From 92b1ce4cf428d756b16c3159b21f645fd196a5df Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 22:54:01 -0500 Subject: [PATCH 01/18] Create pass_role_to_lambda_function.yml
---
.../aws/pass_role_to_lambda_function.yml | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 rules/cloud/aws/pass_role_to_lambda_function.yml
diff --git a/rules/cloud/aws/pass_role_to_lambda_function.yml b/rules/cloud/aws/pass_role_to_lambda_function.yml
new file mode 100644
index 000000000..013ca204b
--- /dev/null
+++ b/rules/cloud/aws/pass_role_to_lambda_function.yml
@@ -0,0 +1,28 @@
+title: AWS Passed Role to Lambda Function
+id: d914951b-52c8-485f-875e-86abab710c0b
+description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/10/03
+references:
+ - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+logsource:
+ service: cloudtrail
+detection:
+ selection1:
+ eventSource: iam.amazonaws.com
+ eventName: PassRole
+ selection2:
+ eventSource: lambda.amazonaws.com
+ eventName: CreateFunction
+ selection3:
+ eventSource: lambda.amazonaws.com
+ eventName: InvokeFunction
+ condition: all
+level: low
+tags:
+ - attack.privilege_escalation
+ - attack.t1078
+falsepositives:
+ - Passed Role to New Lambda Function may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - If known behavior is causing false positives, it can be exempted from the rule.
From 60eccf711de6b2556deb1569a16f8b1128c02641 Mon Sep 17 00:00:00 2001
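Review bot: The three selections can never be satisfied together: a Sigma condition is evaluated per event, and `selection1` requires `eventSource: iam.amazonaws.com` while `selection2` and `selection3` require `lambda.amazonaws.com`, so no single CloudTrail record matches all of them and the rule is dead as written (the same holds for the Glue rule in patch 03 and for the `selection1 and selection2 and selection3` / `selection1 and selection2` conditions introduced in patches 16 and 17). As far as I know `PassRole` is also not emitted as a CloudTrail `eventName` — `iam:PassRole` is a permission evaluated inside calls such as `CreateFunction`, which carry the role in `requestParameters` — so `selection1` would not match on its own either; please confirm against real CloudTrail records before merging. A per-event form that does fire would key on the function-creation call with a role attached, something like `eventSource: lambda.amazonaws.com`, `eventName: CreateFunction` and `requestParameters.role|contains: 'arn:aws:iam::'`, leaving the PassRole → Create → Invoke sequence to a correlation layer. `condition: all` is not valid Sigma condition syntax, and the description has typos (`Lmbda`, `lanugage`).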
From: Austin Songer Date: Sun, 3 Oct 2021 22:54:19 -0500 Subject: [PATCH 02/18] Rename pass_role_to_lambda_function.yml to aws_pass_role_to_lambda_function.yml --- ...o_lambda_function.yml => aws_pass_role_to_lambda_function.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/aws/{pass_role_to_lambda_function.yml => aws_pass_role_to_lambda_function.yml} (100%) diff --git a/rules/cloud/aws/pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml similarity index 100% rename from rules/cloud/aws/pass_role_to_lambda_function.yml rename to rules/cloud/aws/aws_pass_role_to_lambda_function.yml From d694d6faa83e6530c0c22546794c5e35c991537b Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sun, 3 Oct 2021 23:03:39 -0500 Subject: [PATCH 03/18] Create passed_role_to_glue_development_endpoint.yml --- ...ssed_role_to_glue_development_endpoint.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/aws/passed_role_to_glue_development_endpoint.yml diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml new file mode 100644 index 000000000..ff46be0a8 --- /dev/null +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml 
@@ -0,0 +1,25 @@
+title: AWS Passed Role to Glue Development Endpoint
+id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
+description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/10/03
+references:
+ - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
+ - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
+logsource:
+ service: cloudtrail
+detection:
+ selection1:
+ eventSource: lambda.amazonaws.com
+ eventName: PassRole
+ selection2:
+ eventSource: glue.amazonaws.com
+ eventName: CreateDevEndpoint
+ condition: all
+level: low
+tags:
+ - attack.privilege_escalation
+falsepositives:
+ - Passed Role to Glue Development Endpoint may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - If known behavior is causing false positives, it can be exempted from the rule.
From 3b014259369fa07eaf301e770baa2131174c0822 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 5 Oct 2021 07:40:42 +0200 Subject: [PATCH 04/18] Update aws_pass_role_to_lambda_function.yml
---
rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
index 013ca204b..333b6596e 100644
--- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
+++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
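Review bot: `selection1` uses `eventSource: lambda.amazonaws.com` for the PassRole check, which is inconsistent with the sibling Lambda rule in patch 01 (`iam.amazonaws.com`) and has no relation to Glue; whichever source is intended, the single-event limitation raised on patch 01 applies here too, since `selection2` requires `glue.amazonaws.com`. The description is missing a word: `Detects when an user these permissions could` → `Detects when a user with these permissions could`. The `API_CreateDevEndpoint` reference is useful; a note in the description of which request parameter carries the passed role would let a reviewer confirm the event shape without leaving the rule.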
@@ -1,5 +1,5 @@ title: AWS Passed Role to Lambda Function -id: d914951b-52c8-485f-875e-86abab710c0b +id: d914951b-52c8-485f-875e-86abab710c0b description: Detects when an user with these permissions could escalate privileges by passing an existing IAM role to a new Lmbda function that includes code to import the AWS library to their programming lanugage. This can give access to the privileges associated with any Lambda service role that exists in the account and escalate to full administrator access to the account. author: Austin Songer @austinsonger status: experimental From ad9362e043131ca57ec780171d05ea02e90f8f13 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 5 Oct 2021 07:41:41 +0200 Subject: [PATCH 05/18] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index ff46be0a8..b57a55000 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -1,5 +1,5 @@ title: AWS Passed Role to Glue Development Endpoint -id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 +id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26 description: Detects when an user these permissions could create a new AWS Glue development endpoint and pass an existing service role to it. They then could SSH into the instance and use the AWS CLI to have access of the permissions the role has access to. The adversary could gain privileges associated with any Glue service role that exists in the account, which could range from no privilege escalation to full administrator access to the account. author: Austin Songer @austinsonger status: experimental 
@@ -13,7 +13,7 @@ detection: selection1: eventSource: lambda.amazonaws.com eventName: PassRole - selection2: + selection2: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint condition: all From 7cf01c2f0c9e02fc84da2be085092f3d9061e46f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 6 Oct 2021 12:43:10 +0200 Subject: [PATCH 06/18] extended CVE-2021-41773 rule --- rules/web/web_cve_2021_41773_apache_path_traversal.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml index 118ecf209..04ab16342 100644 --- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml 
@@ -4,17 +4,21 @@ status: experimental description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. author: daffainfo, Florian Roth date: 2021/10/05 +modified: 2021/10/06 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/h4x0r_dz/status/1445401960371429381 - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml + - https://twitter.com/bl4sty/status/1445462677824761878?s=12 logsource: category: webserver detection: selection: - c-uri|contains: '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' + c-uri|contains: + - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' + - '/icons/.%2e/%2e%2e/%2e%2e/%2e%2e' selection_success: sc-status: - 200 @@ -26,3 +30,4 @@ tags: - attack.initial_access - attack.t1190 level: critical + From dfd316c0ce2f11b223753c4ab3b8a2b8753b4f37 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 6 Oct 2021 17:46:15 +0200 Subject: [PATCH 07/18] Add web_iis_tilt_shortname_scan.yml --- rules/web/web_iis_tilt_shortname_scan.yml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_iis_tilt_shortname_scan.yml diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml new file mode 100644 index 000000000..c97b5ed10 --- /dev/null +++ b/rules/web/web_iis_tilt_shortname_scan.yml 
@@ -0,0 +1,30 @@
+title: Successful IIS Shortname Fuzzing Scan
+id: 7cb02516-6d95-4ffc-8eee-162075e111ac
+status: experimental
+author: frack113
+description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
+references:
+ - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml
+ - https://www.exploit-db.com/exploits/19525
+ - https://github.com/lijiejie/IIS_shortname_Scanner
+date: 2021/10/06
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '~1'
+ c-uri|endswith: 'a.aspx'
+ cs-method:
+ - GET
+ - OPTIONS
+ #only succes
+ sc-status:
+ - 200
+ - 301
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
From 930d2d4223667564ecfcf1f91b0b3fe7ee8809d1 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 6 Oct 2021 17:53:16 +0200 Subject: [PATCH 08/18] fix id
---
rules/web/web_iis_tilt_shortname_scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml
index c97b5ed10..eebef6273 100644
--- a/rules/web/web_iis_tilt_shortname_scan.yml
+++ b/rules/web/web_iis_tilt_shortname_scan.yml
@@ -1,5 +1,5 @@ title: Successful IIS Shortname Fuzzing Scan
-id: 7cb02516-6d95-4ffc-8eee-162075e111ac
+id: 7cb02516-6d95-4ffc-8eee-162075e111ac
 status: experimental
 author: frack113
 description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~.
From 0ee777e3b427c8e48d4dfd9a516c4b7581b37995 Mon Sep 17 00:00:00 2001 From: Mika Luhta <12100880+mluhta@users.noreply.github.com> Date: Thu, 7 Oct 2021 14:25:18 +0300 Subject: [PATCH 09/18] Fix rule detection logic Changed ParentImage to Image
---
rules/windows/process_creation/win_susp_regsvr32_no_dll.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
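Review bot: The `sc-status` selection of 200/301 does not look like it matches the referenced technique: as I understand the IIS short-name disclosure (exploit-db 19525 and the lijiejie scanner), an existing 8.3 name is told apart from a non-existing one by the difference between 404 and 400 responses, so a successful enumeration may never produce a 200 or 301 and this rule would miss the scans it is named after; please verify against a captured scan before keeping the status filter, or state in the description why only 200/301 is wanted. `c-uri|endswith: 'a.aspx'` is tied to one tool's default probe suffix, which is worth saying in the description so that tuning it is an informed choice. Minor wording: `#only succes` → `# only success`, and `it's possible to enumeration folder with the symbol ~` → `it is possible to enumerate folders using the ~ character`.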
diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index 021e88fb8..b97d80b77 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\regsvr32.exe' + Image|endswith: '\regsvr32.exe' filter: CommandLine|contains: - '.dll' From e70d17745ef89c6d2e20c9a0a88d8fe7d26a9bea Mon Sep 17 00:00:00 2001 From: Mika Luhta <12100880+mluhta@users.noreply.github.com> Date: Thu, 7 Oct 2021 18:42:22 +0200 Subject: [PATCH 10/18] Update modified field --- rules/windows/process_creation/win_susp_regsvr32_no_dll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml index b97d80b77..790363fa4 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_no_dll.yml @@ -4,7 +4,7 @@ status: experimental description: Detects a regsvr.exe execution that doesn't contain a DLL in the command line author: Florian Roth date: 2019/07/17 -modified: 2021/07/20 +modified: 2021/10/07 references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: From 7f17eaeb87019370134b4ac3cdd6f8812a9c7c65 Mon Sep 17 00:00:00 2001 From: Roberto Rodriguez Date: Fri, 8 Oct 2021 01:57:22 -0400 Subject: [PATCH 11/18] added rule to detect suspicious named pipe connections to an AD FS server --- .../sysmon_susp_adfs_namedpipe_connection.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml 
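Review bot: Now that the match is on `Image` rather than `ParentImage`, the rule fires on the regsvr32.exe process itself, and the description (a context line of the neighbouring `modified` hunk) still reads `Detects a regsvr.exe execution`; it should be `description: Detects a regsvr32.exe execution that doesn't contain a DLL in the command line` so title, description and detection agree. The `filter` block continues outside the hunk, so I cannot see whether `.dll` is the only exemption; if it is, consider adding an explicit note in `falsepositives` that any command line that names the DLL without an extension will be reported.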
diff --git a/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml
new file mode 100644
index 000000000..f1bc4e86d
--- /dev/null
+++ b/rules/windows/pipe_created/sysmon_susp_adfs_namedpipe_connection.yml
@@ -0,0 +1,33 @@
+title: ADFS Database Named Pipe Connection
+id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3
+description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
+status: experimental
+date: 2021/10/08
+modified: 2021/10/08
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml
+ - https://o365blog.com/post/adfs/
+ - https://github.com/Azure/SimuLand
+tags:
+ - attack.collection
+ - attack.t1005
+logsource:
+ product: windows
+ service: pipe_connected
+detection:
+ selection:
+ PipeName: '\MICROSOFT##WID\tsql\query'
+ filter:
+ Image|endswith:
+ - 'Microsoft.IdentityServer.ServiceHost.exe'
+ - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
+ - 'AzureADConnect.exe'
+ - 'Microsoft.Tri.Sensor.exe'
+ - 'wsmprovhost.exe'
+ - 'mmc.exe'
+ - 'sqlservr.exe'
+ condition: selection and not filter
+falsepositives:
+ - Processes in the filter condition
+level: critical
\ No newline at end of file
From a45e516f993896e4557c7139aa81d87d0d038400 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Fri, 8 Oct 2021 13:28:35 +0545 Subject: [PATCH 12/18] Added rule for possible persistence via VMTools
---
.../sysmon_vmtoolsd_susp_child_process.yml | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml
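Review bot: `logsource: product: windows / service: pipe_connected` does not look like a logsource the Sigma taxonomy defines — the file sits under `rules/windows/pipe_created/`, and the generic logsource for Sysmon pipe events is `category: pipe_created`; unless a backend config maps `service: pipe_connected`, the rule will not convert, so please confirm or change it to `category: pipe_created` (and confirm that mapping includes Sysmon event 18, which is what a connection to an existing pipe produces). The `Image|endswith` filter entries have no leading `\`, so `'sqlservr.exe'` also exempts any binary whose name merely ends with that string; anchoring each entry on the path separator, e.g. `- '\sqlservr.exe'`, keeps the exemption to the intended image names. `modified: 2021/10/08` equals `date` on a brand-new rule and can be dropped.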
diff --git a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml
new file mode 100644
index 000000000..3a7ddb28d
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml
@@ -0,0 +1,39 @@
+title: VMToolsd Suspicious Child Process
+id: 5687f942-867b-4578-ade7-1e341c46e99a
+status: experimental
+description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1059
+author: behops, Bhabesh Raj
+date: 2021/10/08
+references:
+ - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Details
+falsepositives:
+ - Legitimate use by adminstrator
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vmtoolsd.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\rundll32.exe'
+ - '\regsvr32.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ filter:
+ CommandLine|contains:
+ - 'poweron-vm-default.bat'
+ - 'poweroff-vm-default.bat'
+ - 'resume-vm-default.bat'
+ - 'suspend-vm-default.bat'
+ condition: selection and not filter
From 04c37d977bc22b84cb8689fecda9bf7aabfa2118 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Fri, 8 Oct 2021 16:36:34 +0200 Subject: [PATCH 13/18] fix: prevent FP triggering of other sources utilising ID 1102
---
rules/windows/builtin/win_event_log_cleared.yml | 2 ++
rules/windows/builtin/win_susp_eventlog_cleared.yml | 5 +++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/win_event_log_cleared.yml b/rules/windows/builtin/win_event_log_cleared.yml
index 92c9a2eac..992e37110 100644
--- a/rules/windows/builtin/win_event_log_cleared.yml
+++ b/rules/windows/builtin/win_event_log_cleared.yml
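Review bot: The `author` field reads `behops, Bhabesh Raj` while the only reference is a bohops.com post, so `bohops` is presumably the intended name; please confirm before merging, since attribution is awkward to correct once the rule id is in circulation. `falsepositives` has a typo, `adminstrator` → `administrator`. The `filter` exempts on `CommandLine|contains` with bare script names (tightened to a path fragment in patch 18), which means any command line that mentions one of those names is exempted regardless of what else it runs; if, as the filter suggests, these default VMware scripts are exactly what the referenced technique modifies, the description should say the rule covers only non-default script configurations, and a companion rule on modification of those `.bat` files would close the gap.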
@@ -5,6 +5,7 @@ description: Checks for event id 1102 which indicates the security event log was references: - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 +modified: 2021/10/08 author: Saw Winn Naung level: medium logsource: @@ -16,6 +17,7 @@ tags: detection: selection: EventID: 1102 + Source: Microsoft-Windows-Eventlog condition: selection fields: - SubjectLogonId diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml index 454919e5c..02b082525 100644 --- a/rules/windows/builtin/win_susp_eventlog_cleared.yml +++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml @@ -9,7 +9,7 @@ references: - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 author: Florian Roth date: 2017/01/10 -modified: 2021/09/21 +modified: 2021/10/08 tags: - attack.defense_evasion - attack.t1070 # an old one @@ -23,8 +23,9 @@ detection: EventID: - 517 - 1102 + Source: Microsoft-Windows-Eventlog condition: selection falsepositives: - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) - System provisioning (system reset before the golden image creation) -level: high \ No newline at end of file +level: high From 6c4e24d0de62927bd72d776396ef299409997937 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 9 Oct 2021 10:28:16 +0200 Subject: [PATCH 14/18] rule: coin miner param --cpu-priority --- rules/linux/auditd/lnx_auditd_coinminer.yml | 33 +++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_coinminer.yml diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml new file mode 100644 index 000000000..8a311ec4b --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_coinminer.yml 
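Review bot: In `win_susp_eventlog_cleared.yml` the added `Source: Microsoft-Windows-Eventlog` also constrains `EventID: 517`, the pre-Vista equivalent of 1102, which as far as I recall is logged with source `Security`, so that branch of the selection is now dead; either split it (`selection_new` with 1102 plus the provider, `selection_old` with 517) and use `condition: 1 of selection*`, or drop 517 and say so in the description. Please also confirm that `Source` is the field name your backends map to the provider name for builtin Windows logs — if it is mapped differently the new clause silently matches nothing. The `modified` bumps and the trailing-newline fix are fine.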
@@ -0,0 +1,33 @@
+title: Possible Coin Miner CPU Priority Param
+id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
+status: experimental
+description: Detects command line parameter very often used with coin miners
+author: Florian Roth
+date: 2021/10/09
+references:
+ - https://xmrig.com/docs/miner/command-line-options
+tags:
+ - attack.privilege_escalation
+ - attack.t1068
+logsource:
+ product: linux
+ service: auditd
+detection:
+ cmd1:
+ a1|startswith: '--cpu-priority'
+ cmd2:
+ a2|startswith: '--cpu-priority'
+ cmd3:
+ a3|startswith: '--cpu-priority'
+ cmd4:
+ a4|startswith: '--cpu-priority'
+ cmd5:
+ a5|startswith: '--cpu-priority'
+ cmd6:
+ a6|startswith: '--cpu-priority'
+ cmd7:
+ a7|startswith: '--cpu-priority'
+ condition: 1 of them
+falsepositives:
+ - Other tools that use a --cpu-priority flag
+level: critical
\ No newline at end of file
From 195db4cffcf0ed296da4430e4b70f0a987e20574 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 9 Oct 2021 18:48:02 +0200 Subject: [PATCH 15/18] refactor: made Apache RCE rule more robust
---
.../web_cve_2021_41773_apache_path_traversal.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml
index 04ab16342..a28a05f86 100644
--- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml
+++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml
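Review bot: The tags `attack.privilege_escalation` / `attack.t1068` do not describe what the rule detects: a miner's CPU-priority flag is resource hijacking, which ATT&CK files under Impact as T1496, not exploitation for privilege escalation, so the tags should be `- attack.impact` and `- attack.t1496`. Only `a1` through `a7` are checked, so the flag is missed when it is the eighth or later argument; that limit is worth stating in the description, as auditd records arguments one `aN` field at a time and readers will otherwise assume full coverage. `level: critical` sits oddly next to a `falsepositives` entry admitting other tools use the same flag — `high` would be consistent with that statement.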
@@ -11,14 +11,18 @@ references: - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/h4x0r_dz/status/1445401960371429381 - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml - - https://twitter.com/bl4sty/status/1445462677824761878?s=12 + - https://twitter.com/bl4sty/status/1445462677824761878 logsource: category: webserver detection: selection: c-uri|contains: - - '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e' - - '/icons/.%2e/%2e%2e/%2e%2e/%2e%2e' + - '/cgi-bin/.%2e/' + - '/icons/.%2e/' + - '/cgi-bin/.%%32%65/' + - '/icons/.%%32%65/' + - '/cgi-bin/.%%%25%33' + - '/icons/.%%%25%33' selection_success: sc-status: - 200 @@ -29,5 +33,4 @@ false_positives: tags: - attack.initial_access - attack.t1190 -level: critical - +level: high From de52890a628b3cfb148c461716df341278ab4879 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 9 Oct 2021 15:24:49 -0500 Subject: [PATCH 16/18] Update passed_role_to_glue_development_endpoint.yml --- rules/cloud/aws/passed_role_to_glue_development_endpoint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml index b57a55000..dfc15fc69 100644 --- a/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/passed_role_to_glue_development_endpoint.yml @@ -16,7 +16,7 @@ detection: selection2: eventSource: glue.amazonaws.com eventName: CreateDevEndpoint - condition: all + condition: selection1 and selection2 level: low tags: - attack.privilege_escalation From 1987897a7653c5f1b9dbe0c103b9255f5cd7cde5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Sat, 9 Oct 2021 15:26:38 -0500 Subject: [PATCH 17/18] Update aws_pass_role_to_lambda_function.yml --- rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
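Review bot: The second hunk header shows the block after the detection is keyed `false_positives:`, whereas the Sigma schema key is `falsepositives` (as every other rule in this series uses), so the file will likely fail the repository's schema test and the field will not be rendered by converters; please rename it to `falsepositives:`. The broadened `c-uri|contains` list is sensible, but `'/cgi-bin/.%%%25%33'` and `'/icons/.%%%25%33'` are not self-explanatory — a one-line comment naming the encoding variant each pair is meant to catch, or a pointer in `references`, would let the next maintainer verify them rather than trust them. Patch 16's `condition: selection1 and selection2` on this same line keeps the single-event problem noted on patch 01.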
diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml index 333b6596e..3c38c959e 100644 --- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml +++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml @@ -18,7 +18,7 @@ detection: selection3: eventSource: lambda.amazonaws.com eventName: InvokeFunction - condition: all + condition: selection1 and selection2 and selection3 level: low tags: - attack.privilege_escalation From a241f526ef6bc52c8478e7a02dd5af1596daabba Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Sun, 10 Oct 2021 07:54:40 +0545 Subject: [PATCH 18/18] Added more strict path --- .../sysmon_vmtoolsd_susp_child_process.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml index 3a7ddb28d..cdecb338e 100644 --- a/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/sysmon_vmtoolsd_susp_child_process.yml @@ -8,6 +8,7 @@ tags: - attack.t1059 author: behops, Bhabesh Raj date: 2021/10/08 +modified: 2021/10/10 references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ fields: @@ -32,8 +33,8 @@ detection: - '\cscript.exe' filter: CommandLine|contains: - - 'poweron-vm-default.bat' - - 'poweroff-vm-default.bat' - - 'resume-vm-default.bat' - - 'suspend-vm-default.bat' + - '\VMware\VMware Tools\poweron-vm-default.bat' + - '\VMware\VMware Tools\poweroff-vm-default.bat' + - '\VMware\VMware Tools\resume-vm-default.bat' + - '\VMware\VMware Tools\suspend-vm-default.bat' condition: selection and not filter
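Review bot: The tightened filter strings in patch 18 assume the default install directory (`\VMware\VMware Tools\`), so on hosts where VMware Tools is installed elsewhere the legitimate power-state scripts will now alert, and `falsepositives` (`Legitimate use by adminstrator`) does not mention it; add an entry such as `- VMware Tools installed in a non-default path` and fix `adminstrator` → `administrator` while touching it. The rest of the detection block, including the `selection`, lies outside the hunk.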