Merge pull request #504 from yugoslavskiy/oscd_ilyas_ochkov

[OSCD] Ilyas Ochkov contribution
2019-11-14 00:22:48 +03:00
parent a4331b0eec b47748399d
commit c8ee6e9631
13 changed files with 357 additions and 0 deletions
@@ -0,0 +1,22 @@
+title: Possible DNS Rebinding
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    product: dns
+detection:
+    selection:
+        answer: '*'
+    filter1:
+        ttl: '>0'
+    filter2:
+        ttl: '<10'
+    timeframe: 30s
+    condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium
@@ -0,0 +1,18 @@
+title: Suspicious reverse connect via HTTP proxy
+status: experimental
+description: Detects auth on proxy-server by machine account (aka SYSTEM) 
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    category: proxy
+detection:
+    selection:
+      username|re: '\S+\$$'
+    condition: selection
+falsepositives:
+    - Update OS or other softs which start by SYSTEM
+    - User account with $ in attribute "SamAccountName"
@@ -0,0 +1,26 @@
+title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
+status: experimental
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 
+            - 4720 # create user
+            - 4781 # rename user
+        UserName|contains: '$'    #SamAccountName
+    condition: selection
+fields:
+    - EventID
+    - UserName
+    - SubjectAccountName
+falsepositives:
+    - Unkown
+level: medium
@@ -0,0 +1,24 @@
+title: Possible DC Sync
+description: Detects DC sync via create new SPN
+status: experimental
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+references:
+    - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+    - https://twitter.com/gentilkiwi/status/1003236624925413376
+    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+    - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+tags:
+    - attack.credential_access
+    - attack.t1003
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4742
+        ServicePrincipalNames: '*GC/*'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,23 @@
+title: Register new logon process by Rubeus
+description: Detects potential use of Rubeus via registered new trusted logon process
+status: experimental
+references:
+    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+    product: windows
+    service: security
+    definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
+detection:
+    selection:
+        - EventID: 4611
+          LogonProcessName: 'User32LogonProcesss'
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,28 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+    - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+    - attack.lateral_movement
+    - attack.t1208
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 5156
+        DestinationPort: 88
+    filter:
+        Image|endswith:
+            - '\lsass.exe'
+            - '\opera.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+    condition: selection and not filter 
+falsepositives:
+    - Other browsers
+level: high
@@ -0,0 +1,23 @@
+title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
+status: experimental
+references:
+    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        - EventID: 4673
+          Service: 'LsaRegisterLogonProcess()'
+          Keywords: '0x8010000000000000'   #failure
+    condition: selection
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,23 @@
+title: Clear PowerShell History
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+tags:
+    - attack.defense_evasion
+    - attack.t1146
+logsource:
+    product: windows
+    service: powershell
+detection:
+    keywords:
+        - 'del (Get-PSReadlineOption).HistorySavePath'
+        - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
+        - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
+        - 'rm (Get-PSReadlineOption).HistorySavePath'
+    condition: keywords
+falsepositives:
+    - some PS-scripts
+level: medium
@@ -0,0 +1,31 @@
+title: Disable security events logging adding reg key MiniNt
+status: experimental
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+references:
+    - https://twitter.com/0gtweet/status/1182516740955226112
+tags:
+    - attack.defense_evasion
+    - attack.t1089
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+      - EventID: 12 # key create
+        TargetObject|contains: '\SYSTEM\'
+        TargetObject|endswith: '\Control\MiniNt'
+      - EventID: 14  # key rename
+        NewName|contains: '\SYSTEM\'
+        NewName|endswith: '\Control\MiniNt'
+    condition: selection
+fields:
+    - EventID
+    - Image
+    - TargetObject
+    - NewName
+falsepositives:
+    - Unkown
+level: high
@@ -0,0 +1,34 @@
+title: New DLL added to AppCertDlls registry key
+status: experimental
+description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. 
+references:
+    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+tags:
+    - attack.persistence
+    - attack.t1182
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+      - EventID: 
+            - 12  # key create
+            - 13  # value set
+        TargetObject|contains: '\SYSTEM\'
+        TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
+      - EventID: 14  # key rename
+        NewName|contains: '\SYSTEM\'
+        NewName|endswith: '\Control\Session Manager\AppCertDlls'
+    condition: selection
+fields:
+    - EventID
+    - Image
+    - TargetObject
+    - NewName
+falsepositives:
+    - Unkown
+level: medium
@@ -0,0 +1,33 @@
+title: New DLL added to AppInit_DLLs registry key
+status: experimental
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll 
+references:
+    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
+tags:
+    - attack.persistence
+    - attack.t1103
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+      - EventID: 
+            - 12 # key create
+            - 13 # value set
+        TargetObject|contains: '\SOFTWARE\'
+        TargetObject|endswith: '\Windows\AppInit_Dlls'
+      - EventID: 14 # key rename
+        NewName|contains: '\SOFTWARE\'
+        NewName|endswith: '\Windows\AppInit_Dlls'
+    condition: selection
+fields:
+    - EventID
+    - Image
+    - TargetObject
+    - NewName
+falsepositives:
+    - Unkown
+level: medium
@@ -0,0 +1,43 @@
+title: Possible DNS Rebinding
+status: experimental
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
+date: 2019/10/25
+modified: 2019/11/13
+author: Ilyas Ochkov, oscd.community
+references:
+    - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+    - attack.command_and_control
+    - attack.t1043
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    dns_answer:
+        EventID: 22
+        QueryName: '*'
+        QueryStatus: '0' 
+    filter_int_ip:
+        QueryResults|startswith: 
+            - '(::ffff:)?10.'
+            - '(::ffff:)?192.168.'
+            - '(::ffff:)?172.16.'
+            - '(::ffff:)?172.17.'
+            - '(::ffff:)?172.18.'
+            - '(::ffff:)?172.19.'
+            - '(::ffff:)?172.20.'
+            - '(::ffff:)?172.21.'
+            - '(::ffff:)?172.22.'
+            - '(::ffff:)?172.23.'
+            - '(::ffff:)?172.24.'
+            - '(::ffff:)?172.25.'
+            - '(::ffff:)?172.26.'
+            - '(::ffff:)?172.27.'
+            - '(::ffff:)?172.28.'
+            - '(::ffff:)?172.29.'
+            - '(::ffff:)?172.30.'
+            - '(::ffff:)?172.31.'
+            - '(::ffff:)?127.'        
+    timeframe: 30s
+    condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
+level: medium
@@ -0,0 +1,29 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+    - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+    - attack.lateral_movement
+    - attack.t1208
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 3
+        DestinationPort: 88
+        Initiated: 'true'
+    filter:
+        Image|endswith:
+            - '\lsass.exe'
+            - '\opera.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+    condition: selection and not filter 
+falsepositives:
+    - Other browsers
+level: high