diff --git a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
index b55a3a903..6c2761bb1 100644
--- a/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
+++ b/rules-emerging-threats/2023/TA/FIN7/file_event_win_apt_fin7_powershell_scripts_naming_convention.yml
@@ -1,7 +1,7 @@
 title: Potential APT FIN7 Related PowerShell Script Created
 id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
 status: experimental
-description: Detects powershell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
+description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/web/proxy_generic/proxy_ua_susp_base64.yml b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
index 7fffddb75..45adb63ed 100644
--- a/rules/web/proxy_generic/proxy_ua_susp_base64.yml
+++ b/rules/web/proxy_generic/proxy_ua_susp_base64.yml
@@ -4,7 +4,7 @@ related:
 - id: d443095b-a221-4957-a2c4-cd1756c9b747
 type: derived
 status: experimental
-description: Detects User Agent strings that end with an equal sign, which can be a sign of if being encoded in base64.
+description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
 references:
 - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
 - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
index 2d7c89e2e..41820e8d2 100644
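Review bot: The rewritten description on the `+` line of the FIN7 hunk still reads awkwardly: `with specific name or suffix which was seen being used often` is missing an article and stacks two passives. Since this commit is a wording pass, the line could be tightened at the same time, e.g. `description: Detects PowerShell script file creation with a specific name or suffix that has often been observed in FIN7 PowerShell scripts`. The rule's detection section is outside the hunk, so the exact names and suffixes matched cannot be checked from here.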
--- a/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
@@ -4,7 +4,7 @@ related:
 - id: 11b1ed55-154d-4e82-8ad7-83739298f720
 type: similar
 status: test
-description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process, directory
+description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
 references:
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
 - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
index 08ae58472..b6817ffa8 100644
--- a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
+++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
@@ -1,7 +1,7 @@
 title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
 id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
 status: experimental
-description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from uncommon location
+description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
index 9fd4f5339..68f8133dd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml
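Review bot: The new description on the `+` line of the ntds.dit hunk says the file is created `by an uncommon parent process or directory`, but a directory does not create files; judging from the rule's file name, the intended meaning is a write from an uncommon parent process or into an uncommon directory. Suggest `description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or in an uncommon directory`. The detection block that would confirm which fields (parent image, target path) are actually matched is outside the hunk.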
@@ -1,7 +1,7 @@
 title: PowerShell Script With File Hostname Resolving Capabilities
 id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
 status: experimental
-description: Detects powershell scripts that have capabilities to read files, loop through them and resolve dns host entries.
+description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
 references:
 - https://www.fortypoundhead.com/showcontent.asp?artid=24022
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
index 9b9e0ff2c..47cd9c59d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml
@@ -1,7 +1,7 @@
 title: PowerShell Script With File Upload Capabilities
 id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
 status: experimental
-description: Detects powershell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
+description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
 - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
index e0d390ee8..ce3c334f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_profile_tampering.yml
@@ -31,5 +31,5 @@ detection:
 - "-Value 'Start-Process"
 condition: all of selection_*
 falsepositives:
- - Legitimate administration and tuning scripts that aims to add functionality to a user powershell session
+ - Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
index c7b97a84f..96b56cccc 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml
@@ -1,7 +1,7 @@
 title: Veeam Backup Servers Credential Dumping Script Execution
 id: 976d6e6f-a04b-4900-9713-0134a353e38b
 status: experimental
-description: Detects execution of a powershell script that contains calls to the "Veeam.Backup" class, in order to dump credential stored.
+description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
 references:
 - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index 331f8a3e7..2fb02eacb 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -1,7 +1,7 @@
-title: LSASS Access From Program in Potential Suspicious Folder
+title: LSASS Access From Program in Potentially Suspicious Folder
 id: fa34b441-961a-42fa-a100-ecc28c886725
 status: experimental
-description: Detects process access to LSASS memory with suspicious access flags and from a potential suspicious folder
+description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
 references:
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
index b11d370f9..a238df25e 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
@@ -17,7 +17,7 @@ detection:
 - Image|endswith: '\curl.exe'
 - OriginalFileName: 'curl.exe'
 selection_websites:
- - CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
+ - CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
 - CommandLine|contains:
 - 'anonfiles.com'
 - 'cdn.discordapp.com/attachments/'
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
index 8a35cf7bc..4114b891d 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml
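Review bot: The rewritten `CommandLine|re` pattern on the `+` line of the curl hunk has no closing boundary, so `[0-9]{1,3}` also matches the first three digits of a longer final octet (e.g. `://1.2.3.4567`) and accepts octets above 255 such as `999.999.999.999`; the `\d` form had the same looseness, so this is not a regression, but a comment should record that a deliberately broad "looks like a literal IP" match is intended rather than strict IPv4 validation. The hunk also gives no reason for the `\d` to `[0-9]` change; presumably it is backend portability, since `\d` matches non-ASCII Unicode digits in some engines, and that is worth stating inline, e.g. `# [0-9] rather than \d: ASCII-only and portable across Sigma regex backends`. The `selection_websites` block appears to continue past the end of the hunk, so the full `contains` list cannot be reviewed here.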
@@ -4,7 +4,7 @@ related:
 - id: 344482e4-a477-436c-aa70-7536d18a48c7
 type: obsoletes
 status: experimental
-description: Detects suspicious child processes of SQLServer process. This could indicate potential RCE or SQL Injection.
+description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
 modified: 2023/05/04
diff --git a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
index afc15a6ea..ca24ec639 100644
--- a/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
+++ b/rules/windows/process_creation/proc_creation_win_mssql_veaam_susp_child_processes.yml
@@ -4,7 +4,7 @@ related:
 - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 type: similar
 status: experimental
-description: Detects suspicious child processes of Veeam service process. This could indicate potential RCE or SQL Injection.
+description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
index e48e40818..a792c5e75 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
@@ -1,7 +1,7 @@
-title: PowerShell Download and Execute Cradles
+title: PowerShell Download and Execution Cradles
 id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
 status: experimental
-description: Detects PowerShell download and execute cradles.
+description: Detects PowerShell download and execution cradles.
 references:
 - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
@@ -35,5 +35,5 @@ detection:
 - 'Invoke-Expression'
 condition: all of selection_*
 falsepositives:
- - Some powershell installers were seen using similar combinations. Apply filters accordingly
+ - Some PowerShell installers were seen using similar combinations. Apply filters accordingly
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
index 978c43c4e..f6fc2cd6f 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_db_recon.yml
@@ -1,7 +1,7 @@
 title: Veeam Backup Database Suspicious Query
 id: 696bfb54-227e-4602-ac5b-30d9d2053312
 status: experimental
-description: Detects potential suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
+description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
 references:
 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 author: Nasreddine Bencherchali (Nextron Systems)