Merge PR #4681 from @nasbench - Add Missing Ref & Tags
Create Release / Create Release (push) Has been cancelled
Create Release / Create Release (push) Has been cancelled
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode" fix: Metasploit SMB Authentication - Remove unnecessary field fix: Service Installation in Suspicious Folder - Update FP filter update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2" remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules remove: SAM Dump to AppData update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2" update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2" update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1" update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1" update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only update: New or Renamed User Account with '$' Character - Reduced level to "medium" update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium" update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic update: Prefetch File Deleted - Update selection to remove 'C:' prefix update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule) update: Shell Process Spawned by Java.EXE - Add "bash.exe" update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic update: Sysmon Application Crashed - Add 32bit version of sysmon binary update: Tap Driver Installation - Security - Reduce level to "low" update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
committed by
GitHub
GitHub
parent
7f582c3d16
commit
be359ef3f2
@@ -25,8 +25,9 @@ references:
|
||||
- https://github.com/samratashok/nishang
|
||||
- https://github.com/DarkCoderSc/PowerRunAsSystem/
|
||||
- https://github.com/besimorhino/powercat
|
||||
author: frack113, Nasreddine Bencherchali
|
||||
author: frack113, Nasreddine Bencherchali (Nextron Systems)
|
||||
date: 2023/01/23
|
||||
modified: 2024/01/25
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
@@ -48,6 +49,7 @@ detection:
|
||||
- 'Copy-VSS.ps1'
|
||||
- 'Create-MultipleSessions.ps1'
|
||||
- 'DNS_TXT_Pwnage.ps1'
|
||||
- 'dnscat2.ps1'
|
||||
- 'Do-Exfiltration.ps1'
|
||||
- 'DomainPasswordSpray.ps1'
|
||||
- 'Download_Execute.ps1'
|
||||
|
||||
@@ -28,7 +28,7 @@ references:
|
||||
- https://github.com/adrecon/AzureADRecon
|
||||
author: Nasreddine Bencherchali (Nextron Systems)
|
||||
date: 2023/01/20
|
||||
modified: 2023/04/17
|
||||
modified: 2024/01/25
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.discovery
|
||||
@@ -236,6 +236,7 @@ detection:
|
||||
- 'Set-Wallpaper'
|
||||
- 'Show-TargetScreen'
|
||||
- 'Start-CaptureServer'
|
||||
- 'Start-Dnscat2'
|
||||
- 'Start-WebcamRecorder'
|
||||
- 'VolumeShadowCopyTools'
|
||||
condition: selection
|
||||
|
||||
@@ -24,7 +24,6 @@ detection:
|
||||
filter_pwsh_archive:
|
||||
ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
|
||||
condition: selection and not 1 of filter_*
|
||||
|
||||
falsepositives:
|
||||
- Legitimate use remote PowerShell sessions
|
||||
level: high
|
||||
|
||||
@@ -5,6 +5,9 @@ related:
|
||||
type: derived
|
||||
status: test
|
||||
description: Detects suspicious PowerShell download command
|
||||
references:
|
||||
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
|
||||
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
|
||||
author: Florian Roth (Nextron Systems)
|
||||
date: 2017/03/05
|
||||
modified: 2023/01/20
|
||||
|
||||
@@ -7,6 +7,8 @@ related:
|
||||
type: similar
|
||||
status: test
|
||||
description: Detects suspicious PowerShell invocation command parameters
|
||||
references:
|
||||
- Internal Research
|
||||
author: Florian Roth (Nextron Systems)
|
||||
date: 2017/03/12
|
||||
modified: 2023/01/03
|
||||
|
||||
@@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific - PowerShell Module
|
||||
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
|
||||
related:
|
||||
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
||||
type: derived
|
||||
type: obsoletes
|
||||
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
|
||||
type: similar
|
||||
- id: 536e2947-3729-478c-9903-745aaffe60d2
|
||||
type: similar
|
||||
status: test
|
||||
description: Detects suspicious PowerShell invocation command parameters
|
||||
references:
|
||||
- Internal Research
|
||||
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
|
||||
date: 2017/03/05
|
||||
modified: 2023/01/05
|
||||
|
||||
Reference in New Issue
Block a user