diff --git a/rules/network/net_possible_dns_rebinding.yml b/rules/network/net_possible_dns_rebinding.yml
new file mode 100644
index 000000000..cc8f2a234
--- /dev/null
+++ b/rules/network/net_possible_dns_rebinding.yml
@@ -0,0 +1,22 @@
+title: Possible DNS Rebinding
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+  - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+  - attack.command_and_control
+  - attack.t1043
+logsource:
+  product: dns
+detection:
+  selection:
+    answer: '*'
+  filter1:
+    ttl: '>0'
+  filter2:
+    ttl: '<10'
+  timeframe: 30s
+  condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium
diff --git a/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml
new file mode 100644
index 000000000..68a629cda
--- /dev/null
+++ b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml
@@ -0,0 +1,18 @@
+title: Suspicious reverse connect via HTTP proxy
+status: experimental
+description: Detects auth on proxy-server by machine account (aka SYSTEM)
+author: Ilyas Ochkov, oscd.community
+references:
+  - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
+tags:
+  - attack.command_and_control
+  - attack.t1043
+logsource:
+  category: proxy
+detection:
+  selection:
+    username|re: '\S+\$$'
+  condition: selection
+falsepositives:
+  - Update OS or other softs which start by SYSTEM
+  - User account with $ in attribute "SamAccountName"
diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
new file mode 100644
index 000000000..4b1924c1a
--- /dev/null
+++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
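Review bot: The TTL constraints `ttl: '>0'` and `ttl: '<10'` are quoted strings, and as far as I know Sigma field matching has no comparison syntax of that form, so backends will search for the literal text `>0` and `<10` and the rule never matches a numeric TTL. Unless the consuming backend is known to interpret these, the threshold needs a backend-supported numeric comparison or a post-processing step, and a comment on the filter lines should say which is expected. The description says `TTL <10` while filter1 excludes TTL 0; if that exclusion is intentional, document the reason next to it, e.g. `# TTL 0 excluded: <reason>`.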
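Review bot: This rule has no `date:` and no `level:` field, unlike every other rule in the commit, so consumers that order alerts by severity have nothing to go on; add both (medium would be consistent with the two acknowledged false positives). The regex `\S+\$$` matches any username ending in `$`, which the second falsepositives entry already concedes, so a short description note that the `$` suffix is the machine-account convention would make the intent explicit. `other softs` in the first falsepositives entry should read `other software`.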
@@ -0,0 +1,26 @@
+title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
+status: experimental
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+tags:
+  - attack.defense_evasion
+  - attack.t1036
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID:
+      - 4720 # create user
+      - 4781 # rename user
+    UserName|contains: '$' #SamAccountName
+  condition: selection
+fields:
+  - EventID
+  - UserName
+  - SubjectAccountName
+falsepositives:
+  - Unkown
+level: medium
diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml
new file mode 100644
index 000000000..b73091fd4
--- /dev/null
+++ b/rules/windows/builtin/win_possible_dc_sync.yml
@@ -0,0 +1,24 @@
+title: Possible DC Sync
+description: Detects DC sync via create new SPN
+status: experimental
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+references:
+  - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+  - https://twitter.com/gentilkiwi/status/1003236624925413376
+  - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+  - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+tags:
+  - attack.credential_access
+  - attack.t1003
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 4742
+    ServicePrincipalNames: '*GC/*'
+  condition: selection
+falsepositives:
+  - Unkown
+level: high
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
new file mode 100644
index 000000000..7be412525
--- /dev/null
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
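Review bot: The field `UserName|contains: '$'` does not correspond to the native field names of events 4720 and 4781, which as far as I recall carry the created account in `TargetUserName` and the renamed account in `NewTargetUserName`/`OldTargetUserName`; unless the log pipeline maps `UserName` onto those, the rule matches nothing, so the mapping should be confirmed or the native names used, and the same applies to the `fields:` list. A comment on the `UserName` line naming the assumed mapping, e.g. `# UserName is expected to be mapped from TargetUserName / NewTargetUserName`, would make that dependency visible. `falsepositives: - Unkown` is misspelled here and in win_possible_dc_sync, win_register_new_logon_process_by_rubeus, win_user_couldnt_call_privileged_service_lsaregisterlogonprocess, sysmon_disable_security_events_logging_adding_reg_key_minint and both sysmon_new_dll_added_* rules; `- Unknown`.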
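Review bot: The selection (event 4742 with a `GC/` service principal name added to a computer account) follows the referenced gentilkiwi material, which as I read it describes the registration of a rogue domain controller (DCShadow) rather than DCSync replication requests, so the title `Possible DC Sync`, the description and the `attack.t1003` tag look misaligned with what is actually matched; if rogue-DC registration is the intent, `attack.t1207` is the matching technique and the title should say so. `Detects DC sync via create new SPN` also reads awkwardly; `Detects the addition of a GC service principal name to a computer account (event 4742)` describes the selection as written. `Unkown` is covered by the note on the previous hunk.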
@@ -0,0 +1,23 @@
+title: Register new logon process by Rubeus
+description: Detects potential use of Rubeus via registered new trusted logon process
+status: experimental
+references:
+  - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+  - attack.lateral_movement
+  - attack.privilege_escalation
+  - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+  product: windows
+  service: security
+  definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
+detection:
+  selection:
+    - EventID: 4611
+      LogonProcessName: 'User32LogonProcesss'
+  condition: selection
+falsepositives:
+  - Unkown
+level: high
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 000000000..df534a554
--- /dev/null
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,28 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+  - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+  - attack.lateral_movement
+  - attack.t1208
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    EventID: 5156
+    DestinationPort: 88
+  filter:
+    Image|endswith:
+      - '\lsass.exe'
+      - '\opera.exe'
+      - '\chrome.exe'
+      - '\firefox.exe'
+  condition: selection and not filter
+falsepositives:
+  - Other browsers
+level: high
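Review bot: `definition: Ubnormal logon process name ...` is misspelled; `definition: Abnormal logon process name 'User32LogonProcesss' - with three 's' at the end`. The `- EventID: 4611` form makes `selection` a one-element list of maps; it is valid Sigma, but the plain mapping form used by the other rules in this commit reads the same and diffs more cleanly. A short comment on the `LogonProcessName` line saying the value is tool-specific, e.g. `# default logon process name registered by Rubeus`, tells a maintainer why this exact string is matched.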
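Review bot: The selection uses `DestinationPort` and `Image`, but event 5156 natively names these fields `DestPort` and `Application` (the latter in `\device\harddiskvolumeN\...` form) and carries a separate `Direction` field; unless the field mapping normalizes them, nothing matches, and the `outbound` in the title is not enforced by any selection line. Confirm the mapping, or use `DestPort: 88` with a `Direction` constraint on outbound connections and point the `endswith` exclusions at `Application`. The reference `https://github.com/GhostPack/Rubeus8` looks like a stray trailing character on the URL, here and in sysmon_suspicious_outbound_kerberos_connection.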
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
new file mode 100644
index 000000000..90a55c0f1
--- /dev/null
+++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -0,0 +1,23 @@
+title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
+status: experimental
+references:
+  - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+  - attack.lateral_movement
+  - attack.privilege_escalation
+  - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+  product: windows
+  service: security
+detection:
+  selection:
+    - EventID: 4673
+      Service: 'LsaRegisterLogonProcess()'
+      Keywords: '0x8010000000000000' #failure
+  condition: selection
+falsepositives:
+  - Unkown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
new file mode 100644
index 000000000..6f5eeed2c
--- /dev/null
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
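Review bot: The file is committed without a trailing newline (`\ No newline at end of file`), unlike the other rules in the commit; add it so linters and later diffs stay clean. The inline comment `#failure` should be `# failure`, and it would help to say what the value encodes, e.g. `# Keywords 0x8010000000000000 = Audit Failure`, since the meaning of the mask is not obvious. As in the Rubeus logon-process rule, `- EventID: 4673` turns `selection` into a one-element list; a plain mapping is equivalent and easier to read. `Unkown` is noted on the user-account rule.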
@@ -0,0 +1,23 @@
+title: Clear PowerShell History
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+  - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+tags:
+  - attack.defense_evasion
+  - attack.t1146
+logsource:
+  product: windows
+  service: powershell
+detection:
+  keywords:
+    - 'del (Get-PSReadlineOption).HistorySavePath'
+    - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
+    - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
+    - 'rm (Get-PSReadlineOption).HistorySavePath'
+  condition: keywords
+falsepositives:
+  - some PS-scripts
+level: medium
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
new file mode 100644
index 000000000..57be53774
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -0,0 +1,31 @@
+title: Disable security events logging adding reg key MiniNt
+status: experimental
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+references:
+  - https://twitter.com/0gtweet/status/1182516740955226112
+tags:
+  - attack.defense_evasion
+  - attack.t1089
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    - EventID: 12 # key create
+      TargetObject|contains: '\SYSTEM\'
+      TargetObject|endswith: '\Control\MiniNt'
+    - EventID: 14 # key rename
+      NewName|contains: '\SYSTEM\'
+      NewName|endswith: '\Control\MiniNt'
+  condition: selection
+fields:
+  - EventID
+  - Image
+  - TargetObject
+  - NewName
+falsepositives:
+  - Unkown
+level: high
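Review bot: The keyword `'Set-PSReadlineOption –HistorySaveStyle SaveNothing'` uses an en dash (U+2013) before `HistorySaveStyle` instead of an ASCII hyphen, so it never matches the parameter as it is actually typed; `- 'Set-PSReadlineOption -HistorySaveStyle SaveNothing'`. The other three keywords use plain hyphens, so this one is presumably a copy-paste artifact from the referenced gist. It is also worth stating in the description that these are substring matches against logged script text, since the `rm`/`del` forms will appear in benign housekeeping scripts, as the falsepositives entry already hints.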
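Review bot: The comment `# key create` on `EventID: 12` understates the event: Sysmon event 12 is raised for both key creation and key deletion, so deleting the `MiniNt` key also fires this rule; the same comment appears in sysmon_new_dll_added_to_appcertdlls_registry_key and sysmon_new_dll_added_to_appinit_dlls_registry_key. `# key create or delete` is accurate, and if deletions are wanted (removing the key re-enables logging, which is worth seeing too) the description should say so rather than leave a reader to assume only additions match. The description's `Windows Event Log service will stopped write events` reads awkwardly; `the Windows Event Log service stops writing events`.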
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
new file mode 100644
index 000000000..6ef46657c
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -0,0 +1,34 @@
+title: New DLL added to AppCertDlls registry key
+status: experimental
+description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
+references:
+  - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+  - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+tags:
+  - attack.persistence
+  - attack.t1182
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    - EventID:
+        - 12 # key create
+        - 13 # value set
+      TargetObject|contains: '\SYSTEM\'
+      TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
+    - EventID: 14 # key rename
+      NewName|contains: '\SYSTEM\'
+      NewName|endswith: '\Control\Session Manager\AppCertDlls'
+  condition: selection
+fields:
+  - EventID
+  - Image
+  - TargetObject
+  - NewName
+falsepositives:
+  - Unkown
+level: medium
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
new file mode 100644
index 000000000..c660735b6
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
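Review bot: For `EventID: 13` (value set), Sysmon's `TargetObject` as I understand it includes the value name, i.e. `...\Session Manager\AppCertDlls\<value>`, so `TargetObject|endswith: '\Control\Session Manager\AppCertDlls'` only matches when the value name is empty and misses exactly the case the title describes, a new DLL value written under the key. Replacing that line with `TargetObject|contains: '\Control\Session Manager\AppCertDlls'` covers both the key itself and any value beneath it, and the `|contains: '\SYSTEM\'` line can stay as the hive constraint. The `endswith` on `NewName` for event 14 is fine, since a renamed key path ends in the key name.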
@@ -0,0 +1,33 @@
+title: New DLL added to AppInit_DLLs registry key
+status: experimental
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
+references:
+  - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
+tags:
+  - attack.persistence
+  - attack.t1103
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    - EventID:
+        - 12 # key create
+        - 13 # value set
+      TargetObject|contains: '\SOFTWARE\'
+      TargetObject|endswith: '\Windows\AppInit_Dlls'
+    - EventID: 14 # key rename
+      NewName|contains: '\SOFTWARE\'
+      NewName|endswith: '\Windows\AppInit_Dlls'
+  condition: selection
+fields:
+  - EventID
+  - Image
+  - TargetObject
+  - NewName
+falsepositives:
+  - Unkown
+level: medium
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
new file mode 100644
index 000000000..a53182be2
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
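Review bot: `AppInit_DLLs` is a value under the `...\CurrentVersion\Windows` key rather than a key of its own (the description says so itself), so the `EventID: 12` and `EventID: 14` branches only fire if someone creates or renames a key literally named `AppInit_Dlls`; the realistic match is `EventID: 13`, which the `endswith` handles because `TargetObject` for a value-set event ends in the value name. The extra branches are harmless but misleading about what the rule covers; either drop them or annotate them, e.g. `# 12/14 only match if a key named AppInit_Dlls is created or renamed`. The `Unkown` spelling and the `# key create` remark from earlier hunks also apply here.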
@@ -0,0 +1,43 @@
+title: Possible DNS Rebinding
+status: experimental
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
+date: 2019/10/25
+modified: 2019/11/13
+author: Ilyas Ochkov, oscd.community
+references:
+  - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+  - attack.command_and_control
+  - attack.t1043
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  dns_answer:
+    EventID: 22
+    QueryName: '*'
+    QueryStatus: '0'
+  filter_int_ip:
+    QueryResults|startswith:
+      - '(::ffff:)?10.'
+      - '(::ffff:)?192.168.'
+      - '(::ffff:)?172.16.'
+      - '(::ffff:)?172.17.'
+      - '(::ffff:)?172.18.'
+      - '(::ffff:)?172.19.'
+      - '(::ffff:)?172.20.'
+      - '(::ffff:)?172.21.'
+      - '(::ffff:)?172.22.'
+      - '(::ffff:)?172.23.'
+      - '(::ffff:)?172.24.'
+      - '(::ffff:)?172.25.'
+      - '(::ffff:)?172.26.'
+      - '(::ffff:)?172.27.'
+      - '(::ffff:)?172.28.'
+      - '(::ffff:)?172.29.'
+      - '(::ffff:)?172.30.'
+      - '(::ffff:)?172.31.'
+      - '(::ffff:)?127.'
+  timeframe: 30s
+  condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
+level: medium
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 000000000..8daac1661
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
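Review bot: The condition `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)` is evaluated per event, where it is always false (one answer cannot both match and not match `filter_int_ip`), so the `count(QueryName) by ComputerName > 3` aggregation never receives any events. The intended logic, one query name resolving to both internal and external addresses within `30s`, is a correlation across events that a single Sigma condition cannot express; the rule should either be split into two selections that a backend correlates, or carry a comment stating which backend feature or post-processing is expected. Separately, `QueryResults|startswith` is a literal-prefix modifier, so entries like `'(::ffff:)?10.'` are compared as the literal text `(::ffff:)?10.` and never hit; use `|re` with anchored patterns, or list the plain prefixes (`10.`, `::ffff:10.`, and so on) under `startswith`. The description's `Normally, DNS-answer contain TTL >100` is not enforced by any selection and could be dropped or moved to a comment.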
@@ -0,0 +1,29 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+  - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+  - attack.lateral_movement
+  - attack.t1208
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 3
+    DestinationPort: 88
+    Initiated: 'true'
+  filter:
+    Image|endswith:
+      - '\lsass.exe'
+      - '\opera.exe'
+      - '\chrome.exe'
+      - '\firefox.exe'
+  condition: selection and not filter
+falsepositives:
+  - Other browsers
+level: high
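Review bot: The exclusion list names `lsass.exe` and three third-party browsers but not the browsers shipped with Windows, so on a default install the acknowledged `Other browsers` false positive will fire at `level: high` for any Edge or Internet Explorer process that shows up connecting to port 88 in your telemetry. If those processes are observed doing so, add `- '\msedge.exe'` and `- '\iexplore.exe'` to the filter; if they are not, a comment saying the list was validated against them would save the next maintainer the question. `Initiated: 'true'` is quoted while `DestinationPort: 88` is bare; both are fine for Sysmon, but a comment such as `# Initiated is a string in the Sysmon event XML` prevents a later "fix" to a YAML boolean that backends may not serialize the same way.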