Merge PR #4681 from @nasbench - Add Missing Ref & Tags

fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode" fix: Metasploit SMB Authentication - Remove unnecessary field fix: Service Installation in Suspicious Folder - Update FP filter update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2" remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules remove: SAM Dump to AppData update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2" update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2" update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1" update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1" update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only update: New or Renamed User Account with '$' Character - Reduced level to "medium" update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium" update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic update: Prefetch File Deleted - Update selection to remove 'C:' prefix update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule) update: Shell Process Spawned by Java.EXE - Add "bash.exe" update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic update: Sysmon Application Crashed - Add 32bit version of sysmon binary update: Tap Driver Installation - Security - Reduce level to "low" update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-29 13:37:20 +01:00
parent 7f582c3d16
commit be359ef3f2
114 changed files with 482 additions and 342 deletions
@@ -1,23 +0,0 @@
-title: Dnscat Execution
-id: a6d67db4-6220-436d-8afc-f3842fe05d43
-status: test
-description: Dnscat exfiltration tool execution
-author: Daniil Yugoslavskiy, oscd.community
-date: 2019/10/24
-modified: 2022/12/25
-tags:
-    - attack.exfiltration
-    - attack.t1048
-    - attack.execution
-    - attack.t1059.001
-logsource:
-    product: windows
-    category: ps_script
-    definition: 'Requirements: Script Block Logging must be enabled'
-detection:
-    selection:
-        ScriptBlockText|contains: 'Start-Dnscat2'
-    condition: selection
-falsepositives:
-    - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
-level: critical
@@ -32,7 +32,7 @@ references:
    - https://github.com/adrecon/AzureADRecon
 author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
 date: 2017/03/05
-modified: 2023/11/22
+modified: 2024/01/25
 tags:
    - attack.execution
    - attack.discovery
@@ -226,6 +226,7 @@ detection:
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
+            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'VolumeShadowCopyTools'
            # - 'Check-VM'
@@ -4,7 +4,7 @@ status: test
 description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
 references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
-author: Tim Rauch
+author: Tim Rauch, Elastic (idea)
 date: 2022/09/28
 tags:
    - attack.credential_access
@@ -5,6 +5,9 @@ related:
      type: derived
 status: test
 description: Detects suspicious PowerShell download command
+references:
+    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
+    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
 author: Florian Roth (Nextron Systems)
 date: 2017/03/05
 modified: 2022/12/02
@@ -21,7 +24,9 @@ detection:
    download:
        ScriptBlockText|contains:
            - '.DownloadFile('
+            - '.DownloadFileAsync('
            - '.DownloadString('
+            - '.DownloadStringAsync('
    condition: webclient and download
 falsepositives:
    - PowerShell scripts that download content from the Internet
@@ -7,6 +7,8 @@ related:
      type: similar
 status: test
 description: Detects suspicious PowerShell invocation command parameters
+references:
+    - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2017/03/12
 modified: 2023/01/03
@@ -2,13 +2,15 @@ title: Suspicious PowerShell Invocations - Specific
 id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
-      type: derived
+      type: obsoletes
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
    - id: 536e2947-3729-478c-9903-745aaffe60d2
      type: similar
 status: test
 description: Detects suspicious PowerShell invocation command parameters
+references:
+    - Internal Research
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
 date: 2017/03/05
 modified: 2023/01/05
@@ -7,7 +7,7 @@ status: test
 description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
 references:
    - https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
-author: Tim Rauch
+author: Tim Rauch, Elastic (idea)
 date: 2022/09/16
 modified: 2022/11/26
 tags: