Fix FP Found In Testing

Nasreddine Bencherchali
2022-10-10 17:33:14 +02:00
parent cb73e9725a
commit bf28e42f01
6 changed files with 74 additions and 65 deletions
@@ -7,7 +7,7 @@ status: experimental
description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
date: 2019/11/14
modified: 2022/04/21
modified: 2022/10/10
references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
@@ -23,7 +23,9 @@ detection:
- '\System.Management.Automation.Dll'
- '\System.Management.Automation.ni.Dll'
filter:
- Image: 'C:\Windows\System32\dsac.exe'
- Image:
- 'C:\Windows\System32\dsac.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe' #PowerShell 7
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
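Review bot: The new pwsh.exe entry in `filter` is an exact-path match while the powershell.exe / powershell_ise.exe entries directly below use `Image|endswith`; if that asymmetry is deliberate (a pwsh.exe loading these DLLs from outside its default install directory should still alert) the comment should say so, e.g. `- 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7, exact path on purpose: pwsh copied elsewhere still alerts`. The same exact-path choice is made in the `filter5` hunk further down (ServerManager.exe / pwsh.exe), where the comment reads `# Powershell 7` with different casing; one wording for both would help. Note that PowerShell 7 preview builds appear to install to a separate directory, so this path only covers the GA release — worth stating as a known, accepted gap. The trailing `#PowerShell 7` comment is also missing the space after `#` that yamllint's comments rule expects.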
@@ -4,68 +4,68 @@ status: test
description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
author: Perez Diego (@darkquassar), oscd.community, Ecco
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
date: 2019/10/27
modified: 2022/09/15
logsource:
category: image_load
product: windows
category: image_load
product: windows
detection:
signedprocess:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
# - '\svchost.exe' triggered by installing common software
- '\rundll32.exe'
# - '\powershell.exe' triggered by installing common software
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
# - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
# - '\regsvr32.exe' triggered by installing common software
# - '\schtasks.exe' triggered by installing software
- '\dnx.exe'
- '\regsvcs.exe'
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: 'FALSE'
filter1:
- Image|contains: 'Visual Studio'
- CommandLine|contains:
- '-k LocalSystemNetworkRestricted'
- '-k UnistackSvcGroup -s WpnUserService'
filter2: # Not available in Sysmon, but in Aurora
CommandLine:
- 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
- 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
filter3:
CommandLine|startswith: 'C:\WINDOWS\winsxs\'
CommandLine|endswith: '\TiWorker.exe -Embedding'
condition: (signedprocess or unsignedprocess) and not 1 of filter*
signedprocess:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\msbuild.exe'
- '\cmd.exe'
# - '\svchost.exe' triggered by installing common software
- '\rundll32.exe'
# - '\powershell.exe' triggered by installing common software
- '\word.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\outlook.exe'
- '\monitoringhost.exe'
- '\wmic.exe'
# - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
# - '\regsvr32.exe' triggered by installing common software
# - '\schtasks.exe' triggered by installing software
- '\dnx.exe'
- '\regsvcs.exe'
- '\sc.exe'
- '\scriptrunner.exe'
unsignedprocess:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: 'FALSE'
filter1:
- Image|contains: 'Visual Studio'
- CommandLine|contains:
- '-k LocalSystemNetworkRestricted'
- '-k UnistackSvcGroup -s WpnUserService'
filter2: # Not available in Sysmon, but in Aurora
CommandLine:
- 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
- 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
filter3:
CommandLine|startswith: 'C:\WINDOWS\winsxs\'
CommandLine|endswith: '\TiWorker.exe -Embedding'
condition: (signedprocess or unsignedprocess) and not 1 of filter*
fields:
- ComputerName
- User
- Image
- ImageLoaded
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.credential_access
- attack.t1003.001
- attack.credential_access
- attack.t1003.001
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
date: 2019/09/12
modified: 2022/04/21
modified: 2022/10/10
logsource:
product: windows
category: pipe_created
@@ -36,7 +36,9 @@ detection:
- 'C:\Program Files\Citrix\'
- 'C:\Program Files\Microsoft\Exchange Server\'
filter5:
Image: 'C:\Windows\system32\ServerManager.exe'
Image:
- 'C:\Windows\system32\ServerManager.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
condition: selection and not 1 of filter*
fields:
- ComputerName
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: test
date: 2019/08/11
modified: 2022/10/05
modified: 2022/10/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
@@ -18,7 +18,13 @@ detection:
selection:
ContextInfo|contains: '*'
filter:
ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
# This filter covers the following use cases
# - When powershell is called directly from commandline via keyword powershell or powershell.exe
# - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
ContextInfo|contains:
- '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
- '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
filter_citrix:
ContextInfo|contains: 'ConfigSyncRun.exe'
filter_adace: # Active Directory Administrative Center Enhancements
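Review bot: The first new `ContextInfo|contains` value `'= powershell'` is effectively a prefix match on the host application name, so besides `powershell.exe` and a bare `powershell` it also excludes any host whose image name merely starts with "powershell" (powershell_ise is the legitimate case, but since this rule exists to catch non-standard hosts, that widening is a detection gap worth acknowledging). If the trade-off is accepted it should be written into the block comment above the filter, for example `# '= powershell' also covers bare 'powershell' (no .exe) and powershell_ise; any other host name starting with 'powershell' is excluded as well`. The inline comment on that value repeats the French-localisation note from the line it replaces and would read better as part of the block comment. The enclosing `detection` block continues past the hunk (filter_citrix, filter_adace).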
@@ -18,7 +18,7 @@ detection:
ParentImage|endswith: '\conhost.exe'
filter_provider:
Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora
# Note that some of these git events occure because of a sppofed parent image
# Note that some of these git events occure because of a spoofed parent image
filter_git:
# Example FP:
# ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file
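Review bot: The corrected comment still misspells "occur"; the line should read `# Note that some of these git events occur because of a spoofed parent image`. The `filter_git` block it introduces continues past the end of the hunk.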
@@ -23,7 +23,6 @@ detection:
condition: all of selection*
falsepositives:
- Legitimate use for administartive purposes. Unlikely
level: medium
tags:
- attack.defense_evasion