From bf28e42f01980bea0b5d90eb22b2a0201aba379a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 10 Oct 2022 17:33:14 +0200
Subject: [PATCH] Fix FP Found In Testing
---
 .../image_load_in_memory_powershell.yml | 6 +-
 .../image_load_susp_dbghelp_dbgcore_load.yml | 114 +++++++++---------
 ...reated_alternate_powershell_hosts_pipe.yml | 6 +-
 .../posh_pm_alternate_powershell_hosts.yml | 10 +-
 .../proc_creation_win_susp_conhost.yml | 2 +-
 ...proc_creation_win_susp_winrm_execution.yml | 1 -
 6 files changed, 74 insertions(+), 65 deletions(-)
diff --git a/rules/windows/image_load/image_load_in_memory_powershell.yml b/rules/windows/image_load/image_load_in_memory_powershell.yml
index 554148efc..2eed58f5a 100755
--- a/rules/windows/image_load/image_load_in_memory_powershell.yml
+++ b/rules/windows/image_load/image_load_in_memory_powershell.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
 date: 2019/11/14
-modified: 2022/04/21
+modified: 2022/10/10
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
@@ -23,7 +23,9 @@ detection:
 - '\System.Management.Automation.Dll'
 - '\System.Management.Automation.ni.Dll'
 filter:
- - Image: 'C:\Windows\System32\dsac.exe'
+ - Image:
+ - 'C:\Windows\System32\dsac.exe'
+ - 'C:\Program Files\PowerShell\7\pwsh.exe' #PowerShell 7
 - Image|endswith:
 - '\powershell.exe'
 - '\powershell_ise.exe'
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index 36d307d82..2ff0422cc 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
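Review bot: The new `'C:\Program Files\PowerShell\7\pwsh.exe'` entry in `filter` only suppresses the default x64 MSI install of PowerShell 7, so pwsh.exe from the preview channel (`C:\Program Files\PowerShell\7-preview\pwsh.exe`), the Microsoft Store/MSIX package (under `C:\Program Files\WindowsApps\Microsoft.PowerShell_*`), the x86 MSI or a zip/dotnet-tool install will still load System.Management.Automation.dll and fire this rule. Keeping the exclusion path-anchored is the right call — widening it to `Image|endswith: '\pwsh.exe'` would let any renamed loader suppress the alert, which is exactly what this rule hunts — so extend it with the other Microsoft-shipped locations instead, e.g. add `- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'` and a separate filter map pairing `Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.PowerShell_'` with `Image|endswith: '\pwsh.exe'`. Minor style point: yamllint expects a space after the hash, `# PowerShell 7`. The `detection` block, including the `condition` that applies these filters, continues outside the hunk.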
@@ -4,68 +4,68 @@ status: test description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. author: Perez Diego (@darkquassar), oscd.community, Ecco references: - - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 + - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump + - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html + - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 modified: 2022/09/15 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - signedprocess: - ImageLoaded|endswith: - - '\dbghelp.dll' - - '\dbgcore.dll' - Image|endswith: - - '\msbuild.exe' - - '\cmd.exe' - # - '\svchost.exe' triggered by installing common software - - '\rundll32.exe' - # - '\powershell.exe' triggered by installing common software - - '\word.exe' - - '\excel.exe' - - '\powerpnt.exe' - - '\outlook.exe' - - '\monitoringhost.exe' - - '\wmic.exe' - # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert - - '\bash.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\mshta.exe' - # - '\regsvr32.exe' triggered by installing common software - # - '\schtasks.exe' triggered by installing software - - '\dnx.exe' - - '\regsvcs.exe' - - '\sc.exe' - - '\scriptrunner.exe' - unsignedprocess: - ImageLoaded|endswith: - - 
'\dbghelp.dll' - - '\dbgcore.dll' - Signed: 'FALSE' - filter1: - - Image|contains: 'Visual Studio' - - CommandLine|contains: - - '-k LocalSystemNetworkRestricted' - - '-k UnistackSvcGroup -s WpnUserService' - filter2: # Not available in Sysmon, but in Aurora - CommandLine: - - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' - - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' - filter3: - CommandLine|startswith: 'C:\WINDOWS\winsxs\' - CommandLine|endswith: '\TiWorker.exe -Embedding' - condition: (signedprocess or unsignedprocess) and not 1 of filter* + signedprocess: + ImageLoaded|endswith: + - '\dbghelp.dll' + - '\dbgcore.dll' + Image|endswith: + - '\msbuild.exe' + - '\cmd.exe' + # - '\svchost.exe' triggered by installing common software + - '\rundll32.exe' + # - '\powershell.exe' triggered by installing common software + - '\word.exe' + - '\excel.exe' + - '\powerpnt.exe' + - '\outlook.exe' + - '\monitoringhost.exe' + - '\wmic.exe' + # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert + - '\bash.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' + # - '\regsvr32.exe' triggered by installing common software + # - '\schtasks.exe' triggered by installing software + - '\dnx.exe' + - '\regsvcs.exe' + - '\sc.exe' + - '\scriptrunner.exe' + unsignedprocess: + ImageLoaded|endswith: + - '\dbghelp.dll' + - '\dbgcore.dll' + Signed: 'FALSE' + filter1: + - Image|contains: 'Visual Studio' + - CommandLine|contains: + - '-k LocalSystemNetworkRestricted' + - '-k UnistackSvcGroup -s WpnUserService' + filter2: # Not available in Sysmon, but in Aurora + CommandLine: + - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' + - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' + filter3: + CommandLine|startswith: 'C:\WINDOWS\winsxs\' + CommandLine|endswith: '\TiWorker.exe -Embedding' + condition: (signedprocess or unsignedprocess) and not 1 of filter* fields: - - ComputerName - - User - - Image - - ImageLoaded + - 
ComputerName + - User + - Image + - ImageLoaded falsepositives: - - Unknown + - Unknown level: high tags: - - attack.credential_access - - attack.t1003.001 + - attack.credential_access + - attack.t1003.001 diff --git a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml index 7e0b89a94..2cf89d293 100644 --- a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html date: 2019/09/12 -modified: 2022/04/21 +modified: 2022/10/10 logsource: product: windows category: pipe_created @@ -36,7 +36,9 @@ detection: - 'C:\Program Files\Citrix\' - 'C:\Program Files\Microsoft\Exchange Server\' filter5: - Image: 'C:\Windows\system32\ServerManager.exe' + Image: + - 'C:\Windows\system32\ServerManager.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7 condition: selection and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 2ec92afbf..fa4bfe828 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2022/10/05 +modified: 2022/10/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html 
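Review bot: `filter5` now whitelists pwsh.exe by exact path, which covers only the default PowerShell 7 MSI location; preview-channel, Store/MSIX and portable installs of pwsh.exe will keep matching the selection, so the false positive is only partly closed. Do not loosen this to an `endswith` on `\pwsh.exe`, though — an alternate host running under a borrowed name is the very thing this rule looks for — and instead add the other Microsoft install paths as further exact or `startswith` entries, e.g. `- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'`. The `selection` and `filter1`–`filter4` begin above the hunk, so I cannot tell whether another filter already excludes some of these paths. The inline comment also spells the product as `Powershell 7` here and `PowerShell 7` in the sibling rule; pick one.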
@@ -18,7 +18,13 @@ detection:
 selection:
 ContextInfo|contains: '*'
 filter:
- ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
+ # This filter covers the following use cases
+ # - When powershell is called directly from commandline via keyword powershell or powershell.exe
+ # - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
+ ContextInfo|contains:
+ - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
+ - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+ - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
 filter_citrix:
 ContextInfo|contains: 'ConfigSyncRun.exe'
 filter_adace: # Active Directory Administrative Center Enhancements
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index c04f74a1d..c0aa4efb4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -18,7 +18,7 @@ detection:
 ParentImage|endswith: '\conhost.exe'
 filter_provider:
 Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora
- # Note that some of these git events occure because of a sppofed parent image
+ # Note that some of these git events occure because of a spoofed parent image
 filter_git:
 # Example FP:
 # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml
index 7cba36749..b54b22876 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml
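Review bot: Replacing `'powershell.exe'` with the bare `'= powershell'` substring widens the exclusion well beyond the Host Application key: the ContextInfo of a 4103 event is a list of `Key = Value` lines, so as far as I can tell any key whose value starts with `powershell` (a Host Name chosen by a custom runspace host, or a command line such as `powershell_host.exe`) now suppresses the alert, which is a cheap bypass for an attacker who authors their own host — precisely the actor this rule targets. Anchor on the key instead and keep the localized spelling the old comment already names, e.g. `- 'Host Application = powershell'` and `- 'Application hote = powershell'`, and prefix the two full-path entries the same way. The path entries also appear to miss invocations whose Host Application quotes the executable (`= "C:\Windows\System32\...\powershell.exe" ...`), as shortcuts and scheduled tasks tend to produce, so the FP this patch fixes may come back in that form; worth checking against real events. The `condition` that combines `selection` with these filters lies below the hunk.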
@@ -23,7 +23,6 @@ detection:
 condition: all of selection*
 falsepositives:
 - Legitimate use for administartive purposes. Unlikely
-
 level: medium
 tags:
 - attack.defense_evasion