From be359ef3f2a7962dfbdbc705c4f532d6b2f440a5 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 29 Jan 2024 13:37:20 +0100
Subject: [PATCH] Merge PR #4681 from @nasbench - Add Missing Ref & Tags

fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode"
fix: Metasploit SMB Authentication - Remove unnecessary field
fix: Service Installation in Suspicious Folder - Update FP filter
update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2"
remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules
remove: SAM Dump to AppData
update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic
update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2"
update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2"
update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1"
update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1"
update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only
update: New or Renamed User Account with '$' Character - Reduced level to "medium"
update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives
update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium"
update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic
update: Prefetch File Deleted - Update selection to remove 'C:' prefix
update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti.
(will be added in a dedicated rule) update: Shell Process Spawned by Java.EXE - Add "bash.exe" update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic update: Sysmon Application Crashed - Add 32bit version of sysmon binary update: Tap Driver Installation - Security - Reduce level to "low" update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .github/workflows/known-FPs.csv | 2 - .../windows}/posh_ps_dnscat_execution.yml | 4 +- .../windows}/win_system_susp_sam_dump.yml | 4 +- .../net_firewall_apt_equationgroup_c2.yml | 18 ++++---- ...ad_apt_cozy_bear_graphical_proton_dlls.yml | 3 ++ .../win_security_susp_interactive_logons.yml | 6 ++- ...tion_win_susp_execution_path_webserver.yml | 17 +++---- ...usp_exfil_and_tunneling_tool_execution.yml | 13 +++--- ...eation_win_wscript_cscript_script_exec.yml | 6 +++ .../aws_config_disable_recording.yml | 12 ++--- .../okta/okta_security_threat_detected.yml | 2 + .../compliance/default_credentials_usage.yml | 7 +-- .../netflow_cleartext_protocols.yml | 3 +- .../builtin/lnx_shell_susp_log_entries.yml | 10 +++-- .../cisco/aaa/cisco_cli_clear_logs.yml | 9 ++-- .../cisco/aaa/cisco_cli_collect_data.yml | 10 ++--- .../cisco/aaa/cisco_cli_crypto_actions.yml | 8 +--- .../cisco/aaa/cisco_cli_disable_logging.yml | 2 + .../network/cisco/aaa/cisco_cli_discovery.yml | 22 ++++------ .../net_firewall_cleartext_protocols.yml | 7 +-- ...verted_win_susp_raccess_sensitive_fext.yml | 9 ++-- .../proxy_download_susp_tlds_whitelist.yml | 2 + .../proxy_ua_bitsadmin_susp_ip.yml | 2 + .../proxy_ursnif_malware_download_url.yml | 7 +-- .../win_builtin_remove_application.yml | 7 ++- .../win_security_susp_failed_logon_source.yml | 12 ++--- 
.../win_security_susp_wmi_login.yml | 7 ++- .../win_security_admin_share_access.yml | 16 ++++--- ...n_security_codeintegrity_check_failure.yml | 3 ++ .../security/win_security_external_device.yml | 14 +++--- .../win_security_hidden_user_creation.yml | 6 ++- ...win_security_metasploit_authentication.yml | 3 +- ..._renamed_user_account_with_dollar_sign.yml | 25 ++++++----- ..._service_installation_by_unusal_client.yml | 2 +- .../win_security_susp_add_domain_trust.yml | 5 ++- ...in_security_susp_kerberos_manipulation.yml | 8 ++-- ...n_security_susp_raccess_sensitive_fext.yml | 23 +++++----- .../win_security_tap_driver_installation.yml | 11 +++-- ...ity_user_added_to_local_administrators.yml | 20 +++++---- .../security/win_security_user_creation.yml | 7 +-- .../security/win_security_user_logoff.yml | 3 ++ .../win_security_workstation_was_locked.yml | 3 +- .../win_system_application_sysmon_crash.yml | 9 +++- ...rkspwdump_clearing_hive_access_history.yml | 23 ---------- ...ical_hive_location_access_bits_cleared.yml | 32 ++++++++++++++ .../win_system_susp_system_update_error.yml | 5 ++- ...tem_service_install_sups_unusal_client.yml | 2 +- .../win_system_service_install_susp.yml | 2 + .../win_system_service_install_tap_driver.yml | 4 +- .../win_system_service_install_uncommon.yml | 7 ++- ...ystem_susp_service_installation_folder.yml | 11 ++--- ...sp_service_installation_folder_pattern.yml | 2 + ...ystem_susp_service_installation_script.yml | 2 + ...win_taskscheduler_susp_schtasks_delete.yml | 5 ++- .../driver_load_win_susp_temp_use.yml | 2 + ...ge_win_unusual_modification_by_dns_exe.yml | 2 +- .../file_delete_win_delete_prefetch.yml | 13 +++--- ...delete_win_unusual_deletion_by_dns_exe.yml | 2 +- .../file_event_win_creation_system_file.yml | 5 ++- ...e_event_win_powershell_exploit_scripts.yml | 3 +- ...e_event_win_tsclient_filewrite_startup.yml | 2 + .../posh_pm_exploit_scripts.yml | 4 +- .../posh_pm_malicious_commandlets.yml | 3 +- 
.../posh_pm_remote_powershell_session.yml | 1 - .../posh_pm_susp_download.yml | 3 ++ .../posh_pm_susp_invocation_generic.yml | 2 + .../posh_pm_susp_invocation_specific.yml | 4 +- .../posh_ps_malicious_commandlets.yml | 3 +- .../posh_ps_potential_invoke_mimikatz.yml | 2 +- .../posh_ps_susp_download.yml | 5 +++ .../posh_ps_susp_invocation_generic.yml | 2 + .../posh_ps_susp_invocation_specific.yml | 4 +- .../posh_ps_win_defender_exclusions_added.yml | 2 +- ...oc_access_win_susp_shellcode_injection.yml | 2 + ...on_win_bitsadmin_potential_persistence.yml | 27 +++++++----- .../proc_creation_win_cmd_unusual_parent.yml | 2 +- ...c_creation_win_conhost_uncommon_parent.yml | 2 +- ...desktopimgdownldr_remote_file_download.yml | 2 +- ...n_win_dns_exfiltration_tools_execution.yml | 3 ++ ...oc_creation_win_dns_susp_child_process.yml | 2 +- .../proc_creation_win_hxtsr_masquerading.yml | 14 +++--- ...appcmd_service_account_password_dumped.yml | 2 +- ..._win_iis_connection_strings_decryption.yml | 2 +- ...c_creation_win_java_susp_child_process.yml | 5 ++- ...creation_win_java_susp_child_process_2.yml | 5 ++- ...oc_creation_win_malware_script_dropper.yml | 39 ---------------- ..._creation_win_mssql_susp_child_process.yml | 2 + .../proc_creation_win_net_stop_service.yml | 4 +- ...win_office_outlook_execution_from_temp.yml | 7 ++- ...proc_creation_win_plink_susp_tunneling.yml | 4 +- ...eation_win_powershell_disable_firewall.yml | 2 +- ...ation_win_powershell_download_patterns.yml | 7 +-- ...ion_win_powershell_invocation_specific.yml | 4 +- ...ation_win_powershell_malicious_cmdlets.yml | 3 +- ...ion_win_powershell_shadowcopy_deletion.yml | 2 +- ...c_creation_win_powershell_stop_service.yml | 4 +- ...reg_write_protect_for_storage_disabled.yml | 10 +++-- .../proc_creation_win_sc_stop_service.yml | 16 +++---- .../proc_creation_win_schtasks_creation.yml | 15 +++---- .../proc_creation_win_ssh_rdp_tunneling.yml | 2 +- ...in_susp_priv_escalation_via_named_pipe.yml | 2 +- 
...tion_win_susp_remote_desktop_tunneling.yml | 2 +- ...susp_sensitive_file_access_shadowcopy.yml} | 12 ++--- ...on_win_svchost_uncommon_parent_process.yml | 2 + ...proc_creation_win_tapinstall_execution.yml | 4 +- .../proc_creation_win_taskmgr_localsystem.yml | 2 + ...reation_win_taskmgr_susp_child_process.yml | 22 +++++----- ...n_uac_bypass_hijacking_firwall_snap_in.yml | 2 +- ...roc_creation_win_uac_bypass_icmluautil.yml | 2 +- ..._creation_win_winrm_susp_child_process.yml | 2 + ...c_creation_win_wscript_cscript_dropper.yml | 44 +++++++++++++++++++ ...script_cscript_uncommon_extension_exec.yml | 2 + .../sysmon_wmi_event_subscription.yml | 4 ++ tests/thor.yml | 5 +++ 114 files changed, 482 insertions(+), 342 deletions(-) rename {rules/windows/powershell/powershell_script => deprecated/windows}/posh_ps_dnscat_execution.yml (85%) rename {rules/windows/builtin/system/microsoft_windows_kernel_general => deprecated/windows}/win_system_susp_sam_dump.yml (94%) rename {rules/network/firewall => rules-emerging-threats/2017/TA/Equation-Group}/net_firewall_apt_equationgroup_c2.yml (73%) mode change 100755 => 100644 rename {rules => rules-threat-hunting}/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml (62%) rename rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml => rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml (56%) rename {rules => rules-threat-hunting}/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml (81%) delete mode 100644 rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml create mode 100644 rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml rename 
rules/windows/process_creation/{proc_creation_win_malware_conti_shadowcopy.yml => proc_creation_win_susp_sensitive_file_access_shadowcopy.yml} (75%) create mode 100644 rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 59ac2269a..e65d695c5 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -26,8 +26,6 @@ bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.2 c187c075-bb3e-4c62-b4fa-beae0ffc211f;Deteled Rule in Windows Firewall with Advanced Security;Dropbox.*\\netsh\.exe 69aeb277-f15f-4d2d-b32a-55e883609563;Disabling Windows Event Auditing;Computer: .* ac175779-025a-4f12-98b0-acdaeb77ea85;PowerShell Script Run in AppData;\\Evernote- -cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Attribute 'SamAccountName';HomeGroupUser\$ -7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$ 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon diff --git a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml b/deprecated/windows/posh_ps_dnscat_execution.yml similarity index 85% rename from rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml rename to deprecated/windows/posh_ps_dnscat_execution.yml index 2b27478f2..b28d7bbd6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml +++ b/deprecated/windows/posh_ps_dnscat_execution.yml 
@@ -1,10 +1,10 @@ title: Dnscat Execution id: a6d67db4-6220-436d-8afc-f3842fe05d43 -status: test +status: deprecated # In favour of the more generic Susp and Malicious Cmdlet rules description: Dnscat exfiltration tool execution author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 -modified: 2022/12/25 +modified: 2024/01/25 tags: - attack.exfiltration - attack.t1048 diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml b/deprecated/windows/win_system_susp_sam_dump.yml similarity index 94% rename from rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml rename to deprecated/windows/win_system_susp_sam_dump.yml index 84b793271..873b5c638 100644 --- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_sam_dump.yml +++ b/deprecated/windows/win_system_susp_sam_dump.yml @@ -1,10 +1,10 @@ title: SAM Dump to AppData id: 839dd1e8-eda8-4834-8145-01beeee33acd -status: test +status: deprecated description: Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers author: Florian Roth (Nextron Systems) date: 2018/01/27 -modified: 2023/04/30 +modified: 2024/01/18 tags: - attack.credential_access - attack.t1003.002 diff --git a/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml old mode 100755 new mode 100644 similarity index 73% rename from rules/network/firewall/net_firewall_apt_equationgroup_c2.yml rename to rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml index 16eb048d4..fbf7da355 --- a/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml +++ b/rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml 
@@ -12,18 +12,18 @@ tags: - attack.command_and_control - attack.g0020 - attack.t1041 + - detection.emerging_threats logsource: category: firewall detection: - select_outgoing: - dst_ip: - - '69.42.98.86' - - '89.185.234.145' - select_incoming: - src_ip: - - '69.42.98.86' - - '89.185.234.145' - condition: 1 of select* + selection: + - dst_ip: + - '69.42.98.86' + - '89.185.234.145' + - src_ip: + - '69.42.98.86' + - '89.185.234.145' + condition: selection falsepositives: - Unknown level: high diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml index 379c53f74..6d466fe3e 100644 --- a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml +++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml @@ -6,6 +6,9 @@ references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a author: CISA date: 2023/12/18 +tags: + - attack.defense_evasion + - attack.t1574.002 logsource: category: image_load product: windows diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml index 7bb43c8ce..13a8d1c7a 100644 --- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml +++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml @@ -2,6 +2,8 @@ title: Interactive Logon to Server Systems id: 3ff152b2-1388-4984-9cd9-a323323fdadf status: test description: Detects interactive console logons to Server Systems +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/03/17 modified: 2023/12/15 
@@ -22,10 +24,10 @@ detection: ComputerName|expand: - '%ServerSystems%' - '%DomainControllers%' - filter_main: + filter_main_advapi: LogonProcessName: 'Advapi' ComputerName|expand: '%Workstations%' - condition: selection and not filter_main + condition: selection and not 1 of filter_main_* falsepositives: - Administrative activity via KVM or ILO board level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml similarity index 62% rename from rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml index 84912f313..a6069d00a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml @@ -1,13 +1,17 @@ -title: Execution in Webserver Root Folder +title: Execution From Webserver Root Folder id: 35efb964-e6a5-47ad-bbcd-19661854018d status: test -description: Detects a suspicious program execution in a web service root folder (filter out false positives) +description: | + Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2019/01/16 -modified: 2021/11/27 +modified: 2024/01/18 tags: - attack.persistence - attack.t1505.003 + - detection.threat_hunting logsource: category: process_creation product: windows 
@@ -17,16 +21,13 @@ detection: - '\wwwroot\' - '\wmpub\' - '\htdocs\' - filter: + filter_main_generic: Image|contains: - 'bin\' - '\Tools\' - '\SMSComponent\' ParentImage|endswith: '\services.exe' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine + condition: selection and not 1 of filter_main_* falsepositives: - Various applications - Tools that include ping or nslookup command invocations diff --git a/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml similarity index 56% rename from rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml index 53e4af697..be3992920 100644 --- a/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_exfil_and_tunneling_tool_execution.yml 
@@ -1,27 +1,30 @@ -title: Exfiltration and Tunneling Tools Execution +title: Tunneling Tool Execution id: c75309a3-59f8-4a8d-9c2c-4c927ad50555 status: test -description: Execution of well known tools for data exfiltration and tunneling +description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling. author: Daniil Yugoslavskiy, oscd.community +references: + - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ date: 2019/10/24 -modified: 2021/11/27 +modified: 2024/01/18 tags: - attack.exfiltration - attack.command_and_control - attack.t1041 - attack.t1572 - attack.t1071.001 + - detection.threat_hunting logsource: category: process_creation product: windows detection: selection: Image|endswith: + - '\httptunnel.exe' - '\plink.exe' - '\socat.exe' - '\stunnel.exe' - - '\httptunnel.exe' condition: selection falsepositives: - - Legitimate Administrator using tools + - Legitimate administrators using one of these tools level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml similarity index 81% rename from rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml index 036b0b174..d8f7b21dd 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_wscript_cscript_script_exec.yml 
@@ -3,8 +3,13 @@ id: 1e33157c-53b1-41ad-bbcc-780b80b58288 related: - id: 23250293-eed5-4c39-b57a-841c8933a57d type: obsoletes + - id: cea72823-df4d-4567-950c-0b579eaf0846 + type: derived status: test description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript +references: + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://redcanary.com/blog/gootloader/ author: Michael Haag date: 2019/01/16 modified: 2023/05/15 @@ -12,6 +17,7 @@ tags: - attack.execution - attack.t1059.005 - attack.t1059.007 + - detection.threat_hunting logsource: category: process_creation product: windows diff --git a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml index c56282671..ea3d2e7b3 100644 --- a/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml +++ b/rules/cloud/aws/cloudtrail/aws_config_disable_recording.yml @@ -2,6 +2,8 @@ title: AWS Config Disabling Channel/Recorder id: 07330162-dba1-4746-8121-a9647d49d297 status: test description: Detects AWS Config Service disabling +references: + - https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html author: vitaliy0x1 date: 2020/01/21 modified: 2022/10/09 @@ -12,12 +14,12 @@ logsource: product: aws service: cloudtrail detection: - selection_source: - eventSource: config.amazonaws.com + selection: + eventSource: 'config.amazonaws.com' eventName: - - DeleteDeliveryChannel - - StopConfigurationRecorder - condition: selection_source + - 'DeleteDeliveryChannel' + - 'StopConfigurationRecorder' + condition: selection falsepositives: - Valid change in AWS Config Service level: high diff --git a/rules/cloud/okta/okta_security_threat_detected.yml b/rules/cloud/okta/okta_security_threat_detected.yml index 0cffb48f9..c060324ca 100644 --- a/rules/cloud/okta/okta_security_threat_detected.yml +++ b/rules/cloud/okta/okta_security_threat_detected.yml 
@@ -9,6 +9,8 @@ references: author: Austin Songer @austinsonger date: 2021/09/12 modified: 2022/10/09 +tags: + - attack.command_and_control logsource: product: okta service: okta diff --git a/rules/compliance/default_credentials_usage.yml b/rules/compliance/default_credentials_usage.yml index dc968a6d0..f17099bb5 100644 --- a/rules/compliance/default_credentials_usage.yml +++ b/rules/compliance/default_credentials_usage.yml @@ -2,8 +2,8 @@ title: Default Credentials Usage id: 1a395cbc-a84a-463a-9086-ed8a70e573c7 status: stable description: | - Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. - Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. + Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. + Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf @@ -11,7 +11,8 @@ references: - https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 -# tags: +tags: + - attack.initial_access # - CSC4 # - CSC4.2 # - NIST CSF 1.1 PR.AC-4 diff --git a/rules/compliance/netflow_cleartext_protocols.yml b/rules/compliance/netflow_cleartext_protocols.yml index 937f3be64..cbcda8ea1 100644 --- a/rules/compliance/netflow_cleartext_protocols.yml +++ b/rules/compliance/netflow_cleartext_protocols.yml @@ -12,7 +12,8 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 modified: 2022/11/18 -# tags: +tags: + - attack.credential_access # - CSC4 # - CSC4.5 # - CSC14 
diff --git a/rules/linux/builtin/lnx_shell_susp_log_entries.yml b/rules/linux/builtin/lnx_shell_susp_log_entries.yml index 39052a786..caa3385ba 100644 --- a/rules/linux/builtin/lnx_shell_susp_log_entries.yml +++ b/rules/linux/builtin/lnx_shell_susp_log_entries.yml @@ -2,6 +2,8 @@ title: Suspicious Log Entries id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1 status: test description: Detects suspicious log entries in Linux log files +references: + - https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml author: Florian Roth (Nextron Systems) date: 2017/03/25 modified: 2021/11/27 @@ -12,11 +14,11 @@ logsource: detection: keywords: # Generic suspicious log lines - - entered promiscuous mode + - 'entered promiscuous mode' # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml - - Deactivating service - - Oversized packet received from - - imuxsock begins to drop messages + - 'Deactivating service' + - 'Oversized packet received from' + - 'imuxsock begins to drop messages' condition: keywords falsepositives: - Unknown diff --git a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml index 96611b50e..e32eba875 100644 --- a/rules/network/cisco/aaa/cisco_cli_clear_logs.yml +++ b/rules/network/cisco/aaa/cisco_cli_clear_logs.yml @@ -2,6 +2,9 @@ title: Cisco Clear Logs id: ceb407f6-8277-439b-951f-e4210e3ed956 status: test description: Clear command history in network OS which is used for defense evasion +references: + - https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html + - https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 author: Austin Clark date: 2019/08/12 modified: 2023/05/26 
@@ -16,12 +19,6 @@ detection: - 'clear logging' - 'clear archive' condition: keywords -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address falsepositives: - Legitimate administrators may run these commands level: high diff --git a/rules/network/cisco/aaa/cisco_cli_collect_data.yml b/rules/network/cisco/aaa/cisco_cli_collect_data.yml index 7e00356ca..a735063db 100644 --- a/rules/network/cisco/aaa/cisco_cli_collect_data.yml +++ b/rules/network/cisco/aaa/cisco_cli_collect_data.yml @@ -2,6 +2,10 @@ title: Cisco Collect Data id: cd072b25-a418-4f98-8ebc-5093fb38fe1a status: test description: Collect pertinent data from the configuration files +references: + - https://blog.router-switch.com/2013/11/show-running-config/ + - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm + - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html author: Austin Clark date: 2019/08/11 modified: 2023/01/04 @@ -22,12 +26,6 @@ detection: - 'show archive config' - 'more' condition: keywords -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address falsepositives: - Commonly run by administrators level: low diff --git a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml index ee51db55f..3485e200e 100644 --- a/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml +++ b/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml @@ -2,6 +2,8 @@ title: Cisco Crypto Commands id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d status: test description: Show when private keys are being exported from the device, or when new certificates are installed +references: + - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html author: Austin Clark date: 2019/08/12 modified: 2023/01/04 
@@ -19,12 +21,6 @@ detection: - 'crypto pki import' - 'crypto pki trustpoint' condition: keywords -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address falsepositives: - Not commonly run by administrators. Also whitelist your known good certificates level: high diff --git a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml index 7ff07143b..06711af29 100644 --- a/rules/network/cisco/aaa/cisco_cli_disable_logging.yml +++ b/rules/network/cisco/aaa/cisco_cli_disable_logging.yml @@ -2,6 +2,8 @@ title: Cisco Disabling Logging id: 9e8f6035-88bf-4a63-96b6-b17c0508257e status: test description: Turn off logging locally or remote +references: + - https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf author: Austin Clark date: 2019/08/11 modified: 2023/01/04 diff --git a/rules/network/cisco/aaa/cisco_cli_discovery.yml b/rules/network/cisco/aaa/cisco_cli_discovery.yml index 970e34df7..5d6574067 100644 --- a/rules/network/cisco/aaa/cisco_cli_discovery.yml +++ b/rules/network/cisco/aaa/cisco_cli_discovery.yml @@ -2,6 +2,8 @@ title: Cisco Discovery id: 9705a6a1-6db6-4a16-a987-15b7151e299b status: test description: Find information about network devices that is not stored in config files +references: + - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html author: Austin Clark date: 2019/08/12 modified: 2023/01/04 
@@ -22,23 +24,17 @@ logsource: detection: keywords: - 'dir' - - 'show processes' - 'show arp' - 'show cdp' - - 'show version' - - 'show ip route' - - 'show ip interface' - - 'show ip sockets' - - 'show users' - - 'show ssh' - 'show clock' + - 'show ip interface' + - 'show ip route' + - 'show ip sockets' + - 'show processes' + - 'show ssh' + - 'show users' + - 'show version' condition: keywords -fields: - - src - - CmdSet - - User - - Privilege_Level - - Remote_Address falsepositives: - Commonly used by administrators for troubleshooting level: low diff --git a/rules/network/firewall/net_firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml index 96f24d71b..6bc0432ed 100644 --- a/rules/network/firewall/net_firewall_cleartext_protocols.yml +++ b/rules/network/firewall/net_firewall_cleartext_protocols.yml @@ -2,8 +2,8 @@ title: Cleartext Protocol Usage id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e status: stable description: | - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. - Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. + Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. + Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access. references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf @@ -11,7 +11,8 @@ references: author: Alexandr Yampolskyi, SOC Prime, Tim Shelton date: 2019/03/26 modified: 2022/10/10 -# tags: +tags: + - attack.credential_access # - CSC4 # - CSC4.5 # - CSC14 
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index 7a1e1801f..63b863352 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -5,7 +5,9 @@ related: type: derived status: test description: Detects known sensitive file extensions via Zeek -author: 'Samir Bousseaden, @neu5ron' +references: + - Internal Research +author: Samir Bousseaden, @neu5ron date: 2020/04/02 modified: 2021/11/27 tags: @@ -29,11 +31,6 @@ detection: - '\groups.xml' - '.rdp' condition: selection -fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - RelativeTargetName falsepositives: - Help Desk operator doing backup or re-imaging end user machine or backup software - Users working with these data types or exchanging message files diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml index c1ababf55..e405b04f6 100644 --- a/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml +++ b/rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml @@ -5,6 +5,8 @@ related: type: similar status: test description: Detects executable downloads from suspicious remote systems +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/03/13 modified: 2023/05/18 diff --git a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml index 587410b1d..043b61f62 100644 --- a/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml +++ b/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_ip.yml 
@@ -2,6 +2,8 @@ title: Bitsadmin to Uncommon IP Server Address id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3 status: test description: Detects Bitsadmin connections to IP addresses instead of FQDN names +references: + - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 author: Florian Roth (Nextron Systems) date: 2022/06/10 modified: 2022/08/24 diff --git a/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml b/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml index 21db1974a..bcecae990 100644 --- a/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml +++ b/rules/web/proxy_generic/proxy_ursnif_malware_download_url.yml @@ -2,6 +2,8 @@ title: Ursnif Malware Download URL Pattern id: a36ce77e-30db-4ea0-8795-644d7af5dfb4 status: stable description: Detects download of Ursnif malware done by dropper documents. +references: + - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware author: Thomas Patzke date: 2019/12/19 modified: 2022/08/15 @@ -18,11 +20,6 @@ detection: c-uri|endswith: '.cab' sc-status: 200 condition: selection -fields: - - c-ip - - c-uri - - sc-bytes - - c-ua falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml index fd4c7c082..4f6bd8c47 100644 --- a/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/msiinstaller/win_builtin_remove_application.yml 
@@ -2,6 +2,9 @@ title: Application Uninstalled id: 570ae5ec-33dc-427c-b815-db86228ad43e status: test description: An application has been removed. Check if it is critical. +references: + - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml + - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging author: frack113 date: 2022/01/28 modified: 2022/09/17 @@ -15,8 +18,8 @@ detection: selection: Provider_Name: 'MsiInstaller' EventID: - - 11724 - - 1034 + - 1034 # Windows Installer removed the product + - 11724 # Product Removal Successful condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml index fbe6072f9..5d022a9ce 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml @@ -1,7 +1,9 @@ title: Failed Logon From Public IP id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 status: test -description: A login from a public IP can indicate a misconfigured firewall or network boundary. +description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 author: NVISO date: 2020/05/06 modified: 2023/01/11 @@ -17,9 +19,9 @@ logsource: detection: selection: EventID: 4625 - filter_ip_unknown: + filter_main_ip_unknown: IpAddress|contains: '-' - filter_ip_privatev4: + filter_main_ip_privatev4: IpAddress|startswith: - '10.' # 10.0.0.0/8 - '192.168.' # 192.168.0.0/16 
@@ -41,12 +43,12 @@ detection: - '172.31.' - '127.' # 127.0.0.0/8 - '169.254.' # 169.254.0.0/16 - filter_ip_privatev6: + filter_main_ip_privatev6: - IpAddress: '::1' # loopback - IpAddress|startswith: - 'fe80::' # link-local - 'fc00::' # unique local - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* falsepositives: - Legitimate logon attempts over the internet - IPv4-to-IPv6 mapped IPs diff --git a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml index 98835de02..d96c2bc07 100644 --- a/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml +++ b/rules/windows/builtin/security/account_management/win_security_susp_wmi_login.yml @@ -1,9 +1,12 @@ -title: Login with WMI +title: Successful Account Login Via WMI id: 5af54681-df95-4c26-854f-2565e13cfab0 status: stable -description: Detection of logins performed with WMI +description: Detects successful logon attempts performed with WMI +references: + - Internal Research author: Thomas Patzke date: 2019/12/04 +modified: 2024/01/17 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/builtin/security/win_security_admin_share_access.yml b/rules/windows/builtin/security/win_security_admin_share_access.yml index be2c750a7..d2f98537e 100644 --- a/rules/windows/builtin/security/win_security_admin_share_access.yml +++ b/rules/windows/builtin/security/win_security_admin_share_access.yml 
@@ -1,24 +1,26 @@ -title: Access to ADMIN$ Share +title: Access To ADMIN$ Network Share id: 098d7118-55bc-4912-a836-dc6483a8d150 status: test -description: Detects access to $ADMIN share +description: Detects access to ADMIN$ network share +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140 author: Florian Roth (Nextron Systems) date: 2017/03/04 -modified: 2021/11/27 +modified: 2024/01/16 tags: - attack.lateral_movement - attack.t1021.002 logsource: product: windows service: security - definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' + definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure' detection: selection: EventID: 5140 - ShareName: Admin$ - filter: + ShareName: 'Admin$' + filter_main_computer_account: SubjectUserName|endswith: '$' - condition: selection and not filter + condition: selection and not 1 of filter_* falsepositives: - Legitimate administrative activity level: low diff --git a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml index 0afc80f5a..8203b0b35 100644 --- a/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml +++ b/rules/windows/builtin/security/win_security_codeintegrity_check_failure.yml @@ -3,6 +3,9 @@ id: 470ec5fa-7b4e-4071-b200-4c753100f49b status: stable description: | Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5038 + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281 author: Thomas Patzke date: 2019/12/03 modified: 2023/12/13 
diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml index 5f1e15eda..fcaea36e0 100644 --- a/rules/windows/builtin/security/win_security_external_device.yml +++ b/rules/windows/builtin/security/win_security_external_device.yml @@ -1,10 +1,12 @@ -title: External Disk Drive Or USB Storage Device +title: External Disk Drive Or USB Storage Device Was Recognized By The System id: f69a87ea-955e-4fb4-adb2-bb9fd6685632 status: test description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416 author: Keith Wright date: 2019/11/20 -modified: 2022/10/09 +modified: 2024/01/16 tags: - attack.t1091 - attack.t1200 @@ -14,12 +16,12 @@ logsource: product: windows service: security detection: - selection: + selection_disk: EventID: 6416 ClassName: 'DiskDrive' - selection2: + selection_usb: DeviceDescription: 'USB Mass Storage Device' - condition: selection or selection2 + condition: 1 of selection_* falsepositives: - - Legitimate administrative activity + - Likely level: low diff --git a/rules/windows/builtin/security/win_security_hidden_user_creation.yml b/rules/windows/builtin/security/win_security_hidden_user_creation.yml index 5892a727a..227f3f32e 100644 --- a/rules/windows/builtin/security/win_security_hidden_user_creation.yml +++ b/rules/windows/builtin/security/win_security_hidden_user_creation.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1387743867663958021 author: Christian Burkard (Nextron Systems) date: 2021/05/03 -modified: 2022/10/09 +modified: 2024/01/16 tags: - attack.persistence - attack.t1136.001 
@@ -17,7 +17,9 @@ detection: selection: EventID: 4720 TargetUserName|endswith: '$' - condition: selection + filter_main_homegroup: + TargetUserName: 'HomeGroupUser$' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/security/win_security_metasploit_authentication.yml b/rules/windows/builtin/security/win_security_metasploit_authentication.yml index c0fed31e8..77fc94413 100644 --- a/rules/windows/builtin/security/win_security_metasploit_authentication.yml +++ b/rules/windows/builtin/security/win_security_metasploit_authentication.yml @@ -6,7 +6,7 @@ references: - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb author: Chakib Gzenayi (@Chak092), Hosni Mribah date: 2020/05/06 -modified: 2022/10/09 +modified: 2024/01/25 tags: - attack.lateral_movement - attack.t1021.002 @@ -22,7 +22,6 @@ detection: AuthenticationPackageName: 'NTLM' WorkstationName|re: '^[A-Za-z0-9]{16}$' selection2: - ProcessName: EventID: 4776 Workstation|re: '^[A-Za-z0-9]{16}$' condition: 1 of selection* diff --git a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml index 2cb0b5bbe..aea6eff2f 100644 --- a/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml 
@@ -1,10 +1,13 @@ -title: New or Renamed User Account with '$' in Attribute 'SamAccountName' +title: New or Renamed User Account with '$' Character id: cfeed607-6aa4-4bbd-9627-b637deb723c8 status: test -description: Detects possible bypass EDR and SIEM via abnormal user account name. +description: | + Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms. +references: + - https://twitter.com/SBousseaden/status/1387743867663958021 author: Ilyas Ochkov, oscd.community date: 2019/10/25 -modified: 2022/11/22 +modified: 2024/01/16 tags: - attack.defense_evasion - attack.t1036 @@ -12,18 +15,16 @@ logsource: product: windows service: security detection: - selection1: + selection_create: EventID: 4720 # create user SamAccountName|contains: '$' - selection2: + selection_rename: EventID: 4781 # rename user NewTargetUserName|contains: '$' - condition: 1 of selection* -fields: - - EventID - - SamAccountName - - SubjectUserName - - NewTargetUserName + filter_main_homegroup: + EventID: 4720 + TargetUserName: 'HomeGroupUser$' + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index 3bb39b227..e9b47576e 100644 --- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml 
@@ -9,7 +9,7 @@ references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html - https://www.x86matthew.com/view_post?id=create_svc_rpc - https://twitter.com/SBousseaden/status/1490608838701166596 -author: Tim Rauch (Nextron Systems), Elastic +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/15 modified: 2023/01/04 tags: diff --git a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml index fdf8a2768..41fb8d1ea 100644 --- a/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml +++ b/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml @@ -1,9 +1,12 @@ -title: Addition of Domain Trusts +title: A New Trust Was Created To A Domain id: 0255a820-e564-4e40-af2b-6ac61160335c status: stable description: Addition of domains is seldom and should be verified for legitimacy. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706 author: Thomas Patzke date: 2019/12/03 +modified: 2024/01/16 tags: - attack.persistence - attack.t1098 diff --git a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml index 0164af360..5ef3041be 100644 --- a/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml +++ b/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml 
@@ -1,10 +1,12 @@ title: Kerberos Manipulation id: f7644214-0eb0-4ace-9455-331ec4c09253 status: test -description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages +description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771 author: Florian Roth (Nextron Systems) date: 2017/02/10 -modified: 2021/11/27 +modified: 2024/01/16 tags: - attack.credential_access - attack.t1212 @@ -18,7 +20,7 @@ detection: - 4768 - 4769 - 4771 - FailureCode: + Status: - '0x9' - '0xA' - '0xB' diff --git a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml index aa02d0704..4d1fad92a 100644 --- a/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml @@ -5,6 +5,8 @@ related: type: similar status: test description: Detects known sensitive file extensions accessed on a network share +references: + - Internal Research author: Samir Bousseaden date: 2019/04/03 modified: 2022/10/09 @@ -18,24 +20,19 @@ detection: selection: EventID: 5145 RelativeTargetName|endswith: - - '.pst' - - '.ost' - - '.msg' - - '.nst' - - '.oab' - - '.edb' - - '.nsf' - '.bak' - '.dmp' + - '.edb' - '.kirbi' - - '\groups.xml' + - '.msg' + - '.nsf' + - '.nst' + - '.oab' + - '.ost' + - '.pst' - '.rdp' + - '\groups.xml' condition: selection -fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - RelativeTargetName falsepositives: - Help Desk operator doing backup or re-imaging end user machine or backup software - Users working with these data types or exchanging message files 
diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml index 8be8889b3..ff65a76a6 100644 --- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml +++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml @@ -4,7 +4,10 @@ related: - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 type: derived status: test -description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +description: | + Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques. +references: + - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2022/11/29 @@ -14,12 +17,12 @@ tags: logsource: product: windows service: security - definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 + definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697' detection: selection: EventID: 4697 ServiceFileName|contains: 'tap0901' condition: selection falsepositives: - - Legitimate OpenVPN TAP insntallation -level: medium + - Legitimate OpenVPN TAP installation +level: low diff --git a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml index 70b83aea0..7fabb7bad 100644 --- a/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml +++ b/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml 
@@ -1,7 +1,10 @@ -title: User Added to Local Administrators +title: User Added to Local Administrator Group id: c265cf08-3f99-46c1-8d59-328247057d57 status: stable -description: This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity +description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4732 + - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers author: Florian Roth (Nextron Systems) date: 2017/03/14 modified: 2021/01/17 @@ -14,15 +17,14 @@ logsource: product: windows service: security detection: - selection: + selection_eid: EventID: 4732 - selection_group1: - TargetUserName|startswith: 'Administr' - selection_group2: - TargetSid: 'S-1-5-32-544' - filter: + selection_group: + - TargetUserName|startswith: 'Administr' + - TargetSid: 'S-1-5-32-544' + filter_main_computer_accounts: SubjectUserName|endswith: '$' - condition: selection and (1 of selection_group*) and not filter + condition: all of selection_* and not 1 of filter_* falsepositives: - Legitimate administrative activity level: medium diff --git a/rules/windows/builtin/security/win_security_user_creation.yml b/rules/windows/builtin/security/win_security_user_creation.yml index 1748014e3..78d7ba34d 100644 --- a/rules/windows/builtin/security/win_security_user_creation.yml +++ b/rules/windows/builtin/security/win_security_user_creation.yml 
@@ -1,7 +1,8 @@ title: Local User Creation id: 66b6be3d-55d0-4f47-9855-d69df21740ea status: test -description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs. +description: | + Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs. references: - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ author: Patrick Bareiss @@ -17,10 +18,6 @@ detection: selection: EventID: 4720 condition: selection -fields: - - EventCode - - AccountName - - AccountDomain falsepositives: - Domain Controller Logs - Local accounts managed by privileged account management tools diff --git a/rules/windows/builtin/security/win_security_user_logoff.yml b/rules/windows/builtin/security/win_security_user_logoff.yml index 1d579621b..e85b1cd04 100644 --- a/rules/windows/builtin/security/win_security_user_logoff.yml +++ b/rules/windows/builtin/security/win_security_user_logoff.yml @@ -8,6 +8,9 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647 author: frack113 date: 2022/10/14 +tags: + - attack.impact + - attack.t1531 logsource: service: security product: windows diff --git a/rules/windows/builtin/security/win_security_workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml index 1db698df7..228c87f68 100644 --- a/rules/windows/builtin/security/win_security_workstation_was_locked.yml +++ b/rules/windows/builtin/security/win_security_workstation_was_locked.yml @@ -10,7 +10,8 @@ references: author: Alexandr Yampolskyi, SOC Prime date: 2019/03/26 modified: 2023/12/11 -# tags: +tags: + - attack.impact # - CSC16 # - CSC16.11 # - ISO27002-2013 A.9.1.1 
diff --git a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml index b26250899..65e236589 100644 --- a/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml +++ b/rules/windows/builtin/system/application_popup/win_system_application_sysmon_crash.yml @@ -1,9 +1,12 @@ -title: Sysmon Crash +title: Sysmon Application Crashed id: 4d7f1827-1637-4def-8d8a-fd254f9454df status: test description: Detects application popup reporting a failure of the Sysmon service +references: + - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36 author: Tim Shelton date: 2022/04/26 +modified: 2024/01/17 tags: - attack.defense_evasion - attack.t1562 @@ -14,7 +17,9 @@ detection: selection: Provider_Name: 'Application Popup' EventID: 26 - Caption: 'sysmon64.exe - Application Error' + Caption: + - 'sysmon64.exe - Application Error' + - 'sysmon.exe - Application Error' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml deleted file mode 100644 index 2f6594cdc..000000000 --- a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_quarkspwdump_clearing_hive_access_history.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: QuarksPwDump Clearing Access History -id: 39f919f3-980b-4e6f-a975-8af7e507ef2b -status: test -description: Detects QuarksPwDump clearing access history in hive -author: Florian Roth (Nextron Systems) -date: 2017/05/15 -modified: 2022/04/14 -tags: - - attack.credential_access - - attack.t1003.002 -logsource: - product: windows - service: system -detection: - selection: - EventID: 16 - Provider_Name: Microsoft-Windows-Kernel-General - HiveName|contains: '\AppData\Local\Temp\SAM' - HiveName|endswith: '.dmp' - condition: selection -falsepositives: - - Unknown -level: critical diff --git a/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml new file mode 100644 index 000000000..b102505ba --- /dev/null +++ b/rules/windows/builtin/system/microsoft_windows_kernel_general/win_system_susp_critical_hive_location_access_bits_cleared.yml 
@@ -0,0 +1,32 @@ +title: Critical Hive In Suspicious Location Access Bits Cleared +id: 39f919f3-980b-4e6f-a975-8af7e507ef2b +related: + - id: 839dd1e8-eda8-4834-8145-01beeee33acd + type: obsoletes +status: test +description: | + Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. + This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). + Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior. +references: + - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md +author: Florian Roth (Nextron Systems) +date: 2017/05/15 +modified: 2024/01/18 +tags: + - attack.credential_access + - attack.t1003.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 16 + Provider_Name: Microsoft-Windows-Kernel-General + HiveName|contains: + - '\Temp\SAM' + - '\Temp\SECURITY' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml index 8371db7ff..eab993b0d 100644 --- a/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml +++ b/rules/windows/builtin/system/microsoft_windows_windows_update_client/win_system_susp_system_update_error.yml 
@@ -1,7 +1,10 @@ title: Windows Update Error id: 13cfeb75-9e33-4d04-b0f7-ab8faaa95a59 status: stable -description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KB aren't installed. +description: | + Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed. +references: + - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml author: frack113 date: 2021/12/04 modified: 2023/09/07 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml index 4428ac09a..f1f6aa136 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sups_unusal_client.yml @@ -7,7 +7,7 @@ status: test description: Detects a service installed by a client which has PID 0 or whose parent has PID 0 references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html -author: Tim Rauch (Nextron Systems), Elastic +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/15 modified: 2023/01/04 tags: diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml index 3252a5178..a945fed5c 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml 
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_susp.yml @@ -7,6 +7,8 @@ related: type: similar status: test description: Detects suspicious service installation commands +references: + - Internal Research author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) date: 2022/03/18 modified: 2023/12/04 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml index ed85623e6..940b69850 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml @@ -2,6 +2,8 @@ title: Tap Driver Installation id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 status: test description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +references: + - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2022/12/25 @@ -18,5 +20,5 @@ detection: ImagePath|contains: 'tap0901' condition: selection falsepositives: - - Legitimate OpenVPN TAP insntallation + - Legitimate OpenVPN TAP installation level: medium diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml index fe1a752fd..91dbb0e65 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml 
@@ -1,4 +1,4 @@ -title: Uncommon Service Installation +title: Uncommon Service Installation Image Path id: 26481afe-db26-4228-b264-25a29fe6efc7 related: - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53 @@ -6,7 +6,10 @@ related: - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b type: derived status: test -description: Detects uncommon service installation commands +description: | + Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc. +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2022/03/18 modified: 2023/12/04 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml index 6a2d67287..1300592fc 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder.yml @@ -3,8 +3,10 @@ id: 5e993621-67d4-488a-b9ae-b420d08b96cb status: test description: Detects service installation in suspicious folder appdata author: pH-T (Nextron Systems) +references: + - Internal Research date: 2022/03/18 -modified: 2022/10/12 +modified: 2024/01/18 tags: - attack.persistence - attack.privilege_escalation 
@@ -17,15 +19,14 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - selection_suspicious1: ImagePath|contains: - '\AppData\' - '\\\\127.0.0.1' - '\\\\localhost' - filter_zoom: + filter_optional_zoom: ServiceName: 'Zoom Sharing Service' - ImagePath|startswith: '"C:\Program Files\Common Files\Zoom\Support\CptService.exe' - condition: all of selection* and not 1 of filter* + ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe' + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml index afa79606d..410d9b36f 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_folder_pattern.yml @@ -2,6 +2,8 @@ title: Service Installation with Suspicious Folder Pattern id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2 status: test description: Detects service installation with suspicious folder patterns +references: + - Internal Research author: pH-T (Nextron Systems) date: 2022/03/18 modified: 2022/03/24 diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml index 316802e1d..6785a6d39 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml 
@@ -2,6 +2,8 @@ title: Suspicious Service Installation Script id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a status: test description: Detects suspicious service installation scripts +references: + - Internal Research author: pH-T (Nextron Systems) date: 2022/03/18 modified: 2022/11/18 diff --git a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml index b5e8b8890..95cd96d8e 100644 --- a/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml +++ b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete.yml @@ -6,7 +6,10 @@ related: - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog type: similar status: test -description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +description: | + Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities +references: + - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/ author: frack113 date: 2023/01/13 modified: 2023/02/07 diff --git a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml index 2c7753343..2e285226b 100644 --- a/rules/windows/driver_load/driver_load_win_susp_temp_use.yml +++ b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml @@ -2,6 +2,8 @@ title: Driver Load From A Temporary Directory id: 2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75 status: test description: Detects a driver load from a temporary directory +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/02/12 modified: 2021/11/27 
diff --git a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml index 1cc4cb593..08eaddcd0 100644 --- a/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml +++ b/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml @@ -7,7 +7,7 @@ status: test description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html -author: Tim Rauch (Nextron Systems) +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/27 tags: - attack.initial_access diff --git a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml index 2b80ce655..3e85e23c4 100755 --- a/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml +++ b/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml @@ -2,9 +2,12 @@ title: Prefetch File Deleted id: 0a1f9d29-6465-4776-b091-7f43b26e4c89 status: test description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence +references: + - Internal Research + - https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/ author: Cedric MAURUGEON date: 2021/09/29 -modified: 2023/02/15 +modified: 2024/01/25 tags: - attack.defense_evasion - attack.t1070.004 
@@ -13,14 +16,14 @@ logsource: category: file_delete detection: selection: - TargetFilename|startswith: 'C:\Windows\Prefetch\' + TargetFilename|contains: ':\Windows\Prefetch\' TargetFilename|endswith: '.pf' - filter: - Image: 'C:\windows\system32\svchost.exe' + filter_main_svchost: + Image|endswith: ':\windows\system32\svchost.exe' User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml index c55ae88bd..1cca90ad5 100644 --- a/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml +++ b/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml @@ -7,7 +7,7 @@ status: test description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html -author: Tim Rauch (Nextron Systems) +author: Tim Rauch (Nextron Systems), Elastic (idea) date: 2022/09/27 modified: 2023/02/15 tags: diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml index 983af1f61..a425bd0fd 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml 
@@ -1,7 +1,10 @@ title: Files With System Process Name In Unsuspected Locations id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d status: test -description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc). +description: | + Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). +references: + - Internal Research author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020/05/26 modified: 2023/11/10 diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml index 586c9307f..ab1167ac9 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -28,7 +28,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein date: 2018/04/07 -modified: 2023/04/17 +modified: 2024/01/25 tags: - attack.execution - attack.t1059.001 @@ -52,6 +52,7 @@ detection: - '\Copy-VSS.ps1' - '\Create-MultipleSessions.ps1' - '\DNS_TXT_Pwnage.ps1' + - '\dnscat2.ps1' - '\Do-Exfiltration.ps1' - '\DomainPasswordSpray.ps1' - '\Download_Execute.ps1' diff --git a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml index 27662b783..7c28e3744 100755 --- a/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml +++ b/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml 
@@ -3,6 +3,8 @@ id: 52753ea4-b3a0-4365-910d-36cff487b789 status: test description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder author: Samir Bousseaden +references: + - Internal Research date: 2019/02/21 modified: 2021/11/27 tags: diff --git a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml index 67a3c7e88..091b8e453 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml @@ -25,8 +25,9 @@ references: - https://github.com/samratashok/nishang - https://github.com/DarkCoderSc/PowerRunAsSystem/ - https://github.com/besimorhino/powercat -author: frack113, Nasreddine Bencherchali +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/01/23 +modified: 2024/01/25 tags: - attack.execution - attack.t1059.001 @@ -48,6 +49,7 @@ detection: - 'Copy-VSS.ps1' - 'Create-MultipleSessions.ps1' - 'DNS_TXT_Pwnage.ps1' + - 'dnscat2.ps1' - 'Do-Exfiltration.ps1' - 'DomainPasswordSpray.ps1' - 'Download_Execute.ps1' diff --git a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml index 7f38e48ff..03375b4ec 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml @@ -28,7 +28,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/20 -modified: 2023/04/17 +modified: 2024/01/25 tags: - attack.execution - attack.discovery @@ -236,6 +236,7 @@ detection: - 'Set-Wallpaper' - 'Show-TargetScreen' - 'Start-CaptureServer' + - 'Start-Dnscat2' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' condition: selection 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index 1741a9b79..ca747ba77 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -24,7 +24,6 @@ detection: filter_pwsh_archive: ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' condition: selection and not 1 of filter_* - falsepositives: - Legitimate use remote PowerShell sessions level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 66054fa1f..c9731f4b9 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -5,6 +5,9 @@ related: type: derived status: test description: Detects suspicious PowerShell download command +references: + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0 + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0 author: Florian Roth (Nextron Systems) date: 2017/03/05 modified: 2023/01/20 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 5b22d096c..9859cbf49 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml 
@@ -7,6 +7,8 @@ related: type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/03/12 modified: 2023/01/03 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index e3e58c6b4..1d4efbe04 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml @@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived + type: obsoletes - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 modified: 2023/01/05 diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 91ca9fc50..c09dd22f0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -32,7 +32,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer date: 2017/03/05 -modified: 2023/11/22 +modified: 2024/01/25 tags: - attack.execution - attack.discovery 
@@ -226,6 +226,7 @@ detection: - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner - 'Show-TargetScreen' - 'Start-CaptureServer' + - 'Start-Dnscat2' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' # - 'Check-VM' diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml index a32f845fc..bf32622be 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml @@ -4,7 +4,7 @@ status: test description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. references: - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/28 tags: - attack.credential_access diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml index bf9d935aa..9cfed3da8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml @@ -5,6 +5,9 @@ related: type: derived status: test description: Detects suspicious PowerShell download command +references: + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0 + - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0 author: Florian Roth (Nextron Systems) date: 2017/03/05 modified: 2022/12/02 
@@ -21,7 +24,9 @@ detection: download: ScriptBlockText|contains: - '.DownloadFile(' + - '.DownloadFileAsync(' - '.DownloadString(' + - '.DownloadStringAsync(' condition: webclient and download falsepositives: - PowerShell scripts that download content from the Internet diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml index 72f108610..cc2a63ed5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml @@ -7,6 +7,8 @@ related: type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/03/12 modified: 2023/01/03 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml index a1b662996..34266d9b0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml @@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived + type: obsoletes - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 type: similar - id: 536e2947-3729-478c-9903-745aaffe60d2 type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro date: 2017/03/05 modified: 2023/01/05 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml index 8bf849c51..7d65f5d12 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml @@ -7,7 +7,7 @@ status: test description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions references: - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/16 modified: 2022/11/26 tags: diff --git a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml index 437a479b6..d0416d6cb 100644 --- a/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml +++ b/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml @@ -2,6 +2,8 @@ title: Potential Shellcode Injection id: 250ae82f-736e-4844-a68b-0b5e8cc887da status: test description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject +references: + - https://github.com/EmpireProject/PSInject author: Bhabesh Raj date: 2022/03/11 modified: 2023/11/29 diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml index b18ef2844..00145c3f7 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml 
@@ -1,14 +1,18 @@ title: Monitoring For Persistence Via BITS id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d status: test -description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded +description: | + BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. + When the job runs on the system the command specified in the BITS job will be executed. + This can be abused by actors to create a backdoor within the system and for persistence. + It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded. references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394 author: Sreeman date: 2020/10/29 -modified: 2022/03/07 +modified: 2024/01/25 tags: - attack.defense_evasion - attack.t1197 
@@ -16,24 +20,25 @@ logsource: product: windows category: process_creation detection: - selection_1: - CommandLine|contains|all: - - 'bitsadmin' - - '/SetNotifyCmdLine' + selection_img: + - Image|endswith: '\bitsadmin.exe' + - OriginalFileName: 'bitsadmin.exe' + selection_cli_notify_1: + CommandLine|contains: '/SetNotifyCmdLine' + selection_cli_notify_2: CommandLine|contains: - '%COMSPEC%' - 'cmd.exe' - 'regsvr32.exe' - selection_2: - CommandLine|contains|all: - - 'bitsadmin' - - '/Addfile' + selection_cli_add_1: + CommandLine|contains: '/Addfile' + selection_cli_add_2: CommandLine|contains: - 'http:' - 'https:' - 'ftp:' - 'ftps:' - condition: 1 of selection_* + condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*) falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml index 4c6d3687d..f08878e39 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspicious parent process for cmd.exe references: - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/21 modified: 2023/12/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml index cd0b375b7..562bbc765 100644 --- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/28 modified: 2023/03/29 tags: diff --git a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml index 1fb5aeb93..09aef9696 100644 --- a/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_remote_file_download.yml @@ -4,7 +4,7 @@ status: test description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. references: - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 tags: - attack.command_and_control diff --git a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml index 0aa75b634..70b508845 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml 
@@ -2,6 +2,9 @@ title: DNS Exfiltration and Tunneling Tools Execution id: 98a96a5a-64a0-4c42-92c5-489da3866cb0 status: test description: Well-known DNS Exfiltration tools execution +references: + - https://github.com/iagox86/dnscat2 + - https://github.com/yarrick/iodine author: Daniil Yugoslavskiy, oscd.community date: 2019/10/24 modified: 2021/11/27 diff --git a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml index 2c3ec73f7..4c887aad8 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml @@ -4,7 +4,7 @@ status: test description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) references: - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 modified: 2023/02/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml index f3dd1379a..fdb367ab3 100644 --- a/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml +++ b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml 
@@ -1,11 +1,12 @@ -title: Fake Instance Of Hxtsr.exe +title: Potential Fake Instance Of Hxtsr.EXE Executed id: 4e762605-34a8-406d-b72e-c1a089313320 status: test description: | HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". - Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe +references: + - Internal Research author: Sreeman date: 2020/04/17 modified: 2023/02/21 @@ -16,12 +17,13 @@ logsource: product: windows category: process_creation detection: + # TODO: Link this to the more generic system process rule selection: - Image: hxtsr.exe - filter: - CurrentDirectory|startswith: 'C:\program files\windowsapps\microsoft.windowscommunicationsapps_' + Image|endswith: '\hxtsr.exe' + filter_main_hxtsr: + CurrentDirectory|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_' CurrentDirectory|endswith: '\hxtsr.exe' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml index 24b8c18b1..386622722 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml 
@@ -6,7 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ -author: Tim Rauch, Janantha Marasinghe +author: Tim Rauch, Janantha Marasinghe, Elastic (original idea) date: 2022/11/08 modified: 2023/01/22 tags: diff --git a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml index 257b4e90b..2d7cff58f 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml @@ -4,7 +4,7 @@ status: test description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/28 modified: 2022/12/30 tags: diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml index 299f7a56a..76637ef15 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process.yml 
@@ -5,9 +5,11 @@ related: type: similar status: experimental description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ author: Andreas Hunkeler (@Karneades), Florian Roth date: 2021/12/17 -modified: 2023/11/09 +modified: 2024/01/18 tags: - attack.initial_access - attack.persistence @@ -20,7 +22,6 @@ detection: ParentImage|endswith: '\java.exe' Image|endswith: - '\AppVLP.exe' - - '\bash.exe' - '\bitsadmin.exe' - '\certutil.exe' - '\cscript.exe' diff --git a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml index 0255a32e2..70e02fb67 100644 --- a/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml +++ b/rules/windows/process_creation/proc_creation_win_java_susp_child_process_2.yml @@ -5,9 +5,11 @@ related: type: similar status: test description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) +references: + - https://www.lunasec.io/docs/blog/log4j-zero-day/ author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali date: 2021/12/17 -modified: 2023/11/09 +modified: 2024/01/18 tags: - attack.initial_access - attack.persistence @@ -19,6 +21,7 @@ detection: selection: ParentImage|endswith: '\java.exe' Image|endswith: + - '\bash.exe' - '\cmd.exe' - '\powershell.exe' - '\pwsh.exe' diff --git a/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml b/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml deleted file mode 100644 index 354cc6c76..000000000 --- a/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: WScript or CScript Dropper -id: cea72823-df4d-4567-950c-0b579eaf0846 -status: test -description: Detects wscript/cscript executions of scripts located in user directories -author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community -date: 2019/01/16 -modified: 2021/11/27 -tags: - - attack.execution - - attack.t1059.005 - - attack.t1059.007 -logsource: - category: process_creation - product: windows -detection: - selection1: - Image|endswith: - - '\wscript.exe' - - '\cscript.exe' - CommandLine|contains: - - 'C:\Users\' - - 'C:\ProgramData\' - selection2: - CommandLine|contains: - - '.jse' - - '.vbe' - - '.js' - - '.vba' - - '.vbs' - falsepositive: - ParentImage|contains: '\winzip' - condition: selection1 and selection2 and not falsepositive -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Winzip - - Other self-extractors -level: high diff --git a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml index 4114b891d..384920f5e 100644 --- a/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_mssql_susp_child_process.yml @@ -5,6 +5,8 @@ related: type: obsoletes status: experimental description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. +references: + - Internal Research author: FPT.EagleEye Team, wagga date: 2020/12/11 modified: 2023/05/04 diff --git a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml index fd74e1d76..9c77946d9 100644 --- a/rules/windows/process_creation/proc_creation_win_net_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_net_stop_service.yml 
@@ -4,7 +4,9 @@ related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes status: test -description: Detects the stopping of a Windows service +description: Detects the stopping of a Windows service via the "net" utility. +references: + - https://ss64.com/nt/net-service.html author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml index be17b11b8..28f643668 100644 --- a/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml +++ b/rules/windows/process_creation/proc_creation_win_office_outlook_execution_from_temp.yml @@ -1,8 +1,10 @@ -title: Execution in Outlook Temp Folder +title: Suspicious Execution From Outlook Temporary Folder id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39 status: test description: Detects a suspicious program execution in Outlook temp folder author: Florian Roth (Nextron Systems) +references: + - Internal Research date: 2019/10/01 modified: 2022/10/09 tags: @@ -15,9 +17,6 @@ detection: selection: Image|contains: '\Temporary Internet Files\Content.Outlook\' condition: selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml index 10827a725..422a39389 100644 --- a/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml +++ b/rules/windows/process_creation/proc_creation_win_plink_susp_tunneling.yml @@ -1,4 +1,4 @@ -title: Potential RDP Tunneling Via SSH Plink +title: Potential RDP Tunneling Via Plink id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da related: - id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe 
@@ -29,5 +29,5 @@ detection: - ' -P 22' condition: selection_a or all of selection_b* falsepositives: - - Administrative activity + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml index 2440573e3..272d5d7d1 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_disable_firewall.yml @@ -7,7 +7,7 @@ status: test description: Detects attempts to disable the Windows Firewall using PowerShell references: - https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/14 modified: 2023/02/13 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml index 12631131e..195b3b0ea 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml @@ -5,6 +5,10 @@ related: type: derived status: test description: Detects a Powershell process that contains download commands in its command line string +references: + - https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html + - https://lab52.io/blog/winter-vivern-all-summer/ + - https://hatching.io/blog/powershell-analysis/ author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro date: 2019/01/16 modified: 2023/01/26 @@ -31,9 +35,6 @@ detection: - 'string(' - 'file(' condition: all of selection_* -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unknown level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml index 3a676d2ea..8d71f2ac7 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml @@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - ProcessCreation id: 536e2947-3729-478c-9903-745aaffe60d2 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c - type: derived + type: obsoletes - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71 type: similar - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 type: similar status: test description: Detects suspicious PowerShell invocation command parameters +references: + - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml index be865cd0b..0c74b9472 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml @@ -28,7 +28,7 @@ references: - https://github.com/adrecon/AzureADRecon author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/02 -modified: 2023/04/17 +modified: 2024/01/25 tags: - attack.execution - attack.discovery @@ -235,6 +235,7 @@ detection: - 'Set-Wallpaper' - 'Show-TargetScreen' - 'Start-CaptureServer' + - 'Start-Dnscat2' - 'Start-WebcamRecorder' - 'VolumeShadowCopyTools' condition: selection diff --git a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml index b045fe33b..0685e8675 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml @@ -10,7 +10,7 @@ description: Detects deletion of Windows Volume Shadow Copies with PowerShell co references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/20 modified: 2022/12/30 tags: diff --git a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml index 0ffc735fa..5653001de 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_stop_service.yml @@ -4,7 +4,9 @@ related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes status: test -description: Detects the stopping of a Windows service +description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service" +references: + - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 tags: diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml index ceb02dd82..1ecfad9f2 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml 
@@ -1,10 +1,14 @@ title: Write Protect For Storage Disabled id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13 status: test -description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group. +description: | + Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. + This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group. +references: + - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html author: Sreeman date: 2021/06/11 -modified: 2023/12/15 +modified: 2024/01/18 tags: - attack.defense_evasion - attack.t1562 @@ -17,9 +21,7 @@ detection: - '\System\CurrentControlSet\Control' - 'Write Protection' - '0' - CommandLine|contains: - 'storage' - - 'storagedevicepolicies' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml index c843dc503..021b959ae 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_stop_service.yml @@ -4,9 +4,12 @@ related: - id: eb87818d-db5d-49cc-a987-d5da331fbd90 type: obsoletes status: test -description: Detects the stopping of a Windows service +description: Detects the stopping of a Windows service via the "sc.exe" utility +references: + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11) author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/03/05 +modified: 2024/01/18 tags: - attack.impact - attack.t1489 
@@ -19,14 +22,7 @@ detection: - Image|endswith: '\sc.exe' selection_cli: CommandLine|contains: ' stop ' - filter_kaspersky: - CommandLine: - - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop - - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service - User|contains: # covers many language settings - - 'AUTHORI' - - 'AUTORI' - condition: all of selection_* and not 1 of filter_* + condition: all of selection_* falsepositives: - - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly + - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly level: low diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml index 14c91908c..34f3bcc07 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml @@ -1,10 +1,12 @@ -title: Scheduled Task Creation +title: Scheduled Task Creation Via Schtasks.EXE id: 92626ddd-662c-49e3-ac59-f6535f12d189 status: test -description: Detects the creation of scheduled tasks in user session +description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. +references: + - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create author: Florian Roth (Nextron Systems) date: 2019/01/16 -modified: 2022/10/09 +modified: 2024/01/18 tags: - attack.execution - attack.persistence 
@@ -20,14 +22,11 @@ detection: selection: Image|endswith: '\schtasks.exe' CommandLine|contains: ' /create ' - filter: + filter_main_system_user: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine + condition: selection and not 1 of filter_main_* falsepositives: - Administrative activity - Software installation diff --git a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml index aede5ee40..1a7070539 100644 --- a/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml +++ b/rules/windows/process_creation/proc_creation_win_ssh_rdp_tunneling.yml @@ -22,5 +22,5 @@ detection: CommandLine|contains: ':3389' condition: selection falsepositives: - - Administrative activity + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml index 4f2e2ab79..a5fce1866 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_priv_escalation_via_named_pipe.yml @@ -7,7 +7,7 @@ status: test description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. references: - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 modified: 2022/12/30 tags: diff --git a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml index bb098e728..b02f0a5e6 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml @@ -4,7 +4,7 @@ status: test description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. references: - https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 tags: - attack.lateral_movement diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml similarity index 75% rename from rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml rename to rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml index 218f4e898..7534759ac 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sensitive_file_access_shadowcopy.yml 
@@ -1,14 +1,15 @@ -title: Sensitive Registry Access via Volume Shadow Copy +title: Sensitive File Access Via Volume Shadow Copy Backup id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d status: test -description: Detects a command that accesses password storing registry hives via volume shadow backups +description: | + Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit) references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) date: 2021/08/09 -modified: 2022/09/09 +modified: 2024/01/18 tags: - attack.impact - attack.t1490 @@ -25,8 +26,7 @@ detection: - '\\NTDS.dit' - '\\SYSTEM' - '\\SECURITY' - - 'C:\\tmp\\log' - condition: all of selection* + condition: all of selection_* falsepositives: - - Some rare backup scenarios + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml index 44107852e..7de9c1c05 100644 --- a/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_svchost_uncommon_parent_process.yml @@ -2,6 +2,8 @@ title: Uncommon Svchost Parent Process id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d status: test description: Detects an uncommon svchost parent process +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2017/08/15 modified: 2022/06/28 
diff --git a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml index 77a18b175..df3f962ad 100644 --- a/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml @@ -2,6 +2,8 @@ title: Tap Installer Execution id: 99793437-3e16-439b-be0f-078782cf953d status: test description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques +references: + - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 modified: 2023/12/11 @@ -24,5 +26,5 @@ detection: Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\' condition: selection and not 1 of filter_optional_* falsepositives: - - Legitimate OpenVPN TAP insntallation + - Legitimate OpenVPN TAP installation level: medium diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml index df99d755c..a7826d46a 100644 --- a/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml +++ b/rules/windows/process_creation/proc_creation_win_taskmgr_localsystem.yml @@ -2,6 +2,8 @@ title: Taskmgr as LOCAL_SYSTEM id: 9fff585c-c33e-4a86-b3cd-39312079a65f status: test description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2018/03/18 modified: 2022/05/27 diff --git a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml index c87d37ee9..a94726166 100644 --- a/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml 
+++ b/rules/windows/process_creation/proc_creation_win_taskmgr_susp_child_process.yml @@ -1,10 +1,12 @@ -title: Taskmgr as Parent +title: New Process Created Via Taskmgr.EXE id: 3d7679bd-0c00-440c-97b0-3f204273e6c7 status: test -description: Detects the creation of a process from Windows task manager +description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC +references: + - https://twitter.com/ReneFreingruber/status/1172244989335810049 author: Florian Roth (Nextron Systems) date: 2018/03/13 -modified: 2021/11/27 +modified: 2024/01/18 tags: - attack.defense_evasion - attack.t1036 @@ -14,16 +16,12 @@ logsource: detection: selection: ParentImage|endswith: '\taskmgr.exe' - filter: + filter_main_generic: Image|endswith: - - '\resmon.exe' - - '\mmc.exe' - - '\taskmgr.exe' - condition: selection and not filter -fields: - - Image - - CommandLine - - ParentCommandLine + - ':\Windows\System32\mmc.exe' + - ':\Windows\System32\resmon.exe' + - ':\Windows\System32\Taskmgr.exe' + condition: selection and not 1 of filter_main_* falsepositives: - Administrative activity level: low diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml index 369b65dca..f0b0f5ce4 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml 
@@ -4,7 +4,7 @@ status: test description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in references: - https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack -author: Tim Rauch +author: Tim Rauch, Elastic (idea) date: 2022/09/27 tags: - attack.privilege_escalation diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml index 5194cf3f3..7934fc77b 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml @@ -4,7 +4,7 @@ status: test description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface references: - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html -author: Florian Roth (Nextron Systems) +author: Florian Roth (Nextron Systems), Elastic (idea) date: 2022/09/13 modified: 2022/09/27 tags: diff --git a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml index 9bb200110..67f29fe1e 100644 --- a/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_winrm_susp_child_process.yml @@ -3,6 +3,8 @@ id: 5cc2cda8-f261-4d88-a2de-e9e193c86716 status: test description: Detects suspicious processes including shells spawnd from WinRM host process author: Andreas Hunkeler (@Karneades), Markus Neis +references: + - Internal Research date: 2021/05/20 modified: 2022/07/14 tags: 
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml new file mode 100644 index 000000000..6a1be6e4f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml @@ -0,0 +1,44 @@ +title: Potential Dropper Script Execution Via WScript/CScript +id: cea72823-df4d-4567-950c-0b579eaf0846 +related: + - id: 1e33157c-53b1-41ad-bbcc-780b80b58288 + type: similar +status: deprecated +description: Detects wscript/cscript executions of scripts located in user directories +references: + - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/ + - https://redcanary.com/blog/gootloader/ +author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) +date: 2019/01/16 +modified: 2024/01/18 +tags: + - attack.execution + - attack.t1059.005 + - attack.t1059.007 +logsource: + category: process_creation + product: windows +detection: + selection_exec: + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + selection_paths: + CommandLine|contains: + - ':\Temp\' + - ':\Tmp\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' + selection_ext: + CommandLine|contains: + - '.js' + - '.jse' + - '.vba' + - '.vbe' + - '.vbs' + - '.wsf' + condition: all of selection_* +falsepositives: + - Some installers might generate a similar behavior. An initial baseline is required +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml index 10be02086..e790dde45 100644 --- a/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml 
@@ -2,6 +2,8 @@ title: Cscript/Wscript Uncommon Script Extension Execution id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee status: experimental description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension +references: + - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 modified: 2023/06/19 diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index 797e4361a..f49f503e8 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -2,6 +2,10 @@ title: WMI Event Subscription id: 0f06a3a5-6a09-413f-8743-e6cf35561297 status: test description: Detects creation of WMI event subscription persistence method +references: + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected + - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 modified: 2021/11/27 diff --git a/tests/thor.yml b/tests/thor.yml index 7d2d2831e..3665d602d 100644 --- a/tests/thor.yml +++ b/tests/thor.yml @@ -548,6 +548,11 @@ logsources: service: hyper-v-worker sources: - 'WinEventLog:Microsoft-Windows-Hyper-V-Worker' + windows-kernel-event-tracing: + product: windows + service: kernel-event-tracing + sources: + - 'WinEventLog:Microsoft-Windows-Kernel-EventTracing' apache: category: webserver sources:
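Review bot: In the new proc_creation_win_wscript_cscript_dropper.yml (hunk `@@ -0,0 +1,44 @@`), `status: deprecated` contradicts everything else in the file: the rule keeps its original id `cea72823-df4d-4567-950c-0b579eaf0846`, receives `modified: 2024/01/18`, new references, a reworked `detection` block and `level: medium`, and is placed under `rules/` rather than with the deprecated rules. A rule that is actively being rewritten should carry `status: test` or `status: experimental`; as written, tooling that skips deprecated rules will silently drop it. The description also still says "scripts located in user directories", while `selection_paths` now matches `:\Temp\`, `:\Tmp\` and `:\Windows\Temp\`, which are not user directories; suggest wording such as "Detects wscript/cscript execution of script files located in temporary or publicly writable directories".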
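Review bot: In proc_creation_win_powershell_invocation_specific.yml (hunk `@@ -2,13 +2,15 @@`), changing the relation to `fce5f582-cc00-41e1-941a-c6fabf0fdb8c` from `type: derived` to `type: obsoletes` asserts that the related rule is now retired, but no hunk in this patch moves that rule to the deprecated set or changes its status. Either include that change here or keep `type: derived` until it lands; an `obsoletes` relation pointing at a rule that is still active misleads consumers that resolve `related` entries.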
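Review bot: In proc_creation_win_reg_write_protect_for_storage_disabled.yml (hunk `@@ -17,9 +21,7 @@`), removing the `CommandLine|contains:` key while keeping the `- 'storage'` item means that item now attaches to the preceding list (the one holding `'Write Protection'` and `'0'`), so `storage` turns from one of two alternatives into a required substring of the same `contains|all` match. Dropping `'storagedevicepolicies'` itself is harmless, since that string contains `storage`, but please double-check the resulting indentation and that the preceding key really is the `|all` modifier, because this is a logic change and not only the metadata update the `references`/`modified` lines suggest.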
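Review bot: In proc_creation_win_sc_stop_service.yml (hunk `@@ -19,14 +22,7 @@`), deleting `filter_kaspersky` also deletes the `User|contains` exclusion for the local system account (`AUTHORI` / `AUTORI`), which was a generic filter that merely sat under a vendor-specific name. If the intent was only to drop the two product command lines, keep the user filter under its own name (e.g. `filter_main_system_user`, as the schtasks rule in this same patch does) and use `condition: all of selection_* and not 1 of filter_main_*`; otherwise service stops issued by SYSTEM from installers and updaters will now match a rule whose `falsepositives` entry already warns about volume.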
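Review bot: In proc_creation_win_susp_priv_escalation_via_named_pipe.yml (hunk `@@ -7,7 +7,7 @@`), the context line `description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.` matches neither the filename nor the referenced Elastic page on privilege escalation via named pipe impersonation; it reads as copied from a different rule. Since this patch already edits the metadata of this file, the description should be corrected in the same change to describe the named-pipe impersonation pattern the rule actually looks for.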
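Review bot: In proc_creation_win_susp_sensitive_file_access_shadowcopy.yml (hunk `@@ -1,14 +1,15 @@` and the following `@@ -25,8 +26,7 @@`), the rule is being generalised from a Conti-specific indicator (`'C:\\tmp\\log'` removed) to any access of NTDS.dit, SYSTEM or SECURITY through a shadow copy, so its false-positive surface grows, yet `falsepositives` changes from "Some rare backup scenarios" to "Unlikely"; the previous wording was the more accurate one for a generic rule, since backup and migration tooling legitimately reads these files from snapshots. The unchanged tags `attack.impact` / `attack.t1490` (Inhibit System Recovery) also no longer fit a description that is now about extracting credential material; `attack.credential_access` with `attack.t1003.002` and `attack.t1003.003` would describe the new scope. Finally, `condition: all of selection_*` requires every selection identifier in the unchanged part of the file to carry the `selection_` prefix, which the hunk does not show; confirm none is still named plain `selection`.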
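Review bot: In proc_creation_win_taskmgr_susp_child_process.yml (hunk `@@ -1,10 +1,12 @@`), the description now says "This might be an attempt to bypass UAC", but the unchanged tags `attack.defense_evasion` / `attack.t1036` (Masquerading) describe something else; if UAC bypass is the rationale for the rule, `attack.privilege_escalation` and `attack.t1548.002` are the matching tags. In the second hunk, the new `Image|endswith` values spell `:\Windows\System32\Taskmgr.exe` with a capital T while the `ParentImage` selection and the removed values are lowercase; Sigma string matching is case-insensitive by default so this is cosmetic, but the mixed casing is worth normalising.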
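Review bot: In proc_creation_win_winrm_susp_child_process.yml (hunk `@@ -3,6 +3,8 @@`), `references` is inserted after `author`, whereas almost every other rule in this patch places it between `description` and `author` (the Outlook temp folder hunk is the only other exception); keep the key order consistent so the files stay uniform. While the file is being touched, the context line `description: Detects suspicious processes including shells spawnd from WinRM host process` could also get its typo fixed ("spawned").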