diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml new file mode 100644 index 000000000..3c38c959e --- /dev/null +++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml @@ -0,0 +1,28 @@ +title: AWS Passed Role to Lambda Function +id: d914951b-52c8-485f-875e-86abab710c0b +description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ +logsource: + service: cloudtrail +detection: + selection1: + eventSource: iam.amazonaws.com + eventName: PassRole + selection2: + eventSource: lambda.amazonaws.com + eventName: CreateFunction + selection3: + eventSource: lambda.amazonaws.com + eventName: InvokeFunction + condition: selection1 and selection2 and selection3 +level: low +tags: + - attack.privilege_escalation + - attack.t1078 +falsepositives: + - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml new file mode 100644 index 000000000..dfc15fc69 --- /dev/null +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml 
@@ -0,0 +1,25 @@ +title: AWS Passed Role to Glue Development Endpoint +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. +author: Austin Songer @austinsonger +status: experimental +date: 2021/10/03 +references: + - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ + - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html +logsource: + service: cloudtrail +detection: + selection1: + eventSource: lambda.amazonaws.com + eventName: PassRole + selection2: + eventSource: glue.amazonaws.com + eventName: CreateDevEndpoint + condition: selection1 and selection2 +level: low +tags: + - attack.privilege_escalation +falsepositives: + - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml new file mode 100644 index 000000000..8a311ec4b --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_coinminer.yml 
@@ -0,0 +1,33 @@ +title: Possible Coin Miner CPU Priority Param +id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed +status: experimental +description: Detects command line parameter very often used with coin miners +author: Florian Roth +date: 2021/10/09 +references: + - https://xmrig.com/docs/miner/command-line-options +tags: + - attack.privilege_escalation + - attack.t1068 +logsource: + product: linux + service: auditd +detection: + cmd1: + a1|startswith: '--cpu-priority' + cmd2: + a2|startswith: '--cpu-priority' + cmd3: + a3|startswith: '--cpu-priority' + cmd4: + a4|startswith: '--cpu-priority' + cmd5: + a5|startswith: '--cpu-priority' + cmd6: + a6|startswith: '--cpu-priority' + cmd7: + a7|startswith: '--cpu-priority' + condition: 1 of them +falsepositives: + - Other tools that use a --cpu-priority flag +level: critical \ No newline at end of file diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml index 118ecf209..a28a05f86 100644 --- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml 
@@ -4,17 +4,25 @@ status: experimental description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. author: daffainfo, Florian Roth date: 2021/10/05 +modified: 2021/10/06 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/h4x0r_dz/status/1445401960371429381 - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml + - https://twitter.com/bl4sty/status/1445462677824761878 logsource: category: webserver detection: selection: - c-uri|contains: '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' + c-uri|contains: + - '/cgi-bin/.%2e/' + - '/icons/.%2e/' + - '/cgi-bin/.%%32%65/' + - '/icons/.%%32%65/' + - '/cgi-bin/.%%%25%33' + - '/icons/.%%%25%33' selection_success: sc-status: - 200 @@ -25,4 +33,4 @@ false_positives: tags: - attack.initial_access - attack.t1190 -level: critical +level: high diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml new file mode 100644 index 000000000..eebef6273 --- /dev/null +++ b/rules/web/web_iis_tilt_shortname_scan.yml 
@@ -0,0 +1,30 @@ +title: Successful IIS Shortname Fuzzing Scan +id: 7cb02516-6d95-4ffc-8eee-162075e111ac +status: experimental +author: frack113 +description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~. +references: + - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml + - https://www.exploit-db.com/exploits/19525 + - https://github.com/lijiejie/IIS_shortname_Scanner +date: 2021/10/06 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + c-uri|contains: '~1' + c-uri|endswith: 'a.aspx' + cs-method: + - GET + - OPTIONS + #only succes + sc-status: + - 200 + - 301 + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml index 92c9a2eac..992e37110 100644 --- a/rules/windows/builtin/win_event_log_cleared.yml +++ b/rules/windows/builtin/win_event_log_cleared.yml @@ -5,6 +5,7 @@ description: Checks for event id 1102 which indicates the security event log was references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 +modified: 2021/10/08 author: Saw Winn Naung level: medium logsource: @@ -16,6 +17,7 @@ tags: detection: selection: EventID: 1102 + Source: Microsoft-Windows-Eventlog condition: selection fields: - SubjectLogonId diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 454919e5c..02b082525 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml 
@@ -9,7 +9,7 @@ references: - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 author: Florian Roth date: 2017/01/10 -modified: 2021/09/21 +modified: 2021/10/08 tags: - attack.defense_evasion - attack.t1070 # an old one @@ -23,8 +23,9 @@ detection: EventID: - 517 - 1102 + Source: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) -level: high \ No newline at end of file +level: high diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml new file mode 100644 index 000000000..f1bc4e86d --- /dev/null +++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml 
@@ -0,0 +1,33 @@ +title: ADFS Database Named Pipe Connection +id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 +description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. +status: experimental +date: 2021/10/08 +modified: 2021/10/08 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml + - https://o365blog.com/post/adfs/ + - https://github.com/Azure/SimuLand +tags: + - attack.collection + - attack.t1005 +logsource: + product: windows + service: pipe_connected +detection: + selection: + PipeName: '\MICROSOFT##WID\tsql\query' + filter: + Image|endswith: + - 'Microsoft.IdentityServer.ServiceHost.exe' + - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe' + - 'AzureADConnect.exe' + - 'Microsoft.Tri.Sensor.exe' + - 'wsmprovhost.exe' + - 'mmc.exe' + - 'sqlservr.exe' + condition: selection and not filter +falsepositives: + - Processes in the filter condition +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml new file mode 100644 index 000000000..cdecb338e --- /dev/null +++ b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml 
@@ -0,0 +1,40 @@ +title: VMToolsd Suspicious Child Process +id: 5687f942-867b-4578-ade7-1e341c46e99a +status: experimental +description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup +tags: + - attack.execution + - attack.persistence + - attack.t1059 +author: behops, Bhabesh Raj +date: 2021/10/08 +modified: 2021/10/10 +references: + - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate use by adminstrator +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\vmtoolsd.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\rundll32.exe' + - '\regsvr32.exe' + - '\wscript.exe' + - '\cscript.exe' + filter: + CommandLine|contains: + - '\VMware\VMware Tools\poweron-vm-default.bat' + - '\VMware\VMware Tools\poweroff-vm-default.bat' + - '\VMware\VMware Tools\resume-vm-default.bat' + - '\VMware\VMware Tools\suspend-vm-default.bat' + condition: selection and not filter diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index 021e88fb8..790363fa4 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -4,7 +4,7 @@ status: experimental description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line author: Florian Roth date: 2019/07/17 -modified: 2021/07/20 +modified: 2021/10/07 references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\regsvr32.exe' + Image|endswith: '\regsvr32.exe' filter: CommandLine|contains: - '.dll'
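Review bot: In rules/cloud/aws/aws_pass_role_to_lambda_function.yml the condition `selection1 and selection2 and selection3` can never match, because each selection pins `eventSource` to a different value (`iam.amazonaws.com`, `lambda.amazonaws.com`) and a Sigma condition without an aggregation is evaluated against one CloudTrail event at a time; the three API calls arrive as separate events. Either add a per-user aggregation across events or reduce this to a single-event rule, for instance `eventSource: lambda.amazonaws.com` with `eventName: CreateFunction` and a check on the role named in the request parameters. The description also needs "a user" instead of "an user", "Lambda" instead of "Lmbda", and "language" instead of "lanugage".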
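Review bot: In rules/cloud/aws/passed_role_to_glue_development_endpoint.yml, selection1 pairs `eventSource: lambda.amazonaws.com` with `eventName: PassRole`, which is unrelated to Glue and looks copied from the Lambda rule in this same patch (which itself uses `iam.amazonaws.com` for that event). As with that rule, `condition: selection1 and selection2` asks one event to carry two different eventSource values, so it cannot fire; keying on `eventSource: glue.amazonaws.com` with `eventName: CreateDevEndpoint` and inspecting the passed role in the request parameters would work. The description should read "a user with these permissions" and "to use the permissions the role has", and the tags carry only `attack.privilege_escalation` with no technique id, unlike the Lambda rule.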
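Review bot: In rules/linux/auditd/lnx_auditd_coinminer.yml the `cmd1`..`cmd7` selections match the `a1`..`a7` argument fields without restricting the record type, so an `a1` field of any auditd record type can satisfy them; add a selection such as `execve: type: EXECVE` and use `condition: execve and 1 of cmd*`. The tags `attack.privilege_escalation` / `attack.t1068` (Exploitation for Privilege Escalation) do not describe a miner; `attack.impact` / `attack.t1496` (Resource Hijacking) does. `level: critical` is also hard to justify when the rule's own falsepositives entry notes that other tools use `--cpu-priority`; `high` is more proportionate. The file has no trailing newline.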
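Review bot: In the first hunk of rules/web/web_cve_2021_41773_apache_path_traversal.yml the new `c-uri|contains` list adds double-encoded variants (`'/cgi-bin/.%%32%65/'`, `'/icons/.%%32%65/'`) while the description still states "This issue only affects Apache 2.4.49 and not earlier versions"; if these encodings are there to catch a bypass of the 2.4.49 fix on later builds, the description (and ideally the title) should say so, otherwise an analyst will discount hits from patched hosts. The entries `'/cgi-bin/.%%%25%33'` and `'/icons/.%%%25%33'` stop mid-sequence, so confirm they are deliberate prefixes rather than truncated strings. Note also that `'/cgi-bin/.%2e/'` is a much shorter prefix than the previous full traversal string and will match more requests; a short comment in the rule on why the prefixes were shortened would help future maintainers.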
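Review bot: In the second hunk of rules/web/web_cve_2021_41773_apache_path_traversal.yml the context line shows the key `false_positives:`, which is not the Sigma `falsepositives` key that every other rule in this patch uses; since the file is being touched anyway, rename it so the entry is picked up by tooling. The change `-level: critical` / `+level: high` comes without a reason in the diff; if it reflects the broadened URI prefixes in the first hunk, a sentence in the description would make that explicit.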
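Review bot: In rules/web/web_iis_tilt_shortname_scan.yml the selection `c-uri|contains: '~1'` together with `c-uri|endswith: 'a.aspx'` is tied to the probe format of the nuclei template in the references, so scanners that append a different suffix will not be seen; consider dropping the `endswith` clause or listing the suffixes used by the other referenced scanners. The description should read "When IIS runs on an old .NET Framework it is possible to enumerate folders using the `~` character", the comment `#only succes` should be `# only success`, and "tilt" in the file name presumably means "tilde". The file has no trailing newline.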
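Review bot: In the second hunk of rules/windows/builtin/win_susp_eventlog_cleared.yml adding `Source: Microsoft-Windows-Eventlog` to the selection that lists both `517` and `1102` silently disables the 517 case: 517 is the pre-Vista (Windows Server 2003 era) audit-log-cleared event and is written under the source `Security`, not `Microsoft-Windows-Eventlog`. Either remove 517 from the rule, or split the selection so the Source constraint applies to 1102 only, e.g. `selection_new: EventID: 1102` with the Source field and `selection_old: EventID: 517`, combined with `condition: 1 of selection*`. The trailing-newline fix on `level: high` is fine.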
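Review bot: In rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml the logsource `service: pipe_connected` does not match the directory the file lives in, and Sigma addresses Sysmon pipe events as `category: pipe_created` with `product: windows`; as written the rule will not resolve to a backend mapping. The `Image|endswith` filter also exempts general-purpose hosts such as `mmc.exe` and `wsmprovhost.exe`, so `level: critical` overstates the confidence of what remains; `high` with a note on those two entries, or narrowing them, would be more honest. The falsepositives entry "Processes in the filter condition" is circular and should name the legitimate consumers (the AD FS service, Azure AD Connect, the health agent). The file has no trailing newline.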
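Review bot: In rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml the filter uses `CommandLine|contains` on the default script paths, so any command line that merely includes one of those strings anywhere is exempted; anchoring the exemption on the full default location (for example `CommandLine|endswith: '\VMware\VMware Tools\poweron-vm-default.bat'` under the expected Program Files path) keeps it to the stock scripts. In addition, "adminstrator" in falsepositives should be "administrator", and `Details` in `fields` is not a process_creation field (`CommandLine` and `ParentCommandLine` suffice). A `modified: 2021/10/10` alongside `date: 2021/10/08` in a newly added file is unusual but harmless.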
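Review bot: In the second hunk of rules/windows/process_creation/win_susp_regsvr32_no_dll.yml the change from `ParentImage|endswith: '\regsvr32.exe'` to `Image|endswith: '\regsvr32.exe'` is correct and matches the description (a regsvr32 execution, not its child processes); the previous selection would have flagged children of regsvr32 rather than regsvr32 itself. While touching this file, the description's "regsvr.exe" should read "regsvr32.exe".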