From c125ae7e7d3b28805636fb3e36143b2a2e980bbf Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 15 Nov 2023 15:35:43 +0100
Subject: [PATCH] Merge PR #4564 from @nasbench - Fix Further FPs Found In Testing

remove: Abusing Findstr for Defense Evasion - Deprecate in favour of 2 split rules. 587254ee-a24b-4335-b3cd-065c0f1f4baa and 04936b66-3915-43ad-a8e5-809eadfd1141
remove: Windows Update Client LOLBIN - Deprecate in favour of 52d097e2-063e-4c9c-8fbb-855c8948d135
fix: Remote Thread Creation By Uncommon Source Image - Enhance filters to avoid false positives
fix: Suspicious Shim Database Installation via Sdbinst.EXE - Add "null" and "empty" filters to account for cases where the CLI is null or empty
new: Insensitive Subfolder Search Via Findstr.EXE
new: Remote File Download Via Findstr.EXE
new: Windows Defender Exclusion Deleted
new: Windows Defender Exclusion List Modified
new: Windows Defender Exclusion Registry Key - Write Access Requested
update: Renamed Office Binary Execution - Add new binaries and filters to increase coverage and tune FPs
update: EVTX Created In Uncommon Location - Enhance filters to cover drives other than "C:"
update: Findstr GPP Passwords - Add "find.exe" binary to increase coverage
update: Findstr Launching .lnk File - Add "find.exe" binary to increase coverage
update: LSASS Process Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Non-DLL Extension File Renamed With DLL Extension - Update title and logic
update: Permission Misconfiguration Reconnaissance Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Potentially Suspicious Wuauclt Network Connection - Change the logic to use the "CommandLine" field in order to avoid false positives
update: Proxy Execution Via Wuauclt.EXE - Update title and enhance filters
update: Recon Command Output Piped To Findstr.EXE - Add "find.exe" binary to increase coverage
update: Security Tools Keyword Lookup Via Findstr.EXE - Add "find.exe" binary to increase coverage
update: Suspicious Appended Extension - Enhance list of extensions
update: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Add "find.exe" binary to increase coverage
fix: Uncommon Userinit Child Process - Add the citrix process cmstart to the filtered processes and make it more strict to avoid abuse. Also enhances the other filters by removing the C: notation.
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Add FP filter for chrome installer spawning rundll32 without arguments

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
thanks: @vj-codes for #4554
thanks: @mezzofix for #4520
thanks: @rkmbaxed for #4566 and #4569
thanks: @celalettin-turgut for #4570
---
 README.md | 2 +-
 .../proc_creation_win_lolbin_findstr.yml | 4 +-
 .../proc_creation_win_wuauclt_execution.yml | 4 +-
 .../file_rename_win_non_dll_to_dll_ext.yml | 47 ++++++++++++++
 ..._defender_exclusions_registry_modified.yml | 30 +++++++++
 ...ndows_defender_exclusions_write_access.yml | 35 ++++++++++
 ...ows_defender_exclusions_write_deleted.yml} | 24 +++----
 ...emote_thread_win_uncommon_source_image.yml | 17 +++--
 ...t_win_create_evtx_non_common_locations.yml | 10 +--
 .../file_rename_win_not_dll_to_dll.yml | 45 -------------
 .../file_rename_win_ransomware.yml | 37 ++++++-----
 ...nection_win_wuauclt_network_connection.yml | 64 +++++++++++++++----
 .../proc_creation_win_findstr_download.yml | 43 +++++++++++++
 ...roc_creation_win_findstr_gpp_passwords.yml | 10 ++-
 .../proc_creation_win_findstr_lnk.yml | 10 ++-
 .../proc_creation_win_findstr_lsass.yml | 10 ++-
 ...oc_creation_win_findstr_recon_everyone.yml | 11 +++-
 ...creation_win_findstr_recon_pipe_output.yml | 22 ++++++-
 ...on_win_findstr_security_keyword_lookup.yml | 9 ++-
 ..._creation_win_findstr_subfolder_search.yml | 41 ++++++++++++
 ..._sysmon_discovery_via_default_altitude.yml | 10 ++-
 ..._creation_win_renamed_office_processes.yml | 15 ++++-
 ...oc_creation_win_sdbinst_susp_extension.yml
| 6 +- ...n_susp_bad_opsec_sacrificial_processes.yml | 14 +++- ..._win_userinit_uncommon_child_processes.yml | 19 ++++-- ...proc_creation_win_wuauclt_dll_loading.yml} | 25 +++++--- ...ion_win_wuauclt_no_cli_flags_execution.yml | 9 ++- 27 files changed, 435 insertions(+), 138 deletions(-) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_lolbin_findstr.yml (97%) rename {rules/windows/process_creation => deprecated/windows}/proc_creation_win_wuauclt_execution.yml (95%) create mode 100644 rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml create mode 100644 rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml rename rules/windows/builtin/security/{win_security_defender_bypass.yml => win_security_windows_defender_exclusions_write_deleted.yml} (54%) delete mode 100644 rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_download.yml create mode 100644 rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_wuauclt.yml => proc_creation_win_wuauclt_dll_loading.yml} (57%) diff --git a/README.md b/README.md index 134001975..2b1a586e4 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ If you find a false positive or would like to propose a new detection rule idea ## Credits -This project would've never reached this hight without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. +This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help. ## Licenses 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/deprecated/windows/proc_creation_win_lolbin_findstr.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml rename to deprecated/windows/proc_creation_win_lolbin_findstr.yml index e67e3bece..b6f955121 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/deprecated/windows/proc_creation_win_lolbin_findstr.yml @@ -1,6 +1,6 @@ title: Abusing Findstr for Defense Evasion id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: test +status: deprecated description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism references: - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ @@ -8,7 +8,7 @@ references: - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' date: 2020/10/05 -modified: 2022/10/11 +modified: 2022/10/12 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml b/deprecated/windows/proc_creation_win_wuauclt_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml rename to deprecated/windows/proc_creation_win_wuauclt_execution.yml index 7d0c45e92..2b053596d 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_execution.yml +++ b/deprecated/windows/proc_creation_win_wuauclt_execution.yml @@ -1,12 +1,12 @@ title: Windows Update Client LOLBIN id: d7825193-b70a-48a4-b992-8b5b3015cc11 -status: test +status: deprecated description: Detects code execution via the Windows Update client (wuauclt) references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.command_and_control - attack.execution 
diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml new file mode 100644 index 000000000..1f663fc29 --- /dev/null +++ b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml 
@@ -0,0 +1,47 @@ +title: Non-DLL Extension File Renamed With DLL Extension +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: experimental +description: | + Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1036.008 + - detection.threat_hunting +logsource: + product: windows + category: file_rename + definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' +detection: + selection: + TargetFilename|endswith: '.dll' + filter_main_dll: + # Note: To avoid file renames + SourceFilename|endswith: '.dll' + filter_main_installers: + SourceFilename|endswith: '.tmp' + filter_main_empty_source: + SourceFilename: '' + filter_main_null_source: + SourceFilename: null + filter_main_tiworker: + Image|contains: ':\Windows\WinSxS\' + Image|endswith: '\TiWorker.exe' + filter_main_upgrade: + - Image|endswith: ':\Windows\System32\wuauclt.exe' + - TargetFilename|contains: ':\$WINDOWS.~BT\Sources\' + filter_main_generic: + Image|contains: + - ':\Program Files (x86)\' + - ':\Program Files\' + filter_optional_squirrel: + SourceFilename|contains: '\SquirrelTemp\temp' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Likely from installers and temporary locations +level: medium 
diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml new file mode 100644 index 000000000..7d4de724c --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_registry_modified.yml @@ -0,0 +1,30 @@ +title: Windows Defender Exclusion List Modified +id: 46a68649-f218-4f86-aea1-16a759d81820 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + EventID: 4657 # A registry value was modified. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Intended exclusions by administrators +level: medium diff --git a/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml new file mode 100644 index 000000000..b7dfbafed --- /dev/null +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_access.yml 
@@ -0,0 +1,35 @@ +title: Windows Defender Exclusion Reigstry Key - Write Access Requested +id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +related: + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived + - id: a33f8808-2812-4373-ae95-8cfb82134978 + type: derived +status: test +description: | + Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. +references: + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: '@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)' +date: 2019/10/26 +modified: 2023/11/11 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + service: security + definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' +detection: + selection: + AccessList|contains: + - '%%4417' # WriteData + - '%%4418' # AppendData + EventID: + - 4656 # A handle to an object was requested. + - 4663 # An attempt was made to access an object. + ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/builtin/security/win_security_defender_bypass.yml b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml similarity index 54% rename from rules/windows/builtin/security/win_security_defender_bypass.yml rename to rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml index a975119ed..b207c81b4 100644 --- a/rules/windows/builtin/security/win_security_defender_bypass.yml +++ b/rules/windows/builtin/security/win_security_windows_defender_exclusions_write_deleted.yml 
@@ -1,12 +1,18 @@ -title: Windows Defender Exclusion Set -id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d +title: Windows Defender Exclusion Deleted +id: a33f8808-2812-4373-ae95-8cfb82134978 +related: + - id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d + type: derived + - id: 46a68649-f218-4f86-aea1-16a759d81820 + type: derived status: test -description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender +description: | + Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' date: 2019/10/26 -modified: 2021/11/27 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1562.001 @@ -16,13 +22,9 @@ logsource: definition: 'Requirements: Audit Policy : Security Settings/Local Policies/Audit Policy, Registry System Access Control (SACL): Auditing/User' detection: selection: - EventID: - - 4657 - - 4656 - - 4660 - - 4663 + EventID: 4660 # An object was deleted. ObjectName|contains: '\Microsoft\Windows Defender\Exclusions\' condition: selection falsepositives: - - Intended inclusions by administrator -level: high + - Unknown +level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 321e57290..af4ed0f32 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml 
@@ -7,7 +7,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/09/06 +modified: 2023/11/11 tags: - attack.privilege_escalation - attack.defense_evasion @@ -72,9 +72,9 @@ detection: - ':\Windows\System32\services.exe' # happens on Windows 7 - ':\Windows\System32\wininit.exe' # happens on Windows 7 - ':\Windows\System32\csrss.exe' # multiple OS + - ':\Windows\System32\LogonUI.exe' # multiple OS filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' - TargetParentImage: 'System' TargetParentProcessId: 4 filter_main_schtasks_conhost: SourceImage|endswith: @@ -84,10 +84,19 @@ detection: filter_main_explorer: SourceImage|endswith: ':\Windows\explorer.exe' TargetImage|endswith: - - ':\Windows\System32\mmc.exe' - - ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' + - ':\Program Files (x86)\' + - ':\Program Files\' + - ':\Windows\System32\' + - ':\Windows\SysWOW64\' filter_main_system: TargetImage: 'System' + filter_main_msiexec: + # Note: MSI installers will trigger this + SourceImage|endswith: '\msiexec.exe' + TargetImage|contains: + - '\AppData\Local\' + - ':\Program Files (x86)\' + - ':\Program Files\' filter_optional_powerpnt: # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 SourceImage|contains: '\Microsoft Office\' diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml index 9e973c66e..02eedbdff 100644 --- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml 
@@ -18,14 +18,14 @@ detection: selection: TargetFilename|endswith: '.evtx' filter_main_path: - TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' + TargetFilename|contains: ':\Windows\System32\winevt\Logs\' filter_main_baseimage: - TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|contains: ':\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' filter_main_generic_img: - Image: - - 'C:\Windows\explorer.exe' - - 'C:\Windows\system32\dllhost.exe' + Image|endswith: + - ':\Windows\explorer.exe' + - ':\Windows\system32\dllhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Administrator or backup activity diff --git a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml deleted file mode 100644 index 23de6de33..000000000 --- a/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -title: Rename Common File to DLL File -id: bbfd974c-248e-4435-8de6-1e938c79c5c1 -status: test -description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection -references: - - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location -author: frack113 -date: 2022/02/19 -modified: 2023/01/02 -tags: - - attack.defense_evasion - - attack.t1036.008 -logsource: - product: windows - category: file_rename - definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword' -detection: - to_dll: - TargetFilename|endswith: '.dll' - filter_from_dll: - - SourceFilename|endswith: - - '.dll' - - '.tmp' # VSCode FP - - SourceFilename|contains: - - '.dll.' - - '\SquirrelTemp\temp' - filter_empty_source: - SourceFilename: '' - filter_non_existing_source: - SourceFilename: null - filter_tiworker: - Image|startswith: 'C:\Windows\WinSxS\' - Image|endswith: '\TiWorker.exe' - filter_upgrade: - - Image: 'C:\Windows\System32\wuauclt.exe' - - TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\' - filter_program_files: - Image|startswith: - - 'C:\Program Files (x86)\' - - 'C:\Program Files\' - condition: to_dll and not 1 of filter* -falsepositives: - - Application installation -level: medium diff --git a/rules/windows/file/file_rename/file_rename_win_ransomware.yml b/rules/windows/file/file_rename/file_rename_win_ransomware.yml index f0cca6f2c..b1b6e9a28 100644 --- a/rules/windows/file/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file/file_rename/file_rename_win_ransomware.yml 
@@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2023/01/02 +modified: 2023/11/11 tags: - attack.impact - attack.t1486 @@ -18,35 +18,40 @@ logsource: detection: selection: SourceFilename|endswith: - - '.lnk' - - '.rtf' - - '.pst' + - '.doc' - '.docx' - - '.xlsx' - - '.jpg' - '.jpeg' - - '.png' + - '.jpg' + - '.lnk' - '.pdf' + - '.png' + - '.pst' + - '.rtf' + - '.xls' + - '.xlsx' TargetFilename|contains: - - '.lnk.' - - '.rtf.' - - '.pst.' + - '.doc.' - '.docx.' - - '.xlsx.' - - '.jpg.' - '.jpeg.' - - '.png.' + - '.jpg.' + - '.lnk.' - '.pdf.' + - '.png.' + - '.pst.' + - '.rtf.' + - '.xls.' + - '.xlsx.' filter_main_generic: TargetFilename|endswith: - - '.tmp' + # Note: Please add more used extensions by backup or recovery software + - '.backup' - '.bak' - '.old' - '.orig' - - '.backup' - '.temp' + - '.tmp' filter_optional_anaconda: - TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|contains: ':\ProgramData\Anaconda3\' TargetFilename|endswith: '.c~' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index c9771233e..f79a6af85 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml 
@@ -1,27 +1,58 @@ -title: Wuauclt Network Connection +title: Potentially Suspicious Wuauclt Network Connection id: c649a6c7-cd8c-4a78-9c04-000fc76df954 status: test description: | - Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. - One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. + Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. + One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2023/01/20 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 logsource: category: network_connection product: windows + definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.' detection: selection: Image|contains: 'wuauclt' + CommandLine|contains: ' /RunHandlerComServer' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_msrange: # Sysmon + filter_main_ipv4: + DestinationIp|startswith: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml + - '10.' + - '127.' + - '169.254.' 
# link-local address + - '172.16' + - '172.17' + - '172.18' + - '172.19' + - '172.20' + - '172.21' + - '172.22' + - '172.23' + - '172.24' + - '172.25' + - '172.26' + - '172.27' + - '172.28' + - '172.29' + - '172.30' + - '172.31' + - '192.168' + filter_main_ipv6: DestinationIp|startswith: - # Subnet: 20.184.0.0/13 + - '::1' + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + filter_main_msrange: # Sysmon + DestinationIp|startswith: + # Subnet: 20.184.0.0/13, 51.103.210.0/23 and others - '20.184.' - '20.185.' - '20.186.' @@ -30,16 +61,27 @@ detection: - '20.189.' - '20.190.' - '20.191.' + - '20.220.' + - '20.221.' - '23.79.' - '51.10.' - # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - filter_cmdline: - CommandLine|contains: '\UpdateDeploy.dll /ClassId ' - condition: selection and not 1 of filter_* + filter_main_uus: + CommandLine|contains: + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs|all: + CommandLine|contains: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + filter_main_cli_null: + CommandLine: null + filter_main_cli_empty: + CommandLine: '' + condition: selection and not 1 of filter_main_* falsepositives: - - Legitimate use of wuauclt.exe over the network. + - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml new file mode 100644 index 000000000..cef27141c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
@@ -0,0 +1,43 @@ +title: Remote File Download Via Findstr.EXE +id: 587254ee-a24b-4335-b3cd-065c0f1f4baa +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_download_1: + CommandLine|contains: + - ' /v ' + - ' -v ' + selection_cli_download_2: + CommandLine|contains: + - ' /l ' + - ' -l ' + selection_cli_download_3: + CommandLine|contains: '\\\\' + condition: selection_findstr and all of selection_cli_download_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 2c5d81cd8..0da446234 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr author: frack113 date: 2021/12/27 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains|all: - 'cpassword' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml index 9618ac0a6..a37c9d8bf 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml @@ -6,7 +6,7 @@ references: - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ author: Trent Liffick date: 2020/05/01 -modified: 2023/03/06 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 @@ -17,8 +17,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: '.lnk' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index e9b33ee1f..5941a31c9 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml 
@@ -6,7 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 -modified: 2023/07/13 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: 'lsass' selection_special: diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml index 859caea95..3285947e8 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml @@ -6,7 +6,7 @@ references: - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/12 -modified: 2023/03/05 +modified: 2023/11/11 tags: - attack.credential_access - attack.t1552.006 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_findstr_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_findstr_cli: CommandLine|contains: - '"Everyone"' @@ -28,6 +32,7 @@ detection: # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone" # You could extend it for other groups and users # Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users" + # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c" - 'icacls ' - 'findstr ' - 'Everyone' 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index 8cf7a5f6a..1d30a9c23 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -12,7 +12,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/07/06 -modified: 2023/10/20 +modified: 2023/11/11 tags: - attack.discovery - attack.t1057 @@ -23,25 +23,45 @@ detection: selection: CommandLine|contains: # Note: Add additional CLI to increase and enhance coverage + - 'ipconfig /all | find ' - 'ipconfig /all | findstr ' + - 'ipconfig | find ' - 'ipconfig | findstr ' + - 'ipconfig.exe /all | find ' - 'ipconfig.exe /all | findstr ' + - 'ipconfig.exe | find ' - 'ipconfig.exe | findstr ' + - 'net start | find' - 'net start | findstr' + - 'net.exe start | find' - 'net.exe start | findstr' + - 'net1 start | find' - 'net1 start | findstr' + - 'net1.exe start | find' - 'net1.exe start | findstr' + - 'netstat -ano | find' - 'netstat -ano | findstr' + - 'netstat | find' - 'netstat | findstr' + - 'netstat.exe -ano | find' - 'netstat.exe -ano | findstr' + - 'netstat.exe | find' - 'netstat.exe | findstr' + - 'ping | find' - 'ping | findstr' + - 'ping.exe | find' - 'ping.exe | findstr' + - 'systeminfo | find ' - 'systeminfo | findstr ' + - 'systeminfo.exe | find ' - 'systeminfo.exe | findstr ' + - 'tasklist | find ' - 'tasklist | findstr ' + - 'tasklist.exe | find ' - 'tasklist.exe | findstr ' + - 'whoami /all | find ' - 'whoami /all | findstr ' + - 'whoami.exe /all | find ' - 'whoami.exe /all | findstr ' condition: selection falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml index dcecd4f14..d4656b0d2 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml @@ -13,6 +13,7 @@ references: - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023/10/20 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -21,8 +22,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|endswith: # Note: Add additional keywords to increase and enhance coverage diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml new file mode 100644 index 000000000..5a6705ab7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml 
@@ -0,0 +1,41 @@ +title: Insensitive Subfolder Search Via Findstr.EXE +id: 04936b66-3915-43ad-a8e5-809eadfd1141 +related: + - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f + type: obsoletes +status: experimental +description: | + Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) +date: 2020/10/05 +modified: 2023/11/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_search_subfolder: + CommandLine|contains: + - ' /s ' + - ' -s ' + selection_cli_search_insensitive: + CommandLine|contains: + - ' /i ' + - ' -i ' + condition: selection_findstr and all of selection_cli_search_* +falsepositives: + - Administrative or software activity +level: low diff --git a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml index 08cccff9a..6ee265561 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml 
@@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service author: frack113 date: 2021/12/16 -modified: 2023/03/06 +modified: 2023/11/14 tags: - attack.discovery - attack.t1518.001 @@ -15,8 +15,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: '\findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' + - Image|endswith: + - '\find.exe' + - '\findstr.exe' + - OriginalFileName: + - 'FIND.EXE' + - 'FINDSTR.EXE' selection_cli: CommandLine|contains: ' 385201' # Sysmon driver default altitude condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index b34fa1087..4189681c7 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -6,6 +6,7 @@ references: - https://infosec.exchange/@sbousseaden/109542254124022664 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/12/20 +modified: 2023/11/13 tags: - attack.defense_evasion logsource: 
@@ -16,23 +17,33 @@ detection: - OriginalFileName: - 'Excel.exe' - 'MSACCESS.EXE' + - 'MSPUB.EXE' - 'OneNote.exe' + - 'OneNoteM.exe' + - 'OUTLOOK.EXE' - 'POWERPNT.EXE' - 'WinWord.exe' - Description: - 'Microsoft Access' - 'Microsoft Excel' - 'Microsoft OneNote' + - 'Microsoft Outlook' - 'Microsoft PowerPoint' + - 'Microsoft Publisher' - 'Microsoft Word' - filter: + - 'Sent to OneNote Tool' + filter_main_legit_names: Image|endswith: - '\EXCEL.exe' + - '\excelcnv.exe' - '\MSACCESS.exe' + - '\MSPUB.EXE' - '\ONENOTE.EXE' + - '\ONENOTEM.EXE' + - '\OUTLOOK.EXE' - '\POWERPNT.EXE' - '\WINWORD.exe' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml index a325b4f30..fe5e51754 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -11,7 +11,7 @@ references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html author: Nasreddine Bencherchali (Nextron Systems) date: 2023/08/01 -modified: 2023/10/17 +modified: 2023/11/11 tags: - attack.persistence - attack.privilege_escalation @@ -33,6 +33,10 @@ detection: ParentImage|endswith: ':\Windows\System32\svchost.exe' Image|endswith: ':\Windows\System32\sdbinst.exe' CommandLine|endswith: ' -mm' + filter_main_null: + CommandLine: null + filter_main_empty: + CommandLine: '' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml index 5130e4700..96b133b7e 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml @@ -18,7 +18,7 @@ references: - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2020/10/23 -modified: 2023/11/10 +modified: 2023/11/14 tags: - attack.defense_evasion - attack.t1218.011 @@ -45,8 +45,16 @@ detection: ParentImage|contains|all: - ':\Users\' - '\AppData\Local\Microsoft\EdgeUpdate\Install\{' - ParentImage|endswith: '\setup.exe' - condition: 1 of selection_* and not 1 of filter_main_* + filter_optional_chrome_installer: + # As reported in https://github.com/SigmaHQ/sigma/issues/4570 + ParentImage|contains|all: + - ':\Users\' + - '\AppData\Local\Google\Chrome\Application\' + ParentImage|endswith: '\Installer\setup.exe' + ParentCommandLine|contains: '--uninstall --channel=stable' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: 'rundll32.exe' + condition: 1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index d55f1e293..3e349b6f6 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml 
@@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/06/21 +modified: 2023/11/14 tags: - attack.t1037.001 - attack.persistence @@ -21,7 +21,7 @@ detection: selection: ParentImage|endswith: '\userinit.exe' filter_main_explorer: - Image: 'C:\WINDOWS\explorer.exe' + Image|endswith: ':\WINDOWS\explorer.exe' filter_optional_logonscripts: CommandLine|contains: - 'netlogon.bat' @@ -31,11 +31,18 @@ detection: # https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core CommandLine: 'PowerShell.exe' filter_optional_proquota: - Image: - - 'C:\Windows\System32\proquota.exe' - - 'C:\Windows\SysWOW64\proquota.exe' + Image|endswith: + - ':\Windows\System32\proquota.exe' + - ':\Windows\SysWOW64\proquota.exe' filter_optional_citrix: - Image|endswith: '\Citrix\System32\icast.exe' + Image|endswith: + # As reported by https://github.com/SigmaHQ/sigma/issues/4569 + - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files (x86)\Citrix\System32\icast.exe' + - ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command + - ':\Program Files\Citrix\System32\icast.exe' filter_optional_image_null: Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml rename to rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml index e5780d68d..712d72f91 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_dll_loading.yml @@ -1,4 +1,4 @@ -title: Proxy Execution via Wuauclt +title: Proxy Execution Via Wuauclt.EXE id: af77cf95-c469-471c-b6a0-946c685c4798 related: - id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 @@ -6,13 +6,13 @@ related: - id: d7825193-b70a-48a4-b992-8b5b3015cc11 type: obsoletes status: test -description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. +description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. references: - https://dtm.uk/wuauclt/ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team date: 2020/10/12 -modified: 2023/02/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1218 
@@ -27,13 +27,22 @@ detection: selection_cli: CommandLine|contains|all: - 'UpdateDeploymentProvider' - - '.dll' - 'RunHandlerComServer' - filter: + filter_main_generic: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + filter_main_wuaueng: + # Note: Please enhance this if you find the full path + CommandLine|contains: ' wuaueng.dll ' + filter_main_uus: CommandLine|contains: - - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' - - ' wuaueng.dll ' - condition: all of selection_* and not filter + - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId' + - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId' + filter_main_winsxs: + CommandLine|contains|all: + - ':\Windows\WinSxS\' + - '\UpdateDeploy.dll /ClassId ' + condition: all of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml index 202121360..8f29a67ea 100644 --- a/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml @@ -1,12 +1,13 @@ title: Suspicious Windows Update Agent Empty Cmdline id: 52d097e2-063e-4c9c-8fbb-855c8948d135 status: test -description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags +description: | + Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags references: - https://redcanary.com/blog/blackbyte-ransomware/ author: Florian Roth (Nextron Systems) date: 2022/02/26 -modified: 2022/05/13 +modified: 2023/11/11 tags: - attack.defense_evasion - attack.t1036 
@@ -18,7 +19,9 @@ detection: - Image|endswith: '\Wuauclt.exe' - OriginalFileName: 'Wuauclt.exe' selection_cli: - CommandLine|endswith: '\Wuauclt.exe' + CommandLine|endswith: + - 'Wuauclt' + - 'Wuauclt.exe' condition: all of selection* falsepositives: - Unknown
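Review bot: the comment added to selection_special in proc_creation_win_findstr_recon_everyone.yml ("This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"") should state the reason, because it explains the whole design of that selection: when `icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"` is typed into an interactive shell, icacls.exe and each findstr.exe are spawned as separate processes whose own CommandLine holds only their segment of the pipeline, so the three strings listed below the comment ('icacls ', 'findstr ', 'Everyone') only co-occur in a single CommandLine when the chain is passed as one argument to cmd /c or powershell -c. Suggest extending the comment along the lines of `# Note: ... because each stage of an interactive pipeline is a separate process with its own command line`.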
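Review bot: in proc_creation_win_findstr_recon_pipe_output.yml the new `find` entries written without a trailing space ('net start | find', 'net.exe start | find', 'net1 start | find', 'net1.exe start | find', 'netstat -ano | find', 'netstat | find', 'netstat.exe -ano | find', 'netstat.exe | find', 'ping | find', 'ping.exe | find') are prefixes of the findstr entries next to them, so under `CommandLine|contains` each of those findstr lines is now redundant. Either drop the subsumed findstr lines or, for consistency with the ipconfig, systeminfo, tasklist and whoami entries that already carry the trailing space, write the pairs as 'net start | find ' and 'net start | findstr ' so both remain distinct and the list stays uniform.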
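Review bot: in the new proc_creation_win_findstr_subfolder_search.yml, selection_findstr uses `Image|endswith: 'findstr.exe'` without the leading backslash that every other findstr rule in this patch uses ('\findstr.exe'), so any image whose name merely ends in findstr.exe would satisfy it; change it to '\findstr.exe'. Two smaller points in the same block: the bare `CommandLine|contains: findstr` should be quoted like the rest of the file's values, and because ' /s ', ' -s ', ' /i ' and ' -i ' all require a trailing space, a command line that ends with the flag (e.g. the `/i` placed last) will not match; either mention that limitation in the description or add `CommandLine|endswith` variants to the two selection_cli_search_* blocks.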
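Review bot: the `'\excelcnv.exe'` entry in filter_main_legit_names and the `'Sent to OneNote Tool'` Description value in proc_creation_win_renamed_office_processes.yml have no comment explaining why they are treated as legitimate names, unlike the `# As reported in https://github.com/SigmaHQ/sigma/issues/...` comments used elsewhere in this PR; add a short comment on each so the next person tuning this filter knows which selection value they were hitting and where the report came from. The rename from `filter` to `filter_main_legit_names` with `condition: selection and not 1 of filter_main_*` is consistent with the naming used in the other rules touched here.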
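Review bot: the new condition in proc_creation_win_susp_bad_opsec_sacrificial_processes.yml, `1 of selection_* and not 1 of filter_main_* and 1 of filter_optional_*`, requires filter_optional_chrome_installer to match, so the rule now only fires on the exact Chrome uninstall event it was meant to exclude and is silent on every other sacrificial-process case; it should read `1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*`, as the userinit rule in this same PR does. Separately, the hunk removes `ParentImage|endswith: '\setup.exe'` from the EdgeUpdate filter_main block without re-adding it, which widens that filter from setup.exe to any parent under `\AppData\Local\Microsoft\EdgeUpdate\Install\{`; if that is intended it deserves a comment, otherwise restore the line.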
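Review bot: in filter_optional_citrix of proc_creation_win_userinit_uncommon_child_processes.yml the same CTX983798 link is repeated as a trailing comment on four of the six paths; a single `# https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command` line under the existing `# As reported by https://github.com/SigmaHQ/sigma/issues/4569` comment would cover them and keep the list readable. The move from `Image:` full-path matches to `Image|endswith: ':\...'` for the explorer and proquota filters is the right fix for systems whose Windows directory is not on C:, matching the "other drives" change described for the EVTX rule in the commit message.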
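Review bot: the removal of `'.dll'` from selection_cli in proc_creation_win_wuauclt_dll_loading.yml widens the selection beyond what the commit message ("Update title and enhance filters") describes; if the intent is to also catch handlers loaded from a file without a .dll extension, say so in the description so the change is documented. In filter_main_uus both paths are amd64-specific (`:\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId` and `:\Windows\UUS\amd64\UpdateDeploy.dll /ClassId`), so any other architecture folder under `\UUS\` would still alert; confirm that is acceptable or add the corresponding folders. Minor: the winsxs string ends with '/ClassId ' (trailing space) while the uus strings end with '/ClassId'; pick one convention. The two `# Note: Please enhance this if you find the full path` comments are worth keeping, since filter_main_generic and filter_main_wuaueng match on a bare file name and are the weakest exclusions in the rule.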
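Review bot: the new selection_cli in proc_creation_win_wuauclt_no_cli_flags_execution.yml (`CommandLine|endswith` with 'Wuauclt' and 'Wuauclt.exe') still does not match the quoted form, where the command line ends with a closing double quote (`"...\wuauclt.exe"`); add `'Wuauclt.exe"'` and `'Wuauclt"'` variants or note the gap in the description. Dropping the leading backslash from the old `'\Wuauclt.exe'` also means a command line ending in, say, `notwuauclt` would now match; that is probably acceptable given selection_img already restricts Image and OriginalFileName, but a one-line comment would save the next reviewer the question. The switch of `description:` to a `|` block scalar changes no content and could be left out of this PR.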