modified: 2022/03/26 -author: oscd.community, Natalia Shornikova +tags: + - attack.defense_evasion + - attack.t1218 logsource: category: registry_set product: windows @@ -22,6 +25,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1218 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml index b04bafc12..d404c2c77 100644 --- a/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml +++ b/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml 
@@ -1,13 +1,16 @@ title: Wdigest Enable UseLogonCredential id: d6a9b252-c666-4de6-8806-5561bbbd3bdc -description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials status: experimental -date: 2019/09/12 -modified: 2022/03/26 -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2019/09/12 +modified: 2022/03/26 +tags: + - attack.defense_evasion + - attack.t1112 logsource: category: registry_set product: windows @@ -15,11 +18,8 @@ detection: selection: EventType: SetValue TargetObject|endswith: 'WDigest\UseLogonCredential' - Details: DWORD (0x00000001) + Details: DWORD (0x00000001) condition: selection falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index d0a413eb6..887e5ad1a 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml 
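Review bot: `Details: DWORD (0x00000001)` is left as an unquoted plain scalar containing a space and parentheses, while every other matched value in this rule and in the sibling rules of this patch is single-quoted; writing it as `Details: 'DWORD (0x00000001)'` keeps the style consistent and protects the value from being re-typed or folded by formatters. The commit re-indents the line but does not quote it.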
@@ -5,15 +5,18 @@ related: type: obsoletes - id: fd115e64-97c7-491f-951c-fc8da7e042fa type: obsoletes +status: experimental description: Detects when attackers or tools disable Windows Defender functionalities via the windows registry -date: 2022/08/01 -author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker -status: experimental +author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali +date: 2022/08/01 +tags: + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows category: registry_set @@ -43,6 +46,3 @@ detection: falsepositives: - Administrator actions level: high -tags: - - attack.defense_evasion - - attack.t1562.001 diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml index 4fb70441a..a8276ee81 100644 --- a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml +++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml 
@@ -1,11 +1,16 @@ title: Winlogon AllowMultipleTSSessions Enable id: f7997770-92c3-4ec9-b112-774c4ef96f96 -description: Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users -author: Nasreddine Bencherchali -date: 2022/09/09 status: experimental +description: | + Detects when the 'AllowMultipleTSSessions' value is enabled. + Which allows for multiple Remote Desktop connection sessions to be opened at once. + This is often used by attacker as a way to connect to an RDP session without disconnecting the other users references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -18,5 +23,3 @@ detection: falsepositives: - Legitmate use of the multi session functionality level: medium -tags: - - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml index 2fb5ed352..04d54b9e7 100644 --- a/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml +++ b/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml 
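Review bot: The new `tags` list carries only the tactic `attack.persistence` with no technique entry, unlike the other rules touched in this patch, which each pair the tactic with a technique id; if one fits this registry change (for example `attack.t1112`, which the Wdigest rule in this patch uses for a comparable registry modification), it should be added so ATT&CK coverage tooling can map the rule. The same applies to the `regsitry_set_natural_language_persistence.yml` hunk later in this patch, which also ends up with `attack.persistence` alone. Separately, the third description line reads "used by attacker as a way", which should be `This is often used by attackers as a way to connect to an RDP session without disconnecting the other users`.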
@@ -1,14 +1,17 @@ title: Winlogon Notify Key Logon Persistence id: bbf59793-6efb-4fa1-95ca-a7d288e52c88 +status: experimental description: | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell author: frack113 date: 2021/12/30 modified: 2022/03/26 -status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell +tags: + - attack.persistence + - attack.t1547.004 logsource: category: registry_set product: windows @@ -21,6 +24,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence - - attack.t1547.004 diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml index cbf17b1ba..6a4ebe975 100644 --- a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml +++ b/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml 
@@ -1,12 +1,14 @@ title: Add DLLPathOverride Entry For Persistence id: a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 -description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process -author: Nasreddine Bencherchali -date: 2022/07/21 status: experimental +description: Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process references: - https://persistence-info.github.io/Data/naturallanguage6.html - https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ +author: Nasreddine Bencherchali +date: 2022/07/21 +tags: + - attack.persistence logsource: category: registry_set product: windows @@ -28,5 +30,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.persistence From a3eed2b760abddfd62014fcf9ae81f435b216473 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 26 Oct 2022 09:42:26 +0200 Subject: [PATCH 13/14] Order yaml field --- .../image_load_abusing_azure_browser_sso.yml | 15 ++- ..._alternate_powershell_hosts_moduleload.yml | 10 +- ...defender_load_dll_from_nondefault_path.yml | 14 +-- .../image_load_in_memory_powershell.yml | 6 +- ...image_load_mimikatz_inmemory_detection.yml | 68 +++++------ .../image_load/image_load_msdt_sdiageng.yml | 12 +- .../image_load_pingback_backdoor.yml | 8 +- ..._load_rundll32_loading_renamed_comsvcs.yml | 4 +- ...cons_imageload_wmi_scripteventconsumer.yml | 12 +- .../image_load_spoolsv_dll_load.yml | 14 +-- .../image_load_susp_advapi32_dll.yml | 52 ++++----- .../image_load/image_load_susp_cmstp.yml | 12 +- .../image_load_susp_dbghelp_dbgcore_load.yml | 13 ++- ...mage_load_susp_dll_load_system_process.yml | 2 +- .../image_load/image_load_susp_fax_dll.yml | 38 +++--- ...d_susp_office_dotnet_assembly_dll_load.yml | 38 +++--- ...e_load_susp_office_dotnet_clr_dll_load.yml | 38 +++--- ...e_load_susp_office_dotnet_gac_dll_load.yml | 38 +++--- ...mage_load_susp_office_dsparse_dll_load.yml | 38 +++--- ...age_load_susp_office_kerberos_dll_load.yml | 38 +++--- .../image_load_susp_python_image_load.yml | 14 +-- ...e_load_susp_script_dotnet_clr_dll_load.yml | 48 ++++---- .../image_load_susp_system_drawing_load.yml | 16 +-- .../image_load_susp_uncommon_image_load.yml | 8 +- .../image_load_susp_vss_ps_load.yml | 6 +- .../image_load_susp_winword_vbadll_load.yml | 44 +++---- ...e_load_svchost_dll_search_order_hijack.yml | 48 ++++---- ...image_load_sysmon_disable_sharpevtmute.yml | 6 +- .../image_load_uac_bypass_iscsicpl.yml | 10 +- .../image_load_uac_bypass_via_dism.yml | 6 +- .../image_load_uipromptforcreds_dlls.yml | 16 +-- ..._load_unsigned_image_loaded_into_lsass.yml | 30 ++--- ...are_xfer_load_dll_from_nondefault_path.yml | 4 +- .../image_load/image_load_wmi_module_load.yml | 13 +-- ...persistence_commandline_event_consumer.yml | 
30 ++--- ...ge_load_wmic_remote_xsl_scripting_dlls.yml | 8 +- .../image_load_wsman_provider_image_load.yml | 26 ++--- .../net_connection_win_binary_github_com.yml | 46 ++++---- .../net_connection_win_binary_susp_com.yml | 8 +- .../net_connection_win_certutil.yml | 2 +- .../net_connection_win_crypto_mining.yml | 12 +- ...net_connection_win_dead_drop_resolvers.yml | 102 ++++++++--------- ...connection_win_dllhost_net_connections.yml | 12 +- .../net_connection_win_eqnedt.yml | 30 ++--- ..._win_excel_outbound_network_connection.yml | 8 +- .../net_connection_win_hh.yml | 4 +- .../net_connection_win_imewdbld.yml | 8 +- ...nnection_win_malware_backconnect_ports.yml | 108 +++++++++--------- .../net_connection_win_mega_nz.yml | 24 ++-- .../net_connection_win_msiexec.yml | 12 +- .../net_connection_win_ngrok_io.yml | 24 ++-- ...nection_win_notepad_network_connection.yml | 12 +- ...tion_win_powershell_network_connection.yml | 4 +- .../net_connection_win_python.yml | 8 +- ...nnection_win_regsvr32_network_activity.yml | 6 +- ..._win_remote_powershell_session_network.yml | 72 ++++++------ ...onnection_win_rundll32_net_connections.yml | 92 +++++++-------- .../net_connection_win_script.yml | 10 +- .../net_connection_win_script_wan.yml | 8 +- ..._silenttrinity_stager_msbuild_activity.yml | 8 +- ..._connection_win_susp_binary_no_cmdline.yml | 46 ++++---- .../net_connection_win_susp_cmstp.yml | 8 +- .../net_connection_win_susp_dropbox_api.yml | 28 ++--- .../net_connection_win_susp_epmap.yml | 6 +- ..._win_susp_outbound_kerberos_connection.yml | 48 ++++---- ...n_win_susp_outbound_mobsync_connection.yml | 12 +- ...ion_win_susp_outbound_smtp_connections.yml | 10 +- ..._susp_prog_location_network_connection.yml | 8 +- .../net_connection_win_susp_rdp.yml | 84 +++++++------- ...nection_win_wuauclt_network_connection.yml | 32 +++--- ...c_access_win_cmstp_execution_by_access.yml | 24 ++-- ...proc_access_win_cred_dump_lsass_access.yml | 7 +- ...ccess_win_direct_syscall_ntopenprocess.yml | 8 +- 
.../proc_access_win_hack_sysmonente.yml | 44 +++---- ...roc_access_win_handlekatz_lsass_access.yml | 12 +- ...ccess_win_in_memory_assembly_execution.yml | 28 +++-- .../proc_access_win_invoke_phantom.yml | 6 +- ...ess_win_lazagne_cred_dump_lsass_access.yml | 14 +-- ...ss_win_littlecorporal_generated_maldoc.yml | 10 +- ...ndocumented_autoelevated_com_interface.yml | 44 +++---- .../proc_access_win_lsass_memdump.yml | 6 +- .../proc_access_win_lsass_memdump_evasion.yml | 2 +- ...oc_access_win_lsass_memdump_indicators.yml | 2 +- ..._access_win_malware_verclsid_shellcode.yml | 48 ++++---- .../proc_access_win_mimikatz_trough_winrm.yml | 18 +-- ...proc_access_win_rare_proc_access_lsass.yml | 10 +- ...proc_access_win_susp_proc_access_lsass.yml | 10 +- ...win_susp_proc_access_lsass_susp_source.yml | 6 +- .../process_access_win_susp_seclogon.yml | 8 +- 89 files changed, 1014 insertions(+), 998 deletions(-) diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml index af9ca8c56..d7c7b4b0c 100644 --- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml +++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml 
@@ -1,19 +1,22 @@
 title: Abusing Azure Browser SSO
 id: 50f852e6-af22-4c78-9ede-42ef36aa3453
-description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
-author: Den Iuzvyk
+status: test
+description: |
+ Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)
+ wanting to perform SSO authentication in the browser.
+ An attacker can use this to authenticate to Azure AD in a browser as that user.
 references:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
+author: Den Iuzvyk
 date: 2020/07/15
 modified: 2022/10/21
-logsource:
- category: image_load
- product: windows
-status: test
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
 - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
 detection:
 selection_dll:
 ImageLoaded|endswith: 'MicrosoftAccountTokenProvider.dll'
diff --git a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
index ddd6e5490..457f311b0 100644
--- a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml
@@ -1,15 +1,15 @@
 title: Alternate PowerShell Hosts
 id: fe6e002f-f244-4278-9263-20e4b593827f
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: experimental
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2019/09/12
 modified: 2022/02/21
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.execution
 - attack.t1059.001
-references:
- - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html
 logsource:
 product: windows
 category: image_load
@@ -29,4 +29,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: low
\ No newline at end of file
+level: low
diff --git a/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml b/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml
index 874355424..ab39de622 100644
--- a/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml
+++ b/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml
@@ -2,11 +2,11 @@ title: Microsoft Defender Loading DLL from Nondefault Path
 id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
 status: experimental
 description: Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL
+references:
+ - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/02
 modified: 2022/08/17
-references:
- - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 tags:
 - attack.defense_evasion
 - attack.t1574.002
@@ -16,14 +16,14 @@ logsource:
 detection:
 selection:
 Image|endswith:
- - '\MpCmdRun.exe'
- - '\NisSrv.exe'
+ - '\MpCmdRun.exe'
+ - '\NisSrv.exe'
 ImageLoaded|endswith: '\mpclient.dll'
 filter:
 ImageLoaded|startswith:
- - 'C:\Program Files\Windows Defender\'
- - 'C:\Program Files (x86)\Windows Defender\'
- - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ - 'C:\Program Files\Windows Defender\'
+ - 'C:\Program Files (x86)\Windows Defender\'
+ - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
 condition: selection and not filter
 falsepositives:
 - Very unlikely
diff --git a/rules/windows/image_load/image_load_in_memory_powershell.yml b/rules/windows/image_load/image_load_in_memory_powershell.yml
index 2eed58f5a..e6b359d2a 100755
--- a/rules/windows/image_load/image_load_in_memory_powershell.yml
+++ b/rules/windows/image_load/image_load_in_memory_powershell.yml
@@ -5,12 +5,12 @@ related:
 type: obsoletes
 status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
-author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
-date: 2019/11/14
-modified: 2022/10/10
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
+author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
+date: 2019/11/14
+modified: 2022/10/10
 tags:
 - attack.t1059.001
 - attack.execution
diff --git a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
index 0b70fe7d7..3989ccd8a 100755
--- a/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml
@@ -2,41 +2,41 @@ title: Mimikatz In-Memory
 id: c0478ead-5336-46c2-bd5e-b4c84bc3a36e
 status: test
 description: Detects certain DLL loads when Mimikatz gets executed
-author: sigma
 references:
- - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+ - https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
+author: sigma
 date: 2017/03/13
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selector:
- Image: 'C:\Windows\System32\rundll32.exe'
- dllload1:
- ImageLoaded|endswith: '\vaultcli.dll'
- dllload2:
- ImageLoaded|endswith: '\wlanapi.dll'
- exclusion:
- ImageLoaded:
- - 'ntdsapi.dll'
- - 'netapi32.dll'
- - 'imm32.dll'
- - 'samlib.dll'
- - 'combase.dll'
- - 'srvcli.dll'
- - 'shcore.dll'
- - 'ntasn1.dll'
- - 'cryptdll.dll'
- - 'logoncli.dll'
- timeframe: 30s
- condition: selector | near dllload1 and dllload2 and not exclusion
-falsepositives:
- - Unknown
-level: medium
 tags:
- - attack.s0002
- - attack.t1003
- - attack.lateral_movement
- - attack.credential_access
- - car.2019-04-004
+ - attack.s0002
+ - attack.t1003
+ - attack.lateral_movement
+ - attack.credential_access
+ - car.2019-04-004
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selector:
+ Image: 'C:\Windows\System32\rundll32.exe'
+ dllload1:
+ ImageLoaded|endswith: '\vaultcli.dll'
+ dllload2:
+ ImageLoaded|endswith: '\wlanapi.dll'
+ exclusion:
+ ImageLoaded:
+ - 'ntdsapi.dll'
+ - 'netapi32.dll'
+ - 'imm32.dll'
+ - 'samlib.dll'
+ - 'combase.dll'
+ - 'srvcli.dll'
+ - 'shcore.dll'
+ - 'ntasn1.dll'
+ - 'cryptdll.dll'
+ - 'logoncli.dll'
+ timeframe: 30s
+ condition: selector | near dllload1 and dllload2 and not exclusion
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_msdt_sdiageng.yml b/rules/windows/image_load/image_load_msdt_sdiageng.yml
index dbcb49246..aa861e40a 100644
--- a/rules/windows/image_load/image_load_msdt_sdiageng.yml
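Review bot: The moved `exclusion` block compares `ImageLoaded` against bare file names (`'ntdsapi.dll'`, `'netapi32.dll'`, …) with a plain exact match, whereas `dllload1` and `dllload2` in the same detection use `|endswith` on a backslash-prefixed name. If the backend records `ImageLoaded` as a full path, as the `Image: 'C:\Windows\System32\rundll32.exe'` value suggests, the exclusion can never match and `and not exclusion` in the condition is a no-op. Switching to `ImageLoaded|endswith:` with `\`-prefixed values makes the exclusion behave as the condition intends; the reorder in this hunk leaves the logic untouched, so this is pre-existing but now on the new side.
```yaml
# … unchanged: selector, dllload1, dllload2 …
 exclusion:
   ImageLoaded|endswith:
     - '\ntdsapi.dll'
     - '\netapi32.dll'
     - '\imm32.dll'
     - '\samlib.dll'
     - '\combase.dll'
     - '\srvcli.dll'
     - '\shcore.dll'
     - '\ntasn1.dll'
     - '\cryptdll.dll'
     - '\logoncli.dll'
# … unchanged: timeframe, condition …
```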
+++ b/rules/windows/image_load/image_load_msdt_sdiageng.yml
@@ -1,11 +1,15 @@
 title: MSDT.exe Loading Diagnostic Library
 id: ec8c4047-fad9-416a-8c81-0f479353d7f6
 status: experimental
-description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
-author: Greg (rule)
+description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
 references:
 - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
+author: Greg (rule)
 date: 2022/06/17
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+ - cve.2022.30190
 logsource:
 category: image_load
 product: windows
@@ -17,7 +21,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1202
- - cve.2022.30190
diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml
index 75f0206d0..7b8c90b68 100644
--- a/rules/windows/image_load/image_load_pingback_backdoor.yml
+++ b/rules/windows/image_load/image_load_pingback_backdoor.yml
@@ -2,12 +2,12 @@ title: Pingback Backdoor
 id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
 status: experimental
 description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
-author: Bhabesh Raj
-date: 2021/05/05
-modified: 2022/08/14
 references:
 - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
 - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
+author: Bhabesh Raj
+date: 2021/05/05
+modified: 2022/08/14
 tags:
 - attack.persistence
 - attack.t1574.001
@@ -21,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Very unlikely
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
index 8c30f6338..80f0880dd 100644
--- a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
+++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
@@ -2,10 +2,10 @@ title: Rundll32 Loading Renamed Comsvcs DLL
 id: 8cde342c-ba48-4b74-b615-172c330f2e93
 status: experimental
 description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
-author: Nasreddine Bencherchali
-date: 2022/08/14
 references:
 - https://twitter.com/sbousseaden/status/1555200155351228419
+author: Nasreddine Bencherchali
+date: 2022/08/14
 tags:
 - attack.credential_access
 - attack.defense_evasion
diff --git a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml
index c6d8763f3..0449c7eb6 100644
--- a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml
+++ b/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml
@@ -2,13 +2,18 @@ title: WMI Script Host Process Image Loaded
 id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
 status: test
 description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 references:
 - https://twitter.com/HunterPlaybook/status/1301207718355759107
 - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
 - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/09/02
 modified: 2022/10/11
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
 logsource:
 category: image_load
 product: windows
@@ -25,8 +30,3 @@ falsepositives:
 - Legitimate event consumers
 - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
 level: medium
-tags:
- - attack.lateral_movement
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1546.003
diff --git a/rules/windows/image_load/image_load_spoolsv_dll_load.yml b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
index 9d3a83290..be10dcbeb 100644
--- a/rules/windows/image_load/image_load_spoolsv_dll_load.yml
+++ b/rules/windows/image_load/image_load_spoolsv_dll_load.yml
@@ -8,6 +8,13 @@ references:
 author: FPT.EagleEye, Thomas Patzke (improvements)
 date: 2021/06/29
 modified: 2022/06/02
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574
+ - cve.2021.1675
+ - cve.2021.34527
 logsource:
 category: image_load
 product: windows
@@ -22,10 +29,3 @@ detection:
 falsepositives:
 - Loading of legitimate driver
 level: informational
-tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1574
- - cve.2021.1675
- - cve.2021.34527
\ No newline at end of file
diff --git a/rules/windows/image_load/image_load_susp_advapi32_dll.yml b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
index 4aafc2f71..861150931 100644
--- a/rules/windows/image_load/image_load_susp_advapi32_dll.yml
+++ b/rules/windows/image_load/image_load_susp_advapi32_dll.yml
@@ -2,33 +2,33 @@ title: Suspicious Load of Advapi31.dll
 id: d813d662-785b-42ca-8b4a-f7457d78d5a9
 status: experimental
 description: Detects the load of advapi31.dll by a process running in an uncommon folder
-author: frack113
 references:
- - https://github.com/hlldz/Phant0m
+ - https://github.com/hlldz/Phant0m
+author: frack113
 date: 2022/02/03
 modified: 2022/02/11
-logsource:
- product: windows
- category: image_load
-detection:
- selection:
- ImageLoaded|endswith: '\advapi32.dll'
- filter_common:
- Image|startswith:
- - 'C:\Windows\'
- - 'C:\Program Files (x86)\'
- - 'C:\Program Files\'
- filter_defender:
- Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'
- Image|endswith: '\MpCmdRun.exe'
- filter_onedrive:
- Image|startswith: 'C:\Users\'
- Image|contains: '\AppData\Local\Microsoft\OneDrive\'
- Image|endswith: 'FileCoAuth.exe'
- condition: selection and not 1 of filter_*
-falsepositives:
- - Unknown
-level: informational
 tags:
- - attack.defense_evasion
- - attack.t1070
+ - attack.defense_evasion
+ - attack.t1070
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ ImageLoaded|endswith: '\advapi32.dll'
+ filter_common:
+ Image|startswith:
+ - 'C:\Windows\'
+ - 'C:\Program Files (x86)\'
+ - 'C:\Program Files\'
+ filter_defender:
+ Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'
+ Image|endswith: '\MpCmdRun.exe'
+ filter_onedrive:
+ Image|startswith: 'C:\Users\'
+ Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+ Image|endswith: 'FileCoAuth.exe'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: informational
diff --git a/rules/windows/image_load/image_load_susp_cmstp.yml b/rules/windows/image_load/image_load_susp_cmstp.yml
index 6c5dea61b..b7784af32 100644
--- a/rules/windows/image_load/image_load_susp_cmstp.yml
+++ b/rules/windows/image_load/image_load_susp_cmstp.yml
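Review bot: The title `Suspicious Load of Advapi31.dll` and the description's `advapi31.dll` name a DLL that does not match what the selection looks for, `ImageLoaded|endswith: '\advapi32.dll'`; both should read `Advapi32.dll` / `advapi32.dll` so the rule's metadata describes its own logic. In the moved `filter_onedrive` block, `Image|endswith: 'FileCoAuth.exe'` is the only `|endswith` value in this rule without a leading backslash (compare `'\MpCmdRun.exe'` two lines above); `Image|endswith: '\FileCoAuth.exe'` anchors it to the file name. The commit only reorders the metadata here, so neither line is changed by it, but both are on the new side.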
@@ -2,13 +2,16 @@ title: Cmstp Suspicious DLL Load
 id: 75e508f7-932d-4ebc-af77-269237a84ce1
 status: experimental
 description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
-author: Nasreddine Bencherchali
 references:
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
+author: Nasreddine Bencherchali
 date: 2022/08/30
+tags:
+ - attack.defense_evasion
+ - attack.t1218.003
 logsource:
- category: image_load
- product: windows
+ category: image_load
+ product: windows
 detection:
 selection:
 ImageLoaded|contains:
@@ -25,6 +28,3 @@ detection:
 falsepositives:
 - Unikely
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1218.003
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index 2ff0422cc..bc7467c9c 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
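Review bot: The second hunk carries the `falsepositives` entry `- Unikely` through as context; it should read `- Unlikely`, the wording the other rules in this commit use (`- Unlikely`, `- Very unlikely`). Since this commit already touches the file's metadata layout, fixing the typo in the same change avoids another metadata-only commit. The rest of the hunk only moves `author`/`tags` and reindents `logsource`.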
@@ -1,14 +1,20 @@
 title: Load of dbghelp/dbgcore DLL from Suspicious Process
 id: 0e277796-5f23-4e49-a490-483131d4f6e1
 status: test
-description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-author: Perez Diego (@darkquassar), oscd.community, Ecco
+description: |
+ Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
+ Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
+ As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
 - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+author: Perez Diego (@darkquassar), oscd.community, Ecco
 date: 2019/10/27
 modified: 2022/09/15
+tags:
+ - attack.credential_access
+ - attack.t1003.001
 logsource:
 category: image_load
 product: windows
@@ -66,6 +72,3 @@ fields:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.credential_access
- - attack.t1003.001
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index bd92a5672..38f4572c2 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
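Review bot: Two spelling errors are carried into the newly written `description: |` block: `tradecract` should be `tradecraft`, and `SilentTrynity` should be `SilentTrinity` (the project spells its name SILENTTRINITY). Since the commit already rewrites these lines as a block scalar, this is the natural place to correct them; the corrected second and third lines would read `Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.` and `As an example, SilentTrinity C2 Framework has a module that leverages this API …`. The second hunk only removes the duplicated `tags` block and needs nothing further.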
@@ -2,9 +2,9 @@ title: DLL Load By System Process From Suspicious Locations
 id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
 status: experimental
 description: Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%
-author: Nasreddine Bencherchali
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
+author: Nasreddine Bencherchali
 date: 2022/07/17
 modified: 2022/10/12
 tags:
diff --git a/rules/windows/image_load/image_load_susp_fax_dll.yml b/rules/windows/image_load/image_load_susp_fax_dll.yml
index 02d9c099c..f5055f218 100644
--- a/rules/windows/image_load/image_load_susp_fax_dll.yml
+++ b/rules/windows/image_load/image_load_susp_fax_dll.yml
@@ -2,26 +2,26 @@ title: Fax Service DLL Search Order Hijack
 id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
 status: test
 description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
-author: NVISO
 references:
- - https://windows-internals.com/faxing-your-way-to-system/
+ - https://windows-internals.com/faxing-your-way-to-system/
+author: NVISO
 date: 2020/05/04
 modified: 2022/06/02
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith: '\fxssvc.exe'
- ImageLoaded|endswith: 'ualapi.dll'
- filter:
- ImageLoaded|startswith: 'C:\Windows\WinSxS\'
- condition: selection and not filter
-falsepositives:
- - Unlikely
-level: high
 tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.t1574.001
- - attack.t1574.002
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\fxssvc.exe'
+ ImageLoaded|endswith: 'ualapi.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Windows\WinSxS\'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
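Review bot: In the moved fax-service selection, `ImageLoaded|endswith: 'ualapi.dll'` has no leading backslash, so it also matches any image whose name merely ends in those characters (a constructed example: `xualapi.dll`), whereas the sibling `Image|endswith: '\fxssvc.exe'` and the other rules in this commit anchor the name with `\`. `ImageLoaded|endswith: '\ualapi.dll'` restricts the match to the exact file name the description talks about. The detection logic is otherwise unchanged by the reorder, so this is pre-existing, but the line is on the new side.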
diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml
index 39d6afed7..470a46f9a 100755
--- a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml
@@ -2,26 +2,26 @@ title: dotNET DLL Loaded Via Office Applications
 id: ff0f2b05-09db-4095-b96d-1b75ca24894a
 status: test
 description: Detects any assembly DLL being loaded by an Office Product
-author: Antonlovesdnb
 references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
 date: 2020/02/19
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|startswith: 'C:\Windows\assembly\'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
 tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith: 'C:\Windows\assembly\'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
index 6c721153a..94fae3bad 100755
--- a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
@@ -2,26 +2,26 @@ title: CLR DLL Loaded Via Office Applications
 id: d13c43f0-f66b-4279-8b2c-5912077c1780
 status: test
 description: Detects CLR DLL being loaded by an Office Product
-author: Antonlovesdnb
 references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
 date: 2020/02/19
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|contains: '\clr.dll'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
 tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains: '\clr.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml
index 4fb4fd360..7e12c6c15 100755
--- a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml
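Review bot: `ImageLoaded|contains: '\clr.dll'` in the moved selection matches the substring anywhere in the path rather than the loaded module's file name, while the scripting-host counterpart in this same commit (`image_load_susp_script_dotnet_clr_dll_load.yml`) uses `ImageLoaded|endswith: '\clr.dll'` for the same DLL. `ImageLoaded|endswith: '\clr.dll'` here would be both tighter and consistent across the two rules. The dsparse rule's `ImageLoaded|contains: '\dsparse.dll'` in `image_load_susp_office_dsparse_dll_load.yml` has the same shape; both lines are moved rather than changed by this commit, but they are on the new side.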
@@ -2,26 +2,26 @@ title: GAC DLL Loaded Via Office Applications
 id: 90217a70-13fc-48e4-b3db-0d836c5824ac
 status: test
 description: Detects any GAC DLL being loaded by an Office Product
-author: Antonlovesdnb
 references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
 date: 2020/02/19
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
 tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml
index adcd6b0ab..3d5053f90 100755
--- a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml
@@ -2,26 +2,26 @@ title: Active Directory Parsing DLL Loaded Via Office Applications
 id: a2a3b925-7bb0-433b-b508-db9003263cc4
 status: test
 description: Detects DSParse DLL being loaded by an Office Product
-author: Antonlovesdnb
 references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
 date: 2020/02/19
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|contains: '\dsparse.dll'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
 tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains: '\dsparse.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml
index dd54239f2..96e87f71a 100755
--- a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml
@@ -2,26 +2,26 @@ title: Active Directory Kerberos DLL Loaded Via Office Applications
 id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
 status: test
 description: Detects Kerberos DLL being loaded by an Office Product
-author: Antonlovesdnb
 references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
 date: 2020/02/19
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|endswith: '\kerberos.dll'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
 tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith: '\kerberos.dll'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 9b071a802..0636f0e5d 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -1,16 +1,16 @@
 title: Python Py2Exe Image Load
 id: cbb56d62-4060-40f7-9466-d8aaf3123f83
-description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
 status: experimental
-date: 2020/05/03
-modified: 2022/09/21
-author: Patrick St. John, OTR (Open Threat Research)
-tags:
- - attack.defense_evasion
- - attack.t1027.002
+description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
 references:
 - https://www.py2exe.org/
 - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+author: Patrick St. John, OTR (Open Threat Research)
+date: 2020/05/03
+modified: 2022/09/21
+tags:
+ - attack.defense_evasion
+ - attack.t1027.002
 logsource:
 product: windows
 category: image_load
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index fb56bfbfd..1ed3bffe5 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -2,31 +2,31 @@ title: CLR DLL Loaded Via Scripting Applications
 id: 4508a70e-97ef-4300-b62b-ff27992990ea
 status: test
 description: Detects CLR DLL being loaded by an scripting applications
-author: omkar72, oscd.community
 references:
- - https://github.com/tyranid/DotNetToJScript
- - https://thewover.github.io/Introducing-Donut/
- - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+ - https://github.com/tyranid/DotNetToJScript
+ - https://thewover.github.io/Introducing-Donut/
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+author: omkar72, oscd.community
 date: 2020/10/14
 modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\wscript.exe'
- - '\cscript.exe'
- - '\mshta.exe'
- ImageLoaded|endswith:
- - '\clr.dll'
- - '\mscoree.dll'
- - '\mscorlib.dll'
- condition: selection
-falsepositives:
- - Unknown
-level: high
 tags:
- - attack.execution
- - attack.privilege_escalation
- - attack.t1055
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ ImageLoaded|endswith:
+ - '\clr.dll'
+ - '\mscoree.dll'
+ - '\mscorlib.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
index 01d5c3647..9120e4f7a 100644
--- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
@@ -1,16 +1,16 @@
 title: Suspicious System.Drawing Load
 id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
 status: experimental
-date: 2020/05/02
-modified: 2022/08/13
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.collection
- - attack.t1113
+description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2022/08/13
+tags:
+ - attack.collection
+ - attack.t1113
 logsource:
 product: windows
 category: image_load
@@ -36,4 +36,4 @@ detection:
 condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
-level: low # too many false positives
\ No newline at end of file
+level: low
diff --git a/rules/windows/image_load/image_load_susp_uncommon_image_load.yml b/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
index b2aa2e1e8..488c84bcd 100644
--- a/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
@@ -2,11 +2,14 @@ title: Possible Process Hollowing Image Loading
 id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
 status: test
 description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
-author: Markus Neis
 references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+author: Markus Neis
 date: 2018/01/07
 modified: 2021/11/27
+tags:
+ - attack.defense_evasion
+ - attack.t1574.002
 logsource:
 category: image_load
 product: windows
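Review bot: The second hunk of the System.Drawing rule replaces `level: low # too many false positives` with `level: low`, dropping the only recorded reason this rule is rated low while `falsepositives` still says just `- Unknown`. The newline-at-EOF fix does not need the comment removed; keeping `level: low # too many false positives`, or moving the rationale into a `falsepositives` entry that describes the noise, preserves the information for whoever tunes the rule next. The hunk's other change, the metadata reorder at the top of the file, is fine.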
@@ -20,6 +23,3 @@ detection:
falsepositives:
- Very likely, needs more tuning
level: high
-tags:
- - attack.defense_evasion
- - attack.t1574.002
diff --git a/rules/windows/image_load/image_load_susp_vss_ps_load.yml b/rules/windows/image_load/image_load_susp_vss_ps_load.yml
index 8642c1ca1..29019948c 100644
--- a/rules/windows/image_load/image_load_susp_vss_ps_load.yml
+++ b/rules/windows/image_load/image_load_susp_vss_ps_load.yml
@@ -2,12 +2,12 @@ title: Image Load of VSS_PS.dll by Uncommon Executable
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
status: experimental
description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
-author: Markus Neis, @markus_neis
-date: 2021/07/07
-modified: 2022/07/27
references:
- 1bd85e1caa1415ebdc8852c91e37bbb7
- https://twitter.com/am0nsec/status/1412232114980982787
+author: Markus Neis, @markus_neis
+date: 2021/07/07
+modified: 2022/07/27
tags:
- attack.defense_evasion
- attack.impact
diff --git a/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml b/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
index 5b31fa62a..7921423c7 100755
--- a/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml
@@ -2,29 +2,29 @@ title: VBA DLL Loaded Via Microsoft Word
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects DLL's Loaded Via Word Containing VBA Macros
-author: Antonlovesdnb
references:
- - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
date: 2020/02/19
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\winword.exe'
- - '\powerpnt.exe'
- - '\excel.exe'
- - '\outlook.exe'
- ImageLoaded|endswith:
- - '\VBE7.DLL'
- - '\VBEUI.DLL'
- - '\VBE7INTL.DLL'
- condition: selection
-falsepositives:
- - Alerts on legitimate macro usage as well, will need to filter as appropriate
-level: high
tags:
- - attack.execution
- - attack.t1204.002
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\VBE7.DLL'
+ - '\VBEUI.DLL'
+ - '\VBE7INTL.DLL'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
diff --git a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
index 626eb21ae..f20d30c40 100755
--- a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml
@@ -1,30 +1,32 @@
title: Svchost DLL Search Order Hijack
id: 602a1f13-c640-4d73-b053-be9a2fa58b77
status: test
-description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
-author: SBousseaden
+description: |
+ IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default.
+ An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine.
references:
- - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: SBousseaden
date: 2019/10/28
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith: '\svchost.exe'
- ImageLoaded|endswith:
- - '\tsmsisrv.dll'
- - '\tsvipsrv.dll'
- - '\wlbsctrl.dll'
- filter:
- ImageLoaded|startswith: 'C:\Windows\WinSxS\'
- condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.persistence
- - attack.defense_evasion
- - attack.t1574.002
- - attack.t1574.001
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574.002
+ - attack.t1574.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\svchost.exe'
+ ImageLoaded|endswith:
+ - '\tsmsisrv.dll'
+ - '\tsvipsrv.dll'
+ - '\wlbsctrl.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Windows\WinSxS\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
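Review bot: The rewrite of the description in image_load_svchost_dll_search_order_hijack.yml to `description: |` changes the value, not just its layout: the literal block keeps the line break between the two sentences and adds a trailing newline, whereas the removed line was a single string. If the intent is only to wrap the long line for readability, `description: >-` reproduces the previous single-line value exactly (lines folded with a space, no trailing newline). The same choice is made for the Excel Network Connections description later in this diff, which would benefit from the same `>-` header.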
diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
index e9f0a45d6..86f8dca1f 100644
--- a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
+++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml
@@ -4,11 +4,11 @@ status: experimental
description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs
references:
- https://github.com/bats3c/EvtMute
-tags:
- - attack.defense_evasion
- - attack.t1562.002
author: Florian Roth
date: 2022/09/07
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
logsource:
category: image_load
product: windows
diff --git a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
index 0a263546e..067d4917e 100644
--- a/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml
@@ -2,12 +2,16 @@ title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: experimental
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
-author: Nasreddine Bencherchali
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
- https://twitter.com/wdormann/status/1547583317410607110
+author: Nasreddine Bencherchali
date: 2022/07/17
modified: 2022/07/25
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
logsource:
product: windows
category: image_load
@@ -23,7 +27,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
index 595d310d5..825906ff5 100644
--- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
+++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml
@@ -4,15 +4,15 @@ status: experimental
description: Attempts to load dismcore.dll after dropping it
references:
- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+modified: 2021/11/23
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
- attack.t1574.002
-author: oscd.community, Dmitry Uchakin
-date: 2020/10/06
-modified: 2021/11/23
logsource:
category: image_load
product: windows
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
index ddd33eaa7..5c636e5d3 100644
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -1,18 +1,18 @@
title: UIPromptForCredentials DLLs
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
-description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
status: experimental
-date: 2020/10/20
-modified: 2022/10/24
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.credential_access
- - attack.collection
- - attack.t1056.002
+description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
references:
- https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/10/20
+modified: 2022/10/24
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
logsource:
category: image_load
product: windows
diff --git a/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml b/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml
index 831d31022..41e5508b0 100755
--- a/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml
+++ b/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml
@@ -2,22 +2,22 @@ title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
-author: Teymur Kheirkhabarov, oscd.community
references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
date: 2019/10/22
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image|endswith: '\lsass.exe'
- Signed: 'false'
- condition: selection
-falsepositives:
- - Valid user connecting using RDP
-level: medium
tags:
- - attack.credential_access
- - attack.t1003.001
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\lsass.exe'
+ Signed: 'false'
+ condition: selection
+falsepositives:
+ - Valid user connecting using RDP
+level: medium
diff --git a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
index ad050897f..ce9aae974 100644
--- a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
+++ b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
@@ -2,10 +2,10 @@ title: VMware Xfer Loading DLL from Nondefault Path
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: experimental
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
-author: Nasreddine Bencherchali
-date: 2022/08/02
references:
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
+author: Nasreddine Bencherchali
+date: 2022/08/02
tags:
- attack.defense_evasion
- attack.t1574.002
diff --git a/rules/windows/image_load/image_load_wmi_module_load.yml b/rules/windows/image_load/image_load_wmi_module_load.yml
index 971fdb340..c2023cc84 100755
--- a/rules/windows/image_load/image_load_wmi_module_load.yml
+++ b/rules/windows/image_load/image_load_wmi_module_load.yml
@@ -1,12 +1,12 @@
title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
-description: Detects non wmiprvse loading WMI modules
status: experimental
-date: 2019/08/10
-modified: 2022/01/12
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects non wmiprvse loading WMI modules
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+modified: 2022/01/12
tags:
- attack.execution
- attack.t1047
@@ -14,7 +14,7 @@ logsource:
category: image_load
product: windows
detection:
- selection:
+ selection:
ImageLoaded|endswith:
- '\wmiclnt.dll'
- '\WmiApRpl.dll'
@@ -62,5 +62,4 @@ fields:
- ImageLoaded
falsepositives:
- Unknown
-level: informational # too many false positives
-
+level: informational
diff --git a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
index f0a9711a8..112e85ffe 100755
--- a/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
+++ b/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml
@@ -2,22 +2,22 @@ title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
-author: Thomas Patzke
references:
- - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+ - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
+author: Thomas Patzke
date: 2018/03/07
modified: 2021/11/27
-logsource:
- category: image_load
- product: windows
-detection:
- selection:
- Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- ImageLoaded|endswith: '\wbemcons.dll'
- condition: selection
-falsepositives:
- - Unknown (data set is too small; further testing needed)
-level: high
tags:
- - attack.t1546.003
- - attack.persistence
+ - attack.t1546.003
+ - attack.persistence
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
+ ImageLoaded|endswith: '\wbemcons.dll'
+ condition: selection
+falsepositives:
+ - Unknown (data set is too small; further testing needed)
+level: high
diff --git a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
index fdb4d5c9a..dc780560f 100644
--- a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
+++ b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
@@ -2,13 +2,16 @@ title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
status: test
description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/17
modified: 2022/10/13
+tags:
+ - attack.defense_evasion
+ - attack.t1220
logsource:
category: image_load
product: windows
@@ -24,6 +27,3 @@ falsepositives:
- The command wmic os get locale loads vbscript.dll
- Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1220
diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
index f7401507d..c70918dc6 100644
--- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml
+++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml
@@ -1,20 +1,20 @@
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
-description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
status: experimental
-date: 2020/06/24
-modified: 2022/10/07
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.execution
- - attack.t1059.001
- - attack.lateral_movement
- - attack.t1021.003
+description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
- https://github.com/bohops/WSMan-WinRM
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/06/24
+modified: 2022/10/07
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
logsource:
category: image_load
product: windows
@@ -32,23 +32,23 @@ detection: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' filter_general: - Image|endswith: + Image|endswith: - '\powershell.exe' - 'C:\Windows\System32\sdiagnhost.exe' - 'C:\Windows\System32\services.exe' filter_svchost: # not available in Sysmon data, but Aurora logs - CommandLine|contains: + CommandLine|contains: - 'svchost.exe -k netsvcs -p -s BITS' - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' - 'svchost.exe -k NetworkService -p -s Wecsvc' - 'svchost.exe -k netsvcs' filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe - Image|startswith: + Image|startswith: - 'C:\Windows\Microsoft.NET\Framework64\v' - 'C:\Windows\Microsoft.NET\Framework\v' Image|endswith: '\mscorsvw.exe' filter_svr_2019: - Image: + Image: - 'C:\Windows\System32\Configure-SMRemoting.exe' - 'C:\Windows\System32\ServerManager.exe' filter_nextron: diff --git a/rules/windows/network_connection/net_connection_win_binary_github_com.yml b/rules/windows/network_connection/net_connection_win_binary_github_com.yml index 25cb76e05..4014699fc 100755 --- a/rules/windows/network_connection/net_connection_win_binary_github_com.yml +++ b/rules/windows/network_connection/net_connection_win_binary_github_com.yml 
@@ -2,30 +2,30 @@ title: Microsoft Binary Github Communication
id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
status: test
description: Detects an executable in the Windows folder accessing github.com
-author: Michael Haag (idea), Florian Roth (rule)
references:
- - https://twitter.com/M_haggis/status/900741347035889665
- - https://twitter.com/M_haggis/status/1032799638213066752
- - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+ - https://twitter.com/M_haggis/status/900741347035889665
+ - https://twitter.com/M_haggis/status/1032799638213066752
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+author: Michael Haag (idea), Florian Roth (rule)
date: 2017/08/24
modified: 2021/11/27
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - '.github.com'
- - '.githubusercontent.com'
- Image|startswith: 'C:\Windows\'
- condition: selection
-falsepositives:
- - Unknown
- - '@subTee in your network'
-level: high
tags:
- - attack.lateral_movement
- - attack.t1105
- - attack.exfiltration
- - attack.t1567.001
+ - attack.lateral_movement
+ - attack.t1105
+ - attack.exfiltration
+ - attack.t1567.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - '.github.com'
+ - '.githubusercontent.com'
+ Image|startswith: 'C:\Windows\'
+ condition: selection
+falsepositives:
+ - Unknown
+ - '@subTee in your network'
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
index a2fe99fe6..0a98c4d82 100755
--- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
@@ -2,13 +2,16 @@ title: Microsoft Binary Suspicious Communication Endpoint
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
status: test
description: Detects an executable in the Windows folder accessing suspicious domains
-author: Florian Roth
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
+author: Florian Roth
date: 2018/08/30
modified: 2022/08/09
+tags:
+ - attack.lateral_movement
+ - attack.t1105
logsource:
category: network_connection
product: windows
@@ -37,6 +40,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.lateral_movement
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
index e27328c5d..ac97ef262 100644
--- a/rules/windows/network_connection/net_connection_win_certutil.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil.yml
@@ -2,9 +2,9 @@ title: Certutil Initiated Connection
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: experimental
description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.
-author: frack113, Florian Roth
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+author: frack113, Florian Roth
date: 2022/09/02
modified: 2022/10/04
tags:
diff --git a/rules/windows/network_connection/net_connection_win_crypto_mining.yml b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
index 10fbd6fe1..e45637de6 100644
--- a/rules/windows/network_connection/net_connection_win_crypto_mining.yml
+++ b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
@@ -3,15 +3,18 @@ id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
- - https://www.poolwatch.io/coin/monero
-date: 2021/10/26
+ - https://www.poolwatch.io/coin/monero
author: Florian Roth
+date: 2021/10/26
+tags:
+ - attack.impact
+ - attack.t1496
logsource:
category: network_connection
product: windows
detection:
selection:
- DestinationHostname:
+ DestinationHostname:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
@@ -38,6 +41,3 @@ detection:
falsepositives:
- Legitimate use of crypto miners
level: high
-tags:
- - attack.impact
- - attack.t1496
\ No newline at end of file
diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
index a8e74f319..12e20a6d3 100644
--- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
@@ -2,58 +2,58 @@ title: Dead Drop Resolvers
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
status: test
description: Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
-author: Sorina Ionescu
references:
- - https://content.fireeye.com/apt-41/rpt-apt41
- - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
- - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
+ - https://content.fireeye.com/apt-41/rpt-apt41
+ - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
+ - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
+author: Sorina Ionescu
date: 2022/08/17
modified: 2022/08/29
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - 'cdn.discordapp.com'
- - 'pastebin.com'
- - 'youtube.com'
- - 'technet.microsoft.com'
- - 'facebook.com'
- - '.cloudflare.com'
- - 'docs.google.com'
- - 'steamcommunity.com'
- - 'reddit.com'
- - 'fotolog.com'
- - 'twitter.com'
- - 'imgur.com'
- - 'feeds.rapidfeeds.com'
- - 'livejournal.com'
- - '.githubusercontent.com'
- filter_browsers:
- Image|endswith:
- - '\iexplore.exe'
- - '\msedge.exe'
- - '\edge.exe'
- - '\opera.exe'
- - '\brave.exe'
- - '\vivaldi.exe'
- - '\whale.exe'
- - '\chrome.exe'
- - '\firefox.exe'
- filter_others:
- Image|endswith:
- - '\MsMpEng.exe' #Microsoft Defender executable
- - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable
- - '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
- - '\Engine.exe' #Process from qlik.com app
- - '\msedgewebview2.exe' # related to Edge browser
- condition: selection and not 1 of filter*
-falsepositives:
- - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
-level: high
tags:
- - attack.command_and_control
- - attack.t1102
- - attack.t1102.001
+ - attack.command_and_control
+ - attack.t1102
+ - attack.t1102.001
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - 'cdn.discordapp.com'
+ - 'pastebin.com'
+ - 'youtube.com'
+ - 'technet.microsoft.com'
+ - 'facebook.com'
+ - '.cloudflare.com'
+ - 'docs.google.com'
+ - 'steamcommunity.com'
+ - 'reddit.com'
+ - 'fotolog.com'
+ - 'twitter.com'
+ - 'imgur.com'
+ - 'feeds.rapidfeeds.com'
+ - 'livejournal.com'
+ - '.githubusercontent.com'
+ filter_browsers:
+ Image|endswith:
+ - '\iexplore.exe'
+ - '\msedge.exe'
+ - '\edge.exe'
+ - '\opera.exe'
+ - '\brave.exe'
+ - '\vivaldi.exe'
+ - '\whale.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ filter_others:
+ Image|endswith:
+ - '\MsMpEng.exe' #Microsoft Defender executable
+ - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable
+ - '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
+ - '\Engine.exe' #Process from qlik.com app
+ - '\msedgewebview2.exe' # related to Edge browser
+ condition: selection and not 1 of filter*
+falsepositives:
+ - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
index 87cd877d2..ad26de359 100644
--- a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
@@ -2,12 +2,17 @@ title: Dllhost Internet Connection
id: cfed2f44-16df-4bf3-833a-79405198b277
status: test
description: Detects Dllhost that communicates with public IP addresses
-author: bartblaze
references:
- https://redcanary.com/blog/child-processes/
- https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
+author: bartblaze
date: 2020/07/13
modified: 2022/04/21
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.execution
+ - attack.t1559.001
logsource:
category: network_connection
product: windows
@@ -48,8 +53,3 @@ detection:
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.execution
- - attack.t1559.001
diff --git a/rules/windows/network_connection/net_connection_win_eqnedt.yml b/rules/windows/network_connection/net_connection_win_eqnedt.yml
index 6d835a98d..12ae5491e 100755
--- a/rules/windows/network_connection/net_connection_win_eqnedt.yml
+++ b/rules/windows/network_connection/net_connection_win_eqnedt.yml
@@ -2,21 +2,21 @@ title: Equation Editor Network Connection
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: experimental
description: Detects network connections from Equation Editor
-author: Max Altgelt
references:
- - https://twitter.com/forensicitguy/status/1513538712986079238
- - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
+ - https://twitter.com/forensicitguy/status/1513538712986079238
+ - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
+author: Max Altgelt
date: 2022/04/14
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Image|endswith: '\eqnedt32.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
tags:
- - attack.execution
- - attack.t1203
+ - attack.execution
+ - attack.t1203
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\eqnedt32.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
index 42e932531..bd9b901e7 100644
--- a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml
@@ -1,12 +1,14 @@
title: Excel Network Connections
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: experimental
-description: Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
+description: |
+ Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.
+ You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
+references:
+ - https://corelight.com/blog/detecting-cve-2021-42292
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton
date: 2021/11/10
modified: 2022/06/27
-references:
- - https://corelight.com/blog/detecting-cve-2021-42292
tags:
- attack.execution
- attack.t1203
diff --git a/rules/windows/network_connection/net_connection_win_hh.yml b/rules/windows/network_connection/net_connection_win_hh.yml
index bde58609e..8c2734bcc 100644
--- a/rules/windows/network_connection/net_connection_win_hh.yml
+++ b/rules/windows/network_connection/net_connection_win_hh.yml
@@ -5,11 +5,11 @@ related:
type: derived
status: experimental
description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files
-author: Nasreddine Bencherchali
-date: 2022/10/05
references:
- https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
- https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
+author: Nasreddine Bencherchali
+date: 2022/10/05
tags:
- attack.defense_evasion
- attack.t1218.001
diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml
index a40c00a16..ebd073af8 100644
--- a/rules/windows/network_connection/net_connection_win_imewdbld.yml
+++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml
@@ -2,11 +2,14 @@ title: Download a File with IMEWDBLD.exe
id: 8d7e392e-9b28-49e1-831d-5949c6281228
status: experimental
description: Use IMEWDBLD.exe (built-in to windows) to download a file
-author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
+author: frack113
date: 2022/01/22
+tags:
+ - attack.command_and_control
+ - attack.t1105
logsource:
category: network_connection
product: windows
@@ -18,6 +21,3 @@ detection:
falsepositives:
- Legitimate script
level: high
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index 5bbb8cd17..b52f0ede2 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -2,11 +2,14 @@ title: Suspicious Typical Malware Back Connect Ports
 id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
 status: test
 description: Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases
-author: Florian Roth
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+author: Florian Roth
 date: 2017/03/19
 modified: 2022/10/05
+tags:
+ - attack.command_and_control
+ - attack.t1571
 logsource:
 category: network_connection
 product: windows
@@ -15,56 +18,56 @@ detection:
 selection:
 Initiated: 'true'
 DestinationPort:
- - 4443
- - 2448
- - 8143
- - 1777
- - 1443
- - 243
- - 65535
- - 13506
- - 3360
- - 200
- - 198
- - 49180
- - 13507
- - 6625
- - 4444
- - 4438
- - 1904
- - 13505
- - 13504
- - 12102
- - 9631
- - 5445
- - 2443
- - 777
- - 13394
- - 13145
- - 12103
- - 5552
- - 3939
- - 3675
- - 666
- - 473
- - 5649
- - 4455
- - 4433
- - 1817
- - 100
- - 65520
- - 1960
- - 1515
- - 743
- - 700
- - 14154
- - 14103
- - 14102
- - 12322
- - 10101
- - 7210
- - 4040
- - 9943
+ - 4443
+ - 2448
+ - 8143
+ - 1777
+ - 1443
+ - 243
+ - 65535
+ - 13506
+ - 3360
+ - 200
+ - 198
+ - 49180
+ - 13507
+ - 6625
+ - 4444
+ - 4438
+ - 1904
+ - 13505
+ - 13504
+ - 12102
+ - 9631
+ - 5445
+ - 2443
+ - 777
+ - 13394
+ - 13145
+ - 12103
+ - 5552
+ - 3939
+ - 3675
+ - 666
+ - 473
+ - 5649
+ - 4455
+ - 4433
+ - 1817
+ - 100
+ - 65520
+ - 1960
+ - 1515
+ - 743
+ - 700
+ - 14154
+ - 14103
+ - 14102
+ - 12322
+ - 10101
+ - 7210
+ - 4040
+ - 9943
 filter1:
 Image|contains: '\Program Files'
 filter2:
@@ -92,6 +95,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.command_and_control
- - attack.t1571
diff --git a/rules/windows/network_connection/net_connection_win_mega_nz.yml b/rules/windows/network_connection/net_connection_win_mega_nz.yml
index 445d7c388..fc85be686 100644
--- a/rules/windows/network_connection/net_connection_win_mega_nz.yml
+++ b/rules/windows/network_connection/net_connection_win_mega_nz.yml
@@ -2,22 +2,22 @@ title: Communication To Mega.nz
 id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4
 status: experimental
 description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors
-author: Florian Roth
 references:
- - https://megatools.megous.com/
- - https://www.mandiant.com/resources/russian-targeting-gov-business
+ - https://megatools.megous.com/
+ - https://www.mandiant.com/resources/russian-targeting-gov-business
+author: Florian Roth
 date: 2021/12/06
 tags:
- - attack.exfiltration
- - attack.t1567.001
+ - attack.exfiltration
+ - attack.t1567.001
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith: 'api.mega.co.nz'
- condition: selection
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: 'api.mega.co.nz'
+ condition: selection
 falsepositives:
- - Legitimate use of mega.nz uploaders and tools
+ - Legitimate use of mega.nz uploaders and tools
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_msiexec.yml b/rules/windows/network_connection/net_connection_win_msiexec.yml
index c6aaa7279..00bf5ae15 100644
--- a/rules/windows/network_connection/net_connection_win_msiexec.yml
+++ b/rules/windows/network_connection/net_connection_win_msiexec.yml
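Review bot: The mega.nz hunk reindents the whole rule body but leaves the description's wording broken: `a sign of forbidden file sharing use of data exfiltration` reads like a typo for `a sign of forbidden file sharing or data exfiltration`. This text is what an analyst sees on the alert, so it is worth correcting the context line while the file is being rewritten anyway: `description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing or data exfiltration by malicious actors`.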
@@ -2,13 +2,16 @@ title: Msiexec Initiated Connection
 id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
 status: experimental
 description: |
- Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
- Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
-author: frack113
+ Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
+ Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
+author: frack113
 date: 2022/01/16
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
 logsource:
 category: network_connection
 product: windows
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Legitimate msiexec over networks
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218.007
diff --git a/rules/windows/network_connection/net_connection_win_ngrok_io.yml b/rules/windows/network_connection/net_connection_win_ngrok_io.yml
index ac28daf97..3db0d9864 100644
--- a/rules/windows/network_connection/net_connection_win_ngrok_io.yml
+++ b/rules/windows/network_connection/net_connection_win_ngrok_io.yml
@@ -2,22 +2,22 @@ title: Communication To Ngrok.Io
 id: 18249279-932f-45e2-b37a-8925f2597670
 status: experimental
 description: Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
-author: Florian Roth
 references:
- - https://ngrok.com/
- - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
+ - https://ngrok.com/
+ - https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
+author: Florian Roth
 date: 2022/07/16
 tags:
- - attack.exfiltration
- - attack.t1567.001
+ - attack.exfiltration
+ - attack.t1567.001
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith: '.ngrok.io'
- condition: selection
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith: '.ngrok.io'
+ condition: selection
 falsepositives:
- - Legitimate use of ngrok.io
+ - Legitimate use of ngrok.io
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
index 3a6041a3e..3ab1760c8 100755
--- a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml
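Review bot: The ngrok.io hunk keeps a garbled description on its context line: `a sign of forbidden exfiltration of data exfiltration by malicious actors` repeats "exfiltration" and presumably meant `a sign of forbidden exfiltration of data by malicious actors`. Since the commit rewrites every other line of this rule, the one-word fix belongs in the same change: `description: Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data by malicious actors`.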
@@ -2,12 +2,17 @@ title: Notepad Making Network Connection
 id: e81528db-fc02-45e8-8e98-4e84aba1f10b
 status: test
 description: Detects suspicious network connection by Notepad
-author: EagleEye Team
 references:
 - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
 - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/
+author: EagleEye Team
 date: 2020/05/14
 modified: 2022/10/05
+tags:
+ - attack.command_and_control
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1055
 logsource:
 category: network_connection
 product: windows
@@ -20,8 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.command_and_control
- - attack.execution
- - attack.defense_evasion
- - attack.t1055
diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
index 8715cf93b..669fc41cc 100755
--- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml
@@ -2,11 +2,11 @@ title: PowerShell Network Connections
 id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
 status: experimental
 description: Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')
+references:
+ - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 author: Florian Roth
 date: 2017/03/13
 modified: 2022/07/14
-references:
- - https://www.youtube.com/watch?v=DLtJTxMWZ2o
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index bebc55259..f65ffdc19 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
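Review bot: In the PowerShell Network Connections hunk the description's closing parenthetical, `(e.g. extend filters with company's ip range')`, ends with a stray single quote before the bracket. It is harmless to the parser because the value is a plain scalar, but it is a typo on the line the alert text is built from; drop the quote: `... adjust to your environment (e.g. extend filters with company's ip range)`. The Notepad hunk that shares this line is a pure key reorder and needs nothing.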
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -2,12 +2,15 @@ title: Python Initiated Connection
 id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
 status: experimental
 description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
 - https://pypi.org/project/scapy/
+author: frack113
 date: 2021/12/10
 modified: 2022/09/20
+tags:
+ - attack.discovery
+ - attack.t1046
 logsource:
 category: network_connection
 product: windows
@@ -35,6 +38,3 @@ detection:
 falsepositives:
 - Legitimate python script
 level: medium
-tags:
- - attack.discovery
- - attack.t1046
\ No newline at end of file
diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
index e81321141..77e5a3eae 100644
--- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml
@@ -20,12 +20,12 @@ detection:
 selection:
 Image|endswith: '\regsvr32.exe'
 condition: selection
-falsepositives:
- - Unknown
-level: high
 fields:
 - ComputerName
 - User
 - Image
 - DestinationIp
 - DestinationPort
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
index 0b2e6f4f2..12dbdd7ba 100755
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
@@ -2,43 +2,43 @@ title: Remote PowerShell Session (Network)
 id: c539afac-c12a-46ed-b1bd-5a5567c9f045
 status: test
 description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
-author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/09/12
 modified: 2022/08/24
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- DestinationPort:
- - 5985
- - 5986
- Initiated: 'true' # only matches of the initiating system can be evaluated
- filter:
- - User|contains: # covers many language settings for Network Service, please expand
- - 'NETWORK SERVICE'
- - 'NETZWERKDIENST'
- - 'SERVIZIO DI RETE'
- - 'SERVICIO DE RED'
- - User|contains|all:
- - 'SERVICE R'
- - 'SEAU'
- - SourceIp|startswith: '0:0:'
- - Image:
- - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
- filter_localhost:
- SourceIp: '::1'
- DestinationIp: '::1'
- condition: selection and not 1 of filter*
-falsepositives:
- - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- - Network Service user name of a not-covered localization
-level: high
 tags:
- - attack.execution
- - attack.t1059.001
- - attack.lateral_movement
- - attack.t1021.006
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.006
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationPort:
+ - 5985
+ - 5986
+ Initiated: 'true' # only matches of the initiating system can be evaluated
+ filter:
+ - User|contains: # covers many language settings for Network Service, please expand
+ - 'NETWORK SERVICE'
+ - 'NETZWERKDIENST'
+ - 'SERVIZIO DI RETE'
+ - 'SERVICIO DE RED'
+ - User|contains|all:
+ - 'SERVICE R'
+ - 'SEAU'
+ - SourceIp|startswith: '0:0:'
+ - Image:
+ - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
+ - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
+ filter_localhost:
+ SourceIp: '::1'
+ DestinationIp: '::1'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
+ - Network Service user name of a not-covered localization
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index c0db1e55f..72440a3e0 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -2,53 +2,53 @@ title: Rundll32 Internet Connection
 id: cdc8da7d-c303-42f8-b08c-b4ab47230263
 status: test
 description: Detects a rundll32 that communicates with public IP addresses
-author: Florian Roth
 references:
- - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+ - https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
+author: Florian Roth
 date: 2017/11/04
 modified: 2022/10/04
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Image|endswith: '\rundll32.exe'
- Initiated: 'true'
- filter:
- - DestinationIp|startswith:
- - '10.'
- - '192.168.'
- - '172.16.'
- - '172.17.'
- - '172.18.'
- - '172.19.'
- - '172.20.'
- - '172.21.'
- - '172.22.'
- - '172.23.'
- - '172.24.'
- - '172.25.'
- - '172.26.'
- - '172.27.'
- - '172.28.'
- - '172.29.'
- - '172.30.'
- - '172.31.'
- - '127.'
- - '20.' # Microsoft range, caused some FPs
- - '51.103.' # Microsoft range, caused some FPs
- - '51.104.' # Microsoft range, caused some FPs
- - '51.105.' # Microsoft range, caused some FPs
- - CommandLine|contains:
- - 'PcaSvc.dll,PcaPatchSdbTask'
- filter_update_processes:
- ParentImage: 'C:\Windows\System32\svchost.exe'
- RemoteAddress|endswith: ':443'
- condition: selection and not 1 of filter*
-falsepositives:
- - Communication to other corporate systems that use IP addresses from public address spaces
-level: medium
 tags:
- - attack.defense_evasion
- - attack.t1218.011
- - attack.execution
+ - attack.defense_evasion
+ - attack.t1218.011
+ - attack.execution
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ Initiated: 'true'
+ filter:
+ - DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
+ - '20.' # Microsoft range, caused some FPs
+ - '51.103.' # Microsoft range, caused some FPs
+ - '51.104.' # Microsoft range, caused some FPs
+ - '51.105.' # Microsoft range, caused some FPs
+ - CommandLine|contains:
+ - 'PcaSvc.dll,PcaPatchSdbTask'
+ filter_update_processes:
+ ParentImage: 'C:\Windows\System32\svchost.exe'
+ RemoteAddress|endswith: ':443'
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Communication to other corporate systems that use IP addresses from public address spaces
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_script.yml b/rules/windows/network_connection/net_connection_win_script.yml
index a5043c04d..ef3b7eb2e 100644
--- a/rules/windows/network_connection/net_connection_win_script.yml
+++ b/rules/windows/network_connection/net_connection_win_script.yml
@@ -2,23 +2,23 @@ title: Script Initiated Connection
 id: 08249dc0-a28d-4555-8ba5-9255a198e08c
 status: experimental
 description: Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+author: frack113
 date: 2022/08/28
+tags:
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 category: network_connection
 product: windows
 detection:
 selection:
 Initiated: 'true'
- Image|endswith:
+ Image|endswith:
 - '\wscript.exe'
 - '\cscript.exe'
 condition: selection
 falsepositives:
 - Legitimate scripts
 level: medium
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_script_wan.yml b/rules/windows/network_connection/net_connection_win_script_wan.yml
index 4820282c7..2db420ed6 100644
--- a/rules/windows/network_connection/net_connection_win_script_wan.yml
+++ b/rules/windows/network_connection/net_connection_win_script_wan.yml
@@ -2,10 +2,13 @@ title: Script Initiated Connection to Non-Local Network
 id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
 status: experimental
 description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
-author: frack113, Florian Roth
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
+author: frack113, Florian Roth
 date: 2022/08/28
+tags:
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 category: network_connection
 product: windows
@@ -40,6 +43,3 @@ detection:
 falsepositives:
 - Legitimate scripts
 level: high
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
index 31eccd053..6e69126ad 100644
--- a/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
+++ b/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
@@ -2,11 +2,14 @@ title: Silenttrinity Stager Msbuild Activity
 id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
 status: test
 description: Detects a possible remote connections to Silenttrinity c2
-author: Kiran kumar s, oscd.community
 references:
 - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+author: Kiran kumar s, oscd.community
 date: 2020/10/11
 modified: 2022/10/05
+tags:
+ - attack.execution
+ - attack.t1127.001
 logsource:
 category: network_connection
 product: windows
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.execution
- - attack.t1127.001
diff --git a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
index 3070ecd6c..6845fe88a 100644
--- a/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml
@@ -2,31 +2,31 @@ title: Suspicious Network Connection Binary No CommandLine
 id: 20384606-a124-4fec-acbb-8bd373728613
 status: experimental
 description: Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
-author: Florian Roth
 references:
 - https://redcanary.com/blog/raspberry-robin/
+author: Florian Roth
 date: 2022/07/03
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Initiated: 'true'
- Image|endswith:
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\dllhost.exe'
- CommandLine|endswith:
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\dllhost.exe'
- filter_no_cmdline:
- CommandLine: ''
- filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
- CommandLine: null
- condition: selection and not 1 of filter*
-falsepositives:
- - Unknown
-level: high
 tags:
 - attack.defense_evasion
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Initiated: 'true'
+ Image|endswith:
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\dllhost.exe'
+ CommandLine|endswith:
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\dllhost.exe'
+ filter_no_cmdline:
+ CommandLine: ''
+ filter_null: # e.g. Sysmon has no CommandLine field in network events with ID 3
+ CommandLine: null
+ condition: selection and not 1 of filter*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
index 2b0927bb0..48daf9a9c 100644
--- a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
@@ -2,10 +2,13 @@ title: Cmstp Making Network Connection
 id: efafe0bf-4238-479e-af8f-797bd3490d2d
 status: experimental
 description: Detects suspicious network connection by Cmstp
-author: Nasreddine Bencherchali
 references:
 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+author: Nasreddine Bencherchali
 date: 2022/08/30
+tags:
+ - attack.defense_evasion
+ - attack.t1218.003
 logsource:
 category: network_connection
 product: windows
@@ -17,6 +20,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1218.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
index a683212c0..1c7822845 100644
--- a/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml
@@ -2,23 +2,23 @@ title: Suspicious Dropbox API Usage
 id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
 status: experimental
 description: Detects an executable that isn't dropbox but communicates with the Dropbox API
-author: Florian Roth
 references:
- - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
+ - https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
+ - https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
+author: Florian Roth
 date: 2022/04/20
 logsource:
- category: network_connection
- product: windows
+ category: network_connection
+ product: windows
 detection:
- selection:
- Initiated: 'true'
- DestinationHostname|endswith:
- - 'api.dropboxapi.com'
- - 'content.dropboxapi.com'
- filter:
- Image|contains: '\Dropbox'
- condition: selection and not filter
+ selection:
+ Initiated: 'true'
+ DestinationHostname|endswith:
+ - 'api.dropboxapi.com'
+ - 'content.dropboxapi.com'
+ filter:
+ Image|contains: '\Dropbox'
+ condition: selection and not filter
 falsepositives:
- - Legitimate use of the API with a tool that the author wasn't aware of
+ - Legitimate use of the API with a tool that the author wasn't aware of
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
index cb8eca222..2a0164d74 100644
--- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_epmap.yml
@@ -7,6 +7,8 @@ references:
 author: frack113, Tim Shelton (fps)
 date: 2022/07/14
 modified: 2022/07/18
+tags:
+ - attack.lateral_movement
 logsource:
 category: network_connection
 product: windows
@@ -17,12 +19,10 @@ detection:
 DestinationPort: 135
 #DestinationPortName: epmap
 filter:
- Image|startswith:
+ Image|startswith:
 - C:\Windows\
 - C:\ProgramData\Amazon\SSM\Update\amazon-ssm-agent-updater
 condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.lateral_movement
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
index fd7cba0ab..a70248780 100755
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml
@@ -2,31 +2,31 @@ title: Suspicious Outbound Kerberos Connection
 id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
 status: test
 description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
-author: Ilyas Ochkov, oscd.community
 references:
- - https://github.com/GhostPack/Rubeus
+ - https://github.com/GhostPack/Rubeus
+author: Ilyas Ochkov, oscd.community
 date: 2019/10/24
 modified: 2021/12/02
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- DestinationPort: 88
- Initiated: 'true'
- filter:
- Image|endswith:
- - '\lsass.exe'
- - '\opera.exe'
- - '\chrome.exe'
- - '\firefox.exe'
- - '\tomcat\bin\tomcat8.exe'
- condition: selection and not filter
-falsepositives:
- - Other browsers
-level: high
 tags:
- - attack.credential_access
- - attack.t1558
- - attack.lateral_movement
- - attack.t1550.003
+ - attack.credential_access
+ - attack.t1558
+ - attack.lateral_movement
+ - attack.t1550.003
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationPort: 88
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ - '\tomcat\bin\tomcat8.exe'
+ condition: selection and not filter
+falsepositives:
+ - Other browsers
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
index 72f4d8d45..41b815a90 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml
@@ -1,13 +1,17 @@
 title: Microsoft Sync Center Suspicious Network Connections
 id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
 status: experimental
-level: medium
 description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
 references:
 - https://redcanary.com/blog/intelligence-insights-november-2021/
 author: elhoim
 date: 2022/04/28
 modified: 2022/06/02
+tags:
+ - attack.t1055
+ - attack.t1218
+ - attack.execution
+ - attack.defense_evasion
 logsource:
 product: windows
 category: network_connection
@@ -38,8 +42,4 @@ detection:
 condition: selection_mobsync and not filter
 falsepositives:
 - Unknown
-tags:
- - attack.t1055
- - attack.t1218
- - attack.execution
- - attack.defense_evasion
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
index 7612f4a7b..bced9cae1 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
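Review bot: The Microsoft Sync Center hunk normalises the position of `tags` and `level` but leaves `logsource` with `product: windows` listed before `category: network_connection`, the reverse of every other rule touched in this series. Since the stated purpose of the change is a consistent key order across the network_connection rules, the two context lines should be swapped in the same commit: `logsource:` / `  category: network_connection` / `  product: windows`. The rule's detection block lies outside the hunk and is unaffected.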
@@ -2,14 +2,17 @@ title: Suspicious Outbound SMTP Connections
 id: 9976fa64-2804-423c-8a5b-646ade840773
 status: experimental
 description: |
- Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
- The data may also be sent to an alternate network location from the main command and control server.
+ Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+ The data may also be sent to an alternate network location from the main command and control server.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
 date: 2022/01/07
 modified: 2022/09/21
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
 logsource:
 category: network_connection
 product: windows
@@ -34,6 +37,3 @@ detection:
 falsepositives:
 - Other SMTP tools
 level: medium
-tags:
- - attack.exfiltration
- - attack.t1048.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 0df871e90..0c1c0c605 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -2,11 +2,14 @@ title: Suspicious Program Location with Network Connections
 id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
 status: test
 description: Detects programs with network connections running in suspicious files system locations
-author: Florian Roth, Tim Shelton
 references:
 - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
+author: Florian Roth, Tim Shelton
 date: 2017/03/19
 modified: 2022/05/26
+tags:
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 category: network_connection
 product: windows
@@ -34,6 +37,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
index fd89cf440..b33a326da 100755
--- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
@@ -2,53 +2,53 @@ title: Suspicious Outbound RDP Connections id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 status: test description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement -author: Markus Neis references: - - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 + - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 +author: Markus Neis date: 2019/05/15 modified: 2022/09/02 tags: - - attack.lateral_movement - - attack.t1021.001 - - car.2013-07-002 + - attack.lateral_movement + - attack.t1021.001 + - car.2013-07-002 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - DestinationPort: 3389 - Initiated: 'true' - filter: - - Image|endswith: - - '\mstsc.exe' - - '\RTSApp.exe' - - '\RTS2App.exe' - - '\RDCMan.exe' - - '\ws_TunnelService.exe' - - '\RSSensor.exe' - - '\RemoteDesktopManagerFree.exe' - - '\RemoteDesktopManager.exe' - - '\RemoteDesktopManager64.exe' - - '\mRemoteNG.exe' - - '\mRemote.exe' - - '\Terminals.exe' - - '\spiceworks-finder.exe' - - '\FSDiscovery.exe' - - '\FSAssessment.exe' - - '\MobaRTE.exe' - - '\chrome.exe' - - '\System32\dns.exe' - - '\thor.exe' - - '\thor64.exe' - - '\Passwordstate.exe' - - '\Avast Software\Avast\AvastSvc.exe' - - '\Ranger\SentinelRanger.exe' # sentinel one - - '\Avast\AvastSvc.exe' - - Image|startswith: - - 'C:\Program Files\SplunkUniversalForwarder\bin\' - - 'C:\Program Files\Mozilla Firefox\firefox.exe' - condition: selection and not filter + selection: + DestinationPort: 3389 + Initiated: 'true' + filter: + - Image|endswith: + - '\mstsc.exe' + - '\RTSApp.exe' + - '\RTS2App.exe' + - '\RDCMan.exe' + - '\ws_TunnelService.exe' + - '\RSSensor.exe' + - '\RemoteDesktopManagerFree.exe' + - '\RemoteDesktopManager.exe' + - '\RemoteDesktopManager64.exe' + - '\mRemoteNG.exe' + - '\mRemote.exe' + - '\Terminals.exe' + - '\spiceworks-finder.exe' + - 
'\FSDiscovery.exe' + - '\FSAssessment.exe' + - '\MobaRTE.exe' + - '\chrome.exe' + - '\System32\dns.exe' + - '\thor.exe' + - '\thor64.exe' + - '\Passwordstate.exe' + - '\Avast Software\Avast\AvastSvc.exe' + - '\Ranger\SentinelRanger.exe' # sentinel one + - '\Avast\AvastSvc.exe' + - Image|startswith: + - 'C:\Program Files\SplunkUniversalForwarder\bin\' + - 'C:\Program Files\Mozilla Firefox\firefox.exe' + condition: selection and not filter falsepositives: - - Other Remote Desktop RDP tools - - Domain controller using dns.exe + - Other Remote Desktop RDP tools + - Domain controller using dns.exe level: high diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index b52dceebf..772359d25 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,22 +1,24 @@
title: Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
-description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+description: |
+ Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.
+ One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
references:
- - https://dtm.uk/wuauclt/
+ - https://dtm.uk/wuauclt/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/10/12
modified: 2021/11/27
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- Image|contains: wuauclt
- condition: selection
-falsepositives:
- - Legitimate use of wuauclt.exe over the network.
-level: medium
tags:
- - attack.defense_evasion
- - attack.t1218
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|contains: wuauclt
+ condition: selection
+falsepositives:
+ - Legitimate use of wuauclt.exe over the network.
+level: medium
diff --git a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
index c16f73005..2b8d96bfe 100755
--- a/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
+++ b/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml
@@ -2,6 +2,11 @@ title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
+references:
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+author: Nik Seetharaman
+date: 2018/07/16
+modified: 2021/06/27
tags:
- attack.defense_evasion
- attack.t1218.003
@@ -10,18 +15,6 @@ tags:
- attack.g0069
- attack.g0080
- car.2019-04-001
-author: Nik Seetharaman
-date: 2018/07/16
-modified: 2021/06/27
-references:
- - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
-falsepositives:
- - Legitimate CMSTP use (unlikely in modern enterprise environments)
-level: high
logsource:
product: windows
category: process_access
@@ -30,3 +23,10 @@ detection:
selection:
CallTrace|contains: 'cmlua.dll'
condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
index 3e6adfd2c..6940a8162 100755
--- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -2,15 +2,14 @@ title: Credentials Dumping Tools Accessing LSASS Memory
id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
status: experimental
description: Detects process access LSASS memory which is typical for credentials dumping tools
-author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov,
- oscd.community (update)
-date: 2017/02/16
-modified: 2022/10/20
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
+date: 2017/02/16
+modified: 2022/10/20
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 6927b4a22..594109d69 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -1,12 +1,15 @@
title: Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
+status: experimental
description: Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
references:
- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
-status: experimental
author: Christian Burkard, Tim Shelton
date: 2021/07/28
modified: 2022/10/05
+tags:
+ - attack.execution
+ - attack.t1106
logsource:
category: process_access
product: windows
@@ -58,6 +61,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1106
diff --git a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
index 9b3776bcc..b09a8aeef 100644
--- a/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
+++ b/rules/windows/process_access/proc_access_win_hack_sysmonente.yml
@@ -2,33 +2,33 @@ title: SysmonEnte Usage id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e status: experimental description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon -author: Florian Roth references: - - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html - - https://github.com/codewhitesec/SysmonEnte/ - - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png + - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html + - https://github.com/codewhitesec/SysmonEnte/ + - https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png +author: Florian Roth date: 2022/09/07 modified: 2022/09/09 tags: - - attack.defense_evasion - - attack.t1562.002 + - attack.defense_evasion + - attack.t1562.002 logsource: - category: process_access - product: windows + category: process_access + product: windows detection: - selection_1: - TargetImage: 'C:\Windows\Sysmon64.exe' - GrantedAccess: '0x1400' - filter_1: - SourceImage|startswith: - - 'C:\Program Files' - - 'C:\Windows\System32\' - filter_msdefender: - SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - SourceImage|endswith: '\MsMpEng.exe' - selection_calltrace: - CallTrace: 'Ente' - condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace + selection_1: + TargetImage: 'C:\Windows\Sysmon64.exe' + GrantedAccess: '0x1400' + filter_1: + SourceImage|startswith: + - 'C:\Program Files' + - 'C:\Windows\System32\' + filter_msdefender: + SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + SourceImage|endswith: '\MsMpEng.exe' + selection_calltrace: + CallTrace: 'Ente' + condition: ( selection_1 and not 1 of filter_* ) or selection_calltrace falsepositives: - - Unknown + - Unknown level: high 
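Review bot: In `filter_1`, the re-indented `SourceImage|startswith` entry `'C:\Program Files'` carries no trailing path separator, so it suppresses alerts for any source image under a directory whose name merely begins with `Program Files`, not only the standard program directories; the sibling entry `'C:\Windows\System32\'` does end with the separator, so the two prefixes are inconsistent in how tightly they match. Spelling out the intended directories, `- 'C:\Program Files\'` and `- 'C:\Program Files (x86)\'`, keeps the exclusion as narrow as `filter_msdefender` already is. The commit only re-indents these lines, so the point predates it.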
diff --git a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
index a4e1b36f7..825b7aee5 100644
--- a/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml
@@ -1,11 +1,16 @@
title: HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
+status: experimental
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
- https://github.com/codewhitesec/HandleKatz
-status: experimental
author: Bhabesh Raj (rule), @thefLinkk
date: 2022/06/27
+tags:
+ - attack.execution
+ - attack.t1106
+ - attack.defense_evasion
+ - attack.t1003.001
logsource:
category: process_access
product: windows
@@ -21,8 +26,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1106
- - attack.defense_evasion
- - attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
index 3e02c246a..c9b159c94 100644
--- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
@@ -1,12 +1,18 @@
title: Suspicious In-Memory Module Execution
id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
-description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
-date: 2019/10/27
-modified: 2022/03/16
-author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+description: |
+ Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space.
+ An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way),
+ it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory.
+ Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that
+ most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries.
+ The latter should also be considered suspicious.
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
+date: 2019/10/27
+modified: 2022/03/16
tags:
- attack.privilege_escalation
- attack.defense_evasion
@@ -18,14 +24,14 @@ logsource:
detection:
selection1:
CallTrace|contains|all:
- - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
- - '|C:\WINDOWS\System32\KERNELBASE.dll+'
- - '|UNKNOWN('
- - ')'
+ - 'C:\WINDOWS\SYSTEM32\ntdll.dll+'
+ - '|C:\WINDOWS\System32\KERNELBASE.dll+'
+ - '|UNKNOWN('
+ - ')'
selection2:
CallTrace|contains|all:
- - 'UNKNOWN('
- - ')|UNKNOWN('
+ - 'UNKNOWN('
+ - ')|UNKNOWN('
CallTrace|endswith: ')'
selection3:
CallTrace|contains: 'UNKNOWN'
@@ -95,6 +101,6 @@ fields:
- SourceImage
- TargetImage
- CallTrace
-level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high
falsepositives:
- SysInternals Process Explorer
+level: low
diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
index 79a21ccf6..0dbb54f4e 100755
--- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml
@@ -2,12 +2,12 @@ title: Suspect Svchost Memory Asccess
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: experimental
description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
-author: Tim Burrell
-date: 2020/01/02
-modified: 2021/10/21
references:
- https://github.com/hlldz/Invoke-Phant0m
- https://twitter.com/timbmsft/status/900724491076214784
+author: Tim Burrell
+date: 2020/01/02
+modified: 2021/10/21
tags:
- attack.defense_evasion
- attack.t1562.002
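Review bot: The `@@ -95,6 +101,6 @@` hunk silently drops the inline comment that explained why this rule sits at `level: low` when it moves the key below `falsepositives`; that rationale (a high false-positive rate across many kinds of software) is recorded nowhere else, and the `falsepositives` list only names SysInternals Process Explorer. Keep it on the moved line, `level: low # too many false positives, really sad, but the amount of false positives with all kinds of software is just too high`, or carry its substance into the `falsepositives` list so the next maintainer does not raise the level without that context.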
diff --git a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
index 2ee526a84..0e7884374 100644
--- a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
@@ -1,12 +1,12 @@
title: Credential Dumping by LaZagne
id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
-description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
-date: 2020/09/09
-modified: 2022/08/13
-author: Bhabesh Raj, Jonhnathan Ribeiro
+description: Detects LSASS process access by LaZagne for credential dumping.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
+author: Bhabesh Raj, Jonhnathan Ribeiro
+date: 2020/09/09
+modified: 2022/08/13
tags:
- attack.credential_access
- attack.t1003.001
@@ -15,15 +15,15 @@ logsource:
category: process_access
product: windows
detection:
- selection:
+ selection:
TargetImage|endswith: '\lsass.exe'
- CallTrace|contains|all:
+ CallTrace|contains|all:
- 'C:\Windows\SYSTEM32\ntdll.dll+'
- '|C:\Windows\System32\KERNELBASE.dll+'
- '_ctypes.pyd+'
- 'python27.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
-level: critical
falsepositives:
- Unknown
+level: critical
diff --git a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
index fe95401c7..3b6b39d63 100644
--- a/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
+++ b/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml
@@ -1,12 +1,16 @@
title: LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
+status: experimental
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
- https://github.com/connormcgarr/LittleCorporal
-status: experimental
author: Christian Burkard
date: 2021/08/09
modified: 2022/06/02
+tags:
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1055.003
logsource:
category: process_access
product: windows
@@ -20,7 +24,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.execution
- - attack.t1204.002
- - attack.t1055.003
diff --git a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
index e288ae455..dfc7bf951 100644
--- a/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
+++ b/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml
@@ -2,29 +2,29 @@ title: Load Undocumented Autoelevated COM Interface id: fb3722e4-1a06-46b6-b772-253e2e7db933 status: test description: COM interface (EditionUpgradeManager) that is not used by standard executables. -author: oscd.community, Dmitry Uchakin references: - - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ - - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 + - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ + - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 +author: oscd.community, Dmitry Uchakin date: 2020/10/07 modified: 2021/11/27 -logsource: - category: process_access - product: windows -detection: - selection: - CallTrace|contains: 'editionupgrademanagerobj.dll' - condition: selection -fields: - - ComputerName - - User - - SourceImage - - TargetImage - - CallTrace -falsepositives: - - Unknown -level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1548.002 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +logsource: + category: process_access + product: windows +detection: + selection: + CallTrace|contains: 'editionupgrademanagerobj.dll' + condition: selection +fields: + - ComputerName + - User + - SourceImage + - TargetImage + - CallTrace +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 0f20ccca4..21fc5e414 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml 
@@ -2,14 +2,14 @@ title: LSASS Memory Dump
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
-author: Samir Bousseaden, Michael Haag
-date: 2019/04/03
-modified: 2022/09/29
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
+author: Samir Bousseaden, Michael Haag
+date: 2019/04/03
+modified: 2022/09/29
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
index 1a3377113..3e06a84f2 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml
@@ -2,11 +2,11 @@ title: LSASS Access from White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: experimental
description: Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference
-author: Florian Roth
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://twitter.com/mrd0x/status/1460597833917251595
+author: Florian Roth
date: 2022/02/10
tags:
- attack.credential_access
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
index 3942dce45..bfc38e152 100644
--- a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
+++ b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml
@@ -2,10 +2,10 @@ title: LSASS Memory Access by Tool Named Dump
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: experimental
description: Detects a possible process memory dump based on a keyword in the file name of the accessing process
-author: Florian Roth
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
+author: Florian Roth
date: 2022/02/10
tags:
- attack.credential_access
diff --git a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
index 4d574d34f..c53dedfbb 100755
--- a/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml
@@ -2,31 +2,31 @@ title: Malware Shellcode in Verclsid Target Process id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1 status: test description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro -author: John Lambert (tech), Florian Roth (rule) references: - - https://twitter.com/JohnLaTwC/status/837743453039534080 + - https://twitter.com/JohnLaTwC/status/837743453039534080 +author: John Lambert (tech), Florian Roth (rule) date: 2017/03/04 modified: 2021/11/27 -logsource: - category: process_access - product: windows - definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' -detection: - selection: - TargetImage|endswith: '\verclsid.exe' - GrantedAccess: '0x1FFFFF' - combination1: - CallTrace|contains|all: - - '|UNKNOWN(' - - 'VBE7.DLL' - combination2: - SourceImage|contains: '\Microsoft Office\' - CallTrace|contains: '|UNKNOWN' - condition: selection and 1 of combination* -falsepositives: - - Unknown -level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + category: process_access + product: windows + definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN' +detection: + selection: + TargetImage|endswith: '\verclsid.exe' + GrantedAccess: '0x1FFFFF' + combination1: + CallTrace|contains|all: + - '|UNKNOWN(' + - 'VBE7.DLL' + combination2: + SourceImage|contains: '\Microsoft Office\' + CallTrace|contains: '|UNKNOWN' + condition: selection and 1 of combination* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml index d87221f9d..b323d50c9 100755 --- a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml 
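Review bot: The `definition` value under `logsource`, carried over unchanged by the re-indent, reads as though the Sysmon configuration it was meant to show has been stripped by an earlier edit, leaving `VBE7.DLLUNKNOWN` fused onto the end of the sentence; as written it does not tell an analyst what to configure. Since this hunk already rewrites the line, either restore the intended configuration excerpt or reduce the field to a plain statement along the lines of `definition: 'Requires Sysmon Event ID 10 (Process Access) events with CallTrace recorded for verclsid.exe'`. I am inferring the original content from the fragment, so check the rule's history before choosing.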
+++ b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
@@ -1,12 +1,20 @@
title: Mimikatz through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
+status: stable
description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
-status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
modified: 2021/06/21
+tags:
+ - attack.credential_access
+ - attack.execution
+ - attack.t1003.001
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.006
+ - attack.s0002
logsource:
category: process_access
product: windows
@@ -17,14 +25,6 @@ detection:
filter:
GrantedAccess: '0x80000000'
condition: selection and not filter
-tags:
- - attack.credential_access
- - attack.execution
- - attack.t1003.001
- - attack.t1059.001
- - attack.lateral_movement
- - attack.t1021.006
- - attack.s0002
falsepositives:
- Unlikely
level: high
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
index fb12d0014..5b6884bf3 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -1,19 +1,19 @@
title: Rare GrantedAccess Flags on LSASS Access
id: 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
related:
- - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: obsoletes
status: experimental
description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
-author: Florian Roth
-date: 2022/03/13
-modified: 2022/10/25
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth
+date: 2022/03/13
+modified: 2022/10/25
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
index 244424d94..c6fe87bfa 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -1,19 +1,19 @@
title: Suspicious GrantedAccess Flags on LSASS Access
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
- type: obsoletes
+ - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
+ type: obsoletes
status: experimental
description: Detects process access to LSASS memory with suspicious access flags
-author: Florian Roth
-date: 2021/11/22
-modified: 2022/06/20
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth
+date: 2021/11/22
+modified: 2022/06/20
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index 473524037..95bd162f3 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -2,15 +2,15 @@ title: LSASS Access from Program in Suspicious Folder
id: fa34b441-961a-42fa-a100-ecc28c886725
status: experimental
description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder
-author: Florian Roth
-date: 2021/11/27
-modified: 2022/10/25
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
+author: Florian Roth
+date: 2021/11/27
+modified: 2022/10/25
tags:
- attack.credential_access
- attack.t1003.001
diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/process_access_win_susp_seclogon.yml
index 48afada97..efd557420 100644
--- a/rules/windows/process_access/process_access_win_susp_seclogon.yml
+++ b/rules/windows/process_access/process_access_win_susp_seclogon.yml
@@ -2,12 +2,15 @@ title: Suspicious LSASS Access Via MalSecLogon
 id: 472159c5-31b9-4f56-b794-b766faa8b0a7
 status: experimental
 description: Detects suspicious access to Lsass handle via a call trace to "seclogon.dll"
-author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)
 references:
 - https://twitter.com/SBousseaden/status/1541920424635912196
 - https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
 - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
+author: Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)
 date: 2022/06/29
+tags:
+ - attack.credential_access
+ - attack.t1003.001
 logsource:
 category: process_access
 product: windows
@@ -21,6 +24,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.credential_access
- - attack.t1003.001
From 1e5ae09c4bf6b849833b9d358dae480230958a1d Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 26 Oct 2022 09:43:39 +0200 Subject: [PATCH 14/14] Order yaml field --- .../posh_pc_alternate_powershell_hosts.yml | 8 +++---- .../posh_pc_delete_volume_shadow_copies.yml | 6 ++--- .../posh_pc_downgrade_attack.yml | 6 ++--- .../posh_pc_exe_calling_ps.yml | 6 ++--- .../powershell_classic/posh_pc_powercat.yml | 12 +++++----- .../posh_pc_remote_powershell_session.yml | 10 ++++---- .../posh_pc_renamed_powershell.yml | 2 +- ...susp_athremotefxvgpudisablementcommand.yml | 6 ++--- .../posh_pc_susp_download.yml | 8 +++---- .../posh_pc_susp_get_nettcpconnection.yml | 6 ++--- .../posh_pc_tamper_with_windows_defender.yml | 2 +- .../posh_pc_xor_commandline.yml | 2 +- .../posh_pm_alternate_powershell_hosts.yml | 8 +++---- .../posh_pm_bad_opsec_artifacts.yml | 5 +++- .../posh_pm_clear_powershell_history.yml | 6 ++--- .../posh_pm_decompress_commands.yml | 16 ++++++------- .../posh_pm_get_addbaccount.yml | 6 ++--- .../posh_pm_get_clipboard.yml | 16 ++++++------- .../posh_pm_invoke_obfuscation_clip.yml | 8 +++---- ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_pm_invoke_obfuscation_stdin.yml | 10 ++++---- .../posh_pm_invoke_obfuscation_var.yml | 8 +++---- ...osh_pm_invoke_obfuscation_via_compress.yml | 6 ++--- .../posh_pm_invoke_obfuscation_via_rundll.yml | 18 +++++++------- .../posh_pm_invoke_obfuscation_via_stdin.yml | 6 ++--- ...osh_pm_invoke_obfuscation_via_use_clip.yml | 6 ++--- ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 16 ++++++------- ...pm_invoke_obfuscation_via_use_rundll32.yml | 18 +++++++------- .../posh_pm_invoke_obfuscation_via_var.yml | 6 ++--- .../powershell_module/posh_pm_powercat.yml | 6 ++--- .../posh_pm_remote_powershell_session.yml | 8 +++---- .../posh_pm_susp_ad_group_reco.yml | 14 +++++------ ...susp_athremotefxvgpudisablementcommand.yml | 6 ++--- .../posh_pm_susp_download.yml | 8 +++---- .../posh_pm_susp_get_nettcpconnection.yml | 6 ++--- 
.../posh_pm_susp_invocation_generic.yml | 6 ++--- .../posh_pm_susp_invocation_specific.yml | 6 ++--- .../posh_pm_susp_local_group_reco.yml | 8 +++---- ..._pm_susp_reset_computermachinepassword.yml | 10 ++++---- .../posh_pm_susp_smb_share_reco.yml | 11 +++++---- .../posh_pm_susp_zip_compress.yml | 6 ++--- .../posh_pm_syncappvpublishingserver_exe.yml | 4 ++-- .../posh_ps_access_to_browser_login_data.yml | 10 ++++---- .../posh_ps_accessing_win_api.yml | 4 ++-- .../posh_ps_add_dnsclient_rule.yml | 4 +++- .../posh_ps_adrecon_execution.yml | 6 ++--- .../posh_ps_apt_silence_eda.yml | 24 +++++++++---------- .../posh_ps_as_rep_roasting.yml | 10 ++++---- .../posh_ps_automated_collection.yml | 6 ++--- .../posh_ps_azurehound_commands.yml | 16 ++++++------- .../posh_ps_capture_screenshots.yml | 6 ++--- .../posh_ps_cl_invocation_lolscript.yml | 8 +++---- .../posh_ps_cl_invocation_lolscript_count.yml | 8 +++---- .../posh_ps_cl_mutexverifiers_lolscript.yml | 8 +++---- ...h_ps_cl_mutexverifiers_lolscript_count.yml | 8 +++---- .../posh_ps_clear_powershell_history.yml | 8 +++---- ...sh_ps_clearing_windows_console_history.yml | 16 ++++++------- .../posh_ps_cmdlet_scheduled_task.yml | 8 +++---- .../posh_ps_copy_item_system_directory.yml | 14 +++++------ .../posh_ps_cor_profiler.yml | 12 +++++----- .../posh_ps_create_local_user.yml | 6 ++--- .../posh_ps_create_volume_shadow_copy.yml | 10 ++++---- .../posh_ps_data_compressed.yml | 10 ++++---- .../posh_ps_detect_vm_env.yml | 10 ++++---- .../posh_ps_directorysearcher.yml | 8 +++---- ...ps_directoryservices_accountmanagement.yml | 6 ++--- ..._ps_disable_psreadline_command_history.yml | 6 ++--- ...posh_ps_disable_windowsoptionalfeature.yml | 8 +++---- .../posh_ps_dnscat_execution.yml | 2 +- ...mp_password_windows_credential_manager.yml | 14 +++++------ .../posh_ps_enable_psremoting.yml | 6 ++--- .../posh_ps_enable_windowsoptionalfeature.yml | 8 +++---- ...te_password_windows_credential_manager.yml | 10 ++++---- 
.../posh_ps_etw_trace_evasion.yml | 12 +++++----- .../posh_ps_file_and_directory_discovery.yml | 11 +++++---- .../posh_ps_get_acl_service.yml | 6 ++--- .../posh_ps_get_adreplaccount.yml | 10 ++++---- .../posh_ps_get_childitem_bookmarks.yml | 10 ++++---- .../powershell_script/posh_ps_hotfix_enum.yml | 6 ++--- .../posh_ps_icmp_exfiltration.yml | 6 ++--- .../posh_ps_import_module_susp_dirs.yml | 6 ++--- .../posh_ps_invoke_command_remote.yml | 6 ++--- .../posh_ps_invoke_dnsexfiltration.yml | 6 ++--- .../posh_ps_invoke_nightmare.yml | 16 ++++++------- .../posh_ps_invoke_obfuscation_clip.yml | 8 +++---- ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_ps_invoke_obfuscation_stdin.yml | 8 +++---- .../posh_ps_invoke_obfuscation_var.yml | 8 +++---- ...osh_ps_invoke_obfuscation_via_compress.yml | 20 ++++++++-------- .../posh_ps_invoke_obfuscation_via_rundll.yml | 16 ++++++------- .../posh_ps_invoke_obfuscation_via_stdin.yml | 6 ++--- ...osh_ps_invoke_obfuscation_via_use_clip.yml | 6 ++--- ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 16 ++++++------- ...ps_invoke_obfuscation_via_use_rundll32.yml | 16 ++++++------- .../posh_ps_invoke_obfuscation_via_var.yml | 6 ++--- .../powershell_script/posh_ps_keylogging.yml | 6 ++--- .../powershell_script/posh_ps_localuser.yml | 6 ++--- .../posh_ps_malicious_commandlets.yml | 8 +++---- .../posh_ps_malicious_keywords.yml | 6 ++--- ...ps_memorydump_getstoragediagnosticinfo.yml | 6 ++--- .../posh_ps_modify_group_policy_settings.yml | 12 +++++----- .../powershell_script/posh_ps_msxml_com.yml | 12 +++++----- .../posh_ps_nishang_malicious_commandlets.yml | 6 ++--- .../posh_ps_ntfs_ads_access.yml | 6 ++--- .../posh_ps_office_comobject_registerxll.yml | 6 ++--- .../posh_ps_potential_invoke_mimikatz.yml | 12 +++++----- ...osh_ps_powerview_malicious_commandlets.yml | 6 ++--- .../posh_ps_prompt_credentials.yml | 8 +++---- .../powershell_script/posh_ps_psattack.yml | 6 ++--- .../posh_ps_remote_session_creation.yml | 10 ++++---- 
.../posh_ps_remove_item_path.yml | 8 +++---- .../posh_ps_request_kerberos_ticket.yml | 12 +++++----- .../posh_ps_run_from_mount_diskimage.yml | 10 ++++---- .../posh_ps_security_software_discovery.yml | 10 ++++---- .../posh_ps_send_mailmessage.yml | 6 ++--- .../posh_ps_sensitive_file_discovery.yml | 8 +++---- ...posh_ps_set_policies_to_unsecure_level.yml | 8 +++---- .../posh_ps_shellcode_b64.yml | 6 ++--- ...sh_ps_shellintel_malicious_commandlets.yml | 20 ++++++++-------- .../posh_ps_software_discovery.yml | 10 ++++---- ...ps_store_file_in_alternate_data_stream.yml | 6 ++--- .../posh_ps_susp_ad_group_reco.yml | 8 +++---- .../posh_ps_susp_clear_eventlog.yml | 8 +++---- .../posh_ps_susp_directory_enum.yml | 10 ++++---- .../posh_ps_susp_download.yml | 8 +++---- .../posh_ps_susp_execute_batch_script.yml | 8 +++---- .../posh_ps_susp_extracting.yml | 10 ++++---- .../posh_ps_susp_follina_execution.yml | 10 ++++---- .../posh_ps_susp_get_adcomputer.yml | 10 ++++---- ...susp_get_addefaultdomainpasswordpolicy.yml | 10 ++++---- .../posh_ps_susp_get_adgroup.yml | 10 ++++---- .../posh_ps_susp_get_current_user.yml | 10 ++++---- .../posh_ps_susp_get_gpo.yml | 10 ++++---- .../posh_ps_susp_get_process.yml | 10 ++++---- .../posh_ps_susp_getprocess_lsass.yml | 6 ++--- .../posh_ps_susp_gettypefromclsid.yml | 12 +++++----- .../powershell_script/posh_ps_susp_gwmi.yml | 10 ++++---- .../posh_ps_susp_hyper_v_condlet.yml | 10 ++++---- .../posh_ps_susp_invocation_generic.yml | 6 ++--- .../posh_ps_susp_invocation_specific.yml | 6 ++--- ...sh_ps_susp_invoke_webrequest_useragent.yml | 10 ++++---- .../posh_ps_susp_iofilestream.yml | 12 +++++----- .../posh_ps_susp_keywords.yml | 6 ++--- .../posh_ps_susp_local_group_reco.yml | 6 ++--- .../posh_ps_susp_mail_acces.yml | 8 ++++--- .../posh_ps_susp_mount_diskimage.yml | 10 ++++---- .../posh_ps_susp_networkcredential.yml | 6 ++--- .../posh_ps_susp_new_psdrive.yml | 8 +++---- .../posh_ps_susp_proxy_scripts.yml | 6 ++--- .../posh_ps_susp_recon_export.yml | 
6 ++--- .../posh_ps_susp_remove_adgroupmember.yml | 10 ++++---- .../posh_ps_susp_smb_share_reco.yml | 11 +++++---- .../posh_ps_susp_ssl_keyword.yml | 6 ++--- .../posh_ps_susp_start_process.yml | 8 +++---- .../posh_ps_susp_unblock_file.yml | 10 ++++---- .../posh_ps_susp_wallpaper.yml | 10 ++++---- .../posh_ps_susp_win32_pnpentity.yml | 6 ++--- .../posh_ps_susp_win32_shadowcopy.yml | 10 ++++---- ...posh_ps_susp_win32_shadowcopy_deletion.yml | 12 +++++----- .../posh_ps_susp_windowstyle.yml | 8 ++++--- .../posh_ps_susp_write_eventlog.yml | 4 ++-- .../posh_ps_susp_zip_compress.yml | 6 ++--- .../posh_ps_syncappvpublishingserver_exe.yml | 4 ++-- .../posh_ps_tamper_defender.yml | 8 +++---- ...ps_tamper_defender_remove_mppreference.yml | 8 +++---- .../posh_ps_test_netconnection.yml | 10 ++++---- .../powershell_script/posh_ps_timestomp.yml | 10 ++++---- .../posh_ps_trigger_profiles.yml | 6 ++--- .../powershell_script/posh_ps_upload.yml | 10 ++++---- ..._ps_using_set_service_to_hide_services.yml | 2 +- .../posh_ps_win32_product_install_msi.yml | 10 ++++---- .../posh_ps_win_defender_exclusions_added.yml | 10 ++++---- ...h_ps_windows_firewall_profile_disabled.yml | 18 +++++++------- .../posh_ps_winlogon_helper_dll.yml | 16 ++++++++----- .../posh_ps_wmi_persistence.yml | 6 ++--- .../posh_ps_wmi_unquoted_service_search.yml | 2 +- .../powershell_script/posh_ps_wmimplant.yml | 6 ++--- .../powershell_script/posh_ps_xml_iex.yml | 20 ++++++++-------- 178 files changed, 780 insertions(+), 758 deletions(-) diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml index 7fcc5fb71..79c370e09 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml 
@@ -3,13 +3,13 @@ id: d7326048-328b-4d5e-98af-86e84b17c765
 related:
 - id: 64e8e417-c19a-475a-8d19-98ea705394cc
 type: derived
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
-date: 2019/08/11
-modified: 2022/10/05
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+modified: 2022/10/05
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
index e8e4b05a3..f21afa52c 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml
@@ -2,15 +2,15 @@ title: Delete Volume Shadow Copies Via WMI With PowerShell
 id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
 status: stable
 description: Shadow Copies deletion using operating systems utilities via PowerShell
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
 - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+author: frack113
+date: 2021/06/03
+modified: 2021/10/16
 tags:
 - attack.impact
 - attack.t1490
-date: 2021/06/03
-modified: 2021/10/16
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index a0fdf44b4..9ce7332e3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -4,13 +4,13 @@ status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
 references:
 - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
+date: 2017/03/22
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1059.001
-author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
-date: 2017/03/22
-modified: 2021/10/16
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
index ec3b137b4..0335aa189 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml
@@ -4,13 +4,13 @@ status: experimental
 description: Detects PowerShell called from an executable by the version mismatch method
 references:
 - https://adsecurity.org/?p=2921
+author: Sean Metcalf (source), Florian Roth (rule)
+date: 2017/03/05
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.execution
 - attack.t1059.001
-author: Sean Metcalf (source), Florian Roth (rule)
-date: 2017/03/05
-modified: 2021/10/16
 logsource:
 product: windows
 category: ps_classic_start
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
index 3d91e0cff..4c8f16620 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml
@@ -1,17 +1,17 @@
 title: Netcat The Powershell Version
 id: c5b20776-639a-49bf-94c7-84f912b91c15
 related:
- - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
- type: derived
+ - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
+ type: derived
 status: experimental
-author: frack113
-date: 2021/07/21
-modified: 2021/10/16
 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 references:
 - https://nmap.org/ncat/
 - https://github.com/besimorhino/powercat
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
+author: frack113
+date: 2021/07/21
+modified: 2021/10/16
 tags:
 - attack.command_and_control
 - attack.t1095
@@ -27,4 +27,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
index 4ce2aad71..c3294c708 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml
@@ -3,13 +3,13 @@ id: 60167e5c-84b2-4c95-a7ac-86281f27c445
 related:
 - id: 96b9f619-aa91-478f-bacb-c3e50f8df575
 type: derived
-description: Detects remote PowerShell sessions
 status: test
-date: 2019/08/10
-modified: 2022/06/20
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects remote PowerShell sessions
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/10
+modified: 2022/06/20
 tags:
 - attack.execution
 - attack.t1059.001
@@ -26,4 +26,4 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate use remote PowerShell sessions
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
index 23a33a84c..2a6adeb25 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml
@@ -1,7 +1,7 @@
 title: Renamed Powershell Under Powershell Channel
 id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
-description: Detects renamed powershell
 status: test
+description: Detects renamed powershell
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 author: Harish Segar, frack113
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
index af8e94cf9..d81b9e4e6 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
@@ -28,11 +28,11 @@ detection:
 - '-ScriptBlock '
 - '-RemoteFXvGPUDisablementFilePath'
 condition: all of selection_*
-falsepositives:
- - Unknown
-level: medium
 fields:
 - ComputerName
 - User
 - CommandLine
 - ParentCommandLine
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
index 183154501..21d647ee3 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml
@@ -5,12 +5,12 @@ related:
 type: derived
 status: experimental
 description: Detects suspicious PowerShell download command
-tags:
- - attack.execution
- - attack.t1059.001
 author: Florian Roth
 date: 2017/03/05
 modified: 2021/10/16
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_classic_start
@@ -27,4 +27,4 @@ detection:
 condition: downloadfile or downloadstring
 falsepositives:
 - PowerShell scripts that download content from the Internet
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
index 39ed23976..c7824c7ec 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml
@@ -6,6 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
 date: 2021/12/10
+tags:
+ - attack.discovery
+ - attack.t1049
 logsource:
 product: windows
 category: ps_classic_start
@@ -17,6 +20,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.discovery
- - attack.t1049
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
index b9eeec34b..5d193835b 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
@@ -3,8 +3,8 @@ id: ec19ebab-72dc-40e1-9728-4c0b805d722c
 related:
 - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
 type: similar
-description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
 status: experimental
+description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: frack113
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index acb208b83..ccb752a5d 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -1,7 +1,7 @@
 title: Suspicious XOR Encoded PowerShell Command Line
 id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
-description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
 status: experimental
+description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
 author: Teymur Kheirkhabarov, Harish Segar (rule)
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 5a8f7764d..89ebf709e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
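Review bot: The `related` entry in posh_pc_tamper_with_windows_defender.yml points at the rule itself: the context line `- id: ec19ebab-72dc-40e1-9728-4c0b805d722c` under `type: similar` is the same value as the rule's own `id:` shown in the hunk header, so the relation is circular and tells a consumer nothing. These lines are not touched by the reorder, but since the header block is being normalised here it is the moment to either replace the id with that of the rule this one is actually similar to (presumably a process_creation or ps_script counterpart; confirm which before editing) or drop the `related` block entirely. The hunk covers only the rule header; the detection section lies outside it.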
@@ -1,12 +1,12 @@
 title: Alternate PowerShell Hosts
 id: 64e8e417-c19a-475a-8d19-98ea705394cc
-description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
-date: 2019/08/11
-modified: 2022/10/10
-author: Roberto Rodriguez @Cyb3rWard0g
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
+author: Roberto Rodriguez @Cyb3rWard0g
+date: 2019/08/11
+modified: 2022/10/10
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
index fb48751d4..3739517c7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml
@@ -3,8 +3,11 @@ id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
 related:
 - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
 type: derived
-description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
 status: experimental
+description: |
+ focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
+ Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
+ that often undergo minimal changes by attackers due to bad opsec.
 references:
 - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
 - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
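Review bot: The rewrapped description in posh_pm_bad_opsec_artifacts.yml now starts lowercase — `focuses on trivial artifacts ...` — where the removed line began with `Focuses`, so the reorder quietly changed the text; restore the capital so the description reads as a sentence like every other rule's. The `|` literal block also keeps the two hard line breaks inside the value, so anything that renders the description (rule catalogues, converters) will show a wrapped paragraph rather than one sentence; if a single-line string is intended, `description: >-` folds the lines back together while keeping the source readable. The hunk ends after the references list; the rest of the rule is outside it.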
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 0d36117af..08affa1ba 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -5,11 +5,11 @@ related:
 type: derived
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
-date: 2019/10/25
-modified: 2022/05/10
-author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/25
+modified: 2022/05/10
 tags:
 - attack.defense_evasion
 - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
index af98c89a7..d6d0186cb 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml
@@ -3,17 +3,17 @@ id: 1ddc1472-8e52-4f7d-9f11-eab14fc171f5
 related:
 - id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
 type: derived
-description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
 status: experimental
-date: 2020/05/02
-modified: 2021/10/16
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.defense_evasion
- - attack.t1140
+description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/8
 - https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2021/10/16
+tags:
+ - attack.defense_evasion
+ - attack.t1140
 logsource:
 product: windows
 category: ps_module
@@ -24,4 +24,4 @@ detection:
 condition: selection_4103
 falsepositives:
 - Unknown
-level: informational
\ No newline at end of file
+level: informational
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index 6305b90d1..fd3a425c0 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -1,12 +1,12 @@
 title: Suspicious Get-ADDBAccount Usage
 id: b140afd9-474b-4072-958e-2ebb435abd68
-description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
 status: experimental
-author: Florian Roth
-date: 2022/03/16
+description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
 references:
 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
 - https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
+author: Florian Roth
+date: 2022/03/16
 tags:
 - attack.credential_access
 - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index baf228bd5..5ba8781e7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -1,16 +1,16 @@
 title: PowerShell Get Clipboard
 id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
-description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 status: experimental
-date: 2020/05/02
-modified: 2022/06/20
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-tags:
- - attack.collection
- - attack.t1115
+description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 references:
 - https://github.com/OTRF/detection-hackathon-apt29/issues/16
 - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/05/02
+modified: 2022/06/20
+tags:
+ - attack.collection
+ - attack.t1115
 logsource:
 product: windows
 category: ps_module
@@ -21,4 +21,4 @@ detection:
 condition: selection_4103
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 73f8b09f4..20e4882de 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
@@ -3,13 +3,13 @@ id: a136cde0-61ad-4a61-9b82-8dc490e60dd2
 related:
 - id: 73e67340-0d25-11eb-adc1-0242ac120002
 type: derived
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -25,4 +25,4 @@ detection:
 condition: selection_4103
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
index 9a4848faf..40e3d5feb 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml
@@ -3,10 +3,10 @@ id: 2f211361-7dce-442d-b78a-c04039677378
 related:
 - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
 type: derived
+status: experimental
 description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
-status: experimental
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
index 483b4c343..7c6480e6a 100644
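Review bot: The reference line re-added in posh_pm_invoke_obfuscation_clip.yml, `- https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)`, carries an inline comment with no space after the hash, which yamllint's `comments` rule rejects; since the line is being rewritten anyway, `# (Task 26)` costs nothing. The same form is re-added in posh_pm_invoke_obfuscation_stdin.yml, posh_pm_invoke_obfuscation_var.yml, posh_pm_invoke_obfuscation_via_compress.yml, posh_pm_invoke_obfuscation_via_rundll.yml and posh_pm_invoke_obfuscation_via_stdin.yml, where the last one also drops the space inside the parenthesis (`#(Task28)`), so the six could be normalised together in this commit. The whitespace between the URL and the comment is not recoverable from the collapsed diff, so the two-space inline-comment spacing should be checked on the rendered file.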
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml
@@ -2,14 +2,14 @@ title: Invoke-Obfuscation STDIN+ Launcher
 id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3
 related:
 - id: 779c8c12-0eb1-11eb-adc1-0242ac120002
- type: derived
-description: Detects Obfuscated use of stdin to execute PowerShell
+ type: derived
 status: experimental
+description: Detects Obfuscated use of stdin to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -25,4 +25,4 @@ detection:
 condition: selection_4103
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
index 91aec4b61..1c4f947d8 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml
@@ -3,13 +3,13 @@ id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
 related:
 - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
 type: derived
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -25,4 +25,4 @@ detection: condition: selection_4103 falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml index 36fb17672..efece32de 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml @@ -3,13 +3,13 @@ id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 related: - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 type: derived -description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental +description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2021/10/16 -references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index a8ad4066e..1b3a08617 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml 
@@ -3,20 +3,25 @@ id: a23791fe-8846-485a-b16b-ca691e1b03d4 related: - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 type: derived -description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental +description: Detects Obfuscated Powershell via RUNDLL LAUNCHER +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 modified: 2022/03/08 -references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|contains|all: + Payload|contains|all: - 'rundll32.exe' - 'shell32.dll' - 'shellexec_rundll' @@ -25,8 +30,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml index 1bd27a934..264ebea41 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml @@ -3,13 +3,13 @@ id: c72aca44-8d52-45ad-8f81-f96c4d3c755e related: - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 type: derived -description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental +description: Detects Obfuscated Powershell via Stdin in Scripts +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 modified: 2021/10/16 -references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml index ddfa4f24f..2f9dc757e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml @@ -3,13 +3,13 @@ id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd related: - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 type: derived -description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental +description: Detects Obfuscated Powershell via use Clip.exe in Scripts +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 modified: 2021/10/16 -references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index e92b64016..26d7188af 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml 
@@ -3,13 +3,18 @@ id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb related: - id: e55a5195-4724-480e-a77e-3ebe64bd3759 type: derived -description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental +description: Detects Obfuscated Powershell via use MSHTA in Scripts +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 modified: 2022/03/07 -references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_module @@ -27,8 +32,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index a7861292b..a9fa7122f 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml @@ -3,13 +3,18 @@ id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a related: - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b type: derived -description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental +description: Detects Obfuscated Powershell via use Rundll32 in Scripts +references: + - https://github.com/Neo23x0/sigma/issues/1009 author: Nikita Nazarov, oscd.community date: 2019/10/08 modified: 2022/03/08 -references: - - https://github.com/Neo23x0/sigma/issues/1009 +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_module 
@@ -21,7 +26,7 @@ detection: - 'rundll32' - 'shell32.dll' - 'shellexec_rundll' - Payload|contains: + Payload|contains: - 'value' - 'invoke' - 'comspec' @@ -30,8 +35,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 04936a2e0..e76e8230b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -3,13 +3,13 @@ id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 related: - id: e54f5149-6ba3-49cf-b153-070d24679126 type: derived -description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 modified: 2021/10/16 -references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml index fbfba628d..d0e211da3 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml 
@@ -1,14 +1,14 @@ title: Netcat The Powershell Version id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: experimental -author: frack113 -date: 2021/07/21 -modified: 2021/10/16 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network references: - https://nmap.org/ncat/ - https://github.com/besimorhino/powercat - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md +author: frack113 +date: 2021/07/21 +modified: 2021/10/16 tags: - attack.command_and_control - attack.t1095 diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index 606af813f..6f9d204c1 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -1,12 +1,12 @@ title: Remote PowerShell Session (PS Module) id: 96b9f619-aa91-478f-bacb-c3e50f8df575 -description: Detects remote PowerShell sessions status: test -date: 2019/08/10 -modified: 2022/06/20 -author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton +description: Detects remote PowerShell sessions references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html +author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton +date: 2019/08/10 +modified: 2022/06/20 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml index c1b2673e6..28a91baf6 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml 
@@ -1,14 +1,17 @@ title: AD Groups Or Users Enumeration Using PowerShell - PoshModule id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4 +status: experimental description: | - Adversaries may attempt to find domain-level groups and permission settings. - The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. - Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. + Adversaries may attempt to find domain-level groups and permission settings. + The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. + Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md -status: experimental author: frack113 date: 2021/12/15 +tags: + - attack.discovery + - attack.t1069.001 logsource: product: windows category: ps_module @@ -32,6 +35,3 @@ detection: falsepositives: - Administrator script level: low -tags: - - attack.discovery - - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index 4ad279399..d7bd34858 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml 
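Review bot: The tags block moved up in posh_pm_susp_ad_group_reco.yml still reads `  - attack.t1069.001`, which is the Local Groups sub-technique, while the description on the new side covers domain-level groups and the reference is the T1069.002 atomic. The added tag line should be `  - attack.t1069.002` so the rule maps to Domain Groups. A tag correction would presumably also warrant a `modified` date, which the pure reorder does not need. The detection block that would confirm the intent is outside this hunk.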
@@ -1,13 +1,13 @@ title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand id: 38a7625e-b2cb-485d-b83d-aff137d859f4 status: experimental -author: frack113 -date: 2021/07/13 -modified: 2021/10/16 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 +author: frack113 +date: 2021/07/13 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 598a3549e..5f36c7b73 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -5,12 +5,12 @@ related: type: derived status: experimental description: Detects suspicious PowerShell download command -tags: - - attack.execution - - attack.t1059.001 author: Florian Roth date: 2017/03/05 modified: 2021/10/18 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_module @@ -24,4 +24,4 @@ detection: condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index f32822bbd..0be65ca51 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml 
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml @@ -6,6 +6,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 date: 2021/12/10 +tags: + - attack.discovery + - attack.t1049 logsource: product: windows category: ps_module @@ -17,6 +20,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.discovery - - attack.t1049 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 68532a09c..58ab9a87c 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -5,12 +5,12 @@ related: type: derived status: experimental description: Detects suspicious PowerShell invocation command parameters -tags: - - attack.execution - - attack.t1059.001 author: Florian Roth (rule) date: 2017/03/12 modified: 2021/12/02 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_module diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index d429a97b7..0a8f13c05 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml 
@@ -5,12 +5,12 @@ related: type: derived status: experimental description: Detects suspicious PowerShell invocation command parameters -tags: - - attack.execution - - attack.t1059.001 author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 modified: 2022/02/21 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_module diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml index f41058316..506f6baa4 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml @@ -1,14 +1,17 @@ title: Suspicious Get Local Groups Information id: cef24b90-dddc-4ae1-a09a-8764872f69fc +status: experimental description: | Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md -status: experimental author: frack113 date: 2021/12/12 +tags: + - attack.discovery + - attack.t1069.001 logsource: product: windows category: ps_module @@ -32,6 +35,3 @@ detection: falsepositives: - Administrator script level: low -tags: - - attack.discovery - - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml index ad78a9bde..7985de802 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml 
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml @@ -1,12 +1,17 @@ title: Suspicious Computer Machine Password by PowerShell id: e3818659-5016-4811-a73c-dde4679169d2 status: experimental -description: The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer. +description: | + The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. + You can use it to reset the password of the local computer. references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: frack113 date: 2022/02/21 +tags: + - attack.initial_access + - attack.t1078 logsource: product: windows category: ps_module @@ -18,6 +23,3 @@ detection: falsepositives: - Administrator PowerShell scripts level: medium -tags: - - attack.initial_access - - attack.t1078 \ No newline at end of file diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index 5c1f99b96..fed54bbf6 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml 
@@ -1,13 +1,17 @@ title: Suspicious Get Information for SMB Share id: 6942bd25-5970-40ab-af49-944247103358 +status: experimental description: | - Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. + Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and + to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md -status: experimental author: frack113 date: 2021/12/15 +tags: + - attack.discovery + - attack.t1069.001 logsource: product: windows category: ps_module @@ -20,6 +24,3 @@ detection: falsepositives: - Administrator script level: low -tags: - - attack.discovery - - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml index 9cc35cb3e..1cd4292c4 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml 
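Review bot: The relocated tags in posh_pm_susp_smb_share_reco.yml keep `  - attack.t1069.001` (Local Groups) although the reference points at the T1069.002 atomic and the description is the ATT&CK wording for Network Share Discovery (T1135); the tag matches neither, so it should be checked against the selection (outside the hunk) and set to the technique the rule actually covers. Separately, the new `|` block breaks the first sentence after `Collection and`, so a newline lands mid-sentence in the rendered description; breaking at the sentence boundary, as the other multi-line descriptions in this change do, avoids that.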
@@ -4,12 +4,12 @@ related: - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 type: derived status: experimental -author: frack113 -date: 2021/07/20 -modified: 2021/10/16 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md +author: frack113 +date: 2021/07/20 +modified: 2021/10/16 tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml index f5d5cff74..ec7d8c72a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml @@ -5,8 +5,8 @@ related: type: derived - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299 type: derived -description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. status: experimental +description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' @@ -25,4 +25,4 @@ detection: condition: selection falsepositives: - App-V clients -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index 56a47176f..ccdb8e75d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
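Review bot: The moved description in posh_pm_syncappvpublishingserver_exe.yml is missing a verb, `which usually utilized by adversaries`; since the commit already rewrites the line, it could read `description: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.`. The rest of the rule, including the selection, is outside this hunk.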
+++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml @@ -4,14 +4,17 @@ related: - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d type: obsoletes status: experimental -author: frack113 -date: 2022/01/30 description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md +author: frack113 +date: 2022/01/30 +tags: + - attack.credential_access + - attack.t1555.003 logsource: product: windows category: ps_script @@ -32,6 +35,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.credential_access - - attack.t1555.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml index 558746b04..df4639d7e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml @@ -2,11 +2,11 @@ title: Accessing WinAPI in PowerShell id: 03d83090-8cba-44a0-b02f-0b756a050306 status: experimental description: Detecting use WinAPI Functions in PowerShell +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: Nikita Nazarov, oscd.community, Tim Shelton date: 2020/10/06 modified: 2022/09/29 -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index dddb6e625..23b3341b7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -1,7 +1,9 @@ title: Powershell Add Name Resolution Policy Table Rule id: 4368354e-1797-463c-bc39-a309effbe8d7 status: test -description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. +description: | + Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. + This will bypass the default DNS server and uses a specified server for answering the query. references: - https://twitter.com/NathanMcNulty/status/1569497348841287681 - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml index ef08b024f..8482c2316 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml 
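Review bot: The description block added in posh_ps_add_dnsclient_rule.yml has subject/verb disagreement on both new lines, `Detects powershell scripts that adds` and `uses a specified server`; they should read `    Detects powershell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace.` and `    This will bypass the default DNS server and use a specified server for answering the query.`. The detection and tags of this rule are outside the hunk.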
@@ -5,13 +5,13 @@ description: Detects execution of ADRecon.ps1 for AD reconnaissance which has be references: - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1 - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 +author: Bhabesh Raj +date: 2021/07/16 +modified: 2022/09/06 tags: - attack.discovery - attack.execution - attack.t1059.001 -author: Bhabesh Raj -date: 2021/07/16 -modified: 2022/09/06 logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml index e623df577..f2b73179c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml @@ -2,11 +2,21 @@ title: Silence.EDA Detection id: 3ceb2083-a27f-449a-be33-14ec1b7cc973 status: test description: Detects Silence EmpireDNSAgent as described in the Group-IP report +references: + - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf author: Alina Stepchenkova, Group-IB, oscd.community date: 2019/11/01 modified: 2022/10/05 -references: - - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf +tags: + - attack.execution + - attack.t1059.001 + - attack.command_and_control + - attack.t1071.004 + - attack.t1572 + - attack.impact + - attack.t1529 + - attack.g0091 + - attack.s0363 logsource: product: windows service: powershell @@ -33,13 +43,3 @@ detection: falsepositives: - Unknown level: critical -tags: - - attack.execution - - attack.t1059.001 - - attack.command_and_control - - attack.t1071.004 - - attack.t1572 - - attack.impact - - attack.t1529 - - attack.g0091 - - attack.s0363 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml index 54cdd93a0..54e8f51e4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml @@ -2,11 +2,14 @@ title: Get-ADUser Enumeration Using UserAccountControl Flags id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8 status: experimental description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication. -date: 2022/03/17 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ +author: frack113 +date: 2022/03/17 +tags: + - attack.discovery + - attack.t1033 logsource: product: windows category: ps_script @@ -24,6 +27,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: medium -tags: - - attack.discovery - - attack.t1033 diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml index f85d12599..7e391ab90 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml 
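Review bot: The tags moved up in posh_ps_as_rep_roasting.yml, `  - attack.discovery` / `  - attack.t1033`, do not match what the rule says it detects: the description names AS-REP roasting, which is T1558.004 under credential_access, and the title and reference describe domain user enumeration via UserAccountControl flags, which is closer to T1087.002 than to System Owner/User Discovery. Which pair is right depends on the selection, which is outside this hunk, but t1033 looks wrong under either reading and is worth fixing while the block is being touched. The description's wording (`Detects AS-REP roasting is an attack`) is a context line here and could be tidied in the same pass.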
@@ -1,12 +1,12 @@ title: Automated Collection Command PowerShell id: c1dda054-d638-4c16-afc8-53e007f3fbc5 status: experimental -author: frack113 -date: 2021/07/28 -modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md +author: frack113 +date: 2021/07/28 +modified: 2021/12/02 tags: - attack.collection - attack.t1119 diff --git a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml index b006328ae..96a2831f0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml @@ -8,14 +8,6 @@ references: author: Austin Songer (@austinsonger) date: 2021/10/23 modified: 2022/01/12 -logsource: - product: windows - category: ps_script - definition: Script Block Logging must be enabled -detection: - selection: - ScriptBlockText|contains: Invoke-AzureHound - condition: selection tags: - attack.discovery - attack.t1482 @@ -25,6 +17,14 @@ tags: - attack.t1069.001 - attack.t1069.002 - attack.t1069 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enabled +detection: + selection: + ScriptBlockText|contains: Invoke-AzureHound + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml index ddae8a494..7f0bf381f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml 
@@ -9,6 +9,9 @@ references: author: frack113 date: 2021/12/28 modified: 2022/07/07 +tags: + - attack.collection + - attack.t1113 logsource: product: windows category: ps_script @@ -20,6 +23,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.collection - - attack.t1113 diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml index 75b81b735..3c739eb68 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml @@ -1,13 +1,13 @@ title: Execution via CL_Invocation.ps1 id: 4cd29327-685a-460e-9dac-c3ab96e549dc -description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module status: experimental -author: oscd.community, Natalia Shornikova -date: 2020/10/14 -modified: 2021/10/16 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module references: - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1216 diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml index cae4b871e..ca4c8c67e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml 
@@ -1,13 +1,13 @@
 title: Execution via CL_Invocation.ps1 (2 Lines)
 id: f588e69b-0750-46bb-8f87-0e9320d57536
-description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
 - https://twitter.com/bohops/status/948061991012327424
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
index 44f7610e5..7a9904163 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml
@@ -1,13 +1,13 @@
 title: Execution via CL_Mutexverifiers.ps1
 id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
 - https://twitter.com/pabraeken/status/995111125447577600
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
index 53b50941d..f32263af7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml
@@ -1,13 +1,13 @@
 title: Execution via CL_Mutexverifiers.ps1 (2 Lines)
 id: 6609c444-9670-4eab-9636-fe4755a851ce
-description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 status: experimental
-author: oscd.community, Natalia Shornikova
-date: 2020/10/14
-modified: 2021/10/16
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
 references:
 - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
 - https://twitter.com/pabraeken/status/995111125447577600
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.t1216
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index d9b2bdb47..6793baf4e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -5,11 +5,14 @@ related:
 type: derived
 status: experimental
 description: Detects keywords that could indicate clearing PowerShell history
-author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2022/01/25
 modified: 2022/05/10
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
 logsource:
 product: windows
 category: ps_script
@@ -36,6 +39,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
index c2741d7aa..1dfc80f96 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml
@@ -1,13 +1,17 @@
 title: Clearing Windows Console History
 id: bde47d4b-9987-405c-94c7-b080410e8ea7
-description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
 status: experimental
-author: Austin Songer @austinsonger
-date: 2021/11/25
+description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
 references:
 - https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/
 - https://www.shellhacks.com/clear-history-powershell/
 - https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
+author: Austin Songer @austinsonger
+date: 2021/11/25
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+ - attack.t1070.003
 logsource:
 product: windows
 category: ps_script
@@ -24,10 +28,6 @@ detection:
 - ConsoleHost_history.txt
 - (Get-PSReadlineOption).HistorySavePath
 condition: selection1 or selection2a and selection2b
-tags:
- - attack.defense_evasion
- - attack.t1070
- - attack.t1070.003
-level: high
 falsepositives:
 - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
index 050837322..c1c7fb77f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
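Review bot: The `condition: selection1 or selection2a and selection2b` line in the second hunk of posh_ps_clearing_windows_console_history.yml depends on `and` binding tighter than `or`, so it evaluates as `selection1 or (selection2a and selection2b)`; since this commit already reorders the rule's keys, spelling the grouping out would cost nothing and removes the ambiguity for readers and for anyone converting the rule. The proposed line is `condition: selection1 or (selection2a and selection2b)`. The detection block that this condition closes begins outside the hunk.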
+++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml
@@ -7,6 +7,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
 author: frack113
 date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1053.005
 logsource:
 product: windows
 category: ps_script
@@ -29,8 +32,5 @@ detection:
 - 'Root\Microsoft\Windows\TaskScheduler'
 condition: 1 of selection_*
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
-tags:
- - attack.persistence
- - attack.t1053.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
index 666fef3bb..03c915c60 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml
@@ -7,6 +7,9 @@ references:
 author: frack113, Nasreddine Bencherchali
 date: 2021/12/27
 modified: 2022/10/20
+tags:
+ - attack.credential_access
+ - attack.t1556.002
 logsource:
 product: windows
 category: ps_script
@@ -14,16 +17,13 @@ logsource:
 detection:
 selection_copy:
 ScriptBlockText|contains|all:
- - 'Copy-Item '
- - '-Destination '
+ - 'Copy-Item '
+ - '-Destination '
 selection_paths:
 ScriptBlockText|contains:
- - '\Windows\System32'
- - '\Windows\SysWOW64'
+ - '\Windows\System32'
+ - '\Windows\SysWOW64'
 condition: all of selection*
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.credential_access
- - attack.t1556.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
index 1c92773af..c14435c36 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml
@@ -7,10 +7,13 @@ description: |
 These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
 (Citation: Microsoft Profiling Mar 2017)
 (Citation: Microsoft COR_PROFILER Feb 2013)
-author: frack113
-date: 2021/12/30
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
+author: frack113
+date: 2021/12/30
+tags:
+ - attack.persistence
+ - attack.t1574.012
 logsource:
 product: windows
 category: ps_script
@@ -23,8 +26,5 @@ detection:
 - '$env:COR_PROFILER_PATH'
 condition: selection
 falsepositives:
- - Legitimate administrative script
+ - Legitimate administrative script
 level: medium
-tags:
- - attack.persistence
- - attack.t1574.012
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
index 8b4983cbf..4661466f1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml
@@ -4,14 +4,14 @@ status: experimental
 description: Detects creation of a local user via PowerShell
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
+author: '@ROxPinTeddy'
+date: 2020/04/11
+modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
 - attack.persistence
 - attack.t1136.001
-author: '@ROxPinTeddy'
-date: 2020/04/11
-modified: 2021/10/16
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
index 6c098c110..aaa8fb639 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -2,11 +2,14 @@ title: Create Volume Shadow Copy with Powershell
 id: afd12fed-b0ec-45c9-a13d-aa86625dac81
 status: experimental
 description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
-date: 2022/01/12
-author: frack113
 references:
 - https://attack.mitre.org/datasources/DS0005/
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
+date: 2022/01/12
+tags:
+ - attack.credential_access
+ - attack.t1003.003
 logsource:
 product: windows
 category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: high
-tags:
- - attack.credential_access
- - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
index 02098dfae..e7691dcea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
@@ -2,11 +2,14 @@ title: Data Compressed - PowerShell
 id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
 status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2021/10/16
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
+tags:
+ - attack.exfiltration
+ - attack.t1560
 logsource:
 product: windows
 category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
 - Highly likely if archive operations are done via PowerShell.
 level: low
-tags:
- - attack.exfiltration
- - attack.t1560
diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
index 3a7d39ced..0462aaa64 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml
@@ -1,13 +1,15 @@
 title: Powershell Detect Virtualization Environment
 id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 status: experimental
-author: frack113, Duc.Le-GTSC
-date: 2021/08/03
-modified: 2022/03/03
-description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
+description: |
+ Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
+ This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
 - https://techgenix.com/malicious-powershell-scripts-evade-detection/
+author: frack113, Duc.Le-GTSC
+date: 2021/08/03
+modified: 2022/03/03
 tags:
 - attack.defense_evasion
 - attack.t1497.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
index 72b5b9b37..d6e71c8bc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml
@@ -2,10 +2,13 @@ title: DirectorySearcher Powershell Exploitation
 id: 1f6399cf-2c80-4924-ace1-6fcff3393480
 status: experimental
 description: Enumerates Active Directory to determine computers that are joined to the domain
-date: 2022/02/12
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
 author: frack113
+date: 2022/02/12
+tags:
+ - attack.discovery
+ - attack.t1018
 logsource:
 product: windows
 category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.discovery
- - attack.t1018
diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
index 65bcc357a..6538dcd50 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml
@@ -9,6 +9,9 @@ references:
 - https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
 author: frack113
 date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1136.002
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: medium
-tags:
- - attack.persistence
- - attack.t1136.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
index 0fd446068..ca73990c6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml
@@ -6,6 +6,9 @@ references:
 - https://twitter.com/DissectMalware/status/1062879286749773824
 author: Ali Alwashali
 date: 2022/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
 logsource:
 product: windows
 category: ps_script
@@ -19,6 +22,3 @@ detection:
 falsepositives:
 - Legitimate script that disables the command history
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
index df3121e56..51f323566 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml
@@ -1,14 +1,14 @@
 title: Disable-WindowsOptionalFeature Command PowerShell
 id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
 status: experimental
-author: frack113
-date: 2022/09/10
 description: |
- Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+ Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
 - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
+author: frack113
+date: 2022/09/10
 tags:
 - attack.defense_evasion
 - attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
index ea3a7d0a7..79ac972e0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml
@@ -1,7 +1,7 @@
 title: Dnscat Execution
 id: a6d67db4-6220-436d-8afc-f3842fe05d43
-description: Dnscat exfiltration tool execution
 status: experimental
+description: Dnscat exfiltration tool execution
 author: Daniil Yugoslavskiy, oscd.community
 date: 2019/10/24
 modified: 2021/10/16
diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
index 596705cf0..d389bfedb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml
@@ -1,13 +1,16 @@
 title: Dump Credentials from Windows Credential Manager With PowerShell
 id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
 status: experimental
-author: frack113
-date: 2021/12/20
 description: |
- Adversaries may search for common password storage locations to obtain user credentials.
- Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+ Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
+author: frack113
+date: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1555
 logsource:
 product: windows
 category: ps_script
@@ -32,6 +35,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.credential_access
- - attack.t1555
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
index b1134519d..a91231944 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml
@@ -7,6 +7,9 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
 author: frack113
 date: 2022/01/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
 logsource:
 product: windows
 category: ps_script
@@ -18,6 +21,3 @@ detection:
 falsepositives:
 - Legitimate script
 level: medium
-tags:
- - attack.lateral_movement
- - attack.t1021.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
index c37b1dd75..67c4d231f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml
@@ -1,13 +1,13 @@
 title: Enable-WindowsOptionalFeature Command PowerShell
 id: 55c925c1-7195-426b-a136-a9396800e29b
 status: experimental
-author: frack113
-date: 2022/09/10
 description: |
- Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
- Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
+ Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.
+ Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
 references:
 - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
+author: frack113
+date: 2022/09/10
 tags:
 - attack.defense_evasion
 logsource:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
index cd35eba18..da88ea021 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml
@@ -1,13 +1,16 @@
 title: Enumerate Credentials from Windows Credential Manager With PowerShell
 id: 603c6630-5225-49c1-8047-26c964553e0e
 status: experimental
-author: frack113
-date: 2021/12/20
 description: |
 Adversaries may search for common password storage locations to obtain user credentials.
 Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
+author: frack113
+date: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1555
 logsource:
 product: windows
 category: ps_script
@@ -25,6 +28,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.credential_access
- - attack.t1555
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
index 55e61a589..f41738e05 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml
@@ -5,10 +5,15 @@ related:
 type: derived
 status: experimental
 description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
-author: Nasreddine Bencherchali
 references:
 - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
+author: Nasreddine Bencherchali
 date: 2022/06/28
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+ - attack.t1562.006
+ - car.2016-04-002
 logsource:
 product: windows
 category: ps_script
@@ -24,8 +29,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1070
- - attack.t1562.006
- - car.2016-04-002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
index 413246730..1cd5b1aca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
@@ -1,13 +1,17 @@
 title: Powershell File and Directory Discovery
 id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
+status: experimental
 description: |
 Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
- Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+ Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
+ including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
-status: experimental
 author: frack113
 date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1083
 logsource:
 product: windows
 category: ps_script
@@ -24,6 +28,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.discovery
- - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
index 6602dc891..9fb1db082 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml
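Review bot: The rewritten `description: |` in the first hunk of posh_ps_file_and_directory_discovery.yml now breaks one sentence across two lines (`… to shape follow-on behaviors,` / `including whether or not …`), and because `|` is a literal block scalar the loaded description string carries a newline in the middle of that sentence. If the goal is only to keep the source line short, a folded scalar, `description: >`, joins the continuation lines with spaces and leaves the description as one sentence; if the repository deliberately uses `|` for all multi-line descriptions, breaking at a sentence boundary instead avoids the mid-sentence newline. The two-line `|` block added to posh_ps_detect_vm_env.yml has the same scalar style, though there the break does fall at a sentence boundary.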
@@ -10,6 +10,9 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
 author: frack113
 date: 2021/12/30
+tags:
+ - attack.persistence
+ - attack.t1574.011
 logsource:
 product: windows
 category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: medium
-tags:
- - attack.persistence
- - attack.t1574.011
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index d4f4563f7..6b95f660a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -4,11 +4,14 @@ status: experimental
 description: |
 The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
 These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
-date: 2022/02/06
-author: frack113
 references:
 - https://www.powershellgallery.com/packages/DSInternals
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
+author: frack113
+date: 2022/02/06
+tags:
+ - attack.credential_access
+ - attack.t1003.006
 logsource:
 product: windows
 category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
-tags:
- - attack.credential_access
- - attack.t1003.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
index e236b8802..490360c65 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
@@ -1,14 +1,17 @@
 title: Automated Collection Bookmarks Using Get-ChildItem PowerShell
 id: e0565f5d-d420-4e02-8a68-ac00d864f9cf
 status: experimental
-author: frack113
-date: 2021/12/13
 description: |
 Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
 Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.)
 as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
+author: frack113
+date: 2021/12/13
+tags:
+ - attack.discovery
+ - attack.t1217
 logsource:
 product: windows
 category: ps_script
@@ -26,6 +29,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.discovery
- - attack.t1217
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
index 544a4d5ce..88aee21b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
@@ -2,10 +2,12 @@ title: PowerShell Hotfix Enumeration
 id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
 status: experimental
 description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
-author: Nasreddine Bencherchali
 references:
 - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
+author: Nasreddine Bencherchali
 date: 2022/06/21
+tags:
+ - attack.discovery
 logsource:
 product: windows
 category: ps_script
@@ -19,5 +21,3 @@ detection:
 falsepositives:
 - Legitimate administration scripts
 level: medium
-tags:
- - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
index ef385981a..a27a51485 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
@@ -17,9 +17,9 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains|all:
- - 'New-Object'
- - 'System.Net.NetworkInformation.Ping'
- - '.Send('
+ - 'New-Object'
+ - 'System.Net.NetworkInformation.Ping'
+ - '.Send('
 condition: selection
 falsepositives:
 - Legitimate usage of System.Net.NetworkInformation.Ping class
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index f73b2a6f8..dee35db0e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -6,6 +6,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
 author: Nasreddine Bencherchali
 date: 2022/07/07
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -32,6 +35,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
index e29bcb6af..8de575e07 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
@@ -7,6 +7,9 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
 author: frack113
 date: 2022/01/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Legitimate script
 level: medium
-tags:
- - attack.lateral_movement
- - attack.t1021.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index a6c5c5911..f1ec39f84 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -7,6 +7,9 @@ references:
 - https://github.com/Arno0x/DNSExfiltrator
 author: frack113
 date: 2022/01/07
+tags:
+ - attack.exfiltration
+ - attack.t1048
 logsource:
 product: windows
 category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
 - Legitimate script
 level: high
-tags:
- - attack.exfiltration
- - attack.t1048
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
index 133b02854..dc88b8395 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
@@ -2,22 +2,22 @@ title: PrintNightmare Powershell Exploitation
 id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
 status: test
 description: Detects Commandlet name for PrintNightmare exploitation.
-date: 2021/08/09
-modified: 2021/10/16
 references:
 - https://github.com/calebstewart/CVE-2021-1675
 author: Max Altgelt, Tobias Michalski
+date: 2021/08/09
+modified: 2021/10/16
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
 logsource:
 product: windows
 category: ps_script
 definition: Script Block Logging must be enabled
 detection:
- selection:
- ScriptBlockText|contains: Invoke-Nightmare
- condition: selection
+ selection:
+ ScriptBlockText|contains: Invoke-Nightmare
+ condition: selection
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.privilege_escalation
- - attack.t1548
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index b4aa1b056..96704f6e1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation CLIP+ Launcher
 id: 73e67340-0d25-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of Clip.exe to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -22,4 +22,4 @@ detection:
 condition: selection_4104
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 57792288e..1b5f9451f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -1,9 +1,9 @@
 title: Invoke-Obfuscation Obfuscated IEX Invocation
 id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
+status: experimental
 description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
-status: experimental
 author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
 date: 2019/11/08
 modified: 2022/01/27
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index 334e424a2..1b6852542 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation STDIN+ Launcher
 id: 779c8c12-0eb1-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of stdin to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of stdin to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 tags:
 - attack.defense_evasion
 - attack.t1027
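Review bot: The description context line in the posh_ps_invoke_obfuscation_obfuscated_iex.yml hunk ends with the literal characters `\u2014`; in a plain (unquoted) YAML scalar a backslash is not an escape, so the rule's description carries a stray `\u2014` instead of an em dash, assuming the file really contains that text and it is not an artefact of how this diff was rendered. The phrase "from the following code block" then trails off with nothing following it in the visible lines, and the reordering in this hunk leaves both untouched. I would trim the key to `description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework`, or, if a code excerpt is meant to follow, move the text into a `|` block scalar with the real character and the excerpt. The `description:` key is not changed by this commit, so this is a metadata follow-up rather than a blocker.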
@@ -22,4 +22,4 @@ detection:
 condition: selection_4104
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index ae25eadb5..14acfefd5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation VAR+ Launcher
 id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
-description: Detects Obfuscated use of Environment Variables to execute PowerShell
 status: experimental
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -22,4 +22,4 @@ detection:
 condition: selection_4104
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index e855b695c..5fcc15619 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -1,22 +1,27 @@
 title: Invoke-Obfuscation COMPRESS OBFUSCATION
 id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
-description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- ScriptBlockText|contains|all:
+ ScriptBlockText|contains|all:
 - 'new-object'
 - 'text.encoding]::ascii'
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
 - 'system.io.compression.deflatestream'
 - 'system.io.streamreader'
 ScriptBlockText|endswith: 'readtoend'
@@ -24,8 +29,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index b28d35358..c6b949baf 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -1,12 +1,17 @@
 title: Invoke-Obfuscation RUNDLL LAUNCHER
 id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
-description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -22,8 +27,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 73cfb7ba5..43e172219 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation Via Stdin
 id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
-description: Detects Obfuscated Powershell via Stdin in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via Stdin in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index d2898f76c..f5d1c7c90 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation Via Use Clip
 id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
-description: Detects Obfuscated Powershell via use Clip.exe in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 2a4bc5673..a92f74421 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -1,12 +1,17 @@
 title: Invoke-Obfuscation Via Use MSHTA
 id: e55a5195-4724-480e-a77e-3ebe64bd3759
-description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 author: Nikita Nazarov, oscd.community
 date: 2020/10/08
 modified: 2022/03/07
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -24,8 +29,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index 9b89392ce..5cde95d40 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -1,12 +1,17 @@
 title: Invoke-Obfuscation Via Use Rundll32
 id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
-description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
 author: Nikita Nazarov, oscd.community
 date: 2019/10/08
 modified: 2022/03/08
-references:
- - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -27,8 +32,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index b81f4aa08..08d14edf4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
 id: e54f5149-6ba3-49cf-b153-070d24679126
-description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2021/10/16
-references:
- - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 70a46b929..6a3a73bf6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -1,13 +1,13 @@
 title: Powershell Keylogging
 id: 34f90d3c-c297-49e9-b26d-911b05a4866c
 status: experimental
-author: frack113
-date: 2021/07/30
-modified: 2022/07/11
 description: Adversaries may log user keystrokes to intercept credentials as the user types them.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
+author: frack113
+date: 2021/07/30
+modified: 2022/07/11
 tags:
 - attack.collection
 - attack.t1056.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index e92892dbe..501c3c0eb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -9,6 +9,9 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
 author: frack113
 date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1098
 logsource:
 product: windows
 category: ps_script
@@ -27,6 +30,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: medium
-tags:
- - attack.persistence
- - attack.t1098
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index 61e80eb83..89f33b2a8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -2,14 +2,17 @@ title: Malicious PowerShell Commandlets
 id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
 status: experimental
 description: Detects Commandlet names from well-known PowerShell exploitation frameworks
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp)
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
 - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp)
 date: 2017/03/05
 modified: 2022/06/22
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -199,6 +202,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index 9381bd94b..86c6f7263 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -4,12 +4,12 @@ status: experimental
 description: Detects keywords from well-known PowerShell exploitation frameworks
 references:
 - https://adsecurity.org/?p=2921
-tags:
- - attack.execution
- - attack.t1059.001
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 4f328ea28..eb51997d6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -2,13 +2,13 @@ title: Live Memory Dump Using Powershell
 id: cd185561-4760-45d6-a63e-a51325112cae
 status: experimental
 description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
-date: 2021/09/21
-modified: 2021/10/16
 references:
 - https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo
+author: Max Altgelt
+date: 2021/09/21
+modified: 2021/10/16
 tags:
 - attack.t1003
-author: Max Altgelt
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index e3c4c9bec..56be9cb6c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -1,14 +1,18 @@
 title: Modify Group Policy Settings - ScriptBlockLogging
 id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
 related:
- - id: ada4b0c4-758b-46ac-9033-9004613a150d
- type: similar
+ - id: ada4b0c4-758b-46ac-9033-9004613a150d
+ type: similar
 status: experimental
 description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
 author: frack113
 date: 2022/08/19
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1484.001
 logsource:
 product: windows
 category: ps_script
@@ -28,7 +32,3 @@ detection:
 falsepositives:
 - Legitimate use
 level: medium
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1484.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index 91cd0993b..bc7de16b3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -5,13 +5,16 @@ description: |
 Adversaries may abuse PowerShell commands and scripts for execution.
 PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
 Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
-author: frack113, MatilJ
-date: 2022/01/19
-modified: 2022/05/19
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
 - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
+author: frack113, MatilJ
+date: 2022/01/19
+modified: 2022/05/19
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -27,6 +30,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index e0aabdbb1..bb2e5aecd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -2,14 +2,14 @@ title: Malicious Nishang PowerShell Commandlets
 id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
-date: 2019/05/16
-modified: 2022/08/29
 references:
 - https://github.com/samratashok/nishang
+author: Alec Costello
+date: 2019/05/16
+modified: 2022/08/29
 tags:
 - attack.execution
 - attack.t1059.001
-author: Alec Costello
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index 34a83c4b6..f8867e5dd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -5,14 +5,14 @@ description: Detects writing data into NTFS alternate data streams from powershe
 references:
 - http://www.powertheshell.com/ntfsstreams/
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
+author: Sami Ruohonen
+date: 2018/07/24
+modified: 2021/12/02
 tags:
 - attack.defense_evasion
 - attack.t1564.004
 - attack.execution
 - attack.t1059.001
-author: Sami Ruohonen
-date: 2018/07/24
-modified: 2021/12/02
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index 25a38346d..f94cb548b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -8,6 +8,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
 author: frack113
 date: 2021/12/28
+tags:
+ - attack.persistence
+ - attack.t1137.006
 logsource:
 product: windows
 category: ps_script
@@ -23,6 +26,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.persistence
- - attack.t1137.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
index 734f03f2c..c654b077e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml
@@ -1,17 +1,17 @@
 title: Potential Invoke-Mimikatz PowerShell Script
 id: 189e3b02-82b2-4b90-9662-411eb64486d4
 status: experimental
-author: Tim Rauch
-date: 2022/09/28
 description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
 references:
 - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
-logsource:
- category: ps_script
- product: windows
+author: Tim Rauch
+date: 2022/09/28
 tags:
 - attack.credential_access
 - attack.t1003
+logsource:
+ category: ps_script
+ product: windows
 detection:
 selection_1:
 ScriptBlockText|contains|all:
@@ -26,4 +26,4 @@ detection:
 condition: 1 of selection*
 falsepositives:
 - Mimikatz can be useful for testing the security of networks
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index 12701d630..728c0738b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -2,17 +2,17 @@ title: Malicious PowerView PowerShell Commandlets
 id: dcd74b95-3f36-4ed9-9598-0490951643aa
 status: experimental
 description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
-date: 2021/05/18
-modified: 2021/10/16
 references:
 - https://powersploit.readthedocs.io/en/stable/Recon/README
 - https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
 - https://thedfirreport.com/2020/10/08/ryuks-return
 - https://adsecurity.org/?p=2277
+author: Bhabesh Raj
+date: 2021/05/18
+modified: 2021/10/16
 tags:
 - attack.execution
 - attack.t1059.001
-author: Bhabesh Raj
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index 7c532498b..0317ce8eb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -5,13 +5,13 @@ description: Detects PowerShell calling a credential prompt
 references:
 - https://twitter.com/JohnLaTwC/status/850381440629981184
 - https://t.co/ezOTGy1a1G
+author: John Lambert (idea), Florian Roth (rule)
+date: 2017/04/09
+modified: 2021/10/16
 tags:
 - attack.credential_access
 - attack.execution
 - attack.t1059.001
-author: John Lambert (idea), Florian Roth (rule)
-date: 2017/04/09
-modified: 2021/10/16
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +20,6 @@ detection:
 selection:
 ScriptBlockText|contains: 'PromptForCredential'
 condition: selection
-falsepositives:
+falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index 1473ce81f..544d746b6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -4,12 +4,12 @@ status: experimental
 description: Detects the use of PSAttack PowerShell hack tool
 references:
 - https://adsecurity.org/?p=2921
-tags:
- - attack.execution
- - attack.t1059.001
 author: Sean Metcalf (source), Florian Roth (rule)
 date: 2017/03/05
 modified: 2021/10/16
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index 372b0507d..3dd62bff8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -2,13 +2,16 @@ title: PowerShell Remote Session Creation
 id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
 status: experimental
 description: |
- Adversaries may abuse PowerShell commands and scripts for execution.
- PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
 author: frack113
 date: 2022/01/06
+tags:
+ - attack.execution
+ - attack.t1059.001
 logsource:
 product: windows
 category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: medium
-tags:
- - attack.execution
- - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index bed1490c0..c75aee72c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -2,12 +2,15 @@ title: Use Remove-Item to Delete File
 id: b8af5f36-1361-4ebe-9e76-e36128d947bf
 status: experimental
 description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
 date: 2022/01/15
 modified: 2022/03/17
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
 logsource:
 product: windows
 category: ps_script
@@ -25,6 +28,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: low
-tags:
- - attack.defense_evasion
- - attack.t1070.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index c8bc85002..51d67294f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -2,13 +2,16 @@ title: Request A Single Ticket via PowerShell
 id: a861d835-af37-4930-bcd6-5b178bfb54df
 status: experimental
 description: |
- utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
- This behavior is typically used during a kerberos or silver ticket attack.
- A successful execution will output the SPNs for the endpoint in question.
+ utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
+ This behavior is typically used during a kerberos or silver ticket attack.
+ A successful execution will output the SPNs for the endpoint in question.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
 author: frack113
 date: 2021/12/28
+tags:
+ - attack.credential_access
+ - attack.t1558.003
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.credential_access
- - attack.t1558.003
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index e70ff16ab..1d2663ef6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -2,11 +2,14 @@ title: Suspicious Invoke-Item From Mount-DiskImage
 id: 902cedee-0398-4e3a-8183-6f3a89773a96
 status: experimental
 description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
-date: 2022/02/01
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
 - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+author: frack113
+date: 2022/02/01
+tags:
+ - attack.defense_evasion
+ - attack.t1553.005
 logsource:
 product: windows
 category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1553.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
index ab36d888e..6b93371a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
@@ -1,13 +1,16 @@
 title: Security Software Discovery by Powershell
 id: 904e8e61-8edf-4350-b59c-b905fc8e810c
 status: experimental
-author: frack113
-date: 2021/12/16
 description: |
 Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
 This may include things such as firewall rules and anti-viru
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
+author: frack113
+date: 2021/12/16
+tags:
+ - attack.discovery
+ - attack.t1518.001
 logsource:
 product: windows
 category: ps_script
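Review bot: The `description: |` block in the posh_ps_security_software_discovery.yml hunk ends mid-word with `This may include things such as firewall rules and anti-viru`, and the commit reorders the metadata around it without completing the sentence. The surrounding lines are intact, so this reads as truncated source text rather than a rendering artefact, though the diff alone cannot confirm that. Either finish the sentence or cut the block at its first full stop so that only `Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.` remains; that line already states what the rule is for.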
@@ -28,6 +31,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.discovery - - attack.t1518.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml index d7f20b484..db41fc30d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml @@ -10,6 +10,9 @@ references: - https://www.ietf.org/rfc/rfc2821.txt author: frack113 date: 2022/09/26 +tags: + - attack.exfiltration + - attack.t1048.003 logsource: product: windows category: ps_script @@ -23,6 +26,3 @@ detection: falsepositives: - Legitimate script level: medium -tags: - - attack.exfiltration - - attack.t1048.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml index 5815a0ca6..cb99de2e3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml @@ -3,12 +3,15 @@ id: 7d416556-6502-45b2-9bad-9d2f05f38997 related: - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 type: derived +status: experimental description: Detect adversaries enumerate sensitive files references: - https://twitter.com/malmoeb/status/1570814999370801158 -status: experimental author: frack113 date: 2022/09/16 +tags: + - attack.discovery + - attack.t1083 logsource: product: windows category: ps_script @@ -30,6 +33,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.discovery - - attack.t1083 diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index cc8cd7dd7..48c6e97fe 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -1,17 +1,17 @@ title: Change PowerShell Policies to an Insecure Level id: 61d0475c-173f-4844-86f7-f3eebae1c66b -description: Detects use of Set-ExecutionPolicy to set insecure policies status: experimental +description: Detects use of Set-ExecutionPolicy to set insecure policies references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1 - https://adsecurity.org/?p=2604 -tags: - - attack.execution - - attack.t1059.001 author: frack113 date: 2021/10/20 modified: 2022/09/10 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml index 105e1a82f..37abac32d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml @@ -4,15 +4,15 @@ status: experimental description: Detects Base64 encoded Shellcode references: - https://twitter.com/cyb3rops/status/1063072865992523776 +author: David Ledbetter (shellcode), Florian Roth (rule) +date: 2018/11/17 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 - attack.execution - attack.t1059.001 -author: David Ledbetter (shellcode), Florian Roth (rule) -date: 2018/11/17 -modified: 2021/10/16 logsource: product: windows category: ps_script 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml index 06c0c193e..046a93cbc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml @@ -2,26 +2,26 @@ title: Malicious ShellIntel PowerShell Commandlets id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7 status: experimental description: Detects Commandlet names from ShellIntel exploitation scripts. -date: 2021/08/09 -modified: 2021/10/16 references: - https://github.com/Shellntel/scripts/ +author: Max Altgelt, Tobias Michalski +date: 2021/08/09 +modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 -author: Max Altgelt, Tobias Michalski logsource: product: windows category: ps_script definition: Script Block Logging must be enabled detection: - selection: - ScriptBlockText|contains: - - Invoke-SMBAutoBrute - - Invoke-GPOLinks - - Out-Minidump - - Invoke-Potato - condition: selection + selection: + ScriptBlockText|contains: + - Invoke-SMBAutoBrute + - Invoke-GPOLinks + - Out-Minidump + - Invoke-Potato + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml index 6fe4638b5..5e3bb6aec 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml 
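Review bot: The re-indented detection block in posh_ps_shellintel_malicious_commandlets.yml keeps its ScriptBlockText entries as plain unquoted scalars (`- Invoke-SMBAutoBrute`, `- Out-Minidump`, …), while the other rules touched by this patch quote their string values (e.g. `'select-object'`, `'format-table'` in posh_ps_software_discovery.yml). Since the hunk already rewrites every line of the block, quoting them here, `- 'Invoke-SMBAutoBrute'`, would keep the repository convention consistent and avoid plain-scalar parsing surprises if a later entry starts with a YAML indicator character. The indentation change itself is behaviour-neutral for the rule.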
@@ -1,13 +1,13 @@ title: Detected Windows Software Discovery id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 -description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. status: experimental -author: Nikita Nazarov, oscd.community -date: 2020/10/16 -modified: 2021/11/12 +description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna +author: Nikita Nazarov, oscd.community +date: 2020/10/16 +modified: 2021/11/12 tags: - attack.discovery - attack.t1518 @@ -24,6 +24,6 @@ detection: - 'select-object' - 'format-table' condition: selection -level: medium falsepositives: - Legitimate administration activities +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml index f55767d6e..fe6b8c0a2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml 
@@ -1,12 +1,12 @@ title: Powershell Store File In Alternate Data Stream id: a699b30e-d010-46c8-bbd1-ee2e26765fe9 status: experimental -author: frack113 -date: 2021/09/02 -modified: 2021/10/16 description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md +author: frack113 +date: 2021/09/02 +modified: 2021/10/16 tags: - attack.defense_evasion - attack.t1564.004 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml index a974e13d5..8163e8a32 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml @@ -1,14 +1,17 @@ title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock id: 88f0884b-331d-403d-a3a1-b668cf035603 +status: experimental description: | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md -status: experimental author: frack113 date: 2021/12/15 +tags: + - attack.discovery + - attack.t1069.001 logsource: product: windows category: ps_script @@ -26,6 +29,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.discovery - - attack.t1069.001 \ No newline at end of file 
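Review bot: In posh_ps_susp_ad_group_reco.yml the relocated tag `- attack.t1069.001` disagrees with the rule's own content: the description is about domain-level groups and the only reference is the Atomic T1069.002 (Permission Groups Discovery: Domain Groups) test, whereas T1069.001 is the Local Groups sub-technique. Either the tag should become `- attack.t1069.002` or the description and reference should point at local groups; as written, any ATT&CK coverage mapping derived from the tags is wrong for this rule. The sibling posh_ps_susp_local_group_reco.yml later in this patch is the one that correctly pairs t1069.001 with a T1069.001 reference. The mismatch is pre-existing, but a commit that rewrites the tags block is the natural place to fix it.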
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml index 49a838e80..e3484e805 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml @@ -3,14 +3,17 @@ id: 0f017df3-8f5a-414f-ad6b-24aff1128278 related: - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 type: derived +status: experimental description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs references: - https://twitter.com/oroneequalsone/status/1568432028361830402 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html -status: experimental author: Nasreddine Bencherchali date: 2022/09/12 +tags: + - attack.defense_evasion + - attack.t1070.001 logsource: product: windows category: ps_script @@ -26,6 +29,3 @@ detection: falsepositives: - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate level: medium -tags: - - attack.defense_evasion - - attack.t1070.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml index a6a8eb1b7..67b6b25a5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml 
@@ -2,11 +2,14 @@ title: Powershell Directory Enumeration id: 162e69a7-7981-4344-84a9-0f1c9a217a52 status: experimental description: Detects technique used by MAZE ransomware to enumerate directories using Powershell -date: 2022/03/17 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents +author: frack113 +date: 2022/03/17 +tags: + - attack.discovery + - attack.t1083 logsource: product: windows category: ps_script @@ -25,6 +28,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: medium -tags: - - attack.discovery - - attack.t1083 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml index ed29bdbf0..a216f6416 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml @@ -5,12 +5,12 @@ related: type: derived status: experimental description: Detects suspicious PowerShell download command -tags: - - attack.execution - - attack.t1059.001 author: Florian Roth date: 2017/03/05 modified: 2021/10/18 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_script @@ -25,4 +25,4 @@ detection: condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml index f952b3ae5..b814f9f23 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml @@ -1,5 +1,6 @@ title: Powershell Execute Batch Script id: b5522a23-82da-44e5-9c8b-e10ed8955f88 +status: experimental description: | Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. @@ -8,9 +9,11 @@ description: | Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script -status: experimental author: frack113 date: 2022/01/02 +tags: + - attack.execution + - attack.t1059.003 logsource: product: windows category: ps_script @@ -26,6 +29,3 @@ detection: falsepositives: - Legitimate administration script level: medium -tags: - - attack.execution - - attack.t1059.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml index 578591967..f19e9202f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml 
@@ -1,14 +1,17 @@ title: Extracting Information with PowerShell id: bd5971a7-626d-46ab-8176-ed643f694f68 status: experimental -author: frack113 -date: 2021/12/19 description: | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md +author: frack113 +date: 2021/12/19 +tags: + - attack.credential_access + - attack.t1552.001 logsource: product: windows category: ps_script @@ -24,6 +27,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.credential_access - - attack.t1552.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml index 19b337b9a..6404067b4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml @@ -1,12 +1,15 @@ title: Troubleshooting Pack Cmdlet Execution id: 03409c93-a7c7-49ba-9a4c-a00badf2a153 status: experimental -author: Nasreddine Bencherchali -date: 2022/06/21 description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS) references: - https://twitter.com/nas_bench/status/1537919885031772161 - https://lolbas-project.github.io/lolbas/Binaries/Msdt/ +author: Nasreddine Bencherchali +date: 2022/06/21 +tags: + - attack.defense_evasion + - attack.t1202 logsource: product: windows category: ps_script 
@@ -22,6 +25,3 @@ detection: falsepositives: - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes level: medium -tags: - - attack.defense_evasion - - attack.t1202 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml index 2d1fdcd42..32cfd4e79 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml @@ -1,11 +1,14 @@ title: Suspicious Enumerate Active Directory Computers with Get-AdComputer id: 36bed6b2-e9a0-4fff-beeb-413a92b86138 status: experimental -author: frack113 -date: 2022/03/17 description: utilize Get-AdComputer to enumerate Computers within Active Directory. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md +author: frack113 +date: 2022/03/17 +tags: + - attack.discovery + - attack.t1018 logsource: product: windows category: ps_script @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.discovery - - attack.t1018 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml index 8c02d658c..eed1d381f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml 
@@ -2,11 +2,14 @@ title: Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82 status: experimental description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain. -date: 2022/03/17 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy +author: frack113 +date: 2022/03/17 +tags: + - attack.discovery + - attack.t1201 logsource: product: windows category: ps_script @@ -18,6 +21,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: low -tags: - - attack.discovery - - attack.t1201 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml index 8828e3bd0..1a512d560 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml @@ -1,11 +1,14 @@ title: Suspicious Enumerate Active Directory Groups with Get-AdComputer id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee status: experimental -author: frack113 -date: 2022/03/17 description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md +author: frack113 +date: 2022/03/17 +tags: + - attack.discovery + - attack.t1069.002 logsource: product: windows category: ps_script @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.discovery - - attack.t1069.002 
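Review bot: The new-side metadata of posh_ps_susp_get_adgroup.yml is internally inconsistent: the moved tag is `- attack.t1069.002` (Domain Groups), but the sole reference is the Atomic T1018 (Remote System Discovery) page, and the title context line still reads `Suspicious Enumerate Active Directory Groups with Get-AdComputer` while the description says Get-AdGroup — both look copied from posh_ps_susp_get_adcomputer.yml directly above. Suggest `title: Suspicious Enumerate Active Directory Groups with Get-AdGroup` and a reference that actually covers T1069.002, so title, reference and tag agree. The detection block is outside the hunk, so I cannot confirm which cmdlet it matches on.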
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml index 8c94df484..306f99d50 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml @@ -2,11 +2,14 @@ title: Suspicious PowerShell Get Current User id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a status: experimental description: Detects the use of PowerShell to identify the current logged user. -date: 2022/04/04 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script +author: frack113 +date: 2022/04/04 +tags: + - attack.discovery + - attack.t1033 logsource: product: windows category: ps_script @@ -21,6 +24,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: low -tags: - - attack.discovery - - attack.t1033 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml index 8ec5f3608..8fce8cea8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml 
@@ -2,11 +2,14 @@ title: Suspicious GPO Discovery With Get-GPO id: eb2fd349-ec67-4caa-9143-d79c7fb34441 status: experimental description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain. -date: 2022/06/04 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md - https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps +author: frack113 +date: 2022/06/04 +tags: + - attack.discovery + - attack.t1615 logsource: product: windows category: ps_script @@ -18,6 +21,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: low -tags: - - attack.discovery - - attack.t1615 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml index 2dc9e85f1..3e4ed607a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml @@ -2,11 +2,14 @@ title: Suspicious Process Discovery With Get-Process id: af4c87ce-bdda-4215-b998-15220772e993 status: experimental description: Get the processes that are running on the local computer. -date: 2022/03/17 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7 +author: frack113 +date: 2022/03/17 +tags: + - attack.discovery + - attack.t1057 logsource: product: windows category: ps_script @@ -18,6 +21,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: low -tags: - - attack.discovery - - attack.t1057 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml index 53b9343b1..797125188 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml @@ -4,12 +4,12 @@ status: experimental description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity references: - https://twitter.com/PythonResponder/status/1385064506049630211 -tags: - - attack.credential_access - - attack.t1003.001 author: Florian Roth date: 2021/04/23 modified: 2021/10/16 +tags: + - attack.credential_access + - attack.t1003.001 logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml index 8f8c0b1d6..016637ff1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml @@ -2,10 +2,14 @@ title: Suspicious GetTypeFromCLSID ShellExecute id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437 status: experimental description: Detects suspicious Powershell code that execute COM Objects -date: 2022/04/02 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object +author: frack113 +date: 2022/04/02 +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1546.015 logsource: product: windows category: ps_script @@ -19,7 +23,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: medium -tags: - - attack.privilege_escalation - - attack.persistence - - attack.t1546.015 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml index de0c276a4..e3e8c2397 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml @@ -2,11 +2,14 @@ title: Suspicious Get-WmiObject id: 0332a266-b584-47b4-933d-a00b103e1b37 status: experimental description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers -date: 2022/01/12 -author: frack113 references: - https://attack.mitre.org/datasources/DS0005/ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +author: frack113 +date: 2022/01/12 +tags: + - attack.persistence + - attack.t1546 logsource: product: windows category: ps_script @@ -20,6 +23,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: low -tags: - - attack.persistence - - attack.t1546 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml index 1f8c91ff0..3e88f4542 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml 
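Review bot: The moved tags in posh_ps_susp_gwmi.yml, `- attack.persistence` and `- attack.t1546`, look like a loose fit for a rule whose description is the generic WMI definition and whose references are the WMI data source (DS0005) and the Get-WmiObject docs. T1546 is Event Triggered Execution and only applies if the detection targets WMI event-subscription classes; otherwise T1047 (Windows Management Instrumentation, execution) or a discovery technique would describe Get-WmiObject usage more accurately. The detection block is outside the hunk, so this is inferred from the metadata only; worth confirming against the selection before the tags are finalised.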
@@ -2,11 +2,14 @@ title: Suspicious Hyper-V Cmdlets id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd status: experimental description: Adversaries may carry out malicious operations using a virtual instance to avoid detection -date: 2022/04/09 -author: frack113 references: - https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine +author: frack113 +date: 2022/04/09 +tags: + - attack.defense_evasion + - attack.t1564.006 logsource: product: windows category: ps_script @@ -21,6 +24,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: medium -tags: - - attack.defense_evasion - - attack.t1564.006 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml index f854a4fdf..5ea94ecfc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml @@ -5,12 +5,12 @@ related: type: derived status: experimental description: Detects suspicious PowerShell invocation command parameters -tags: - - attack.execution - - attack.t1059.001 author: Florian Roth (rule) date: 2017/03/12 modified: 2021/12/02 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml index e629c9615..d98028c9a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml 
@@ -5,12 +5,12 @@ related: type: derived status: experimental description: Detects suspicious PowerShell invocation command parameters -tags: - - attack.execution - - attack.t1059.001 author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 modified: 2022/02/21 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml index 0c6876386..38840bf2a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml @@ -1,13 +1,16 @@ title: Change User Agents with WebRequest id: d4488827-73af-4f8d-9244-7b7662ef046e status: experimental -author: frack113 -date: 2022/01/23 description: | Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols +author: frack113 +date: 2022/01/23 +tags: + - attack.command_and_control + - attack.t1071.001 logsource: product: windows category: ps_script @@ -21,6 +24,3 @@ detection: falsepositives: - Unknown level: medium -tags: - - attack.command_and_control - - attack.t1071.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml index 157bceab7..c595f7474 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml @@ -2,11 +2,14 @@ title: Suspicious IO.FileStream id: 70ad982f-67c8-40e0-a955-b920c2fa05cb status: experimental description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. -date: 2022/01/09 -modified: 2022/03/05 -author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md +author: frack113 +date: 2022/01/09 +modified: 2022/03/05 +tags: + - attack.defense_evasion + - attack.t1070.003 logsource: product: windows category: ps_script @@ -21,6 +24,3 @@ detection: falsepositives: - Legitimate PowerShell scripts level: medium -tags: - - attack.defense_evasion - - attack.t1070.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml index 7a58955c1..e5cb398a8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml 
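Review bot: The moved tag `- attack.t1070.003` (Indicator Removal: Clear Command History) in posh_ps_susp_iofilestream.yml does not match the rule: its description is about opening a raw volume handle via the `\\.\` device path and reading the first bytes of the volume, and its sole reference is the Atomic T1006 (Direct Volume Access) page, which is itself a Defense Evasion technique. Change the sub-technique line to `- attack.t1006` and keep `- attack.defense_evasion`. The error predates this commit, but since the commit rewrites the tags block it is the right place to correct it.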
@@ -2,14 +2,14 @@ title: Suspicious PowerShell Keywords id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf status: experimental description: Detects keywords that could indicate the use of some PowerShell exploitation framework -date: 2019/02/11 -modified: 2021/10/16 -author: Florian Roth, Perez Diego (@darkquassar) references: - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1 - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7 +author: Florian Roth, Perez Diego (@darkquassar) +date: 2019/02/11 +modified: 2021/10/16 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml index d995e57ac..28dd6e838 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml @@ -9,6 +9,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md author: frack113 date: 2021/12/12 +tags: + - attack.discovery + - attack.t1069.001 logsource: product: windows category: ps_script @@ -26,6 +29,3 @@ detection: falsepositives: - Unknown level: low -tags: - - attack.discovery - - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml index b12d37d83..45c632eb1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml 
@@ -1,12 +1,14 @@
 title: Powershell Local Email Collection
 id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
 status: experimental
+description: |
+ Adversaries may target user email on local systems to collect sensitive information.
+ Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
 author: frack113
 date: 2021/07/21
 modified: 2021/10/16
-description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
 tags:
 - attack.collection
 - attack.t1114.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 85475c278..5dbc2f1ac 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
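Review bot: The rewritten block-scalar description in this hunk carries over the wording slip `a users local system` on its second `+` line. Since that line is being re-typed anyway, make it `Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.`. Nothing else in the hunk changes content.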
@@ -2,11 +2,14 @@ title: Suspicious Mount-DiskImage
 id: 29e1c216-6408-489d-8a06-ee9d151ef819
 status: experimental
 description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
-date: 2022/02/01
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
+author: frack113
+date: 2022/02/01
+tags:
+ - attack.defense_evasion
+ - attack.t1553.005
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: low
-tags:
- - attack.defense_evasion
- - attack.t1553.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index 0d1262dd8..e0e381e37 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -8,6 +8,9 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
 author: frack113
 date: 2021/12/27
+tags:
+ - attack.credential_access
+ - attack.t1110.001
 logsource:
 product: windows
 category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.credential_access
- - attack.t1110.001
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 046048072..61737d379 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -1,12 +1,15 @@
 title: Suspicious New-PSDrive to Admin Share
 id: 1c563233-030e-4a07-af8c-ee0490a66d3a
+status: experimental
 description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
-status: experimental
 author: frack113
 date: 2022/08/13
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
 logsource:
 product: windows
 category: ps_script
@@ -24,6 +27,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.lateral_movement
- - attack.t1021.002
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index db689fc05..392f497b8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -6,6 +6,9 @@ references:
 - https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
 author: Nasreddine Bencherchali
 date: 2022/07/08
+tags:
+ - attack.command_and_control
+ - attack.t1090
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.command_and_control
- - attack.t1090
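Review bot: The `description` context line in the first hunk of posh_ps_susp_new_psdrive.yml is missing its object: `Adversaries may use to interact with a remote network share` never says what is used, which matters because the description is what an analyst reads in the alert. Since this commit already restructures that rule's header, the line can be fixed in the same change: `description: Adversaries may use New-PSDrive to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.`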
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
index 3e21c39d4..211a61506 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -1,12 +1,12 @@
 title: Recon Information for Export with PowerShell
 id: a9723fcc-881c-424c-8709-fd61442ab3c3
 status: experimental
-author: frack113
-date: 2021/07/30
-modified: 2021/12/02
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
+author: frack113
+date: 2021/07/30
+modified: 2021/12/02
 tags:
 - attack.collection
 - attack.t1119
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 927ae77c8..9966e7b8a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -1,13 +1,16 @@
 title: Remove Account From Domain Admin Group
 id: 48a45d45-8112-416b-8a67-46e03a4b2107
 status: experimental
-author: frack113
-date: 2021/12/26
 description: |
 Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
 Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
+author: frack113
+date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1531
 logsource:
 product: windows
 category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.impact
- - attack.t1531
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index f3befb832..7a8ae67f6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -1,13 +1,17 @@
 title: Suspicious Get Information for SMB Share
 id: 95f0643a-ed40-467c-806b-aac9542ec5ab
+status: experimental
 description: |
- Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
+ Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
+ a precursor for Collection and to identify potential systems of interest for Lateral Movement.
 Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
-status: experimental
 author: frack113
 date: 2021/12/15
+tags:
+ - attack.discovery
+ - attack.t1069.001
 logsource:
 product: windows
 category: ps_script
@@ -19,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.discovery
- - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index 9663b80e5..b840d8d3f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -7,6 +7,9 @@ references:
 - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
 author: frack113
 date: 2022/01/23
+tags:
+ - attack.command_and_control
+ - attack.t1573
 logsource:
 product: windows
 category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: low
-tags:
- - attack.command_and_control
- - attack.t1573
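Review bot: The `tags` entry this hunk relocates in posh_ps_susp_smb_share_reco.yml, `attack.t1069.001`, disagrees with the rule's only reference, which points at the T1069.002 atomic test, so the sub-technique mapping is inconsistent within the same file. The description (shared folders and drives on remote systems) also reads like MITRE's network-share-discovery wording rather than permission-group discovery, which suggests the intended technique may be neither, but that is an inference the author should confirm. At minimum the tag line and the reference should name the same technique; if the reference is authoritative the line becomes `- attack.t1069.002`.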
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index a44817bba..1ae9f611a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -2,11 +2,14 @@ title: Suspicious Start-Process PassThru
 id: 0718cd72-f316-4aa2-988f-838ea8533277
 status: experimental
 description: Powershell use PassThru option to start in background
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
+author: frack113
 date: 2022/01/15
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
 logsource:
 product: windows
 category: ps_script
@@ -21,6 +24,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1036.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 324e94a36..5dfe70bc1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -2,11 +2,14 @@ title: Suspicious Unblock-File
 id: 5947497f-1aa4-41dd-9693-c9848d58727d
 status: experimental
 description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
-date: 2022/02/01
-author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
+author: frack113
+date: 2022/02/01
+tags:
+ - attack.defense_evasion
+ - attack.t1553.005
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1553.005
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
index 61d59550f..5d5615af3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
@@ -1,13 +1,16 @@
 title: Replace Desktop Wallpaper by Powershell
 id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
 status: experimental
-author: frack113
-date: 2021/12/26
 description: |
 An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
 This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
+author: frack113
+date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1491.001
 logsource:
 product: windows
 category: ps_script
@@ -25,6 +28,3 @@ detection:
 falsepositives:
 - Unknown
 level: low
-tags:
- - attack.impact
- - attack.t1491.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
index 4e0728998..da31d6ef4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
@@ -1,12 +1,12 @@
 title: Powershell Suspicious Win32_PnPEntity
 id: b26647de-4feb-4283-af6b-6117661283c5
 status: experimental
-author: frack113
-date: 2021/08/23
-modified: 2021/10/16
 description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
+author: frack113
+date: 2021/08/23
+modified: 2021/10/16
 tags:
 - attack.discovery
 - attack.t1120
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index e63f2ede9..c3c9de7a3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -1,11 +1,14 @@
 title: Delete Volume Shadow Copies via WMI with PowerShell
 id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
 status: test
-author: frack113
-date: 2021/12/26
 description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
+author: frack113
+date: 2021/12/26
+tags:
+ - attack.impact
+ - attack.t1490
 logsource:
 product: windows
 category: ps_script
@@ -20,6 +23,3 @@ detection:
 falsepositives:
 - Unknown
 level: high
-tags:
- - attack.impact
- - attack.t1490
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
index acfbb78e5..97e19d2b6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
@@ -6,18 +6,18 @@ related:
 - id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
 type: similar
 status: experimental
-author: Tim Rauch
-date: 2022/09/20
 description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
-logsource:
- category: ps_script
- product: windows
+author: Tim Rauch
+date: 2022/09/20
 tags:
 - attack.impact
 - attack.t1490
+logsource:
+ category: ps_script
+ product: windows
 detection:
 selection_get:
 ScriptBlockText|contains:
@@ -37,4 +37,4 @@ detection:
 condition: all of selection*
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index b17c227c1..7ae82de7f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -1,14 +1,16 @@
 title: Suspicious PowerShell WindowStyle Option
 id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
 status: experimental
-description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
+description: |
+ Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
+ In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
+author: frack113
+date: 2021/10/20
 tags:
 - attack.defense_evasion
 - attack.t1564.003
-author: frack113
-date: 2021/10/20
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index cbd7befed..3bf43e462 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -4,10 +4,10 @@ status: experimental
 description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
 references:
 - https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
-tags:
- - attack.defense_evasion
 author: Nasreddine Bencherchali
 date: 2022/08/16
+tags:
+ - attack.defense_evasion
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 88651cd46..e8f63ef62 100644
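Review bot: The `description` context line of the posh_ps_susp_write_eventlog.yml hunk has two wording defects that this header reshuffle could fix in passing: `levreage` should be `leveraged`, and `then retrieve them later for later use` says "later" twice. Suggested line: `description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be leveraged to write malicious payloads to the EventLog and retrieve them later`. The rest of that hunk only moves `tags` below `date`.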
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -1,12 +1,12 @@
 title: Zip A Folder With PowerShell For Staging In Temp
 id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 status: experimental
-author: frack113
-date: 2021/07/20
-modified: 2021/10/16
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
+author: frack113
+date: 2021/07/20
+modified: 2021/10/16
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 64aae14b5..1ab1fd7e9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -5,8 +5,8 @@ related:
 type: derived
 - id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
 type: derived
-description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
 status: experimental
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
@@ -25,4 +25,4 @@ detection:
 condition: selection
 falsepositives:
 - App-V clients
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index e5a7840ed..8d2a5aa0d 100644
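Review bot: The relocated `+description:` line in the posh_ps_syncappvpublishingserver_exe.yml hunk is missing a verb: `which usually utilized by adversaries` should read `which is usually utilized by adversaries`. The line is already being re-added by this commit, so correcting it here avoids a follow-up edit to the same rule.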
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -5,13 +5,16 @@ related:
 type: derived
 status: experimental
 description: Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.
-author: frack113, elhoim
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
+author: frack113, elhoim
 date: 2022/01/16
 modified: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 category: ps_script
@@ -53,6 +56,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index dc5a6bedb..878e181a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -5,10 +5,13 @@ related:
 type: similar
 status: experimental
 description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet
-author: Nasreddine Bencherchali
 references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
+author: Nasreddine Bencherchali
 date: 2022/08/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 category: ps_script
@@ -26,6 +29,3 @@ detection:
 falsepositives:
 - Legitimate PowerShell scripts
 level: high
-tags:
- - attack.defense_evasion
- - attack.t1562.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index fca3e1fb2..447eb452c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -2,13 +2,16 @@ title: Testing Usage of Uncommonly Used Port
 id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
 status: experimental
 description: |
- Adversaries may communicate using a protocol and port paring that are typically not associated.
- For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
+ Adversaries may communicate using a protocol and port paring that are typically not associated.
+ For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
 - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
 author: frack113
 date: 2022/01/23
+tags:
+ - attack.command_and_control
+ - attack.t1571
 logsource:
 product: windows
 category: ps_script
@@ -27,6 +30,3 @@ detection:
 falsepositives:
 - Legitimate administrative script
 level: medium
-tags:
- - attack.command_and_control
- - attack.t1571
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index e605ad891..987567239 100644
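Review bot: The re-indented `+` description lines in the posh_ps_test_netconnection.yml hunk carry over the typo `port paring`; since those two lines are being rewritten anyway, the first one should become `Adversaries may communicate using a protocol and port pairing that are typically not associated.`. The hunk otherwise only changes whitespace and moves `tags`, so this is the one thing worth fixing while the lines are touched.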
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -1,13 +1,15 @@
 title: Powershell Timestomp
 id: c6438007-e081-42ce-9483-b067fbef33c3
 status: experimental
-author: frack113
-date: 2021/08/03
-modified: 2021/10/16
-description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
+description: |
+ Adversaries may modify file time attributes to hide new or changes to existing files.
+ Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
 - https://www.offensive-security.com/metasploit-unleashed/timestomp/
+author: frack113
+date: 2021/08/03
+modified: 2021/10/16
 tags:
 - attack.defense_evasion
 - attack.t1070.006
diff --git a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
index f5e7a3213..0f38eb408 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml
@@ -1,12 +1,12 @@
 title: Powershell Trigger Profiles by Add_Content
 id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
 status: experimental
-author: frack113
-date: 2021/08/18
-modified: 2021/10/16
 description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
+author: frack113
+date: 2021/08/18
+modified: 2021/10/16
 tags:
 - attack.privilege_escalation
 - attack.t1546.013
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
index c10fa78bc..766c40007 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml
@@ -8,6 +8,9 @@ references:
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
 author: frack113
 date: 2022/01/07
+tags:
+ - attack.exfiltration
+ - attack.t1020
 logsource:
 product: windows
 category: ps_script
@@ -20,12 +23,9 @@ detection:
 selection_method:
 ScriptBlockText|contains: '-Method '
 selection_verb:
- - ' Put '
- - ' Post '
+ - ' Put '
+ - ' Post '
 condition: all of selection_*
 falsepositives:
 - Legitimate script
 level: medium
-tags:
- - attack.exfiltration
- - attack.t1020
diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
index 84ea5df37..fad3f7007 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml
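Review bot: The `selection_verb` values re-indented in the second hunk of posh_ps_upload.yml, `' Put '` and `' Post '`, require a space on both sides of the verb, so a script block that quotes the verb or ends the line right after it would presumably not satisfy the `all of selection_*` condition even though `selection_method` already matched `-Method `. This is inherited rather than introduced here, but a whitespace-only touch of those lines is a reasonable moment to reconsider it; one option is dropping the trailing space (`' Put'`, `' Post'`) and accepting the slightly broader match. The enclosing `detection` block starts above this hunk.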
@@ -5,10 +5,10 @@ related:
 type: similar
 status: experimental
 description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
-author: Nasreddine Bencherchali
 references:
 - https://twitter.com/Alh4zr3d/status/1580925761996828672
 - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
+author: Nasreddine Bencherchali
 date: 2022/10/17
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
index f38527907..54c54c962 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml
@@ -2,10 +2,13 @@ title: PowerShell WMI Win32_Product Install MSI
 id: 91109523-17f0-4248-a800-f81d9e7c081d
 status: experimental
 description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
-author: frack113
-date: 2022/04/24
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
+author: frack113
+date: 2022/04/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218.007
 logsource:
 product: windows
 category: ps_script
@@ -22,6 +25,3 @@ detection:
 falsepositives:
 - Unknown
 level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218.007
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 90bb6116f..07b8ab10c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -9,17 +9,17 @@ references:
 - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
 author: Tim Rauch
 date: 2022/09/16
-logsource:
- category: ps_script
- product: windows
 tags:
 - attack.defense_evasion
 - attack.t1562
 - attack.execution
 - attack.t1059
+logsource:
+ category: ps_script
+ product: windows
 detection:
 selection_args_exc:
- ScriptBlockText|contains:
+ ScriptBlockText|contains:
 - ' -ExclusionPath '
 - ' -ExclusionExtension '
 - ' -ExclusionProcess '
@@ -31,4 +31,4 @@ detection:
 condition: all of selection*
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
index 2342e0ea6..9dcd17630 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml
@@ -3,17 +3,20 @@ id: 488b44e7-3781-4a71-888d-c95abfacf44d
 related:
 - id: 12f6b752-042d-483e-bf9c-915a6d06ad75
 type: similar
-description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
 status: experimental
-author: Austin Songer @austinsonger
-date: 2021/10/12
-modified: 2022/10/11
+description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
 references:
 - https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
 - https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell
 - http://powershellhelp.space/commands/set-netfirewallrule-psv5.php
 - http://woshub.com/manage-windows-firewall-powershell/
 - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
+author: Austin Songer @austinsonger
+date: 2021/10/12
+modified: 2022/10/11
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
 logsource:
 product: windows
 category: ps_script
@@ -31,9 +34,6 @@ detection:
 - 'Domain'
 - 'Private'
 condition: all of selection*
-tags:
- - attack.defense_evasion
- - attack.t1562.004
-level: medium
 falsepositives:
- - Unknown
\ No newline at end of file
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
index 7d46def56..3ce685531 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml
@@ -1,12 +1,19 @@
title: Winlogon Helper DLL
id: 851c506b-6b7c-4ce2-8802-c703009d03c0
status: experimental
-description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
+description: |
+ Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
+ Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
+ used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
+ load and execute malicious DLLs and/or executables.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2022/07/07
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
+tags:
+ - attack.persistence
+ - attack.t1547.004
logsource:
product: windows
category: ps_script
@@ -22,6 +29,3 @@ detection:
falsepositives:
- Unknown
level: medium
-tags:
- - attack.persistence
- - attack.t1547.004
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
index 3185d93ed..3ce752051 100644
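Review bot: The rewritten description still renders the registry path as `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, which has lost the backslashes around the optional `Wow6432Node` component and is not a key path an analyst can paste into regedit or a query. Since the text is being reflowed anyway, spell it out: `Registry entries under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ (or the HKLM\Software\Wow6432Node\... counterpart) and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are`. The detection section of this rule lies between the two hunks and is not visible here, so nothing is claimed about it.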
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml
@@ -1,13 +1,13 @@
title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: experimental
-author: frack113
-date: 2021/08/19
-modified: 2021/10/16
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
+author: frack113
+date: 2021/08/19
+modified: 2021/10/16
tags:
- attack.privilege_escalation
- attack.t1546.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
index 35daf9536..6339315bd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml
@@ -5,11 +5,11 @@ related:
type: similar
status: experimental
description: Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
-author: Nasreddine Bencherchali
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
+author: Nasreddine Bencherchali
date: 2022/06/20
tags:
- attack.execution
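Review bot: The `tags` block at the end of the WMI persistence hunk carries only `attack.privilege_escalation` next to `attack.t1546.003`, while the title and description both frame the rule as WMI event-subscription persistence; T1546.003 is listed under both Persistence and Privilege Escalation in ATT&CK, so `- attack.persistence` belongs alongside the existing tactic tag unless it already appears on a tag line past the end of the hunk. Adding the single line `- attack.persistence` directly under `tags:` would make the tactic tags match the description.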
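Review bot: The description of the unquoted-service-search rule reads as a run-on, `often used by pentest inside of powershell scripts attackers enum scripts`, which makes the rule's intent hard to parse when it surfaces in an alert. Suggest `description: Detects a known WMI reconnaissance method that enumerates services with unquoted paths, commonly found in pentester and attacker PowerShell enumeration scripts`. The tag list continues past the hunk, so no comment is made on the tactic mapping.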
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
index 1bc607c4e..29b7fbc93 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml
@@ -4,13 +4,13 @@ status: experimental
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
+author: NVISO
+date: 2020/03/26
+modified: 2021/10/16
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
-author: NVISO
-date: 2020/03/26
-modified: 2021/10/16
logsource:
product: windows
category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
index c0ff702f1..20239ddca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml
@@ -2,13 +2,16 @@ title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: experimental
description: |
- Adversaries may abuse PowerShell commands and scripts for execution.
- PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
- Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
-author: frack113
-date: 2022/01/19
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
+ Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
+author: frack113
+date: 2022/01/19
+tags:
+ - attack.execution
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -20,12 +23,9 @@ detection:
- System.Xml.XmlDocument
- .Load
selection_exec:
- - IEX
- - Invoke-Expression
+ - IEX
+ - Invoke-Expression
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
-tags:
- - attack.execution
- - attack.t1059.001
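Review bot: In the second hunk `selection_exec` is a bare list of strings (`- IEX`, `- Invoke-Expression`) placed directly under the selection name, which Sigma treats as a keyword/full-text search rather than a field match; keyword semantics vary between backends (token versus substring matching, and which fields are searched), so whether `IEX(` or `IEX -` matches depends on the target, and the re-indent does not change that. Since the rule is on `ps_script`, the portable form is a field match: keep `selection_exec:`, add `ScriptBlockText|contains:` beneath it, and nest `- 'IEX'` and `- 'Invoke-Expression'` under that. The field line of the first selection sits just above the hunk, so confirm it already uses `ScriptBlockText` before aligning the two.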