From bb214f5832fdab115624f74d4cdc2f077917c5aa Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 29 Jun 2020 12:07:15 +0200
Subject: [PATCH 1/6] rule: Explorer Root Flag Process Tree Break
---
 .../win_susp_explorer_break_proctree.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_explorer_break_proctree.yml
diff --git a/rules/windows/process_creation/win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
new file mode 100644
index 000000000..49c22c096
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_explorer_break_proctree.yml
@@ -0,0 +1,23 @@
+title: Explorer Root Flag Process Tree Break
+id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
+description: Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
+status: experimental
+references:
+ - https://twitter.com/CyberRaiju/status/1273597319322058752
+ - https://twitter.com/bohops/status/1276357235954909188?s=12
+author: Florian Roth
+date: 2019/06/29
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'explorer.exe'
+ - ' /root,'
+ condition: selection
+falsepositives:
+ - Unknown how many legitimate software products use that method
+level: medium
From f2587791f2a07fcda15428a1e8dd78796aee6953 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Jul 2020 09:04:26 +0200
Subject: [PATCH 2/6] rule: suspicious rar flags
---
 .../process_creation/win_susp_rar_flags.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_rar_flags.yml
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
new file mode 100644
index 000000000..1840fe8dd
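Review bot: `date: 2019/06/29` in the new rule looks like a typo for `date: 2020/06/29`: the commit itself is dated 29 Jun 2020 and both referenced tweets are 2020 status ids, so as written the rule claims to predate its own sources. The rule also carries only the tactic tag `attack.defense_evasion` with no technique id, unlike the other rules added in this series; if a technique fits the explorer.exe /root behaviour, add it as a second `- attack.tNNNN` entry so the rule is picked up by technique-based filtering.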
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -0,0 +1,24 @@
+title: Rar with Password or Compression Level
+id: faa48cae-6b25-4f00-a094-08947fef582f
+status: experimental
+description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
+references:
+ - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
+author: '@ROxPinTeddy'
+date: 2020/05/12
+tags:
+ - attack.exfiltration
+ - attack.t1002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - ' -hp'
+ - ' -m'
+ condition: selection
+falsepositives:
+ - Legitimate use of Winrar command line version
+ - Other command line tools, that use these flags
+level: medium
\ No newline at end of file
From fe71d21d97de7d39efd4a0cc6a4c08d367cdaebd Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Jul 2020 09:11:00 +0200
Subject: [PATCH 3/6] style: removed new lines
---
 rules/windows/registry_event/sysmon_susp_service_installed.yml | 1 -
 .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
index 920c884ae..0b69557ec 100755
--- a/rules/windows/registry_event/sysmon_susp_service_installed.yml
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -14,7 +14,6 @@ logsource:
 product: windows
 detection:
 selection_1:
-
 TargetObject:
 - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
 - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index ee1ac4d78..aa2a1b1db 100755
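Review bot: `selection` in the rar rule matches any command line containing ` -hp` or ` -m` with no restriction on the executable, although the description says it detects rar.exe; ` -m` alone will fire on `python -m`, `git commit -m` and many other tools, which makes a `level: medium` rule very noisy and is not covered by the `falsepositives` text beyond a vague "other command line tools". Add an image selection, `selection_img:` with `Image|endswith: '\rar.exe'` (extend the list with `'\winrar.exe'` if the GUI binary should be in scope), and change the condition to `condition: selection_img and selection`. The `attack.t1002` tag should also be checked against the ATT&CK version the repository tracks, since Data Compressed has been folded into T1560 (Archive Collected Data) in newer catalogue versions. The file is also missing its trailing newline (`\ No newline at end of file`).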
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -14,7 +14,6 @@ logsource:
 definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
 selection_registry:
-
 TargetObject:
 - '*\Keyboard Layout\Preload\*'
 - '*\Keyboard Layout\Substitutes\*'
From d70b63b78cb4c3ca4105596dc887c791098f2bdc Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Jul 2020 09:17:31 +0200
Subject: [PATCH 4/6] rule: RedMimicry rules (modified)
---
 .../file_event/sysmon_redmimicry_winnti.yml | 23 ++++++++++++++++
 .../sysmon_redmimicry_winnti.yml | 27 +++++++++++++++++++
 .../sysmon_redmimicry_winnti.yml | 20 ++++++++++++++
 .../sysmon/sysmon_redmimicry_winnti.yml | 22 +++++++++++++++
 4 files changed, 92 insertions(+)
 create mode 100644 rules/windows/file_event/sysmon_redmimicry_winnti.yml
 create mode 100644 rules/windows/process_creation/sysmon_redmimicry_winnti.yml
 create mode 100644 rules/windows/registry_event/sysmon_redmimicry_winnti.yml
 create mode 100644 rules/windows/sysmon/sysmon_redmimicry_winnti.yml
diff --git a/rules/windows/file_event/sysmon_redmimicry_winnti.yml b/rules/windows/file_event/sysmon_redmimicry_winnti.yml
new file mode 100644
index 000000000..c754edcbd
--- /dev/null
+++ b/rules/windows/file_event/sysmon_redmimicry_winnti.yml
@@ -0,0 +1,23 @@
+title: RedMimicry Winnti Playbook Dropped File
+id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - gthread-3.6.dll
+ - sigcmm-2.4.dll
+ - \Windows\Temp\tmp.bat
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/sysmon_redmimicry_winnti.yml b/rules/windows/process_creation/sysmon_redmimicry_winnti.yml
new file mode 100644
index 000000000..367b37226
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_redmimicry_winnti.yml
@@ -0,0 +1,27 @@
+title: RedMimicry Winnti Playbook Execute
+id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1106
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|contains:
+ - rundll32.exe
+ - cmd.exe
+ CommandLine|contains:
+ - gthread-3.6.dll
+ - \Windows\Temp\tmp.bat
+ - sigcmm-2.4.dll
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_redmimicry_winnti.yml b/rules/windows/registry_event/sysmon_redmimicry_winnti.yml
new file mode 100644
index 000000000..9f8bee94b
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_redmimicry_winnti.yml
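Review bot: `description: Detects actions caused by the RedMimicry Winnti playbook` is identical in all four new rules (this file_event hunk and the process_creation, registry_event and sysmon hunks) and does not say what each rule matches, so an analyst triaging an alert cannot tell from the rule text what actually fired. Each description should name the observable, e.g. here `description: Detects file creations of the gthread-3.6.dll / sigcmm-2.4.dll libraries or \Windows\Temp\tmp.bat as dropped by the RedMimicry Winnti playbook`. All four rules also pair `falsepositives: Unknown` with `level: high`; `\Windows\Temp\tmp.bat` in particular is a generic name that other software could plausibly write, so either document the expected false positives or reconsider `high` for that indicator. The `attack.t1027` tag (Obfuscated Files or Information) does not obviously describe a file drop; the mapping is worth double-checking against the playbook.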
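Review bot: `Image|contains:` with bare `rundll32.exe` / `cmd.exe` is a substring test on the whole image path, whereas the process_creation rules in this repository conventionally use `Image|endswith: '\rundll32.exe'` / `'\cmd.exe'`, which anchors on the file name and avoids matching a path component that merely contains the string. The same `contains` style is used for `SourceImage` / `TargetImage` in the sysmon hunk of this patch. Since `Image|contains` and `CommandLine|contains` sit in one selection they are ANDed, which is the intended semantics here; only the modifier choice is at issue.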
@@ -0,0 +1,20 @@
+title: RedMimicry Winnti Playbook Registry Manipulation
+id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_redmimicry_winnti.yml b/rules/windows/sysmon/sysmon_redmimicry_winnti.yml
new file mode 100644
index 000000000..972bc2c66
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_redmimicry_winnti.yml
@@ -0,0 +1,22 @@
+title: RedMimicry Winnti Playbook Inject
+id: 51c1c141-efef-4686-88d6-50b8da6d5562
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 8
+ SourceImage|contains: rundll32.exe
+ TargetImage|contains: svchost.exe
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 154181c6c8ec289a0878305b0515462721e55481 Mon Sep 17 00:00:00 2001
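Review bot: The inject rule hard-codes Sysmon's `EventID: 8` under `logsource: product: windows / service: sysmon`, which ties it to Sysmon's event numbering instead of the generic CreateRemoteThread logsource that the repository's other remote-thread rules appear to use (`category: create_remote_thread`, mapped to event 8 by the Sysmon backend config); if that category is available in the config in use, `category: create_remote_thread` without the `EventID` field lets backends map the same detection onto other telemetry sources. Independently, `SourceImage|contains: rundll32.exe` and `TargetImage|contains: svchost.exe` would be tighter as `SourceImage|endswith: '\rundll32.exe'` and `TargetImage|endswith: '\svchost.exe'`.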
From: Florian Roth
Date: Wed, 1 Jul 2020 09:48:48 +0200
Subject: [PATCH 5/6] fix: renamed files and lien break change
---
 ... => sysmon_redmimicry_winnti_filedrop.yml} | 46 ++++++++--------
 ...nti.yml => win_redmimicry_winnti_proc.yml} | 54 +++++++++----------
 ...i.yml => sysmon_redmimicry_winnti_reg.yml} | 40 +++++++-------
 ...ml => sysmon_redmimicry_winnti_inject.yml} | 44 +++++++--------
 4 files changed, 92 insertions(+), 92 deletions(-)
 rename rules/windows/file_event/{sysmon_redmimicry_winnti.yml => sysmon_redmimicry_winnti_filedrop.yml} (96%)
 rename rules/windows/process_creation/{sysmon_redmimicry_winnti.yml => win_redmimicry_winnti_proc.yml} (96%)
 rename rules/windows/registry_event/{sysmon_redmimicry_winnti.yml => sysmon_redmimicry_winnti_reg.yml} (96%)
 rename rules/windows/sysmon/{sysmon_redmimicry_winnti.yml => sysmon_redmimicry_winnti_inject.yml} (96%)
diff --git a/rules/windows/file_event/sysmon_redmimicry_winnti.yml b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
similarity index 96%
rename from rules/windows/file_event/sysmon_redmimicry_winnti.yml
rename to rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
index c754edcbd..00e042ace 100644
--- a/rules/windows/file_event/sysmon_redmimicry_winnti.yml
+++ b/rules/windows/file_event/sysmon_redmimicry_winnti_filedrop.yml
@@ -1,23 +1,23 @@
-title: RedMimicry Winnti Playbook Dropped File
-id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
-description: Detects actions caused by the RedMimicry Winnti playbook
-references:
- - https://redmimicry.com
-author: Alexander Rausch
-date: 2020/06/24
-tags:
- - attack.defense_evasion
- - attack.t1027
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|contains:
- - gthread-3.6.dll
- - sigcmm-2.4.dll
- - \Windows\Temp\tmp.bat
- condition: selection
-falsepositives:
- - Unknown
-level: high
+title: RedMimicry Winnti Playbook Dropped File
+id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - gthread-3.6.dll
+ - sigcmm-2.4.dll
+ - \Windows\Temp\tmp.bat
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/sysmon_redmimicry_winnti.yml b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
similarity index 96%
rename from rules/windows/process_creation/sysmon_redmimicry_winnti.yml
rename to rules/windows/process_creation/win_redmimicry_winnti_proc.yml
index 367b37226..d7f7e9a5d 100644
--- a/rules/windows/process_creation/sysmon_redmimicry_winnti.yml
+++ b/rules/windows/process_creation/win_redmimicry_winnti_proc.yml
@@ -1,27 +1,27 @@
-title: RedMimicry Winnti Playbook Execute
-id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
-description: Detects actions caused by the RedMimicry Winnti playbook
-references:
- - https://redmimicry.com
-author: Alexander Rausch
-date: 2020/06/24
-tags:
- - attack.execution
- - attack.t1059
- - attack.t1106
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- Image|contains:
- - rundll32.exe
- - cmd.exe
- CommandLine|contains:
- - gthread-3.6.dll
- - \Windows\Temp\tmp.bat
- - sigcmm-2.4.dll
- condition: selection
-falsepositives:
- - Unknown
-level: high
+title: RedMimicry Winnti Playbook Execute
+id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.t1106
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|contains:
+ - rundll32.exe
+ - cmd.exe
+ CommandLine|contains:
+ - gthread-3.6.dll
+ - \Windows\Temp\tmp.bat
+ - sigcmm-2.4.dll
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_redmimicry_winnti.yml b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
similarity index 96%
rename from rules/windows/registry_event/sysmon_redmimicry_winnti.yml
rename to rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
index 9f8bee94b..e1a83679b 100644
--- a/rules/windows/registry_event/sysmon_redmimicry_winnti.yml
+++ b/rules/windows/registry_event/sysmon_redmimicry_winnti_reg.yml
@@ -1,20 +1,20 @@
-title: RedMimicry Winnti Playbook Registry Manipulation
-id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
-description: Detects actions caused by the RedMimicry Winnti playbook
-references:
- - https://redmimicry.com
-author: Alexander Rausch
-date: 2020/06/24
-tags:
- - attack.defense_evasion
- - attack.t1112
-logsource:
- product: windows
- category: registry_event
-detection:
- selection:
- TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
- condition: selection
-falsepositives:
- - Unknown
-level: high
+title: RedMimicry Winnti Playbook Registry Manipulation
+id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/sysmon/sysmon_redmimicry_winnti.yml b/rules/windows/sysmon/sysmon_redmimicry_winnti_inject.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_redmimicry_winnti.yml
rename to rules/windows/sysmon/sysmon_redmimicry_winnti_inject.yml
index 972bc2c66..2e8b2411b 100644
--- a/rules/windows/sysmon/sysmon_redmimicry_winnti.yml
+++ b/rules/windows/sysmon/sysmon_redmimicry_winnti_inject.yml
@@ -1,22 +1,22 @@
-title: RedMimicry Winnti Playbook Inject
-id: 51c1c141-efef-4686-88d6-50b8da6d5562
-description: Detects actions caused by the RedMimicry Winnti playbook
-references:
- - https://redmimicry.com
-author: Alexander Rausch
-date: 2020/06/24
-tags:
- - attack.defense_evasion
- - attack.t1055
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 8
- SourceImage|contains: rundll32.exe
- TargetImage|contains: svchost.exe
- condition: selection
-falsepositives:
- - Unknown
-level: high
+title: RedMimicry Winnti Playbook Inject
+id: 51c1c141-efef-4686-88d6-50b8da6d5562
+description: Detects actions caused by the RedMimicry Winnti playbook
+references:
+ - https://redmimicry.com
+author: Alexander Rausch
+date: 2020/06/24
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 8
+ SourceImage|contains: rundll32.exe
+ TargetImage|contains: svchost.exe
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From ab40cdbbd7d55109e62fe40be106750706891b8b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Jul 2020 09:57:35 +0200
Subject: [PATCH 6/6] fix: missing ATT&CK id
---
 tests/test_rules.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 0fd01c1fe..c0662e960 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -106,6 +106,7 @@ class TestRules(unittest.TestCase):
 "t1102",
 "t1103",
 "t1105",
+ "t1106",
 "t1107",
 "t1110",
 "t1112",