From 3bd12552bb7e2687bbdc05ad4cccb75cbae39a10 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 2 Jan 2023 22:19:32 +0100
Subject: [PATCH 01/64] feat: add bitlocker channel
---
 tests/logsource.json | 1 +
 tests/test_rules.py | 2 ++
 tools/config/elk-windows.yml | 5 +++++
 tools/config/elk-winlogbeat-sp.yml | 5 +++++
 tools/config/elk-winlogbeat.yml | 5 +++++
 tools/config/fireeye-helix.yml | 5 +++++
 tools/config/logpoint-windows.yml | 5 +++++
 tools/config/logstash-windows.yml | 5 +++++
 tools/config/powershell.yml | 7 ++++++-
 tools/config/splunk-windows.yml | 5 +++++
 tools/config/sumologic.yml | 5 +++++
 tools/config/thor.yml | 5 +++++
 tools/config/winlogbeat-modules-enabled.yml | 5 +++++
 tools/config/winlogbeat-old.yml | 5 +++++
 tools/config/winlogbeat.yml | 5 +++++
 15 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/tests/logsource.json b/tests/logsource.json
index 45761f7da..7f7ab8b7d 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -44,6 +44,7 @@
 "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"]
 },
 "service":{
+ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"],
 "bits-client":["RemoteName","LocalName","processPath","processId"],
 "codeintegrity-operational":["FileNameLength","FileNameBuffer","ProcessNameLength","ProcessNameBuffer",
 "RequestedPolicy","ValidatedPolicy","Status"],
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 004b72032..f864f9975 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -857,6 +857,8 @@ class TestRules(unittest.TestCase):
 pattern_prefix = "win_applocker_"
 elif value == "dns-server-analytic":
 pattern_prefix = "win_dns_analytic_"
+ elif value == "bitlocker":
+ pattern_prefix = "win_bitlocker_"
 # This value is used to test if we should add the OS infix for certain categories
 if os_bool:
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index df881f41a..458f64607 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -109,4 +109,9 @@ logsources:
 service: ldap_debug
 conditions:
 EventLog: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ EventLog: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index 5f3098e63..90f764db2 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -109,6 +109,11 @@ logsources:
 service: ldap_debug
 conditions:
 log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 4e55a3e8c..cb0d4e24a 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -109,6 +109,11 @@ logsources:
 service: ldap_debug
 conditions:
 logname: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ logname: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 1eedbd76b..ff57115d1 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -137,6 +137,11 @@ logsources:
 service: ldap_debug
 conditions:
 channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index 879e1bc07..f7faa953f 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -109,6 +109,11 @@ logsources:
 service: ldap_debug
 conditions:
 event_source: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ event_source: 'Microsoft-Windows-BitLocker/BitLocker Management'
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 637f099f8..48bcf02c0 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -130,4 +130,9 @@ logsources:
 service: ldap_debug
 conditions:
 Channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ Channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 6102e3d8c..556051e6c 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -150,4 +150,9 @@ logsources:
 product: windows
 service: ldap_debug
 conditions:
- LogName: 'Microsoft-Windows-LDAP-Client/Debug'
\ No newline at end of file
+ LogName: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ LogName: 'Microsoft-Windows-BitLocker/BitLocker Management'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index f8c30dcca..1df7507d0 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -166,6 +166,11 @@ logsources:
 service: ldap_debug
 conditions:
 source: 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ source: 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
 windows-defender:
 product: windows
 service: windefend
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index aa0e9f75e..d23d40698 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -140,6 +140,11 @@ logsources:
 service: ldap_debug
 conditions:
 source: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ source: 'Microsoft-Windows-BitLocker/BitLocker Management'
 apache:
 service: apache
 index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 86c46e545..5eb6437e4 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -414,6 +414,11 @@ logsources:
 service: ldap_debug
 sources:
 - 'WinEventLog:Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ sources:
+ - 'WinEventLog:Microsoft-Windows-BitLocker/BitLocker Management'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index cbc432525..ce55c210f 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -154,6 +154,11 @@ logsources:
 service: ldap_debug
 conditions:
 winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index 564ecfee6..6234fc1ed 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -117,6 +117,11 @@ logsources:
 service: ldap_debug
 conditions:
 log_name: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ log_name: 'Microsoft-Windows-BitLocker/BitLocker Management'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 23eedcd78..7948fcf8c 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -143,6 +143,11 @@ logsources:
 service: ldap_debug
 conditions:
 winlog.channel: 'Microsoft-Windows-LDAP-Client/Debug'
+ windows-bitlocker:
+ product: windows
+ service: bitlocker
+ conditions:
+ winlog.channel: 'bitlocker'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
From fefaa57d3c05da5f26b01df3e63597a637e7ff4b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 3 Jan 2023 00:16:32 +0100
Subject: [PATCH 02/64] fix: FPs noticed in CI testing
---
 .../posh_ps_token_obfuscation.yml | 7 +++++--
 .../proc_creation_win_susp_cmd.yml | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index 2c1be97b9..0c4040836 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
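Review bot: `winlog.channel: 'bitlocker'` in the winlogbeat.yml hunk is not a Windows event channel name, so a rule with `service: bitlocker` converted with this config would produce a query that can never match on that backend. Every other config touched by this commit, including winlogbeat-old.yml and winlogbeat-modules-enabled.yml directly above, maps the service to the full channel; the line should read `winlog.channel: 'Microsoft-Windows-BitLocker/BitLocker Management'`. A test that compares the channel strings across the tools/config files for each service would have caught this divergence.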
@@ -9,6 +9,7 @@ references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022/12/27
+modified: 2023/01/03
 tags:
 - attack.defense_evasion
 - attack.t1027.009
@@ -25,8 +26,10 @@ detection:
 # ${e`Nv:pATh}
 - ScriptBlockText|re: '\w+\`(\w+|-|.)\`[\w+|\s]'
 #- ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- - ScriptBlockText|re: '"({\d})+"\s*-f'
- - ScriptBlockText|re: '\${((e|n|v)*`(e|n|v)*)+:path}|\${((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+}|\${env:((p|a|t|h)*`(p|a|t|h)*)+}'
+ - ScriptBlockText|re: '"(\{\d\})+"\s*-f'
+ - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
+ filter:
+ - ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index 5af183017..6308dd90f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113
 date: 2022/12/05
-modified: 2022/12/07
+modified: 2023/01/03
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
@@ -35,6 +35,19 @@ detection:
 ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun'
 OriginalFileName: 'PowerShell.EXE'
 CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host'
+ filter_erl:
+ # Example:
+ # C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
+ ParentImage|startswith: 'C:\Program Files\erl-'
+ ParentImage|endswith: '\bin\erl.exe'
+ filter_vmware:
+ ParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
+ CommandLine|contains: 'get-vmswitch '
+ filter_asgard:
+ ParentImage: 'C:\Windows\System32\asgard2-agent\bin\generic.exe'
+ CommandLine|contains|all:
+ - ' -taskid '
+ - ' -name asgard2-agent '
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
From a6ff066baa9774c0a8ddddfbc19ec93212e54599 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 3 Jan 2023 00:32:02 +0100
Subject: [PATCH 03/64] fix: unused filter
---
 .../powershell_script/posh_ps_token_obfuscation.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index ce552697d..cf7936755 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -29,8 +29,8 @@ detection:
 - ScriptBlockText|re: '"(\{\d\})+"\s*-f'
 - ScriptBlockText|re: '\$\{((e|n|v)*`(e|n|v)*)+:path\}|\$\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\}|\$\{env:((p|a|t|h)*`(p|a|t|h)*)+\}'
 filter:
- - ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
- condition: selection
+ ScriptBlockText|contains: 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
From 6c178639f417d0226a46d6390bca6ffc5596320f Mon Sep 17 00:00:00 2001
From: Ali Alwashali
Date: Tue, 3 Jan 2023 08:01:11 +0300
Subject: [PATCH 04/64] adding WMIADAP.exe to filters
adding WMIADAP.exe to filters
---
 rules/windows/sysmon/sysmon_process_hollowing.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 47201e255..164f13215 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -27,6 +27,7 @@ detection:
 - '\opera.exe'
 - '\firefox.exe'
 - '\MicrosoftEdge.exe'
+ - '\WMIADAP.exe'
 condition: selection and not filters
 falsepositives:
 - There are no known false positives at this time
From e620fcbc0bbf444c58e00c1a25d15efcae746730 Mon Sep 17 00:00:00 2001
From: vadim
Date: Tue, 3 Jan 2023 11:36:54 +0300
Subject: [PATCH 05/64] Detects change location evtx used wecutil
---
 ...proc_creation_win_change_evtx_location.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
new file mode 100644
index 000000000..d65944fb4
--- /dev/null
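Review bot: The new `'\WMIADAP.exe'` entry in the sysmon_process_hollowing.yml hunk is a suffix-only match, like the entries above it (the field the list belongs to starts outside the hunk), so any image whose name ends in WMIADAP.exe is carved out of a process-tampering rule, not only the system binary. If the list is on a full image-path field, anchoring the entry to the directory the Windows binary ships in, `'\System32\wbem\WMIADAP.exe'`, limits the exclusion to the legitimate case; the browser entries have the same weakness but are pre-existing. The `falsepositives` text `There are no known false positives at this time` is now contradicted by a filter list of known benign images and could name them instead.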
+++ b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
@@ -0,0 +1,30 @@
+title: Process Creation Win Change Evtx Location
+id: e6b11ea9-919a-413a-92bd-0976b42bd3b8
+status: experimental
+description: Detects change location evtx used wecutil
+author: D3F7A5105
+date: 2023/01/03
+references:
+ - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cmd:
+ Image|endswith: \wevtutil.exe
+ CommandLine|contains|all:
+ - wevtutil
+ - /lfn
+ - \.evtx
+ filter_cmd:
+ CommandLine|contains:
+ - \Windows\System32\winevt\Logs
+ condition: selection_cmd and not filter_cmd
+falsepositives:
+ - Admin activity
+ - Backup activity
+level: medium
From 2075962596f0c49bfa871e8f42fdf2feb024aa58 Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 11:54:30 +0300
Subject: [PATCH 06/64] Update proc_creation_win_change_evtx_location.yml
---
 .../proc_creation_win_change_evtx_location.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
index d65944fb4..b21ea449c 100644
--- a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
@@ -1,7 +1,7 @@
-title: Process Creation Win Change Evtx Location
+title: Change Evtx Location Used Wevtutil
 id: e6b11ea9-919a-413a-92bd-0976b42bd3b8
 status: experimental
-description: Detects change location evtx used wecutil
+description: Detects change location evtx used wevtutil
 author: D3F7A5105
 date: 2023/01/03
 references:
@@ -21,8 +21,7 @@ detection:
 - /lfn
 - \.evtx
 filter_cmd:
- CommandLine|contains:
- - \Windows\System32\winevt\Logs
+ CommandLine|contains: \Windows\System32\winevt\Logs
 condition: selection_cmd and not filter_cmd
 falsepositives:
 - Admin activity
From 052cd2e9677d1d4b87c42db865fb63e8da683ec6 Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 12:11:13 +0300
Subject: [PATCH 07/64] Update proc_creation_win_change_evtx_location.yml
---
 .../process_creation/proc_creation_win_change_evtx_location.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
index b21ea449c..4afdcd17f 100644
--- a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
@@ -19,7 +19,7 @@ detection:
 CommandLine|contains|all:
 - wevtutil
 - /lfn
- - \.evtx
+ - .evtx
 filter_cmd:
 CommandLine|contains: \Windows\System32\winevt\Logs
 condition: selection_cmd and not filter_cmd
From f409a8a98482483760b1072094a024436b11b889 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 3 Jan 2023 10:37:09 +0100
Subject: [PATCH 08/64] fix: update modified date
---
 rules/windows/sysmon/sysmon_process_hollowing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 164f13215..a222d8141 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -7,7 +7,7 @@ references:
 - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 date: 2022/01/25
-modified: 2022/02/01
+modified: 2023/01/03
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
From 5dc77bad7a39e7e6bf886c2411633b43d04350ba Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 15:10:54 +0300
Subject: [PATCH 09/64] Update rule for detects change location evtx
---
 .../proc_creation_win_susp_eventlog_clear.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 0694210af..a053522fc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -5,12 +5,14 @@ description: Detects clearing or configuration of eventlogs using wevtutil, powe
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
-author: Ecco, Daniil Yugoslavskiy, oscd.community
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
 date: 2019/09/26
-modified: 2022/09/12
+modified: 2023/12/03
 tags:
 - attack.defense_evasion
 - attack.t1070.001
+ - attack.t1562.002
 - car.2016-04-002
 logsource:
 category: process_creation
@@ -23,6 +25,7 @@ detection:
 - ' cl ' # short version of 'clear-log'
 - 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size
 - ' sl ' # short version of 'set-log'
+ - 'lfn:' # log file name
 selection_other_ps:
 Image|endswith:
 - '\powershell.exe'
From 4329b9ad495cfb28531a6b686af2efb3cbec5a8b Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 15:11:33 +0300
Subject: [PATCH 10/64] Update proc_creation_win_susp_eventlog_clear.yml
---
 .../process_creation/proc_creation_win_susp_eventlog_clear.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index a053522fc..f3b288a83 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -8,7 +8,7 @@ references:
 - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
 author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
 date: 2019/09/26
-modified: 2023/12/03
+modified: 2023/01/03
 tags:
 - attack.defense_evasion
 - attack.t1070.001
From eabad667683ccd35fda926e0eeef1620d7fb17e0 Mon Sep 17 00:00:00 2001
From: Vadim
Date: Tue, 3 Jan 2023 15:15:52 +0300
Subject: [PATCH 11/64] Delete proc_creation_win_change_evtx_location.yml
---
 ...proc_creation_win_change_evtx_location.yml | 29 -------------------
 1 file changed, 29 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
diff --git a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml b/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
deleted file mode 100644
index 4afdcd17f..000000000
--- a/rules/windows/process_creation/proc_creation_win_change_evtx_location.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Change Evtx Location Used Wevtutil
-id: e6b11ea9-919a-413a-92bd-0976b42bd3b8
-status: experimental
-description: Detects change location evtx used wevtutil
-author: D3F7A5105
-date: 2023/01/03
-references:
- - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
- - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
-tags:
- - attack.defense_evasion
- - attack.t1562.002
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_cmd:
- Image|endswith: \wevtutil.exe
- CommandLine|contains|all:
- - wevtutil
- - /lfn
- - .evtx
- filter_cmd:
- CommandLine|contains: \Windows\System32\winevt\Logs
- condition: selection_cmd and not filter_cmd
-falsepositives:
- - Admin activity
- - Backup activity
-level: medium
From 0bf6645387f5385aed0470e37914824c2138a1e8 Mon Sep 17 00:00:00 2001
From: "Tim (Bobby-Tablez) Peck"
Date: Tue, 3 Jan 2023 09:35:36 -0700
Subject: [PATCH 12/64] Update posh_ps_susp_invocation_generic.yml
---
 .../powershell_script/posh_ps_susp_invocation_generic.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index d4d6ca63d..0f3a397cb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -20,11 +20,13 @@ detection:
 ScriptBlockText|contains:
 - ' -enc '
 - ' -EncodedCommand '
+ - ' -ec '
 selection_hidden:
 ScriptBlockText|contains:
 - ' -w hidden '
 - ' -window hidden '
 - ' -windowstyle hidden '
+ - ' -w 1 '
 selection_noninteractive:
 ScriptBlockText|contains:
 - ' -noni '
From 0391f127c4f43d32f86d0d2c69095168ac90e8bb Mon Sep 17 00:00:00 2001
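Review bot: `' -w 1 '` in `selection_hidden` of the posh_ps_susp_invocation_generic.yml hunk is a bare numeric value sitting next to the spelled-out `hidden` variants, and nothing in the rule tells a reader why 1 is equivalent; a trailing comment would save the lookup, e.g. `- ' -w 1 ' # numeric form of -WindowStyle; 1 is the Hidden value of the ProcessWindowStyle enum`. The same comment belongs on the identical line added to posh_pm_susp_invocation_generic.yml in the next patch. The `modified` field of the rule is not part of this hunk, so its header could not be checked here.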
From: "Tim (Bobby-Tablez) Peck"
Date: Tue, 3 Jan 2023 09:38:26 -0700
Subject: [PATCH 13/64] Update posh_pm_susp_invocation_generic.yml
---
 .../powershell_module/posh_pm_susp_invocation_generic.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index e37c54b48..db21224e6 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -20,11 +20,13 @@ detection:
 ContextInfo|contains:
 - ' -enc '
 - ' -EncodedCommand '
+ - ' -ec '
 selection_hidden:
 ContextInfo|contains:
 - ' -w hidden '
 - ' -window hidden '
 - ' -windowstyle hidden '
+ - ' -w 1 '
 selection_noninteractive:
 ContextInfo|contains:
 - ' -noni '
From 843506c9f0bb926c3d2e59d5ea3c0fdb97be1de7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 3 Jan 2023 17:46:39 +0100
Subject: [PATCH 14/64] fix: update modified field
---
 .../powershell_module/posh_pm_susp_invocation_generic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index db21224e6..677e18670 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2022/12/02
+modified: 2023/01/03
 tags:
 - attack.execution
 - attack.t1059.001
From d1fcf96d7dec10b4f2e8e5b5d11a9145a333bb4b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 3 Jan 2023 17:47:15 +0100
Subject: [PATCH 15/64] fix: update modified field
---
 .../powershell_script/posh_ps_susp_invocation_generic.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index 0f3a397cb..d851cfdca 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -7,7 +7,7 @@ status: test
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2022/12/25
+modified: 2023/01/03
 tags:
 - attack.execution
 - attack.t1059.001
From 705782ee9b41929028a6b3343a34a6f6fd0bb940 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 3 Jan 2023 20:52:10 +0000
Subject: [PATCH 16/64] FP: call of window style hidden is embedded in AWS code.
---
 .../powershell_script/posh_ps_susp_windowstyle.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index ea8c32176..2c9159a8f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -6,9 +6,9 @@ description: |
 In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
-author: frack113
+author: frack113, Tim Shelton (fp AWS)
 date: 2021/10/20
-modified: 2022/12/25
+modified: 2023/01/03
 tags:
 - attack.defense_evasion
 - attack.t1564.003
@@ -22,7 +22,9 @@ detection:
 - 'powershell'
 - 'WindowStyle'
 - 'Hidden'
- condition: selection
+ filter:
+ ScriptBlockText|contains: ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: medium
From 0c520dc930c1f16bb0d32759f7c2214a78112eee Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 3 Jan 2023 22:04:52 +0000
Subject: [PATCH 17/64] FP: manage engine admanager postgres calling archive.bat
---
 .../windows/process_creation/proc_creation_win_susp_cmd.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index a8c86c74c..d2a4dd0a1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -48,6 +48,11 @@ detection:
 CommandLine|contains|all:
 - ' -taskid '
 - ' -name asgard2-agent '
+ filter_manageengine:
+ # Example:
+ # parent: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
+ # child: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
+ ParentImage: 'C:\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
From 4d6aec82a65c98b780c7ddc4a7bc2c7384a6d906 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:43:40 +0100
Subject: [PATCH 18/64] fix: enhance fp filter
---
 .../powershell/powershell_script/posh_ps_susp_windowstyle.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index 2c9159a8f..c4c13d575 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -23,7 +23,9 @@ detection:
 - 'WindowStyle'
 - 'Hidden'
 filter:
- ScriptBlockText|contains: ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
+ ScriptBlockText|contains|all:
+ - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
+ - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
 condition: selection and not filter
 falsepositives:
 - Unknown
From a737737d923637896e358ff6e9efc0e89dd8c71e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 4 Jan 2023 00:46:54 +0100
Subject: [PATCH 19/64] fix: enhance filter
---
 .../process_creation/proc_creation_win_susp_cmd.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index d2a4dd0a1..295f194f3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -49,10 +49,11 @@ detection:
 - ' -taskid '
 - ' -name asgard2-agent '
 filter_manageengine:
- # Example:
- # parent: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
- # child: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
+ # Example:
+ # ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
+ # CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
 ParentImage: 'C:\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
+ Image|endswith: '\cmd.exe'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
From 0fe4f16dfbfb96943905fd85ee78e3f287f756bf Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 4 Jan 2023 10:28:50 +0100
Subject: [PATCH 20/64] fix: update filter based on ##3865 and #3866
---
 .../process_creation/proc_creation_win_susp_cmd.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index 295f194f3..9dfbb96b5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -54,6 +54,18 @@ detection:
 # CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
 ParentImage: 'C:\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
 Image|endswith: '\cmd.exe'
+ filter_landesk:
+ # Example:
+ # ParentImage: C:\Program Files (x86)\LANDesk\LDCLient\sdistbat.exe
+ # CommandLine: cmd.exe /c C:\Program Files "(x86)\LANDesk\LDCLient\\sdclient_temp.bat > C:\Program" Files (x86)\LANDesk\LDCLient\data\sd_2491.tmp
+ ParentImage: 'C:\Program Files (x86)\LANDesk\LDClient\sdistbat.exe'
+ Image|endswith: '\cmd.exe'
+ filter_varonis:
+ # Example:
+ # ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
+ # CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
+ ParentImage: 'C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe'
+ Image|endswith: '\cmd.exe'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
From 3da07164ce0d651bf72691bac1cfcafbf20249de Mon Sep 17 00:00:00 2001
From: Hendrik Baecker
Date: Wed, 4 Jan 2023 15:58:35 +0100
Subject: [PATCH 21/64] test-rules: Execute get_mitre_data() as part of unittest Catching the data as part of the unittest class is more IDE friendly cause they won't call __main__ but using the test methods directly.
---
 tests/test_rules.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index f864f9975..43e355b86 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -17,6 +17,14 @@ import collections class TestRules(unittest.TestCase): + + @classmethod + def setUpClass(cls): + print("Calling get_mitre_data()") + # Get Current Data from MITRE ATT&CK® + cls.MITRE_ALL = get_mitre_data() + print("Catched data - starting tests...") + MITRE_TECHNIQUE_NAMES = [ "process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", @@ -101,7 +109,7 @@ class TestRules(unittest.TestCase): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: - if tag not in MITRE_ALL and tag.startswith("attack."): + if tag not in self.MITRE_ALL and tag.startswith("attack."): print( Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) @@ -1295,7 +1303,5 @@ def get_mitre_data(): if __name__ == "__main__": init(autoreset=True) - # Get Current Data from MITRE ATT&CK® - MITRE_ALL = get_mitre_data() # Run the tests unittest.main() From c998945b34b3f0034c96aff2f9f51611d06d81e6 Mon Sep 17 00:00:00 2001 From: Hendrik Baecker Date: Wed, 4 Jan 2023 16:02:57 +0100 Subject: [PATCH 22/64] test-rules: use cti directory relative to test file This little change will use 'cti/' relative to the executing test_*.py file and doesn't care if the testfile is executed from sigma/ or sigma/tests/. --- tests/test_rules.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 43e355b86..2f5cb996e 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -1254,7 +1254,9 @@ def get_mitre_data(): """ Use Tags from CTI subrepo to get consitant data """ - cti_path = "tests/cti/" + cti_path = "cti/" + cti_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), cti_path) + # Get ATT&CK information lift = attack_client(local_path=cti_path) # Techniques 
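Review bot: The status message in the new `setUpClass` has a typo, `print("Catched data - starting tests...")`; it should read `print("Fetched data - starting tests...")`. Because the `__main__` hunk removes the module-level `MITRE_ALL` binding, any remaining reference to the bare name would now raise `NameError` — the visible diff updates only the single site in the `@@ -101,7 +109,7 @@` hunk, so the rest of the file is worth a grep before merge. A failure inside `get_mitre_data()` now aborts the whole test class rather than one test, which is the stated intent, but a short explanatory message around the call would make that failure mode easier to diagnose.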
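Review bot: `cti_path` is assigned twice in the `get_mitre_data()` hunk — first the relative `"cti/"`, then the joined absolute path — where a single expression reads more clearly: `cti_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "cti")`. The `path_to_rules` hunk of patch 23 uses the same two-step pattern with `"../rules"`, and there the `..` component survives in the joined string; `os.path.normpath(...)` on the result yields a clean absolute path. Both sites depend on `os` being imported at module level, which this diff does not show — worth confirming. The body of `get_mitre_data()` continues outside the hunk.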
From 9985905f54066656e284a9d37b0767c75c1c4f2e Mon Sep 17 00:00:00 2001 From: Hendrik Baecker Date: Wed, 4 Jan 2023 16:25:07 +0100 Subject: [PATCH 23/64] rule_tests: Rule directory relative to test_* file --- tests/test_rules.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 2f5cb996e..c6087e238 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -32,7 +32,8 @@ class TestRules(unittest.TestCase): # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} - path_to_rules = "rules" + path_to_rules = "../rules" + path_to_rules = os.path.join(os.path.dirname(os.path.realpath(__file__)), path_to_rules) # Helper functions def yield_next_rule_file_path(self, path_to_rules: str) -> str: From 711ba956e30b0bfa4924cf4d7c2e9b390a442452 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 17:49:32 +0100 Subject: [PATCH 24/64] feat: updates and enhancements --- .../proc_creation_win_indirect_cmd.yml | 4 +- ...in_indirect_command_execution_forfiles.yml | 8 +++- .../proc_creation_lnx_hack_tools.yml | 29 +++++++++++ ...eation_lnx_install_suspicioua_packages.yml | 48 +++++++++++++++++++ .../proc_creation_lnx_susp_git_clone.yml | 40 ++++++++++++++++ ...e_event_win_powershell_exploit_scripts.yml | 3 +- .../posh_pm_alternate_powershell_hosts.yml | 2 +- .../posh_pm_bad_opsec_artifacts.yml | 2 +- .../posh_pm_clear_powershell_history.yml | 2 +- .../posh_pm_decompress_commands.yml | 2 +- .../posh_pm_get_addbaccount.yml | 2 +- .../posh_pm_get_clipboard.yml | 8 ++-- .../posh_pm_invoke_obfuscation_clip.yml | 2 +- ...h_pm_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../posh_pm_invoke_obfuscation_var.yml | 2 +- ...osh_pm_invoke_obfuscation_via_compress.yml | 2 +- .../posh_pm_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_pm_invoke_obfuscation_via_stdin.yml | 2 +- ...osh_pm_invoke_obfuscation_via_use_clip.yml | 2 +- ...sh_pm_invoke_obfuscation_via_use_mhsta.yml | 2 +- ...pm_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_module/posh_pm_powercat.yml | 2 +- .../posh_pm_remote_powershell_session.yml | 2 +- .../posh_pm_susp_ad_group_reco.yml | 2 +- ...susp_athremotefxvgpudisablementcommand.yml | 2 +- .../posh_pm_susp_get_nettcpconnection.yml | 2 +- .../posh_pm_susp_invocation_generic.yml | 2 +- .../posh_pm_susp_invocation_specific.yml | 2 +- .../posh_pm_susp_local_group_reco.yml | 2 +- ..._pm_susp_reset_computermachinepassword.yml | 2 +- .../posh_pm_susp_smb_share_reco.yml | 2 +- .../posh_pm_susp_zip_compress.yml | 2 +- .../posh_pm_syncappvpublishingserver_exe.yml | 2 +- .../posh_ps_access_to_browser_login_data.yml | 2 +- .../posh_ps_accessing_win_api.yml | 2 +- 
.../posh_ps_add_dnsclient_rule.yml | 2 +- .../posh_ps_adrecon_execution.yml | 2 +- .../posh_ps_amsi_bypass_pattern_nov22.yml | 2 +- .../posh_ps_amsi_null_bits_bypass.yml | 27 +++++++++++ .../posh_ps_apt_silence_eda.yml | 1 + .../posh_ps_as_rep_roasting.yml | 2 +- .../posh_ps_automated_collection.yml | 2 +- .../posh_ps_capture_screenshots.yml | 2 +- .../posh_ps_cl_invocation_lolscript.yml | 2 +- .../posh_ps_cl_invocation_lolscript_count.yml | 2 +- .../posh_ps_cl_mutexverifiers_lolscript.yml | 2 +- ...h_ps_cl_mutexverifiers_lolscript_count.yml | 2 +- .../posh_ps_clear_powershell_history.yml | 2 +- ...sh_ps_clearing_windows_console_history.yml | 2 +- .../posh_ps_cmdlet_scheduled_task.yml | 2 +- ...h_ps_computer_discovery_get_adcomputer.yml | 2 +- .../posh_ps_copy_item_system_directory.yml | 2 +- .../posh_ps_cor_profiler.yml | 2 +- .../posh_ps_create_local_user.yml | 2 +- .../posh_ps_create_volume_shadow_copy.yml | 2 +- .../posh_ps_data_compressed.yml | 2 +- .../posh_ps_detect_vm_env.yml | 2 +- .../posh_ps_directorysearcher.yml | 2 +- ...ps_directoryservices_accountmanagement.yml | 2 +- ..._ps_disable_psreadline_command_history.yml | 2 +- ...posh_ps_disable_windowsoptionalfeature.yml | 2 +- .../posh_ps_dnscat_execution.yml | 2 +- ...mp_password_windows_credential_manager.yml | 2 +- .../posh_ps_enable_psremoting.yml | 2 +- .../posh_ps_enable_windowsoptionalfeature.yml | 2 +- ...te_password_windows_credential_manager.yml | 2 +- .../posh_ps_etw_trace_evasion.yml | 2 +- ..._exchange_mailbox_smpt_forwarding_rule.yml | 2 +- .../posh_ps_file_and_directory_discovery.yml | 2 +- .../posh_ps_frombase64string_archive.yml | 2 +- .../posh_ps_get_acl_service.yml | 2 +- .../posh_ps_get_adcomputer.yml | 2 +- .../powershell_script/posh_ps_get_adgroup.yml | 2 +- .../posh_ps_get_adreplaccount.yml | 2 +- .../posh_ps_get_childitem_bookmarks.yml | 2 +- .../powershell_script/posh_ps_hotfix_enum.yml | 2 +- .../posh_ps_icmp_exfiltration.yml | 2 +- .../posh_ps_import_module_susp_dirs.yml | 2 +- 
.../posh_ps_invoke_command_remote.yml | 2 +- .../posh_ps_invoke_dnsexfiltration.yml | 2 +- .../posh_ps_invoke_obfuscation_clip.yml | 2 +- ...h_ps_invoke_obfuscation_obfuscated_iex.yml | 2 +- .../posh_ps_invoke_obfuscation_stdin.yml | 2 +- .../posh_ps_invoke_obfuscation_var.yml | 2 +- ...osh_ps_invoke_obfuscation_via_compress.yml | 2 +- .../posh_ps_invoke_obfuscation_via_rundll.yml | 2 +- .../posh_ps_invoke_obfuscation_via_stdin.yml | 2 +- ...osh_ps_invoke_obfuscation_via_use_clip.yml | 2 +- ...sh_ps_invoke_obfuscation_via_use_mhsta.yml | 2 +- ...ps_invoke_obfuscation_via_use_rundll32.yml | 2 +- .../posh_ps_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_keylogging.yml | 2 +- .../powershell_script/posh_ps_localuser.yml | 2 +- .../posh_ps_mailboxexport_share.yml | 2 +- .../posh_ps_malicious_commandlets.yml | 8 +++- .../posh_ps_malicious_keywords.yml | 2 +- ...ps_memorydump_getstoragediagnosticinfo.yml | 2 +- .../posh_ps_modify_group_policy_settings.yml | 2 +- .../powershell_script/posh_ps_msxml_com.yml | 2 +- .../posh_ps_nishang_malicious_commandlets.yml | 2 +- .../posh_ps_ntfs_ads_access.yml | 2 +- .../posh_ps_office_comobject_registerxll.yml | 2 +- ...osh_ps_powerview_malicious_commandlets.yml | 2 +- .../posh_ps_prompt_credentials.yml | 2 +- .../posh_ps_psasyncshell.yml | 2 +- .../powershell_script/posh_ps_psattack.yml | 2 +- .../posh_ps_remote_session_creation.yml | 2 +- .../posh_ps_remove_item_path.yml | 2 +- .../posh_ps_request_kerberos_ticket.yml | 2 +- .../posh_ps_root_certificate_installed.yml | 2 +- .../posh_ps_run_from_mount_diskimage.yml | 2 +- .../posh_ps_security_software_discovery.yml | 2 +- .../posh_ps_send_mailmessage.yml | 2 +- .../posh_ps_sensitive_file_discovery.yml | 2 +- ...posh_ps_set_policies_to_unsecure_level.yml | 2 +- .../posh_ps_shellcode_b64.yml | 2 +- ...sh_ps_shellintel_malicious_commandlets.yml | 2 +- .../posh_ps_software_discovery.yml | 2 +- ...ps_store_file_in_alternate_data_stream.yml | 2 +- 
.../posh_ps_susp_ad_group_reco.yml | 2 +- .../posh_ps_susp_clear_eventlog.yml | 2 +- .../posh_ps_susp_directory_enum.yml | 2 +- .../posh_ps_susp_download.yml | 2 +- .../posh_ps_susp_execute_batch_script.yml | 2 +- .../posh_ps_susp_export_pfxcertificate.yml | 2 +- .../posh_ps_susp_extracting.yml | 2 +- .../posh_ps_susp_follina_execution.yml | 2 +- ...susp_get_addefaultdomainpasswordpolicy.yml | 2 +- .../posh_ps_susp_get_current_user.yml | 2 +- .../posh_ps_susp_get_gpo.yml | 2 +- .../posh_ps_susp_get_process.yml | 2 +- .../posh_ps_susp_getprocess_lsass.yml | 2 +- .../posh_ps_susp_gettypefromclsid.yml | 2 +- .../powershell_script/posh_ps_susp_gwmi.yml | 2 +- .../posh_ps_susp_hyper_v_condlet.yml | 2 +- .../posh_ps_susp_invocation_generic.yml | 2 +- .../posh_ps_susp_invocation_specific.yml | 2 +- ...sh_ps_susp_invoke_webrequest_useragent.yml | 2 +- .../posh_ps_susp_iofilestream.yml | 2 +- .../posh_ps_susp_keylogger_activity.yml | 26 ++++++++++ .../posh_ps_susp_keywords.yml | 2 +- .../posh_ps_susp_local_group_reco.yml | 2 +- .../posh_ps_susp_mail_acces.yml | 2 +- .../posh_ps_susp_mount_diskimage.yml | 2 +- .../posh_ps_susp_mounted_share_deletion.yml | 2 +- .../posh_ps_susp_networkcredential.yml | 2 +- .../posh_ps_susp_new_psdrive.yml | 2 +- .../posh_ps_susp_proxy_scripts.yml | 2 +- .../posh_ps_susp_recon_export.yml | 2 +- .../posh_ps_susp_remove_adgroupmember.yml | 2 +- ..._service_dacl_modification_set_service.yml | 2 +- .../posh_ps_susp_smb_share_reco.yml | 2 +- .../posh_ps_susp_ssl_keyword.yml | 2 +- .../posh_ps_susp_start_process.yml | 2 +- .../posh_ps_susp_unblock_file.yml | 2 +- .../posh_ps_susp_wallpaper.yml | 2 +- .../posh_ps_susp_win32_pnpentity.yml | 2 +- .../posh_ps_susp_win32_shadowcopy.yml | 2 +- .../posh_ps_susp_windowstyle.yml | 2 +- .../posh_ps_susp_write_eventlog.yml | 2 +- .../posh_ps_susp_zip_compress.yml | 2 +- .../posh_ps_syncappvpublishingserver_exe.yml | 2 +- .../posh_ps_tamper_defender.yml | 2 +- ...ps_tamper_defender_remove_mppreference.yml | 2 
+- .../posh_ps_test_netconnection.yml | 2 +- .../powershell_script/posh_ps_timestomp.yml | 2 +- .../posh_ps_token_obfuscation.yml | 2 +- .../posh_ps_trigger_profiles.yml | 2 +- .../powershell_script/posh_ps_upload.yml | 2 +- .../posh_ps_user_discovery_get_aduser.yml | 2 +- ..._ps_using_set_service_to_hide_services.yml | 2 +- .../posh_ps_web_request_cmd_and_cmdlets.yml | 2 +- .../posh_ps_win32_product_install_msi.yml | 2 +- .../posh_ps_win_defender_exclusions_added.yml | 2 +- ...h_ps_windows_firewall_profile_disabled.yml | 2 +- .../posh_ps_winlogon_helper_dll.yml | 2 +- .../posh_ps_wmi_persistence.yml | 2 +- .../posh_ps_wmi_unquoted_service_search.yml | 2 +- .../powershell_script/posh_ps_wmimplant.yml | 2 +- .../posh_ps_x509enrollment.yml | 2 +- .../powershell_script/posh_ps_xml_iex.yml | 2 +- ...roc_creation_win_amsi_null_bits_bypass.yml | 26 ++++++++++ ...n_local_system_owner_account_discovery.yml | 43 ++++++++--------- ...b.yml => proc_creation_win_lolbin_cdb.yml} | 8 ++-- ...eation_win_lolbin_execution_via_winget.yml | 17 +++---- .../proc_creation_win_lolbin_forfiles.yml | 7 ++- .../proc_creation_win_lolbin_pcalua.yml | 8 +++- .../proc_creation_win_malicious_cmdlets.yml | 5 ++ .../proc_creation_win_manage_bde_lolbas.yml | 2 +- ...eation_win_powershell_downgrade_attack.yml | 10 ++-- .../proc_creation_win_susp_git_clone.yml | 46 ++++++++++++++++++ .../proc_creation_win_wmic_reconnaissance.yml | 4 +- .../registry_set_amsi_com_hijack.yml | 25 ++++++++++ 195 files changed, 517 insertions(+), 230 deletions(-) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_indirect_cmd.yml (96%) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_indirect_command_execution_forfiles.yml (73%) create mode 100644 rules/linux/process_creation/proc_creation_lnx_hack_tools.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml create mode 100644 
rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml create mode 100644 rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml rename rules/windows/process_creation/{proc_creation_win_susp_cdb.yml => proc_creation_win_lolbin_cdb.yml} (72%) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_git_clone.yml create mode 100644 rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml diff --git a/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml b/rules-deprecated/windows/proc_creation_win_indirect_cmd.yml similarity index 96% rename from rules/windows/process_creation/proc_creation_win_indirect_cmd.yml rename to rules-deprecated/windows/proc_creation_win_indirect_cmd.yml index a2f9064b5..ae206f284 100644 --- a/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml +++ b/rules-deprecated/windows/proc_creation_win_indirect_cmd.yml @@ -1,13 +1,13 @@ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 -status: test +status: deprecated description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1202 
diff --git a/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml b/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
similarity index 73%
rename from rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml
rename to rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
index 29a87ef8f..8b1bb6c6b 100644
--- a/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml
+++ b/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml
@@ -1,12 +1,16 @@
 title: Indirect Command Exectuion via Forfiles
 id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
+related:
+ - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
+ type: obsoletes
 status: experimental
-description: Detects the use of native Windows tool, forfiles to execute a file. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
+description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
 references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a
 - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
-author: Tim Rauch (rule), Elastic (idea)
+author: Tim Rauch (rule), Elastic (idea), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/10/17
+modified: 2023/01/04
 tags:
 - attack.defense_evasion
 - attack.t1202
diff --git a/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
new file mode 100644
index 000000000..9633677c0
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml
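Review bot: The file is moved into `rules-deprecated/windows/` but the new side keeps `status: experimental`, whereas the sibling rule renamed in the previous hunk was switched to `status: deprecated`; if the deprecation is intended the line should read `status: deprecated`, and if it is not, the rename target looks wrong — either way the two hunks are currently inconsistent. The new description also carries a typo: `description: Detects execution of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.` (execution, not execition). The pre-existing `Exectuion` in the title is untouched by this commit and could be corrected in the same pass.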
@@ -0,0 +1,29 @@
+title: HackTool Execution
+id: a015e032-146d-4717-8944-7a1884122111
+status: experimental
+description: Detects known hacktool execution based on image name
+references:
+ - Internal Research
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+ - attack.execution
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ # Add more as you see fit
+ - '/sqlmap'
+ - '/teamserver'
+ - '/aircrack-ng'
+ - '/john'
+ - '/setoolkit'
+ - '/wpscan'
+ - '/hydra'
+ - '/nikto'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
new file mode 100644
index 000000000..5f8dec1d0
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml
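Review bot: `falsepositives` is left as `Unknown`, yet a rule keyed purely on binary names such as `/nikto`, `/wpscan` or `/hydra` will fire on legitimate, authorized vulnerability scanning and security assessments, so a concrete entry such as `- Legitimate use during authorized security assessments and vulnerability scans` would make triage of the resulting high-level alerts easier. Since `description` already states the match is name-based, it is worth adding that `/john` matches any executable literally named `john`, not only the password-cracking tool, so analysts know to confirm the binary before escalating. The `references` entry `Internal Research` gives a reader nothing to consult; if the list of names came from a public source, linking it would help future maintainers extend it.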
@@ -0,0 +1,48 @@
+title: Suspicious Package Installed - Linux
+id: 700fb7e8-2981-401c-8430-be58e189e741
+status: experimental
+description: Detects installation of suspicious packages using system installation utilities
+references:
+ - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection_tool_apt:
+ Image|endswith:
+ - '/apt'
+ - '/apt-get'
+ CommandLine|contains: 'install'
+ selection_tool_yum:
+ Image|endswith:
+ - '/yum'
+ CommandLine|contains:
+ - 'localinstall'
+ - 'install'
+ selection_tool_rpm:
+ Image|endswith: '/rpm'
+ CommandLine|contains: '-i'
+ selection_tool_dpkg:
+ Image|endswith: '/dpkg'
+ CommandLine|contains:
+ - '--install'
+ - '-i'
+ selection_keyword:
+ CommandLine|contains:
+ # Add more suspicious packages
+ - 'nmap'
+ - ' nc'
+ - 'netcat'
+ - 'wireshark'
+ - 'tshark'
+ - 'openconnect'
+ - 'proxychains'
+ condition: 1 of selection_tool_* and selection_keyword
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
new file mode 100644
index 000000000..3222b7a55
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml
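Review bot: The new file name `proc_creation_lnx_install_suspicioua_packages.yml` has a typo (`suspicioua` → `suspicious`) and should be renamed before merge, since rule file names are referenced elsewhere in the repository's tests. In `selection_keyword`, `' nc'` under Sigma's case-insensitive `contains` also matches package names such as `ncdu`, `ncurses` or `ncftp`, so `apt install ncdu` satisfies the rule; `' nc '` together with a separate `CommandLine|endswith: ' nc'` covers the intended case without those hits. `attack.t1553.004` denotes "Subvert Trust Controls: Install Root Certificate", which does not describe installing network tooling; a tag such as `attack.t1105` (Ingress Tool Transfer) appears closer, but the mapping should be checked against the ATT&CK matrix. Likewise `selection_tool_rpm`'s `CommandLine|contains: '-i'` matches any option containing that pair (`--info`, `--import`), so an `rpm -q --info nmap` query also fires; `' -i'` or the explicit long form narrows it.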
@@ -0,0 +1,40 @@
+title: Suspicious Git Clone - Linux
+id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
+status: experimental
+description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
+references:
+ - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
+author: Nasreddine Bencherchali
+date: 2023/01/03
+tags:
+ - attack.reconnaissance
+ - attack.t1593.003
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/git.exe'
+ CommandLine|contains: ' clone '
+ selection_keyword:
+ CommandLine|contains:
+ # Add more suspicious keywords
+ - 'exploit'
+ - 'Vulns'
+ - 'vulnerability'
+ - 'RCE'
+ - 'RemoteCodeExecution'
+ - 'Invoke-'
+ - 'CVE-'
+ - 'poc-'
+ - 'ProofOfConcept'
+ # Add more vuln names
+ - 'proxyshell'
+ - 'log4shell'
+ - 'eternalblue'
+ - 'eternal-blue'
+ - 'MS17-'
+ condition: all of selection_*
+falsepositives:
+ - Unkown
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 5bcc9ffbe..284b321f1 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -21,7 +21,7 @@ references:
 - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
 author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
-modified: 2023/01/02
+modified: 2023/01/04
 tags:
 - attack.execution
 - attack.t1059.001
@@ -34,6 +34,7 @@ detection:
 - '\Add-Exfiltration.ps1'
 - '\Add-Persistence.ps1'
 - '\Add-RegBackdoor.ps1'
+ - '\Add-RemoteRegBackdoor.ps1'
 - '\Add-ScrnSaveBackdoor.ps1'
 - '\Check-VM.ps1'
 - '\Do-Exfiltration.ps1'
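Review bot: `Image|endswith: '/git.exe'` can never match on a `product: linux` log source, where the binary is simply `git`, so as written the rule is dead; the line should read `Image|endswith: '/git'` (the `.exe` suffix looks like a copy-paste artefact from the Windows counterpart listed in the diffstat). `'RCE'` under case-insensitive `contains` is a substring of ordinary words — `source`, `force`, `resource` — so cloning any `*-resources` repository satisfies `selection_keyword`; anchoring it with a delimiter (`'-RCE'`, `'_RCE'`, `'/RCE'`) keeps the intended matches while dropping those. The `falsepositives` entry reads `Unkown` and should be `Unknown`, and the description's "suspicious keywords which might be suspicious" could be tightened to "repository names containing keywords associated with exploit or vulnerability research".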
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index f5681b205..335baafab 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains: '*' diff --git a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml index f9de98a09..44eceaa41 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml @@ -21,7 +21,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|contains: diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml index 95535ca0b..4df78d588 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_1a_payload: Payload|contains: 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml index 826bb54ff..4fd3af03c 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|contains: 'Expand-Archive' diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml index fd3a425c0..095388e73 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: Payload|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml index 5ba8781e7..bdb3c7e4b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml 
@@ -7,18 +7,18 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2022/06/20 +modified: 2023/01/04 tags: - attack.collection - attack.t1115 logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: - selection_4103: + selection: Payload|contains: 'Get-Clipboard' - condition: selection_4103 + condition: selection falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 46976953b..947318b1a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml index f23e75d22..ade49c077 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml 
@@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_payload: - Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index 010548ea8..8ca8db286 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"' diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index f95db218a..47582f71a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml index c459d364a..3c9c60b8a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml 
+++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index 0e9e880c6..272615b59 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml index e5b6f4462..d350934c0 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"' diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml index 567a0fe9e..40955c038 100644 
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index ad33cb51d..59bc6bb6c 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabledd + definition: 'Requirements: PowerShell Module Logging must be enabled'd detection: selection_4103: Payload|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index 0dcd50e28..535393eb3 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|contains|all: 
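Review bot: The new `definition` line in the `posh_pm_invoke_obfuscation_via_use_mhsta.yml` hunk ends with a stray character after the closing quote: `definition: 'Requirements: PowerShell Module Logging must be enabled'd`. The trailing `d` from the original `enabledd` typo survived the mechanical replacement, and a single-quoted YAML scalar followed by extra text is a parse error, so this rule will fail to load. The line should be `definition: 'Requirements: PowerShell Module Logging must be enabled'`. The identical defect is present in the `posh_pm_susp_athremotefxvgpudisablementcommand.yml` hunk further down.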
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 10e11a918..7b992b806 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml index c2c8b233a..230e21713 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains: diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index 6f9d204c1..fc612df0d 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains|all: 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml index a49837b18..3facf209c 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: test_2: - Payload|contains: get-ADPrincipalGroupMembership diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index 6e59a9f24..25ada0368 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabledd + definition: 'Requirements: PowerShell Module Logging must be enabled'd detection: selection_cmd: ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index c5ffd17ef..6d0a118f7 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml 
@@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains: 'Get-NetTCPConnection' diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 677e18670..92f9fba15 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_encoded: ContextInfo|contains: diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index 8c224599e..23cd32f48 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_convert_b64: ContextInfo|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml index 36cd5f293..414038c71 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml 
@@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: test_3: - Payload|contains: diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml index 7985de802..d52ff5326 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains: 'Reset-ComputerMachinePassword' diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index 76ec86dc2..201f634c2 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: - Payload|contains: get-smbshare diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml index 0579a4f7a..839919b76 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml 
@@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_4103: ContextInfo|contains|all: diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml index ed0d1c132..899a443f7 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_module - definition: PowerShell Module Logging must be enabled + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection: ContextInfo|contains: 'SyncAppvPublishingServer.exe' diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index a745ebdc1..5326d1f6b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml @@ -20,7 +20,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmd: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml index df4639d7e..9890b9455 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 23b3341b7..2c8971122 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script Block Logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml index 8482c2316..9344c27ad 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml index 678e522be..744061a8e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml 
@@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml new file mode 100644 index 000000000..fa229d87a --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml @@ -0,0 +1,27 @@ +title: Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging +id: fa2559c8-1197-471d-9cdd-05a0273d4522 +related: + - id: 92a974db-ab84-457f-9ec0-55db83d7a825 + type: similar +status: experimental +description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities +references: + - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi +author: Nasreddine Bencherchali +date: 2023/01/04 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: powershell + definition: 'Requirements: Script Block Logging must be enabled' +detection: + selection: + ScriptBlockLogging|contains: + - "if(0){{{0}}}' -f $(0 -as [char]) +" + - "#" + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml index f2b73179c..65c1adbec 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml 
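Review bot: In the new rule posh_ps_amsi_null_bits_bypass.yml the selection matches on `ScriptBlockLogging|contains`, whereas every other script-block rule in this diff matches on `ScriptBlockText`; unless a backend maps that name, the field looks like a typo and the rule would never match, so the key should presumably be `ScriptBlockText|contains:`. The second list value `"#"` is a separate problem: the list is OR-ed, so any logged script block that contains a comment character satisfies the selection, which makes this medium-level alert fire on nearly every script and makes the first, specific pattern irrelevant. Either drop `"#"` or require it alongside the specific `-f $(0 -as [char])` string via a `|contains|all` selection. The logsource also uses `service: powershell` with a definition stating Script Block Logging is required, while the neighbouring rules use `category: ps_script`; aligning it keeps the logsource-to-field mapping consistent across the ruleset.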
@@ -20,6 +20,7 @@ tags: logsource: product: windows service: powershell + definition: 'Requirements: Script Block Logging must be enabled' detection: empire: # better to randomise the order diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml index 54e8f51e4..5f4479c4f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: #4194304 DONT_REQ_PREAUTH diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml index 5d26c54cb..f08297092 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_ext: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml index 7f0bf381f..b52742308 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: '.CopyFromScreen' 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml index ed41b15b2..58bf2d79f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml index 45bb433b9..626222653 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml index cddc30ca5..d71d9a6ef 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml index c11b8debe..2a268411c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index 12f875418..c1de11032 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection1a: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml index dd5ff3bb1..1f131eaf9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection1: ScriptBlockText|contains: Clear-History 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index c1c7fb77f..3f7ced816 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmdlet: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml index 8520b93de..4f015b275 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml index 03c915c60..ca28cd647 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_copy: ScriptBlockText|contains|all: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml index c14435c36..c958c74e5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml index dde79372c..1a61b9f01 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: 'New-LocalUser' diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml index aaa8fb639..295acc7b8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml index cca164ff5..426d1093c 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 0462aaa64..461dea45e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_action: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml index d6e71c8bc..926eef0f8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows category: ps_script - definition: Script Block Logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml index 6538dcd50..8f22cc66e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml 
@@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: System.DirectoryServices.AccountManagement diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml index ca73990c6..0dc350ac3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml index 51f323566..9d25a3898 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmd: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml index 835ff5cc2..2b27478f2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml 
@@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: 'Start-Dnscat2' diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml index 0236bb86e..182a9dd07 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_kiddie: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index a91231944..261f32155 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmdlet: ScriptBlockText|contains: 'Enable-PSRemoting ' diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml index 42e9e9523..2748b953b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml 
@@ -19,7 +19,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmd: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml index 2936b9cc4..3217f716d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmd: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml index 29c478e2e..e95b2ac3e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_pwsh_remove: #Autologger provider removal ScriptBlockText|contains: 'Remove-EtwTraceProvider ' diff --git a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml index e7bd9b6f4..2a849fd21 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml @@ -11,7 +11,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml index e96a83222..72a20a433 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml index 6199b3064..d9bcf8a6b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -12,7 +12,7 @@ date: 2022/12/23 logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index 9fb1db082..65ba85aca 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml 
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
index 0e41957b9..4df3417ad 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
index df302f649..9ffd8f8d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index 6b95f660a..859873cea 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
index 1c0c1665e..0b0acc4b2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
index 88aee21b4..07ac82232 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
@@ -11,7 +11,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
index 268431ea1..298c852d1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index dee35db0e..f91f79597 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_import:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
index 8de575e07..fd593ed98 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_cmdlet:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
index 50a292386..81743a193 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_cmdlet:
 - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
index 67d28cc30..6a31ff85f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
index 961bf2f7a..3072d3a9d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_iex:
 - ScriptBlockText|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index eaf60b389..6655b55cb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
index 59bf712e2..1f74ac185 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
index 0faf6f2f3..c4b59ffee 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
index e89bc32d9..2ef76b674 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
index 1d8a40dc1..97483435b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
index c1b3ad62c..376de6fbd 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
index 0d685fdb1..7aa4eec0f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
index 8a5d19679..c5ea8efd9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
index 6bedc03fb..13730ccf8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
index 6a3a73bf6..e3b70db34 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_basic:
 ScriptBlockText|contains: 'Get-Keystrokes'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
index 501c3c0eb..18053947f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
index 7825d3345..ab2894205 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index a5b82ca41..d88d82ba5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -23,7 +23,7 @@ references:
 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
 author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)
 date: 2017/03/05
-modified: 2023/01/02
+modified: 2023/01/04
 tags:
 - attack.execution
 - attack.discovery
@@ -38,13 +38,14 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
 - 'Add-Exfiltration'
 - 'Add-Persistence'
 - 'Add-RegBackdoor'
+ - 'Add-RemoteRegBackdoor'
 - 'Add-ScrnSaveBackdoor'
 - 'Check-VM'
 - 'Do-Exfiltration'
@@ -64,6 +65,9 @@ detection:
 - 'Get-PassHashes'
 - 'Get-RegAlwaysInstallElevated'
 - 'Get-RegAutoLogon'
+ - 'Get-RemoteCachedCredential'
+ - 'Get-RemoteLocalAccountHash'
+ - 'Get-RemoteMachineAccountHash'
 - 'Get-RickAstley'
 - 'Get-Screenshot'
 - 'Get-SecurityPackages'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
index d1a82c7da..baa89ee45 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
index 3ef3cc064..9c2fdf12d 100644
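Review bot: The four cmdlet names added to `ScriptBlockText|contains` in the `@@ -38` and `@@ -64` hunks (`Add-RemoteRegBackdoor`, `Get-RemoteCachedCredential`, `Get-RemoteLocalAccountHash`, `Get-RemoteMachineAccountHash`) arrive without any `references:` entry naming the tool they belong to — the only metadata change in this file is the `modified` date bump — so an analyst triaging a hit on one of them has nothing to look up. They look like the function names from HarmJ0y's DAMP project (Add-RemoteRegBackdoor.ps1 / RemoteHashRetrieval.ps1); if that is the source, add `- https://github.com/HarmJ0y/DAMP` under `references:`, unless it already appears in the part of the list outside the hunk. Because these functions appear to operate against a remote host, the script block is logged on the machine the operator runs PowerShell from rather than on the victim, which is a coverage limitation worth one sentence in the rule's `description` so nobody assumes the targeted host will alert. Both the `references:` list and the `ScriptBlockText|contains` list extend beyond the hunks shown.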
--- a/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
index 56be9cb6c..165852609 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_path:
 ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
index bc7de16b3..7c0110098 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index 9a68fcd84..b878064e2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
index 702df6e6e..6485befa8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_content:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
index f94cb548b..27ebe0fde 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
index 12036f63b..4fb949f32 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
index f742e1293..d03f82f61 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'PromptForCredential'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
index 7f392e44b..95b10125e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'PSAsyncShell'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
index d8be59d97..927e769d9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_psattack.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'PS ATTACK!!!'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
index aa160f594..49e612494 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
index c75aee72c..e181f62a9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index 51d67294f..ddc1cf1ef 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index 269775a91..7276ced41 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection1:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index 1d2663ef6..287caec29 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
index 9cdd71a13..779c695a4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_1:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index db41fc30d..9e79f3aa2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'Send-MailMessage'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
index cb99de2e3..497c0d9b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_action:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 0a7e959c1..92e9ce7ff 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 cmdlet:
 ScriptBlockText|contains: 'Set-ExecutionPolicy'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
index 33ed1c1de..77c40abbb 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'AAAAYInlM'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
index 0e7ce203a..fd3eb2972 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index 1e7e08871..4fdeb58a1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index b1973cef2..df0557846 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_compspec:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index cbb20614d..d3365ee89 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 test_2:
 ScriptBlockText|contains: get-ADPrincipalGroupMembership
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
index e3484e805..97238f5d8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index 67b6b25a5..55d817a7e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index b8a2e0a53..bea931133 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 webclient:
 ScriptBlockText|contains: 'System.Net.WebClient'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index b814f9f23..f26d83b63 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -17,7 +17,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_start:
 ScriptBlockText|contains: Start-Process
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
index c01b922c5..1b882804c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'Export-PfxCertificate'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index c0c3b1688..f2ebf2f61 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
index 6404067b4..4c462db62 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index eed1d381f..dfa2eb12b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
index 306f99d50..91b760ca3 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
index 8fce8cea8..b30d717b4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: Get-GPO
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
index 3e4ed607a..2ecdba0d0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: Get-Process
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
index 2a1c1e65d..418a10281 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'Get-Process lsass'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
index 016637ff1..95e93e86d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
index 982006546..fc85471f7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index 3e88f4542..1f35d5f74 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
index d851cfdca..1a5468f15 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_encoded:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
index d98028c9a..533749286 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 select_convert_b64:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 5fe1d34d9..61071b01b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index c595f7474..0e8decea4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
new file mode 100644
index 000000000..d0796f6d0
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml
@@ -0,0 +1,26 @@
+title: Potential Keylogger Activity
+id: 965e2db9-eddb-4cf6-a986-7a967df651e4
+status: experimental
+description: Detects PowerShell scripts that contains reference to keystroke capturing functions
+references:
+ - https://twitter.com/ScumBots/status/1610626724257046529
+ - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
+ - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
+ - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
+author: Nasreddine Bencherchali
+date: 2023/01/04
+tags:
+ - attack.collection
+ - attack.credential_access
+ - attack.t1056.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index 1321b31b9..84f0a2ad9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
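Review bot: The new rule posh_ps_susp_keylogger_activity.yml keys its only selection on the `[Windows.Input.Keyboard]` accelerator spelling, while the fully qualified type name that the rule's own Microsoft reference documents resolves to the same IsKeyDown API and would not match; anchoring the substring after the type name, `ScriptBlockText|contains: 'Keyboard]::IsKeyDown([System.Windows.Input.Key]::'`, covers both spellings without loosening the match. The description reads `scripts that contains reference`; `scripts that contain references to keystroke-capturing functions` would be cleaner. With `level: medium` and a single broad API match, `falsepositives: Unknown` is thin — if legitimate GUI/WPF scripts polling key state are an expected source, naming them there helps triage, though that is an inference from the API rather than something the hunk shows.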
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled for 4104
+ definition: 'Requirements: Script Block Logging must be enabled' for 4104
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index a3750fde6..51dcb960c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 test_3:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index 02e29b791..b9159bcbe 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index 5dbc2f1ac..7cb2cf29b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
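Review bot: The new `definition` line in posh_ps_susp_keywords.yml leaves ` for 4104` dangling after the closing quote, which is not valid YAML (trailing content after a single-quoted scalar) and will fail the rule loader and the repository's test suite; it looks like the mass search-and-replace did not account for the longer original text. Either fold the suffix into the string, `definition: 'Requirements: Script Block Logging must be enabled for 4104'`, or drop it so the line matches the wording used in every other hunk of this commit. The other two hunks on this line (local_group_reco, mail_acces) are fine.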
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 59e59dae7..9ccd81c10 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index e0e381e37..4020eb333 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 61737d379..6293d0c16 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
index 392f497b8..f6bb2827d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml
@@ -12,7 +12,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
index 5ec305e37..0478af77b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_action:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
index 9966e7b8a..f5b63be2d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
index 36667445c..64e36663e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_sddl_flag:
 ScriptBlockText|contains:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
index 775db8b76..f46c20b08 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml
@@ -16,7 +16,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: get-smbshare
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
index b840d8d3f..fe2906a00 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
index 1ae9f611a..4e689a786 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
index 5dfe70bc1..666ce10d0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
index 5d5615af3..03bf4c28b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml
@@ -14,7 +14,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_1:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
index 79d8c7ca2..7dd77e543 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: Win32_PnPEntity
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index 863835803..7b53b258e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
index c4c13d575..c18e3b00f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
index 3bf43e462..f9b1a61d4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml
@@ -11,7 +11,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 5c4423415..83a82e09f 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -13,7 +13,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script Block Logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_4104:
 ScriptBlockText|contains|all:
diff --git a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
index 2b296019a..88486a63c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
 ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
index 8d2a5aa0d..6cdeaa8a2 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
@@ -18,7 +18,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_options_disabling_preference:
 ScriptBlockText|contains: 'Set-MpPreference'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
index 878e181a2..f9d75a872 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
@@ -15,7 +15,7 @@ tags:
 logsource:
 product: windows
 category: ps_script
- definition: Script block logging must be enabled
+ definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection_remove:
 ScriptBlockText|contains: 'Remove-MpPreference'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
index 447eb452c..8476044f5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml
@@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml index 6b01394ae..915f754d8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_ioc: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml index cf7936755..07d60631b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: # Examples: diff --git a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml index 33eeecfb1..f8e3495de 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml @@ -13,7 +13,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml index 2ba788f2a..4d7e2283e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml @@ -15,7 +15,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_cmdlet: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml index eccbec3af..f6f4b8e80 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml index fad3f7007..37ab5b8ba 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml index 695c9fff0..b54a9a758 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml index 54c54c962..ac66e8082 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml @@ -12,7 +12,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml index d5360f44f..acacbec7c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml @@ -18,7 +18,7 @@ tags: logsource: category: ps_script product: windows - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_args_exc: ScriptBlockText|contains: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml index a2f99f466..a02efba72 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml @@ -20,7 +20,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_args: ScriptBlockText|contains|all: diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml index 3ce685531..24ab10e8c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml @@ -17,7 +17,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: 'CurrentVersion\Winlogon' diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml index 0d446e39c..9cab3e260 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_ioc: - ScriptBlockText|contains|all: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml index 5ed3c1338..d53f5db28 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml @@ -18,7 +18,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml index da767dee7..8bd67af54 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml index 223b3637b..aa42855b6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -14,7 +14,7 @@ date: 2022/12/23 logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: diff --git a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml index 78da29951..dc27f6514 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: Script block logging must be enabled + definition: 'Requirements: Script Block Logging must be enabled' detection: selection_xml: ScriptBlockText|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml b/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml new file mode 100644 index 000000000..2a6d13d82 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml @@ -0,0 +1,26 @@ +title: Potential AMSI Bypass Using NULL Bits - ProcessCreation +id: 92a974db-ab84-457f-9ec0-55db83d7a825 +related: + - id: fa2559c8-1197-471d-9cdd-05a0273d4522 + type: similar +status: experimental +description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities +references: + - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi +author: Nasreddine Bencherchali +date: 2023/01/04 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - "if(0){{{0}}}' -f $(0 -as [char]) +" + - "#" + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml index 2194f4acd..bee5a6cc4 100644 --- a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml 
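Review bot: In the new `selection` of proc_creation_win_amsi_null_bits_bypass.yml the second list item under `CommandLine|contains:` appears to be the bare string `"#"`; a plain `contains` list is an OR, so that entry on its own matches every process command line containing a `#` character and the rule would fire far beyond the null-bits pattern its title describes. If both fragments are meant to co-occur the modifier should be `CommandLine|contains|all:`, and if `"#"` is a leftover it should be dropped. The intended reading is hard to confirm from the collapsed diff, so please check the file as committed.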
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 -modified: 2022/06/12 +modified: 2023/01/03 tags: - attack.discovery - attack.t1033 @@ -15,30 +15,33 @@ logsource: category: process_creation product: windows detection: - selection_1: - - Image|endswith: '\whoami.exe' - - Image|endswith: '\wmic.exe' - CommandLine|contains|all: - - 'useraccount' - - 'get' - - Image|endswith: + selection_other_img: + Image|endswith: + - '\whoami.exe' - '\quser.exe' - '\qwinsta.exe' - - Image|endswith: '\cmdkey.exe' - CommandLine|contains: ' /l' - - Image|endswith: '\cmd.exe' - CommandLine|contains|all: + selection_other_wmi: + Image|endswith: '\wmic.exe' + CommandLine|contains|all: + - 'useraccount' + - 'get' + selection_other_cmdkey: + Image|endswith: '\cmdkey.exe' + CommandLine|contains: ' /l' + selection_cmd: + Image|endswith: '\cmd.exe' + CommandLine|contains|all: - ' /c' - 'dir ' - '\Users\' - filter_1: + filter_cmd: CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" - selection_2: + selection_net: Image|endswith: - '\net.exe' - '\net1.exe' CommandLine|contains: 'user' - filter_2: + filter_net: CommandLine|contains: - '/domain' # local account discovery only - '/add' # discovery only 
@@ -49,15 +52,7 @@ detection: - '/scriptpath' # discovery only - '/times' # discovery only - '/workstations' # discovery only - condition: (selection_1 and not filter_1) or (selection_2 and not filter_2) -fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentCommandLine + condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_* falsepositives: - Legitimate administrator or user enumerates local users for legitimate reason level: low diff --git a/rules/windows/process_creation/proc_creation_win_susp_cdb.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml similarity index 72% rename from rules/windows/process_creation/proc_creation_win_susp_cdb.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml index ab3ec391d..325a8c7d1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cdb.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml @@ -1,14 +1,14 @@ -title: Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner +title: WinDbg/CDB LOLBIN Usage id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2 status: test -description: Launch 64-bit shellcode from a debugger script file using cdb.exe. +description: Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/ - - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html + - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html - https://twitter.com/nas_bench/status/1534957360032120833 author: Beyu Denis, oscd.community, Nasreddine Bencherchali date: 2019/10/26 -modified: 2022/06/09 +modified: 2023/01/04 tags: - attack.execution - attack.t1106 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml index a297dfe47..64c0b6530 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml @@ -1,12 +1,12 @@ title: Monitoring Winget For LOLbin Execution id: 313d6012-51a0-4d93-8dfc-de8553239e25 status: experimental -description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later. +description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later. references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install author: Sreeman, Florian Roth, Frack113 date: 2020/04/21 -modified: 2022/01/11 +modified: 2023/01/03 tags: - attack.defense_evasion - attack.execution 
@@ -15,16 +15,17 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: - - 'winget' + selection_img: + - Image|endswith: '\winget.exe' + - OriginalFileName: 'winget.exe' + selection_install_flag: + CommandLine|contains: - 'install' + selection_manifest_flag: CommandLine|contains: - '-m ' - '--manifest' - condition: selection -fields: - - CommandLine + condition: all of selection_* falsepositives: - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml index 375c72c13..ff672f2cb 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml @@ -1,5 +1,10 @@ title: Use of Forfiles For Execution id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b +related: + - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8 + type: obsoletes + - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 + type: obsoletes status: experimental description: Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting. references: @@ -31,5 +36,5 @@ detection: - ' -c ' condition: all of selection* falsepositives: - - Legitimate use by a via a batch script or by an administrator. + - Legitimate use via a batch script or by an administrator. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index 45a030e69..2a068f1fb 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml 
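Review bot: `selection_install_flag` keeps `'install'` as an unanchored substring, so with the new `condition: all of selection_*` the rule also fires on `winget uninstall --manifest …`, which is not the manifest-based install the title and description talk about. If that is not intended, `- ' install '` (with surrounding spaces) restricts the match to the install sub-command, and since the image path is always followed by a space this should not lose the positive case. The list under `selection_manifest_flag` is context carried over from the old selection, so this remark concerns only the added line.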
@@ -1,12 +1,16 @@ title: Use of Pcalua For Execution id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2 +related: + - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 + type: obsoletes status: experimental -description: Execute commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This is used as a LOLBIN for example to bypass application whitelisting. +description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/ - https://pentestlab.blog/2020/07/06/indirect-command-execution/ -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2022/06/14 +modified: 2023/01/04 tags: - attack.execution - attack.t1059 diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml index 4e0562d41..99f7edebe 100644 --- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml @@ -19,6 +19,7 @@ references: - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html author: Nasreddine Bencherchali date: 2023/01/02 +modified: 2023/01/04 tags: - attack.execution - attack.discovery @@ -39,6 +40,7 @@ detection: - 'Add-Exfiltration' - 'Add-Persistence' - 'Add-RegBackdoor' + - 'Add-RemoteRegBackdoor' - 'Add-ScrnSaveBackdoor' - 'Check-VM' - 'Do-Exfiltration' @@ -58,6 +60,9 @@ detection: - 'Get-PassHashes' - 'Get-RegAlwaysInstallElevated' - 'Get-RegAutoLogon' + - 'Get-RemoteCachedCredential' + - 'Get-RemoteLocalAccountHash' + - 'Get-RemoteMachineAccountHash' - 'Get-RickAstley' - 'Get-Screenshot' - 'Get-SecurityPackages' 
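Review bot: The rewritten `description:` line in proc_creation_win_lolbin_pcalua.yml introduces the typo `execition`; it should read `description: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.` The added `related:` block marks fa47597e-90e9-41cd-ab72-c3b74cfb0d02 as obsoleted here, and the forfiles hunk just above marks the same id as obsoleted by proc_creation_win_lolbin_forfiles.yml; one id being obsoleted by two rules is presumably deliberate (the old rule covered both binaries), but worth confirming so the deprecation pointer is not ambiguous.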
diff --git a/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml b/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml index 82d2e0c6d..7b95ab800 100644 --- a/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml +++ b/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml @@ -1,7 +1,7 @@ title: Suspicious Usage of the Manage-bde.wsf Script id: c363385c-f75d-4753-a108-c1a8e28bdbda status: test -description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script +description: Detects usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script references: - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml index b953fc654..e28e6189b 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml @@ -1,4 +1,4 @@ -title: PowerShell Downgrade Attack +title: Potential PowerShell Downgrade Attack id: b3512211-c67e-4707-bedc-66efc7848863 related: - id: 6331d09b-4785-4c13-980f-f96661356249 
@@ -7,9 +7,10 @@ status: test description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 references: - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ + - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade- author: Harish Segar (rule) date: 2020/03/20 -modified: 2022/07/14 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.execution @@ -19,9 +20,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' + Image|endswith: '\powershell.exe' CommandLine|contains: - ' -version 2 ' - ' -versio 2 ' @@ -29,6 +28,7 @@ detection: - ' -vers 2 ' - ' -ver 2 ' - ' -ve 2 ' + - ' -v 2 ' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml new file mode 100644 index 000000000..3405097af --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml 
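Review bot: With `Image|endswith` reduced to the single value `'\powershell.exe'` the selection now depends entirely on the on-disk file name, so a copied or renamed powershell.exe started with `-v 2` is no longer covered, and the removed `\pwsh.exe` entry did not help there either. Other hunks in this patch (the winget and git rules) pair the image match with PE metadata in a list selection; the same shape, `- Image|endswith: '\powershell.exe'` / `- OriginalFileName: 'PowerShell.EXE'` as its own `selection_img` combined with the command-line selection in `condition`, would keep the rule robust to renaming. Dropping `\pwsh.exe` itself looks correct since the version-2 engine switch only applies to Windows PowerShell, though I have not verified that from the diff.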
@@ -0,0 +1,46 @@ +title: Suspicious Git Clone +id: aef9d1f1-7396-4e92-a927-4567c7a495c1 +status: experimental +description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious +references: + - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt +author: Nasreddine Bencherchali +date: 2023/01/03 +tags: + - attack.reconnaissance + - attack.t1593.003 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\git.exe' + - '\git-remote-https.exe' + - OriginalFileName: 'git.exe' + selection_cli: + CommandLine|contains: + - ' clone ' + - 'git-remote-https ' + selection_keyword: + CommandLine|contains: + # Add more suspicious keywords + - 'exploit' + - 'Vulns' + - 'vulnerability' + - 'RCE' + - 'RemoteCodeExecution' + - 'Invoke-' + - 'CVE-' + - 'poc-' + - 'ProofOfConcept' + # Add more vuln names + - 'proxyshell' + - 'log4shell' + - 'eternalblue' + - 'eternal-blue' + - 'MS17-' + condition: all of selection_* +falsepositives: + - Unkown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index 170e98577..826452f11 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml @@ -1,4 +1,4 @@ -title: Suspicious WMI Reconnaissance +title: WMI Process Reconnaissance id: 221b251a-357a-49a9-920a-271802777cc0 status: experimental description: An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches. 
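Review bot: `'RCE'` in `selection_keyword` is a three-character substring and Sigma string matching is case-insensitive, so it also matches repository URLs containing `source`, `force`, `resource` or `commerce` (for example an `open-source-…` repository), and those hits will dominate a rule whose other selections only require a `clone`. A delimited form such as `- '-rce'`, `- 'rce-'` or `- '/rce'` would keep the intent with far fewer benign matches. Separately, `falsepositives:` has the typo `Unkown` → `Unknown`, and the description's "that contain suspicious keywords which might be suspicious" reads better as "whose name or URL contains suspicious keywords". The `# Add more suspicious keywords` and `# Add more vuln names` comments read as open work items; marking them `# TODO:` makes that explicit.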
@@ -7,7 +7,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic author: frack113 date: 2022/01/01 -modified: 2022/05/13 +modified: 2023/01/03 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml new file mode 100644 index 000000000..bc803a81c --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml @@ -0,0 +1,25 @@ +title: Potential AMSI COM Server Hijacking +id: 160d2780-31f7-4922-8b3a-efce30e63e96 +status: experimental +description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless +references: + - https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ + - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass +author: Nasreddine Bencherchali +date: 2023/01/04 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)' + filter: + Details: '%windir%\system32\amsi.dll' + condition: selection and not filter +falsepositives: + - Unknown +level: high From e43371ffcf025da9b826933c7399b13b60d50650 Mon Sep 17 00:00:00 2001 
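Review bot: The `filter` in registry_set_amsi_com_hijack.yml excludes only the literal `%windir%\system32\amsi.dll`, so a legitimate write of the expanded path or of the 32-bit (SysWOW64) form under the Wow6432Node CLSID path, which the `endswith` match also covers, would alert at level high; I cannot confirm from the diff which forms Windows actually writes, so please verify against a stock system before relying on the single-value filter. The new `description:` also has three typos: `AMSI come server` → `AMSI COM server`, `in order disable` → `in order to disable`, and `attempts to starts` → `attempts to start`.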
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 17:51:34 +0100 Subject: [PATCH 25/64] fix: small typos --- .../posh_pm_invoke_obfuscation_via_use_mhsta.yml | 8 ++++---- ...posh_pm_susp_athremotefxvgpudisablementcommand.yml | 11 +++-------- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index 59bc6bb6c..97918504e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -9,7 +9,7 @@ references: - https://github.com/SigmaHQ/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2022/11/29 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1027 @@ -18,9 +18,9 @@ tags: logsource: product: windows category: ps_module - definition: 'Requirements: PowerShell Module Logging must be enabled'd + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: - selection_4103: + selection: Payload|contains|all: - 'set' - '&&' @@ -28,7 +28,7 @@ detection: - 'vbscript:createobject' - '.run' - '(window.close)' - condition: selection_4103 + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index 25ada0368..0585ac797 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml 
@@ -7,14 +7,14 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 author: frack113 date: 2021/07/13 -modified: 2022/12/02 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1218 logsource: product: windows category: ps_module - definition: 'Requirements: PowerShell Module Logging must be enabled'd + definition: 'Requirements: PowerShell Module Logging must be enabled' detection: selection_cmd: ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand ' @@ -24,12 +24,7 @@ detection: - '-ModulePath ' - '-ScriptBlock ' - '-RemoteFXvGPUDisablementFilePath' - condition: selection_cmd and selection_opt -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine + condition: all of selection_* falsepositives: - Unknown level: medium From fb9caa875c10648595bad144fc5111f174669867 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 17:53:24 +0100 Subject: [PATCH 26/64] fix: other typos --- .../windows/powershell_suspicious_invocation_specific.yml | 2 +- .../powershell/powershell_script/posh_ps_susp_keywords.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml b/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml index a4e817aaf..dcdaf67e1 100644 --- a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml +++ b/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml @@ -11,7 +11,7 @@ modified: 2022/04/11 logsource: product: windows service: powershell - definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 + definition: Script block logging must be enabled detection: convert_b64: - '-nop' 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml index 84f0a2ad9..05a66e50b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml @@ -16,7 +16,7 @@ tags: logsource: product: windows category: ps_script - definition: 'Requirements: Script Block Logging must be enabled' for 4104 + definition: 'Requirements: Script Block Logging must be enabled' detection: selection: ScriptBlockText|contains: From ec6c8c391fb2151668567dc239ee12ac1bf44548 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 17:54:20 +0100 Subject: [PATCH 27/64] fix: rollback --- .../windows/powershell_suspicious_invocation_specific.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml b/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml index dcdaf67e1..a4e817aaf 100644 --- a/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml +++ b/rules-deprecated/windows/powershell_suspicious_invocation_specific.yml @@ -11,7 +11,7 @@ modified: 2022/04/11 logsource: product: windows service: powershell - definition: Script block logging must be enabled + definition: Script block logging must be enabled for 4104, Module Logging must be enabled for 4103 detection: convert_b64: - '-nop' From 3cb8e4c608c84a1f0ef64c18bd02ad5d96eb9f3b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 17:55:48 +0100 Subject: [PATCH 28/64] fix: status --- .../proc_creation_win_indirect_command_execution_forfiles.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml b/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml index 8b1bb6c6b..e05d0a2a5 100644 --- a/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml +++ b/rules-deprecated/windows/proc_creation_win_indirect_command_execution_forfiles.yml @@ -3,7 +3,7 @@ id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8 related: - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 type: obsoletes -status: experimental +status: deprecated description: Detects execition of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting. references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a From 219b24be0bd12b09e45cf83651dd186219f65ae9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:04:14 +0100 Subject: [PATCH 29/64] fix: broken selection --- .../proc_creation_win_lolbin_execution_via_winget.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml index 64c0b6530..2bce671d0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml @@ -19,8 +19,7 @@ detection: - Image|endswith: '\winget.exe' - OriginalFileName: 'winget.exe' selection_install_flag: - CommandLine|contains: - - 'install' + CommandLine|contains: 'install' selection_manifest_flag: CommandLine|contains: - '-m ' From 2b0451992349c6d1de80887a66217fb84dff042c Mon Sep 17 00:00:00 2001 
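Review bot: `CommandLine|contains: 'install'` in selection_install_flag also matches `uninstall`, since `install` is a substring of it; if the rule is meant to catch install invocations only, `CommandLine|contains: ' install '` (with surrounding spaces) narrows it. The commit only collapses the one-item list to a scalar, so the substring issue predates it, but the scalar is the line now under review. The rule's `condition` is outside the hunk, so whether this selection is ANDed with selection_manifest_flag is not visible here.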
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:26:59 +0100 Subject: [PATCH 30/64] fix: unique item list --- .../proc_creation_lnx_install_suspicioua_packages.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml index 5f8dec1d0..726225676 100644 --- a/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml +++ b/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml @@ -19,8 +19,7 @@ detection: - '/apt-get' CommandLine|contains: 'install' selection_tool_yum: - Image|endswith: - - '/yum' + Image|endswith: '/yum' CommandLine|contains: - 'localinstall' - 'install' From d8b8cf04bd3959438eb74d09da0543ddb794fc99 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:38:04 +0100 Subject: [PATCH 31/64] fix: wrong fp --- .../linux/process_creation/proc_creation_lnx_susp_git_clone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml index 3222b7a55..e37981c89 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml @@ -36,5 +36,5 @@ detection: - 'MS17-' condition: all of selection_* falsepositives: - - Unkown + - Unknown level: medium From 903ebb11761665dfbf4e21d1f48f0f3373e0ee4f Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 4 Jan 2023 17:42:16 +0000 Subject: [PATCH 32/64] FP: tenable nessus client calls cmd during scanning. --- .../windows/process_creation/proc_creation_win_susp_cmd.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
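Review bot: In selection_tool_yum the `'localinstall'` entry is dead: `CommandLine|contains` with `'install'` already matches every command line that contains `localinstall`, so the list reduces to `CommandLine|contains: 'install'`. If the two were intended as distinct whole-word matches, both need surrounding spaces (`' localinstall '`, `' install '`); otherwise drop the redundant entry, which is the same kind of cleanup this commit makes for `Image|endswith`. The rule's `condition` lies outside the hunk.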
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml index 9dfbb96b5..976d65498 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml @@ -6,7 +6,7 @@ references: - https://github.com/Wh04m1001/SysmonEoP author: frack113, Tim Shelton (update fp) date: 2022/12/05 -modified: 2023/01/03 +modified: 2023/01/04 tags: - attack.privilege_escalation - attack.defense_evasion @@ -66,6 +66,10 @@ detection: # CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector ParentImage: 'C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe' Image|endswith: '\cmd.exe' + filter_tenable: + ParentImage: 'C:\Program Files\Tenable\Nessus Agent\nessus-agent-module.exe' + Image|endswith: '\cmd.exe' + condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown From 46f01f2f88a124d3c150fff3c7f2654bc14f8ad9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:46:34 +0100 Subject: [PATCH 33/64] fix: typo in unknown --- .../process_creation/proc_creation_win_susp_git_clone.yml | 2 +- tests/test_logsource.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml index 3405097af..10eb2b7d9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml @@ -42,5 +42,5 @@ detection: - 'MS17-' condition: all of selection_* falsepositives: - - Unkown + - Unknown level: medium 
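Review bot: filter_tenable pins `ParentImage` to the default install directory `C:\Program Files\Tenable\Nessus Agent\nessus-agent-module.exe`, so agents installed elsewhere are not excluded — acceptable for an allow-list filter, but the neighbouring Varonis filter documents the observed invocation in a `# CommandLine: ...` comment while this one does not. Proposed: add `# CommandLine: <observed Nessus Agent cmd.exe invocation — placeholder>` above `filter_tenable` so a later reviewer can judge whether the exclusion is as narrow as it needs to be. The `Image|endswith: '\cmd.exe'` inside the filter mirrors the Varonis filter, so the style is at least consistent with the file.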
diff --git a/tests/test_logsource.py b/tests/test_logsource.py index 99c7d5104..773f73f19 100644 --- a/tests/test_logsource.py +++ b/tests/test_logsource.py @@ -165,7 +165,7 @@ class TestRules(unittest.TestCase): files_with_fieldname_issues.append(file) self.assertEqual(files_with_fieldname_issues, [], Fore.RED + - "There are rule files which contains unkown field or with cast error") + "There are rule files which contains unknown field or with cast error") def load_fields_json(name:str): data = {} From 756a248032c150f4ffd504c633bdee3cacce1fdb Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 4 Jan 2023 18:52:24 +0100 Subject: [PATCH 34/64] update logsource --- .../azure_app_privileged_permissions.yml | 3 +- ...oc_creation_macos_space_after_filename.yml | 4 +- .../cisco/aaa/cisco_cli_collect_data.yml | 3 +- .../cisco/aaa/cisco_cli_crypto_actions.yml | 3 +- .../cisco/aaa/cisco_cli_disable_logging.yml | 3 +- .../network/cisco/aaa/cisco_cli_discovery.yml | 3 +- rules/network/cisco/aaa/cisco_cli_dos.yml | 3 +- .../cisco/aaa/cisco_cli_file_deletion.yml | 3 +- .../cisco/aaa/cisco_cli_input_capture.yml | 3 +- .../cisco/aaa/cisco_cli_local_accounts.yml | 3 +- .../cisco/aaa/cisco_cli_modify_config.yml | 3 +- .../cisco/aaa/cisco_cli_moving_data.yml | 3 +- .../network/cisco/aaa/cisco_cli_net_sniff.yml | 3 +- rules/web/web_cve_2021_26858_iis_rce.yml | 4 +- ..._service_installation_by_unusal_client.yml | 4 +- .../win_security_susp_computer_name.yml | 3 +- ..._service_installation_by_unusal_client.yml | 4 +- tests/logsource.json | 208 +++++++++++++++++- tests/test_logsource.py | 87 ++++++-- 19 files changed, 292 insertions(+), 58 deletions(-) diff --git a/rules/cloud/azure/azure_app_privileged_permissions.yml b/rules/cloud/azure/azure_app_privileged_permissions.yml index ec44918df..5bd6052c3 100644 --- a/rules/cloud/azure/azure_app_privileged_permissions.yml +++ b/rules/cloud/azure/azure_app_privileged_permissions.yml 
@@ -6,10 +6,11 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/28 +modified: 2023/01/04 tags: - attack.privilege_escalation logsource: - product: microsoft365portal + product: azure service: auditlogs detection: selection: diff --git a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml index f7f329e03..4570e106d 100644 --- a/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml +++ b/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md author: remotephone date: 2021/11/20 -modified: 2022/12/25 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1036.006 @@ -17,7 +17,7 @@ detection: selection1: CommandLine|endswith: ' ' selection2: - ImageName|endswith: ' ' + Image|endswith: ' ' condition: 1 of selection* falsepositives: - Mistyped commands or legitimate binaries named to match the pattern diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml index d832f6094..7e00356ca 100644 --- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml @@ -4,7 +4,7 @@ status: test description: Collect pertinent data from the configuration files author: Austin Clark date: 2019/08/11 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.discovery - attack.credential_access @@ -15,7 +15,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'show running-config' 
diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml index cac0f231d..ee51db55f 100644 --- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml +++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -4,7 +4,7 @@ status: test description: Show when private keys are being exported from the device, or when new certificates are installed author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.credential_access - attack.defense_evasion @@ -13,7 +13,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'crypto pki export' diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml index ea9d7290f..7ff07143b 100644 --- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml +++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -4,14 +4,13 @@ status: test description: Turn off logging locally or remote author: Austin Clark date: 2019/08/11 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.t1562.001 logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'no logging' diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml index ca5e160ea..970e34df7 100644 --- a/rules/network/cisco/aaa/cisco_cli_discovery.yml +++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml @@ -4,7 +4,7 @@ status: test description: Find information about network devices that is not stored in config files author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.discovery - attack.t1083 @@ -19,7 +19,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'dir' 
diff --git a/rules/network/cisco/aaa/cisco_cli_dos.yml b/rules/network/cisco/aaa/cisco_cli_dos.yml index 769660112..e2455a3bc 100644 --- a/rules/network/cisco/aaa/cisco_cli_dos.yml +++ b/rules/network/cisco/aaa/cisco_cli_dos.yml @@ -4,7 +4,7 @@ status: test description: Detect a system being shutdown or put into different boot mode author: Austin Clark date: 2019/08/15 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.impact - attack.t1495 @@ -13,7 +13,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'shutdown' diff --git a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml index e79f3b9f7..beedf9793 100644 --- a/rules/network/cisco/aaa/cisco_cli_file_deletion.yml +++ b/rules/network/cisco/aaa/cisco_cli_file_deletion.yml @@ -4,7 +4,7 @@ status: test description: See what files are being deleted from flash file systems author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.defense_evasion - attack.impact @@ -14,7 +14,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'erase' diff --git a/rules/network/cisco/aaa/cisco_cli_input_capture.yml b/rules/network/cisco/aaa/cisco_cli_input_capture.yml index 4a8bbfc82..ccd20f84a 100644 --- a/rules/network/cisco/aaa/cisco_cli_input_capture.yml +++ b/rules/network/cisco/aaa/cisco_cli_input_capture.yml @@ -4,14 +4,13 @@ status: test description: See what commands are being input into the device by other people, full credentials can be in the history author: Austin Clark date: 2019/08/11 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.credential_access - attack.t1552.003 logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'show history' diff --git a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml index c941f2447..678773565 100644 
--- a/rules/network/cisco/aaa/cisco_cli_local_accounts.yml +++ b/rules/network/cisco/aaa/cisco_cli_local_accounts.yml @@ -4,7 +4,7 @@ status: test description: Find local accounts being created or modified as well as remote authentication configurations author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.persistence - attack.t1136.001 @@ -12,7 +12,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'username' diff --git a/rules/network/cisco/aaa/cisco_cli_modify_config.yml b/rules/network/cisco/aaa/cisco_cli_modify_config.yml index a3f833c20..699678c94 100644 --- a/rules/network/cisco/aaa/cisco_cli_modify_config.yml +++ b/rules/network/cisco/aaa/cisco_cli_modify_config.yml @@ -4,7 +4,7 @@ status: test description: Modifications to a config that will serve an adversary's impacts or persistence author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.persistence - attack.impact @@ -15,7 +15,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'ip http server' diff --git a/rules/network/cisco/aaa/cisco_cli_moving_data.yml b/rules/network/cisco/aaa/cisco_cli_moving_data.yml index b4f5f2963..a5068ab1d 100644 --- a/rules/network/cisco/aaa/cisco_cli_moving_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_moving_data.yml @@ -4,7 +4,7 @@ status: test description: Various protocols maybe used to put data on the device for exfil or infil author: Austin Clark date: 2019/08/12 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.collection - attack.lateral_movement @@ -16,7 +16,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'tftp' diff --git a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml index 0a390d6d4..e5063d4dc 100644 --- a/rules/network/cisco/aaa/cisco_cli_net_sniff.yml 
+++ b/rules/network/cisco/aaa/cisco_cli_net_sniff.yml @@ -4,7 +4,7 @@ status: test description: Show when a monitor or a span/rspan is setup or modified author: Austin Clark date: 2019/08/11 -modified: 2021/11/27 +modified: 2023/01/04 tags: - attack.credential_access - attack.discovery @@ -12,7 +12,6 @@ tags: logsource: product: cisco service: aaa - category: accounting detection: keywords: - 'monitor capture point' diff --git a/rules/web/web_cve_2021_26858_iis_rce.yml b/rules/web/web_cve_2021_26858_iis_rce.yml index 02853d426..e85114085 100644 --- a/rules/web/web_cve_2021_26858_iis_rce.yml +++ b/rules/web/web_cve_2021_26858_iis_rce.yml @@ -6,10 +6,10 @@ references: - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c author: frack113 date: 2021/08/10 -modified: 2022/10/09 +modified: 2023/01/04 logsource: product: windows - category: webserver + service: iis definition: w3c-logging must be enabled https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging detection: selection: diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index f9f4dc85c..1b087a989 100644 --- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml @@ -10,12 +10,12 @@ references: - https://twitter.com/SBousseaden/status/1490608838701166596 author: Tim Rauch date: 2022/09/15 -modified: 2022/12/04 +modified: 2023/01/04 tags: - attack.privilege_escalation - attack.t1543 logsource: - category: security + service: security product: windows definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: 
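Review bot: web_cve_2021_26858_iis_rce.yml moves from `category: webserver` to `service: iis`, but this commit's diffstat lists only rules/ and tests/ files, so any backend configuration that maps the `webserver` category to an index or channel is not updated here; unless the converters already know a `service: iis` log source, the rule may lose its mapping at conversion time. The `definition` line still points at w3c-logging, which is consistent with the `iis` field list added to tests/logsource.json in the same commit. Either add the backend mapping in this commit or note the follow-up in the commit message.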
diff --git a/rules/windows/builtin/security/win_security_susp_computer_name.yml b/rules/windows/builtin/security/win_security_susp_computer_name.yml index c74d21d53..1b7b0338f 100644 --- a/rules/windows/builtin/security/win_security_susp_computer_name.yml +++ b/rules/windows/builtin/security/win_security_susp_computer_name.yml @@ -8,6 +8,7 @@ references: - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py author: elhoim date: 2022/09/09 +modified: 2023/01/04 tags: - cve.2021.42278 - cve.2021.42287 @@ -15,7 +16,7 @@ tags: - attack.privilege_escalation - attack.t1078 logsource: - category: security + service: security product: windows detection: # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created) diff --git a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml index d5d3b1ff0..c9b75f3bd 100644 --- a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml @@ -9,13 +9,13 @@ references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html author: Tim Rauch date: 2022/09/15 -modified: 2022/12/04 +modified: 2023/01/04 tags: - attack.privilege_escalation - attack.t1543 logsource: - category: system product: windows + service: system detection: selection: Provider_Name: 'Service Control Manager' diff --git a/tests/logsource.json b/tests/logsource.json index 7f7ab8b7d..63cdfcd6c 100644 --- a/tests/logsource.json +++ b/tests/logsource.json 
@@ -4,6 +4,7 @@ "legit":{ "windows":{ "commun": ["EventID","Provider_Name"], + "empty": [], "category":{ "process_creation": ["CommandLine","Company","CurrentDirectory","Description","FileVersion", "Hashes","Image","IntegrityLevel","LogonGuid","LogonId","OriginalFileName", @@ -41,7 +42,10 @@ "ps_module":["ContextInfo","UserData","Payload"], "ps_script":["MessageNumber","MessageTotal","ScriptBlockText","ScriptBlockId","Path"], "file_access":["Irp","FileObject","IssuingThreadId","CreateOptions","CreateAttributes","ShareAccess","FileName"], - "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"] + "file_rename":["Irp","FileObject","FileKey","ExtraInformation","IssuingThreadId","InfoClass","FilePath"], + "ps_classic_start":[], + "ps_classic_provider_start":[], + "sysmon_error":[] }, "service":{ "bitlocker": ["VolumeName", "VolumeMountPoint", "ProtectorGUID", "ProtectorType"], 
@@ -62,10 +66,32 @@ "smbclient-security":["Reason","Status","ShareNameLength","ShareName","ObjectNameLength","ObjectName", "UserNameLength","UserName","ServerNameLength","ServerName"], "taskscheduler":["TaskName","UserContext","Path","ProcessID","Priority"], - "terminalservices-localsessionmanager":["User","SessionID","Address"] + "terminalservices-localsessionmanager":["User","SessionID","Address"], + "iis":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", + "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", + "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", + "cs-referer","cs-cookie"], + "application":[], + "sysmon":[], + "powershell":[], + "powershell-classic":[], + "security":[], + "system":[], + "windefend":[], + "wmi":[], + "microsoft-servicebus-client":[], + "printservice-operational":[], + "driver-framework":[], + "dns-server-analytic":[], + "dns-server":[], + "printservice-admin":[], + "msexchange-management":[], + "applocker":[] } }, "linux":{ + "commun": [], + "empty": [], "category":{ "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", 
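Review bot: The new `iis` field list contains `"cs-method"` twice (once after `s-ip`, again after `s-port`), copied from the `webserver` list that carries the same duplicate; drop the second occurrence in both. Most other windows services added here (`security`, `system`, `sysmon`, `powershell`, ...) get an empty list, and the test code changed in this same commit appears to skip field-name validation whenever the returned list is empty (`if info != [] and ...`), so rules on those services get no field check at all. If that is intentional, it deserves a sentence in the commit message; if not, the lists need populating before this lands. JSON has no comment syntax, so the caveat cannot live in the file itself.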
@@ -97,10 +123,21 @@ "proctitle","prom","proto","qbytes","range","rdev","reason","removed","res","resrc","result","role","rport","saddr","sauid", "scontext","selected-context","seperm","seperms","seqno","seresult","ses","seuser","sgid","sig","sigev_signo","smac","spid", "sport","state","subj","success","suid","syscall","table","tclass","tcontext","terminal","tty","type","uid","unit","uri","user", - "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"] + "uuid","val","val","ver","virt","vm","vm-ctx","vm-pid","watch"], + "vsftpd":[], + "sshd":[], + "syslog":[], + "guacamole":[], + "auth":[], + "clamav":[], + "modsecurity":[], + "sudo":[], + "cron":[] } }, "empty":{ + "commun": [], + "empty": [], "category":{ "proxy":["c-uri","c-uri-extension","c-uri-query","c-uri-stem","c-useragent","cs-bytes","cs-cookie", "cs-host","cs-method","r-dns","cs-referrer","cs-version","sc-bytes","sc-status","src_ip","dst_ip", 
@@ -108,11 +145,169 @@ "webserver":["date","time","c-ip","cs-username","s-sitename","s-computername","s-ip","cs-method", "cs-uri-stem","cs-uri-query","s-port","cs-method","sc-status","sc-win32-status", "sc-bytes","cs-bytes","time-taken","cs-version","cs-host","cs-user-agent", - "cs-referer","cs-cookie"] + "cs-referer","cs-cookie"], + "antivirus":[], + "database":[], + "dns":[], + "firewall":[] + }, + "service":{ + "apache":[], + "netflow":[] + } + }, + "cisco":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "aaa":[] + } + }, + "django":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "python":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "rpc_firewall":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "ruby_on_rails":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "spring":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "sql":{ + "commun": [], + "empty": [], + "category":{ + "application":[] + }, + "service":{} + }, + "aws":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "cloudtrail":[] + } + }, + "azure":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "activitylogs":[], + "auditlogs":[], + "azureactivity":[], + "signinlogs":[] + } + }, + "gcp":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "gcp.audit":[] + } + }, + "google_workspace":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "google_workspace.admin":[] + } + }, + "m365":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "exchange":[], + "threat_detection":[], + "threat_management":[] + } + }, + "okta":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "okta":[] + } + }, + "onelogin":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + 
"onelogin.events":[] + } + }, + "zeek":{ + "commun": [], + "empty": [], + "category":{ + }, + "service":{ + "kerberos":[], + "smb_files":[], + "rdp":[], + "http":[], + "dns":[], + "smb_files":[], + "dce_rpc":[], + "x509":[] + } + }, + "macos":{ + "commun": [], + "empty": [], + "category":{ + "process_creation": ["ProcessGuid","ProcessId","Image","FileVersion","Description","Product","Company","OriginalFileName", + "CommandLine","CurrentDirectory","User","LogonGuid","LogonId","TerminalSessionId","IntegrityLevel","Hashes", + "ParentProcessGuid","ParentProcessId","ParentImage","ParentCommandLine","ParentUser"], + "network_connection": ["ProcessGuid","ProcessId","Image","User","Protocol","Initiated","SourceIsIpv6","SourceIp","SourceHostname", + "SourcePort","SourcePortName","DestinationIsIpv6","DestinationIp","DestinationHostname","DestinationPort", + "DestinationPortName"], + "process_termination": ["ProcessGuid","ProcessId","Image","User"], + "raw_access_read": ["ProcessGuid","ProcessId","Image","Device","User"], + "file_event": ["ProcessGuid","ProcessId","Image","TargetFilename","CreationUtcTime","User"], + "sysmon_status": ["Configuration","ConfigurationFileHash"], + "file_delete": ["ProcessGuid","ProcessId","User","Image","TargetFilename","Hashes","IsExecutable","Archived"] }, "service":{ } - } + } }, "addon":{ "windows":{ @@ -128,7 +323,8 @@ "process_access": ["SourceCommandLine","CallTraceExtended"], "file_access":["Image","CommandLine","ParentImage","ParentCommandLine","User","TargetFilename"], "file_rename":["Image","CommandLine","ParentImage","ParentCommandLine","User","OriginalFileName","SourceFilename","TargetFilename","MagicHeader"] - } + }, + "service":{} } } } \ No newline at end of file diff --git a/tests/test_logsource.py b/tests/test_logsource.py index 99c7d5104..4e191f903 100644 --- a/tests/test_logsource.py +++ b/tests/test_logsource.py 
@@ -73,6 +73,28 @@ class TestRules(unittest.TestCase): return data + def get_logsource(self,logsource:dict) -> list: + data = None + + product = logsource["product"] if logsource["product"] in fieldname_dict.keys() else "empty" + + if logsource["category"] and logsource["category"] in fieldname_dict[product]['category'].keys(): + data= fieldname_dict[product]["category"][logsource["category"]] + elif logsource["service"] and logsource["service"] in fieldname_dict[product]['service'].keys(): + data= fieldname_dict[product]["service"][logsource["service"]] + elif logsource["category"] == None and logsource["service"] == None: + data = fieldname_dict[product]["empty"] + + return data + + def not_commun(self,logsource:dict,data:list) -> bool: + product = logsource["product"] if logsource["product"] in fieldname_dict.keys() else "empty" + + if fieldname_dict[product]["commun"] == data: + return False + else: + return True + # # test functions # @@ -107,6 +129,26 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") + def test_logsource_value(self): + faulty_rules = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + logsource = self.get_rule_part( + file_path=file, part_name="logsource") + if logsource: + full_logsource = self.full_logsource(logsource) + info = self.get_logsource(full_logsource) + if info == None: + faulty_rules.append(file) + print( + Fore.RED + "Rule {} has the unkwon logsource product/category/service ({}/{}/{})".format(file, + full_logsource["product"], + full_logsource["category"], + full_logsource["service"] + )) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with non-conform 'logsource' values.") def test_fieldname_case(self): files_with_fieldname_issues = [] 
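Review bot: The new error message in test_logsource_value misspells `unknown` as `unkwon` — in the same series that fixes `unkown` elsewhere — proposed: `Fore.RED + "Rule {} has the unknown logsource product/category/service ({}/{}/{})".format(file,`. `if info == None:` there and `elif logsource["category"] == None and logsource["service"] == None:` in get_logsource should use `is None`, and get_logsource's `-> list` annotation is wrong on the path that returns `None`; `-> list | None` matches the code. More substantively, get_logsource maps any product not in fieldname_dict to `"empty"`, so a rule with a misspelled product whose category exists under `empty` (for example `dns` or `firewall`) is never reported, although the message claims the product is validated. If logsource.json now enumerates every product the rules use, an early `if logsource["product"] and logsource["product"] not in fieldname_dict: return None` in get_logsource would close that gap.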
@@ -141,28 +183,30 @@ class TestRules(unittest.TestCase): if logsource and detection : full_logsource = self.full_logsource(logsource) + info = self.get_logsource(full_logsource) + if info != [] and self.not_commun(full_logsource,info): # check the field name - if full_logsource['product']: - if full_logsource['category']: - for field in self.get_detection_field(detection): - if not check_category(full_logsource['product'],full_logsource['category'],field): - print( - Fore.RED + "Rule {} has the invalid field <{}> for category <{}>".format(file, field,full_logsource['category'])) - files_with_fieldname_issues.append(file) - elif full_logsource['service']: - for field in self.get_detection_field(detection): - if not check_service(full_logsource['product'],full_logsource['service'],field): - print( - Fore.RED + "Rule {} has the invalid field <{}> for service <{}>".format(file, field,full_logsource['service'])) - files_with_fieldname_issues.append(file) - else: - if full_logsource['category']: - for field in self.get_detection_field(detection): - if not check_category("empty",full_logsource['category'],field): - print( - Fore.RED + "Rule {} has the invalid field <{}> for category <{}>".format(file, field,full_logsource['category'])) - files_with_fieldname_issues.append(file) + if full_logsource['product']: + if full_logsource['category']: + for field in self.get_detection_field(detection): + if not check_category(full_logsource['product'],full_logsource['category'],field): + print( + Fore.RED + "Rule {} has the invalid field <{}> for category <{}>".format(file, field,full_logsource['category'])) + files_with_fieldname_issues.append(file) + elif full_logsource['service']: + for field in self.get_detection_field(detection): + if not check_service(full_logsource['product'],full_logsource['service'],field): + print( + Fore.RED + "Rule {} has the invalid field <{}> for service <{}>".format(file, field,full_logsource['service'])) + files_with_fieldname_issues.append(file) + 
else: + if full_logsource['category']: + for field in self.get_detection_field(detection): + if not check_category("empty",full_logsource['category'],field): + print( + Fore.RED + "Rule {} has the invalid field <{}> for category <{}>".format(file, field,full_logsource['category'])) + files_with_fieldname_issues.append(file) self.assertEqual(files_with_fieldname_issues, [], Fore.RED + "There are rule files which contains unkown field or with cast error") @@ -180,6 +224,9 @@ def load_fields_json(name:str): for product in json_dict["addon"]: for category in json_dict["addon"][product]["category"]: data[product]["category"][category] += json_dict["addon"][product]["category"][category] + for service in json_dict["addon"][product]["service"]: + data[product]["service"][service] += json_dict["addon"][product]["service"][service] + # We use some extracted hash # Add commun field From 679f3d015b2b3faadb60d96fecd1b2648336f892 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 4 Jan 2023 19:11:33 +0100 Subject: [PATCH 35/64] fix: remove unnecessary space --- rules/windows/process_creation/proc_creation_win_susp_cmd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml index 976d65498..9fc743f25 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml @@ -67,9 +67,9 @@ detection: ParentImage: 'C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe' Image|endswith: '\cmd.exe' filter_tenable: + # See https://github.com/SigmaHQ/sigma/pull/3869 for an example ParentImage: 'C:\Program Files\Tenable\Nessus Agent\nessus-agent-module.exe' Image|endswith: '\cmd.exe' - condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown 
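Review bot: The new guard `if info != [] and self.not_commun(full_logsource,info):` lets `None` through, so a rule with an unknown logsource (the case `test_logsource_value` already reports) still enters the per-field `check_category`/`check_service` loop and is flagged a second time here with a misleading "invalid field" message; if the intent is to skip such rules in this test, `if info and self.not_commun(full_logsource, info):` covers both the empty list and `None`. The three nested product/category/service branches are otherwise unchanged and only re-indented one level, which makes the hunk hard to review and the method deeper; moving them into a helper such as `_check_rule_fields(self, file, full_logsource, detection)` that returns whether any field failed would keep `test_fieldname_case` readable. `test_fieldname_case` starts before this hunk.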
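Review bot: `json_dict["addon"][product]["service"]` is indexed unconditionally, so every product under `addon` must now carry a `service` key (the `"service":{}` added to `addon.windows` in logsource.json exists only to satisfy this), and `data[product]["service"][service] += ...` raises `KeyError` for an addon service the base section does not already declare, with no hint of which product/service was at fault. Reading with `for service, fields in json_dict["addon"][product].get("service", {}).items():` makes the key optional, and if addon-only services are meant to be accepted, `data[product]["service"].setdefault(service, []).extend(fields)` replaces the `+=`. The same `KeyError` exposure exists in the category loop just above, which this commit does not touch. `load_fields_json` continues outside the hunk.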
From 7d5fb8db30c22476432049b1c55cfc7faeb441d4 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 4 Jan 2023 19:36:37 +0100 Subject: [PATCH 36/64] update logsource --- rules/cloud/azure/azure_app_privileged_permissions.yml | 3 +-- tests/logsource.json | 1 + tests/test_logsource.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/cloud/azure/azure_app_privileged_permissions.yml b/rules/cloud/azure/azure_app_privileged_permissions.yml index 5bd6052c3..bdc64a4c7 100644 --- a/rules/cloud/azure/azure_app_privileged_permissions.yml +++ b/rules/cloud/azure/azure_app_privileged_permissions.yml @@ -6,12 +6,11 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' date: 2022/07/28 -modified: 2023/01/04 tags: - attack.privilege_escalation logsource: product: azure - service: auditlogs + service: microsoft365portal detection: selection: properties.message: Add app role assignment to service principal diff --git a/tests/logsource.json b/tests/logsource.json index 63cdfcd6c..5a4138bd9 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -228,6 +228,7 @@ "activitylogs":[], "auditlogs":[], "azureactivity":[], + "microsoft365portal":[], "signinlogs":[] } }, diff --git a/tests/test_logsource.py b/tests/test_logsource.py index 4e191f903..a0863726c 100644 --- a/tests/test_logsource.py +++ b/tests/test_logsource.py @@ -141,7 +141,7 @@ class TestRules(unittest.TestCase): if info == None: faulty_rules.append(file) print( - Fore.RED + "Rule {} has the unkwon logsource product/category/service ({}/{}/{})".format(file, + Fore.RED + "Rule {} has the unknown logsource product/category/service ({}/{}/{})".format(file, full_logsource["product"], full_logsource["category"], full_logsource["service"] 
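Review bot: The azure_app_privileged_permissions.yml hunk deletes `modified: 2023/01/04` while also changing the logsource from `service: auditlogs` to `service: microsoft365portal`; a logsource change is exactly what the `modified` field is meant to record, so the line should be kept (and dated to this change, `modified: 2023/01/04`) rather than removed. The other rule edits in this series do bump `modified` on comparable changes, so dropping it here also breaks consistency across the repository.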
@@ -209,7 +209,7 @@ class TestRules(unittest.TestCase): files_with_fieldname_issues.append(file) self.assertEqual(files_with_fieldname_issues, [], Fore.RED + - "There are rule files which contains unkown field or with cast error") + "There are rule files which contains unknown field or with cast error") def load_fields_json(name:str): data = {} From ed1a91b53fd4b676b715ef7e8b6de985dece7da5 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 4 Jan 2023 19:42:16 +0100 Subject: [PATCH 37/64] remove duplicate value --- tests/logsource.json | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/logsource.json b/tests/logsource.json index 5a4138bd9..4e30278d8 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -285,7 +285,6 @@ "rdp":[], "http":[], "dns":[], - "smb_files":[], "dce_rpc":[], "x509":[] } From 01e7adeb30f1a7b552c247605976b77fd0772e72 Mon Sep 17 00:00:00 2001 
From: frack113 Date: Thu, 5 Jan 2023 08:14:19 +0100 Subject: [PATCH 38/64] order linux file --- .../builtin/{ => auth}/lnx_pwnkit_local_privilege_escalation.yml | 0 .../auth}/lnx_susp_failed_logons_single_source.yml | 0 rules/linux/{other => builtin/clamav}/lnx_clamav.yml | 0 rules/linux/builtin/{ => cron}/lnx_crontab_file_modification.yml | 0 rules/linux/{other => builtin/guacamole}/lnx_susp_guacamole.yml | 0 rules/linux/{ => builtin}/modsecurity/modsec_mulitple_blocks.yml | 0 rules/linux/{other => builtin/sshd}/lnx_ssh_cve_2018_15473.yml | 0 rules/linux/{other => builtin/sshd}/lnx_susp_ssh.yml | 0 rules/linux/builtin/{ => sudo}/lnx_sudo_cve_2019_14287_user.yml | 0 .../syslog}/lnx_security_tools_disabling_syslog.yml | 0 rules/linux/{other => builtin/syslog}/lnx_susp_named.yml | 0 rules/linux/{other => builtin/vsftpd}/lnx_susp_vsftp.yml | 0 12 files changed, 0 insertions(+), 0 deletions(-) rename rules/linux/builtin/{ => auth}/lnx_pwnkit_local_privilege_escalation.yml (100%) rename rules/linux/{other => builtin/auth}/lnx_susp_failed_logons_single_source.yml (100%) rename rules/linux/{other => builtin/clamav}/lnx_clamav.yml (100%) rename rules/linux/builtin/{ => cron}/lnx_crontab_file_modification.yml (100%) rename rules/linux/{other => builtin/guacamole}/lnx_susp_guacamole.yml (100%) rename rules/linux/{ => builtin}/modsecurity/modsec_mulitple_blocks.yml (100%) rename rules/linux/{other => builtin/sshd}/lnx_ssh_cve_2018_15473.yml (100%) rename rules/linux/{other => builtin/sshd}/lnx_susp_ssh.yml (100%) rename rules/linux/builtin/{ => sudo}/lnx_sudo_cve_2019_14287_user.yml (100%) rename rules/linux/{other => builtin/syslog}/lnx_security_tools_disabling_syslog.yml (100%) rename rules/linux/{other => builtin/syslog}/lnx_susp_named.yml (100%) rename rules/linux/{other => builtin/vsftpd}/lnx_susp_vsftp.yml (100%) 
diff --git a/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml similarity index 100% rename from rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml rename to rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml diff --git a/rules/linux/other/lnx_susp_failed_logons_single_source.yml b/rules/linux/builtin/auth/lnx_susp_failed_logons_single_source.yml similarity index 100% rename from rules/linux/other/lnx_susp_failed_logons_single_source.yml rename to rules/linux/builtin/auth/lnx_susp_failed_logons_single_source.yml diff --git a/rules/linux/other/lnx_clamav.yml b/rules/linux/builtin/clamav/lnx_clamav.yml similarity index 100% rename from rules/linux/other/lnx_clamav.yml rename to rules/linux/builtin/clamav/lnx_clamav.yml diff --git a/rules/linux/builtin/lnx_crontab_file_modification.yml b/rules/linux/builtin/cron/lnx_crontab_file_modification.yml similarity index 100% rename from rules/linux/builtin/lnx_crontab_file_modification.yml rename to rules/linux/builtin/cron/lnx_crontab_file_modification.yml diff --git a/rules/linux/other/lnx_susp_guacamole.yml b/rules/linux/builtin/guacamole/lnx_susp_guacamole.yml similarity index 100% rename from rules/linux/other/lnx_susp_guacamole.yml rename to rules/linux/builtin/guacamole/lnx_susp_guacamole.yml diff --git a/rules/linux/modsecurity/modsec_mulitple_blocks.yml b/rules/linux/builtin/modsecurity/modsec_mulitple_blocks.yml similarity index 100% rename from rules/linux/modsecurity/modsec_mulitple_blocks.yml rename to rules/linux/builtin/modsecurity/modsec_mulitple_blocks.yml diff --git a/rules/linux/other/lnx_ssh_cve_2018_15473.yml b/rules/linux/builtin/sshd/lnx_ssh_cve_2018_15473.yml similarity index 100% rename from rules/linux/other/lnx_ssh_cve_2018_15473.yml rename to rules/linux/builtin/sshd/lnx_ssh_cve_2018_15473.yml 
diff --git a/rules/linux/other/lnx_susp_ssh.yml b/rules/linux/builtin/sshd/lnx_susp_ssh.yml similarity index 100% rename from rules/linux/other/lnx_susp_ssh.yml rename to rules/linux/builtin/sshd/lnx_susp_ssh.yml diff --git a/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml b/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml similarity index 100% rename from rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml rename to rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml diff --git a/rules/linux/other/lnx_security_tools_disabling_syslog.yml b/rules/linux/builtin/syslog/lnx_security_tools_disabling_syslog.yml similarity index 100% rename from rules/linux/other/lnx_security_tools_disabling_syslog.yml rename to rules/linux/builtin/syslog/lnx_security_tools_disabling_syslog.yml diff --git a/rules/linux/other/lnx_susp_named.yml b/rules/linux/builtin/syslog/lnx_susp_named.yml similarity index 100% rename from rules/linux/other/lnx_susp_named.yml rename to rules/linux/builtin/syslog/lnx_susp_named.yml diff --git a/rules/linux/other/lnx_susp_vsftp.yml b/rules/linux/builtin/vsftpd/lnx_susp_vsftp.yml similarity index 100% rename from rules/linux/other/lnx_susp_vsftp.yml rename to rules/linux/builtin/vsftpd/lnx_susp_vsftp.yml From a499c7076d50d56b62da983ec20b9696a837d19a Mon Sep 17 00:00:00 2001 From: xFFninja <104439265+xFFninja@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:47:11 +0200 Subject: [PATCH 39/64] fix Image field On Linux git has no .exe extension --- .../linux/process_creation/proc_creation_lnx_susp_git_clone.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml index e37981c89..7e283256e 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml 
@@ -14,7 +14,7 @@ logsource: product: linux detection: selection_img: - Image|endswith: '/git.exe' + Image|endswith: '/git' CommandLine|contains: ' clone ' selection_keyword: CommandLine|contains: From 379fa4f3dffefe82be6aa250ed6057b4b38082a3 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 5 Jan 2023 09:11:49 +0100 Subject: [PATCH 40/64] Update modified --- .../linux/process_creation/proc_creation_lnx_susp_git_clone.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml index 7e283256e..33e0d9972 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml @@ -6,6 +6,7 @@ references: - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt author: Nasreddine Bencherchali date: 2023/01/03 +modified: 2023/01/05 tags: - attack.reconnaissance - attack.t1593.003 From 325d53223915ac49864810e7a1aa39f23a5018d3 Mon Sep 17 00:00:00 2001 From: Veramine Date: Thu, 5 Jan 2023 13:30:45 -0800 Subject: [PATCH 41/64] Update proc_creation_win_susp_3proxy_usage.yml Fix condition --- .../process_creation/proc_creation_win_susp_3proxy_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml index 8395bb6bc..494efb7a6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml 
@@ -20,7 +20,7 @@ detection: Description: '3proxy - tiny proxy server' selection_params: # param combos seen in the wild CommandLine|contains: '.exe -i127.0.0.1 -p' - condition: 1 of selection + condition: 1 of selection* falsepositives: - Administrative activity level: high From fb1f72a6346981a866adb086602ca0f1ea0cdee9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 5 Jan 2023 23:08:36 +0100 Subject: [PATCH 42/64] fix: add missing modified field --- .../process_creation/proc_creation_win_susp_3proxy_usage.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml index 494efb7a6..03f94f14c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml @@ -7,6 +7,7 @@ references: - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html author: Florian Roth date: 2022/09/13 +modified: 2023/01/05 tags: - attack.command_and_control - attack.t1572 @@ -14,13 +15,13 @@ logsource: category: process_creation product: windows detection: - selection: + selection_img: Image|endswith: '\3proxy.exe' selection_pe: Description: '3proxy - tiny proxy server' selection_params: # param combos seen in the wild CommandLine|contains: '.exe -i127.0.0.1 -p' - condition: 1 of selection* + condition: 1 of selection_* falsepositives: - Administrative activity level: high From 31530e50b7b114b06459805483ca00a9fc604be1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 6 Jan 2023 13:28:57 +0100 Subject: [PATCH 43/64] Update FP --- ...eation_win_susp_file_download_via_gfxdownloadwrapper.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml index aa78f8cbc..98bc09e1c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/ author: Victor Sergeev, oscd.community date: 2020/10/09 -modified: 2021/11/27 +modified: 2022/01/06 tags: - attack.command_and_control - attack.t1105 @@ -18,7 +18,9 @@ detection: Image|endswith: '\GfxDownloadWrapper.exe' filter: CommandLine|contains: 'gameplayapi.intel.com' - ParentImage|endswith: '\GfxDownloadWrapper.exe' + ParentImage|endswith: + - '\GfxDownloadWrapper.exe' + - '\igfxEM.exe' condition: image_path and not filter fields: - CommandLine From 7e73028c5ed8f9c088f89fe3d58394b4a1859e0a Mon Sep 17 00:00:00 2001 
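Review bot: `modified: 2022/01/06` looks like a typo for `2023/01/06`: the commit is dated 6 Jan 2023 and the previous value was `2021/11/27`, so the recorded date is a year behind the change it describes and should read `modified: 2023/01/06`. In the second hunk, the filter now also accepts `\igfxEM.exe` as a legitimate parent; a one-line comment above that entry naming where the parent was observed (as the Tenable filter in proc_creation_win_susp_cmd.yml does earlier in this series) would help anyone later tuning or tightening the filter.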
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 6 Jan 2023 16:35:34 +0100 Subject: [PATCH 44/64] feat: updates and enhancements --- .../windows}/file_event_win_susp_clr_logs.yml | 4 +- .../auditd/lnx_auditd_binary_padding.yml | 18 ++--- .../auditd/lnx_auditd_find_cred_in_files.yml | 8 +-- .../lnx_pwnkit_local_privilege_escalation.yml | 5 +- ...nimbuspwn_privilege_escalation_exploit.yml | 5 +- rules/linux/builtin/lnx_susp_dev_tcp.yml | 6 +- .../win_exchange_proxylogon_oabvirtualdir.yml | 7 +- ...ange_proxyshell_certificate_generation.yml | 8 +-- ...hange_proxyshell_remove_mailbox_export.yml | 6 +- ...ge_set_oabvirtualdirectory_externalurl.yml | 6 +- .../file_event_win_net_cli_artefact.yml | 26 +++++-- ...vent_win_notepad_plus_plus_persistence.yml | 4 +- .../file_event/file_event_win_ntds_dit.yml | 4 +- ...le_event_win_outlook_c2_macro_creation.yml | 8 +-- .../file_event_win_outlook_newform.yml | 2 - ...e_event_win_powershell_exploit_scripts.yml | 4 +- ...event_win_powershell_startup_shortcuts.yml | 8 +-- .../file_event_win_quarkspw_filedump.yml | 1 - ...e_event_win_redmimicry_winnti_filedrop.yml | 16 ++--- .../file_event_win_remote_cred_dump.yml | 4 +- .../file_event_win_ripzip_attack.yml | 13 ++-- .../file_event/file_event_win_sam_dump.yml | 5 +- ...e_event_win_shell_write_susp_directory.yml | 8 +-- ...le_event_win_startup_folder_file_write.yml | 5 +- .../file_event_win_susp_colorcpl.yml | 5 +- ...nt_win_susp_startup_folder_persistence.yml | 7 ++ ...ent_win_susp_vscode_powershell_profile.yml | 2 +- .../file_event_win_susp_winword_startup.yml | 2 + ...e_load_susp_script_dotnet_clr_dll_load.yml | 5 +- .../image_load_susp_winword_vbadll_load.yml | 6 +- .../posh_pm_susp_invocation_generic.yml | 2 + .../posh_pm_susp_invocation_specific.yml | 8 ++- .../posh_ps_malicious_commandlets.yml | 9 ++- .../posh_ps_susp_ace_tampering.yml | 33 +++++++++ .../posh_ps_susp_invocation_generic.yml | 2 + .../posh_ps_susp_invocation_specific.yml | 20 
+++--- .../proc_creation_win_malicious_cmdlets.yml | 9 ++- .../proc_creation_win_susp_cmd.yml | 47 ++++-------- .../proc_creation_win_susp_eventlog_clear.yml | 15 +++- ...in_susp_powershell_base64_encoded_cmd.yml} | 0 ...n_win_susp_powershell_download_cradles.yml | 4 +- ...ation_win_susp_powershell_download_iex.yml | 13 ++-- ...oc_creation_win_susp_powershell_encode.yml | 6 +- ..._susp_powershell_encoded_cmd_patterns.yml} | 16 +++-- ...n_win_susp_powershell_getprocess_lsass.yml | 16 ++++- ...ion_win_susp_powershell_hidden_b64_cmd.yml | 14 ++-- ...ation_win_susp_powershell_iex_patterns.yml | 2 +- ...in_susp_powershell_invocation_specific.yml | 71 +++++++++++++++++++ ..._susp_powershell_obfuscation_via_utf8.yml} | 4 +- ...ion_win_susp_powershell_parent_process.yml | 27 +++---- ...reation_win_susp_powershell_sam_access.yml | 2 +- ...susp_powershell_script_engine_parent_.yml} | 13 ++-- ...tion_win_susp_powershell_sub_processes.yml | 10 +-- ...n_win_susp_powershell_webclient_casing.yml | 13 ++-- .../registry_set_change_security_zones.yml | 3 + .../registry_set_ie_persistence.yml | 8 ++- .../registry_set_ifilter_persistence.yml | 39 ++++++++++ .../registry_set_treatas_persistence.yml | 7 +- 58 files changed, 423 insertions(+), 198 deletions(-) rename {rules/windows/file/file_event => rules-deprecated/windows}/file_event_win_susp_clr_logs.yml (97%) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml rename rules/windows/process_creation/{proc_creation_win_susp_powershell_enc_cmd.yml => proc_creation_win_susp_powershell_base64_encoded_cmd.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_susp_powershell_cmd_patterns.yml => proc_creation_win_susp_powershell_encoded_cmd_patterns.yml} (80%) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml rename rules/windows/process_creation/{proc_creation_win_susp_powershell_encoded_param.yml => 
proc_creation_win_susp_powershell_obfuscation_via_utf8.yml} (88%) rename rules/windows/process_creation/{proc_creation_win_susp_powershell_parent_combo.yml => proc_creation_win_susp_powershell_script_engine_parent_.yml} (67%) diff --git a/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml b/rules-deprecated/windows/file_event_win_susp_clr_logs.yml similarity index 97% rename from rules/windows/file/file_event/file_event_win_susp_clr_logs.yml rename to rules-deprecated/windows/file_event_win_susp_clr_logs.yml index 4b5d1c854..84d2f62d7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml +++ b/rules-deprecated/windows/file_event_win_susp_clr_logs.yml @@ -1,6 +1,6 @@ title: Suspicious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -status: experimental +status: deprecated description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html @@ -8,7 +8,7 @@ references: - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml author: omkar72, oscd.community, Wojciech Lesicki date: 2020/10/12 -modified: 2022/06/24 +modified: 2023/01/05 tags: - attack.execution - attack.defense_evasion diff --git a/rules/linux/auditd/lnx_auditd_binary_padding.yml b/rules/linux/auditd/lnx_auditd_binary_padding.yml index 54d9207d9..a13c63e96 100644 --- a/rules/linux/auditd/lnx_auditd_binary_padding.yml +++ b/rules/linux/auditd/lnx_auditd_binary_padding.yml 
@@ -2,13 +2,13 @@ title: Binary Padding - Linux id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba status: test description: | - Adversaries may use binary padding to add junk data and change the on-disk representation of malware. - This rule detect using dd and truncate to add a junk data to file. + Adversaries may use binary padding to add junk data and change the on-disk representation of malware. + This rule detect using dd and truncate to add a junk data to file. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md author: 'Igor Fits, oscd.community' date: 2020/10/13 -modified: 2022/11/26 +modified: 2023/01/06 tags: - attack.defense_evasion - attack.t1027.001 @@ -16,17 +16,17 @@ logsource: product: linux service: auditd detection: - execve: + selection_execve: type: 'EXECVE' - truncate: + keywords_truncate: - 'truncate' - '-s' - dd: + keywords_dd: - 'dd' - 'if=' - filter: + keywords_filter: - 'of=' - condition: execve and (all of truncate or (all of dd and not filter)) + condition: selection_execve and (all of keywords_truncate or (all of keywords_dd and not keywords_filter)) falsepositives: - - Legitimate script work + - Unknown level: high diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml index fc4b87556..db6bb212a 100644 --- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml +++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2022/11/28 +modified: 2023/01/06 tags: - attack.credential_access - attack.t1552.001 
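Review bot: In the second hunk of lnx_auditd_binary_padding.yml the falsepositives entry `Legitimate script work` is replaced by `Unknown` although the detection logic (truncate `-s`, or `dd if=` without `of=`) is unchanged, so the previously documented benign case — scripts that legitimately pad or truncate files — is lost to anyone tuning the rule. Keep the concrete entry, `- Legitimate script work`, unless it was found to be inaccurate, in which case the commit message should say so. Separately, the diffstat of this same patch renames a rule to `proc_creation_win_susp_powershell_script_engine_parent_.yml`, with a stray trailing underscore before `.yml`, which is presumably unintended and worth fixing before merge.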
@@ -14,12 +14,12 @@ logsource: product: linux service: auditd detection: - execve: + selection: type: 'EXECVE' - passwordgrep: + keywords: - 'grep' - 'password' - condition: execve and all of passwordgrep + condition: selection and all of keywords falsepositives: - Unknown level: high diff --git a/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml index d28ba5af1..618c59c82 100644 --- a/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml +++ b/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/wdormann/status/1486161836961579020 author: Sreeman date: 2022/01/26 +modified: 2023/01/06 tags: - attack.privilege_escalation - attack.t1548.001 @@ -13,11 +14,11 @@ logsource: product: linux service: auth detection: - keyword: + keywords: - 'pkexec' - 'The value for environment variable XAUTHORITY contains suscipious content' - '[USER=root] [TTY=/dev/pts/0]' - condition: all of keyword + condition: all of keywords falsepositives: - Unknown level: high diff --git a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml index 36577bd51..ae84422a5 100644 --- a/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml +++ b/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml @@ -7,17 +7,18 @@ references: - https://github.com/Immersive-Labs-Sec/nimbuspwn author: Bhabesh Raj date: 2022/05/04 +modified: 2023/01/06 tags: - attack.privilege_escalation - attack.t1068 logsource: product: linux detection: - keyword: + keywords: - 'networkd-dispatcher' - 'Error handling notification for interface' - '../../' - condition: all of keyword + condition: all of keywords falsepositives: - Unknown level: high 
diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml index 74a59784c..fc6257f2e 100644 --- a/rules/linux/builtin/lnx_susp_dev_tcp.yml +++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml @@ -8,13 +8,13 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan author: frack113 date: 2021/12/10 -modified: 2022/01/10 +modified: 2023/01/06 tags: - attack.reconnaissance logsource: product: linux detection: - keyword: + keywords: - 'cat /dev/tcp/' - 'echo >/dev/tcp/' @@ -25,7 +25,7 @@ detection: - '(sh)0>/dev/tcp/' - 'bash -c ''bash -i >& /dev/tcp/' - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' - condition: 1 of keyword + condition: 1 of keywords falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml index dc80a5d10..2a95fa9fc 100644 --- a/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml +++ b/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml @@ -6,7 +6,7 @@ references: - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c author: Florian Roth date: 2021/08/09 -modified: 2022/10/09 +modified: 2023/01/06 tags: - attack.t1587.001 - attack.resource_development @@ -14,15 +14,14 @@ logsource: product: windows service: msexchange-management detection: - selection_cmdlet: + keywords: - 'OabVirtualDirectory' - ' -ExternalUrl ' - selection_params: - 'eval(request' - 'http://f/