From 4251d9f490cb566cfe37781fc61d1d8066f1fcd4 Mon Sep 17 00:00:00 2001 
From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 03:44:22 +0300 Subject: [PATCH 01/12] ilyas ochkov contribution --- rules/network/net_possible_dns_rebinding.yml | 22 +++++++++ ...picious_reverse_connect_via_http_proxy.yml | 18 +++++++ ..._renamed_user_account_with_dollar_sign.yml | 33 +++++++++++++ .../windows/builtin/win_possible_dc_sync.yml | 24 ++++++++++ ...n_register_new_logon_process_by_rubeus.yml | 23 +++++++++ ...uspicious_outbound_kerberos_connection.yml | 27 +++++++++++ ...ileged_service_lsaregisterlogonprocess.yml | 23 +++++++++ .../powershell_clear_powershell_history.yml | 23 +++++++++ ...y_events_logging_adding_reg_key_minint.yml | 38 +++++++++++++++ ..._dll_added_to_appcertdlls_registry_key.yml | 48 +++++++++++++++++++ ...dll_added_to_appinit_dlls_registry_key.yml | 47 ++++++++++++++++++ .../sysmon/sysmon_possible_dns_rebinding.yml | 42 ++++++++++++++++ ...uspicious_outbound_kerberos_connection.yml | 28 +++++++++++ 13 files changed, 396 insertions(+) create mode 100644 rules/network/net_possible_dns_rebinding.yml create mode 100644 rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml create mode 100644 rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml create mode 100644 rules/windows/builtin/win_possible_dc_sync.yml create mode 100644 rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml create mode 100644 rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml create mode 100644 rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml create mode 100644 rules/windows/powershell/powershell_clear_powershell_history.yml create mode 100644 rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml create mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml create mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml create mode 100644 
rules/windows/sysmon/sysmon_possible_dns_rebinding.yml create mode 100644 rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml diff --git a/rules/network/net_possible_dns_rebinding.yml b/rules/network/net_possible_dns_rebinding.yml new file mode 100644 index 000000000..cc8f2a234 --- /dev/null +++ b/rules/network/net_possible_dns_rebinding.yml @@ -0,0 +1,22 @@ +title: Possible DNS Rebinding +status: experimental +description: 'Detects DNS-answer with TTL <10.' +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: dns +detection: + selection: + answer: '*' + filter1: + ttl: '>0' + filter2: + ttl: '<10' + timeframe: 30s + condition: selection and filter1 and filter2 | count(answer) by src_ip > 3 +level: medium diff --git a/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml new file mode 100644 index 000000000..68a629cda --- /dev/null +++ b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml @@ -0,0 +1,18 @@ +title: Suspicious reverse connect via HTTP proxy +status: experimental +description: Detects auth on proxy-server by machine account (aka SYSTEM) +author: Ilyas Ochkov, oscd.community +references: + - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html +tags: + - attack.command_and_control + - attack.t1043 +logsource: + category: proxy +detection: + selection: + username|re: '\S+\$$' + condition: selection +falsepositives: + - Update OS or other softs which start by SYSTEM + - User account with $ in attribute "SamAccountName" diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml new file mode 100644 index 000000000..420b71027 
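Review bot: `ttl: '>0'` and `ttl: '<10'` in `filter1`/`filter2` are ordinary string values, and Sigma's value syntax carries no comparison operators, so a backend will search for the literal strings `>0` and `<10` rather than a TTL range. Where the toolchain supports the numeric modifiers this is `ttl|gt: 0` and `ttl|lt: 10`; otherwise the range needs a backend-specific expression and the limitation should be stated in the description. Naming inclusion criteria `filter1`/`filter2` also reads as exclusions under the `selection and not filter` convention the other rules in this series use, so folding them into `selection` would be clearer. This is also the only rule in the set without a `falsepositives` section.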
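Review bot: The proxy rule lacks `date:` and `level:`, which every other rule in the series carries; add the author's date and a severity, e.g. `level: medium`. The regex `\S+\$$` matches any account name ending in `$`, which is the normal machine-account form, so the `falsepositives` entry about SYSTEM-started updates will be the common case rather than the exception; the description should say what makes such an authentication suspicious (the destination, or a machine account that is not the connecting host's own) so analysts can tune it.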
--- /dev/null +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -0,0 +1,33 @@ +title: New (or renamed) user account with '$' in attribute 'SamAccountName'. +status: experimental +description: Detects possible bypass EDR and SIEM via abnormal user account name. +tags: + - attack.defense_evasion + - attack.t1036 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - UserName + - SubjectAccountName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: security +detection: + create_user: + EventID: 4720 + UserName: '*$*' #SamAccountName +--- +logsource: + product: windows + service: security +detection: + rename_user: + EventID: 4781 + UserName: '*$*' #NewTargetUserName diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml new file mode 100644 index 000000000..73b44994d --- /dev/null +++ b/rules/windows/builtin/win_possible_dc_sync.yml @@ -0,0 +1,24 @@ +title: Possible DC Sync +description: Detects DC sync via create new SPN +status: experimental +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +references: + - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml + - https://twitter.com/gentilkiwi/status/1003236624925413376 + - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 + - https://jsecurity101.com/2019/Syncing-into-the-Shadows/ +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4742 + ServicePrincipalNames: '*GC/*' + condition: selection +falsepositives: + - Unkown +level: high diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml new file mode 100644 index 000000000..dd1635351 --- /dev/null 
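Review bot: `- Unkown` under `falsepositives` is a typo for `Unknown`; the same spelling is copied into the DC Sync, Rubeus, LsaRegisterLogonProcess, MiniNt, AppCertDlls and AppInit_DLLs rules in this commit and survives the rewrites in the later patches. The title also ends with a trailing period, which none of the other titles in the series have.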
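Review bot: The logic — 4742 (computer account changed) with a new `GC/` service principal name — is the indicator the gentilkiwi gist and the "Syncing into the Shadows" reference describe for DCShadow (a machine registering itself as a domain controller), not for DCSync replication requests; the title `Possible DC Sync`, the description `Detects DC sync via create new SPN` and the `attack.t1003` tag therefore point readers at the wrong technique. If that reading is right, retitle to `Possible DCShadow`, tag `attack.t1207`, and keep the `win_dcsync.yml` reference only as a related rule.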
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -0,0 +1,23 @@ +title: Register new logon process by Rubeus +description: Detects potential use of Rubeus via registered new trusted logon process +status: experimental +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1208 +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +date: 2019/10/24 +logsource: + product: windows + service: security + definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end +detection: + selection: + - EventID: 4611 + LogonProcessName: 'User32LogonProcesss' + condition: selection +falsepositives: + - Unkown +level: high diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..10d08ce14 --- /dev/null +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -0,0 +1,27 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: security +detection: + selection: + EventID: 5156 + DestinationPort: 88 + filter: + Image: + - '*\lsass.exe' + - '*\opera.exe' + - '*\chrome.exe' + - '*\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high \ No newline at end of file 
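Review bot: The `definition` key under `logsource` is meant to describe what the log source must provide, but here it holds the detection rationale (`Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end`), with `Ubnormal` a typo for `Abnormal`. Move that sentence into `description` and use `definition` for the audit requirement, e.g. `definition: Requires the 'Audit Security System Extension' subcategory, which produces 4611` — confirm against the audit policy documentation. `selection` is written as a one-element list (`- EventID: 4611`), which is valid but inconsistent with the plain mapping form used by the other rules in the series.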
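Review bot: The `selection` on 5156 constrains `DestinationPort` but not direction, and the Filtering Platform connection event is logged for inbound connections as well, so a host accepting Kerberos traffic would also match a rule titled as outbound; add `Direction: '%%14593'` (the Outbound resource string in 5156) — confirm the literal against how your log pipeline renders it. As far as I can tell 5156 reports the process in the `Application` field in device-path form rather than in `Image`, so unless the field mapping normalizes it, the `Image` exclusions would never apply and lsass.exe itself would alert; the `Image|endswith` rewrite in patch 05 keeps the same field name.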
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml new file mode 100644 index 000000000..0a7a760b8 --- /dev/null +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -0,0 +1,23 @@ +title: User couldn't call a privileged service 'LsaRegisterLogonProcess' +description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. +status: experimental +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1208 +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +date: 2019/10/24 +logsource: + product: windows + service: security +detection: + selection: + - EventID: 4673 + Service: 'LsaRegisterLogonProcess()' + Keywords: '0x8010000000000000' #failure + condition: selection +falsepositives: + - Unkown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml new file mode 100644 index 000000000..6f5eeed2c --- /dev/null +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
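Review bot: `Keywords: '0x8010000000000000'` pins the failure audit on the raw 64-bit keyword literal, which only works where the backend stores `Keywords` as that hex string; several pipelines expose it as `Audit Failure` or as an integer, and there the rule silently never fires. Either note the dependency in the description or express the failure check in whatever form the repo's other 4673 rules use — they are not visible from this hunk. The trailing comment should be `# failure` (space after `#`), and `Possible Rubeus tries to get a handle to LSA` reads better as `Rubeus may be trying to obtain a handle to LSA`.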
@@ -0,0 +1,23 @@ +title: Clear PowerShell History +status: experimental +description: Detects keywords that could indicate clearing PowerShell history +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a +tags: + - attack.defense_evasion + - attack.t1146 +logsource: + product: windows + service: powershell +detection: + keywords: + - 'del (Get-PSReadlineOption).HistorySavePath' + - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing' + - 'Remove-Item (Get-PSReadlineOption).HistorySavePath' + - 'rm (Get-PSReadlineOption).HistorySavePath' + condition: keywords +falsepositives: + - some PS-scripts +level: medium diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml new file mode 100644 index 000000000..0e3e926c2 --- /dev/null +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -0,0 +1,38 @@ +title: Disable security events logging adding reg key MiniNt +status: experimental +description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. +references: + - https://twitter.com/0gtweet/status/1182516740955226112 +tags: + - attack.defense_evasion + - attack.t1089 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: high +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SYSTEM\*\Control\MiniNt' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SYSTEM\*\Control\MiniNt' 
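Review bot: The keyword `'Set-PSReadlineOption –HistorySaveStyle SaveNothing'` contains an en dash (U+2013) before `HistorySaveStyle` rather than an ASCII hyphen, so it will never match the command as actually typed; it should be `'Set-PSReadlineOption -HistorySaveStyle SaveNothing'`. The other three keywords use plain hyphens, which makes the odd one easy to miss in review.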
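Review bot: The `key_create` document matches `EventID: 12` on the MiniNt path without an `EventType`, and Sysmon event 12 is raised for key deletion as well as creation, so removing the key (the remediation) fires the same alert; add `EventType: CreateKey` to that selection. The same gap is in the AppCertDlls and AppInit_DLLs rules in this commit and is carried into the rewritten selections in patches 06, 07 and 09 (`- EventID: 12 # key create`). `Windows Event Log service will stopped write events` in the description should read `the Windows Event Log service stops writing events`.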
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml new file mode 100644 index 000000000..ae970f27a --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -0,0 +1,48 @@ +title: New DLL added to AppCertDlls registry key +status: experimental +description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. +references: + - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html +tags: + - attack.persistence + - attack.t1182 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' +--- +logsource: + product: windows + service: sysmon +detection: + value_set: + EventID: 13 + TargetObject: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml new file mode 100644 index 000000000..403ceeadc --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
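Review bot: For Sysmon event 13 (`value_set`), `TargetObject` carries the full value path, so `'*\SYSTEM\*\Control\Session Manager\AppCertDlls'` with no trailing wildcard only matches a write to the key's default value and misses the named values under it that the description says are abused; the 13 document needs `'*\SYSTEM\*\Control\Session Manager\AppCertDlls\*'`. The rewrite in patch 07 keeps the same gap by using `TargetObject|endswith: '\Control\Session Manager\AppCertDlls'` for both 12 and 13, so 13 needs its own list entry with `TargetObject|contains: '\Control\Session Manager\AppCertDlls\'`.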
@@ -0,0 +1,47 @@ +title: New DLL added to AppInit_DLLs registry key +status: experimental +description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll +references: + - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html +tags: + - attack.persistence + - attack.t1103 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' +--- +logsource: + product: windows + service: sysmon +detection: + value_set: + EventID: 13 + TargetObject: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml new file mode 100644 index 000000000..015acde37 --- /dev/null +++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml 
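Review bot: The description states that `AppInit_DLLs` is a value under `...\Windows NT\CurrentVersion\Windows`, yet the `key_create` (12) and `key_rename` (14) documents look for a registry object whose path ends in `\Windows\AppInit_Dlls`, i.e. a key with that name; as far as I can tell from Sysmon's event types, writing that value is reported as 13 (SetValue), which the `value_set` document already covers, so the 12 and 14 branches are at best a value-delete/rename signal and should be commented as such (`# value delete / rename`) or dropped. Patch 09 keeps the same three branches.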
@@ -0,0 +1,42 @@ +title: Possible DNS Rebinding +status: experimental +description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: windows + service: sysmon +detection: + dns_answer: + EventID: 22 + QueryName: '*' + QueryStatus: '0' + filter_int_ip: + QueryResults: + - '(::ffff:)?10.*' + - '(::ffff:)?192.168.*' + - '(::ffff:)?172.16.*' + - '(::ffff:)?172.17.*' + - '(::ffff:)?172.18.*' + - '(::ffff:)?172.19.*' + - '(::ffff:)?172.20.*' + - '(::ffff:)?172.21.*' + - '(::ffff:)?172.22.*' + - '(::ffff:)?172.23.*' + - '(::ffff:)?172.24.*' + - '(::ffff:)?172.25.*' + - '(::ffff:)?172.26.*' + - '(::ffff:)?172.27.*' + - '(::ffff:)?172.28.*' + - '(::ffff:)?172.29.*' + - '(::ffff:)?172.30.*' + - '(::ffff:)?172.31.*' + - '(::ffff:)?127.*' + timeframe: 30s + condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 +level: medium diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..c644fda97 --- /dev/null +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml 
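Review bot: The `condition` is evaluated per event, and `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)` is `X and not X` for any single event, so it can never be true before the `| count()` aggregation is applied; the intended "same name resolved to both an internal and an external address within 30s" needs the aggregation to carry the distinction (a distinct-count of `QueryResults` per `QueryName`, or two separate aggregations), which `count() by` alone cannot express — state the limitation or restructure. Separately, `(::ffff:)?` is not a regex group here: in a plain Sigma value `?` is a single-character wildcard, so each entry requires the literal text `(::ffff:)` followed by one arbitrary character and never matches a real `::ffff:10.0.0.1` result; list the IPv4-mapped and bare forms as separate values (`'::ffff:10.*'`, `'10.*'`). Patch 10 switches to `QueryResults|startswith` but keeps both the condition and the `(::ffff:)?` literals.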
@@ -0,0 +1,28 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationPort: 88 + Initiated: 'true' + filter: + Image: + - '*\lsass.exe' + - '*\opera.exe' + - '*\chrome.exe' + - '*\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high From fd606cb3760c3003bc963465679617847c8e6e86 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 03:59:07 +0300 Subject: [PATCH 02/12] spaces fix --- .../win_new_or_renamed_user_account_with_dollar_sign.yml | 2 +- rules/windows/builtin/win_possible_dc_sync.yml | 2 +- .../builtin/win_register_new_logon_process_by_rubeus.yml | 2 +- .../builtin/win_suspicious_outbound_kerberos_connection.yml | 2 +- ..._couldnt_call_privileged_service_lsaregisterlogonprocess.yml | 2 +- ...on_disable_security_events_logging_adding_reg_key_minint.yml | 2 +- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 2 +- .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 2 +- .../sysmon/sysmon_suspicious_outbound_kerberos_connection.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 420b71027..4f55fd485 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml 
@@ -5,7 +5,7 @@ tags: - attack.defense_evasion - attack.t1036 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml index 73b44994d..b73091fd4 100644 --- a/rules/windows/builtin/win_possible_dc_sync.yml +++ b/rules/windows/builtin/win_possible_dc_sync.yml @@ -2,7 +2,7 @@ title: Possible DC Sync description: Detects DC sync via create new SPN status: experimental author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 references: - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml - https://twitter.com/gentilkiwi/status/1003236624925413376 diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml index dd1635351..7be412525 100644 --- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -7,7 +7,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: product: windows diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index 10d08ce14..4167b05c3 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml 
@@ -4,7 +4,7 @@ description: Detects suspicious outbound network activity via kerberos default p references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community -date: 2019/10/24 +date: 2019/10/24 tags: - attack.lateral_movement - attack.t1208 diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 0a7a760b8..90a55c0f1 100644 --- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -7,7 +7,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 0e3e926c2..12afd3d55 100644 --- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -7,7 +7,7 @@ tags: - attack.defense_evasion - attack.t1089 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index ae970f27a..1deb58c74 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
@@ -8,7 +8,7 @@ tags: - attack.persistence - attack.t1182 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 403ceeadc..77304269a 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -7,7 +7,7 @@ tags: - attack.persistence - attack.t1103 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml index c644fda97..2bc9e19f9 100644 --- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -4,7 +4,7 @@ description: Detects suspicious outbound network activity via kerberos default p references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community -date: 2019/10/24 +date: 2019/10/24 tags: - attack.lateral_movement - attack.t1208 From 26479485e61f31fe4875b1d7f63749c6e5fc278c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:34:46 +0300 Subject: [PATCH 03/12] Update win_new_or_renamed_user_account_with_dollar_sign.yml --- ..._renamed_user_account_with_dollar_sign.yml | 25 +++++++------------ 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 4f55fd485..393d8a45f 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml 
+++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -6,7 +6,16 @@ tags: - attack.t1036 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: security detection: + selection: + EventID: + - 4720 # create user + - 4781 # rename user + UserName|contains: '$' #SamAccountName condition: 1 of them fields: - EventID @@ -15,19 +24,3 @@ fields: falsepositives: - Unkown level: medium ---- -logsource: - product: windows - service: security -detection: - create_user: - EventID: 4720 - UserName: '*$*' #SamAccountName ---- -logsource: - product: windows - service: security -detection: - rename_user: - EventID: 4781 - UserName: '*$*' #NewTargetUserName From 7f01a5b1bba2f3784acd469be30b4baf77e4c126 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:35:59 +0300 Subject: [PATCH 04/12] Update win_new_or_renamed_user_account_with_dollar_sign.yml --- .../win_new_or_renamed_user_account_with_dollar_sign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 393d8a45f..4b1924c1a 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -16,7 +16,7 @@ detection: - 4720 # create user - 4781 # rename user UserName|contains: '$' #SamAccountName - condition: 1 of them + condition: selection fields: - EventID - UserName From d8447946d6c01687eae6ba2800b2ac34aa38f3a9 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:37:25 +0300 Subject: [PATCH 05/12] Update win_suspicious_outbound_kerberos_connection.yml --- .../win_suspicious_outbound_kerberos_connection.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
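Review bot: The merged `selection` applies `UserName|contains: '$'` to both 4720 and 4781, but the removed second document recorded that for 4781 the account name is in `NewTargetUserName` (`#NewTargetUserName`), and that information is lost; unless the field mapping normalizes `NewTargetUserName` to `UserName`, the rename branch silently stops matching. Keep the mapping note on the line: `UserName|contains: '$' # 4720: SamAccountName, 4781: NewTargetUserName — confirm field mapping`.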
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
index 4167b05c3..df534a554 100644
--- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -5,6 +5,7 @@ references:
 - https://github.com/GhostPack/Rubeus8
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/24
+modified: 2019/11/13
 tags:
 - attack.lateral_movement
 - attack.t1208
@@ -16,12 +17,12 @@ detection:
 EventID: 5156
 DestinationPort: 88
 filter:
- Image:
- - '*\lsass.exe'
- - '*\opera.exe'
- - '*\chrome.exe'
- - '*\firefox.exe'
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
 condition: selection and not filter
 falsepositives:
 - Other browsers
-level: high
\ No newline at end of file
+level: high
From e6e308ef519b2b8c70c0627acd87ab71a241ffce Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:40:29 +0300
Subject: [PATCH 06/12] Update sysmon_disable_security_events_logging_adding_reg_key_minint.yml
---
 ...y_events_logging_adding_reg_key_minint.yml | 31 +++++++------------
 1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index 12afd3d55..57be53774 100644
--- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -8,8 +8,19 @@ tags: - attack.t1089 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon detection: - condition: 1 of them + selection: + - EventID: 12 # key create + TargetObject|contains: '\SYSTEM\' + TargetObject|endswith: '\Control\MiniNt' + - EventID: 14 # key rename + NewName|contains: '\SYSTEM\' + NewName|endswith: '\Control\MiniNt' + condition: selection fields: - EventID - Image @@ -18,21 +29,3 @@ fields: falsepositives: - Unkown level: high ---- -logsource: - product: windows - service: sysmon -detection: - key_create: - EventID: 12 - TargetObject: - - '*\SYSTEM\*\Control\MiniNt' ---- -logsource: - product: windows - service: sysmon -detection: - key_rename: - EventID: 14 - NewName: - - '*\SYSTEM\*\Control\MiniNt' From bba360212ab0c09034d7bad38f3ca4f78c7af9b1 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:43:45 +0300 Subject: [PATCH 07/12] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- ..._dll_added_to_appcertdlls_registry_key.yml | 41 +++++++------------ 1 file changed, 14 insertions(+), 27 deletions(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 1deb58c74..b943d0c56 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
@@ -9,7 +9,21 @@ tags: - attack.t1182 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 detection: +logsource: + product: windows + service: sysmon +detection: + selection: + - EventID: + - 12 # key create + - 13 # value set + TargetObject|contains: '\SYSTEM\' + TargetObject|endswith: '\Control\Session Manager\AppCertDlls' + - EventID: 14 # key rename + NewName|contains: '\SYSTEM\' + NewName|endswith: '\Control\Session Manager\AppCertDlls' condition: 1 of them fields: - EventID @@ -19,30 +33,3 @@ fields: falsepositives: - Unkown level: medium ---- -logsource: - product: windows - service: sysmon -detection: - key_create: - EventID: 12 - TargetObject: - - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' ---- -logsource: - product: windows - service: sysmon -detection: - value_set: - EventID: 13 - TargetObject: - - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' ---- -logsource: - product: windows - service: sysmon -detection: - key_rename: - EventID: 14 - NewName: - - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' From 0cb1d4fdbd5e0751df6622b554f68c34f45b18a2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:44:03 +0300 Subject: [PATCH 08/12] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index b943d0c56..8ae921c7c 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -24,7 +24,7 @@ detection: - EventID: 14 # key rename NewName|contains: '\SYSTEM\' NewName|endswith: '\Control\Session Manager\AppCertDlls' - condition: 1 of them + condition: selection fields: - EventID - Image 
From ded75d033afc097c1dcbc62ad64aad1a624ff92e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:47:24 +0300 Subject: [PATCH 09/12] Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml --- ...dll_added_to_appinit_dlls_registry_key.yml | 42 +++++++------------ 1 file changed, 14 insertions(+), 28 deletions(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 77304269a..c660735b6 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -8,8 +8,21 @@ tags: - attack.t1103 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon detection: - condition: 1 of them + selection: + - EventID: + - 12 # key create + - 13 # value set + TargetObject|contains: '\SOFTWARE\' + TargetObject|endswith: '\Windows\AppInit_Dlls' + - EventID: 14 # key rename + NewName|contains: '\SOFTWARE\' + NewName|endswith: '\Windows\AppInit_Dlls' + condition: selection fields: - EventID - Image @@ -18,30 +31,3 @@ fields: falsepositives: - Unkown level: medium ---- -logsource: - product: windows - service: sysmon -detection: - key_create: - EventID: 12 - TargetObject: - - '*\SOFTWARE\*\Windows\AppInit_Dlls' ---- -logsource: - product: windows - service: sysmon -detection: - value_set: - EventID: 13 - TargetObject: - - '*\SOFTWARE\*\Windows\AppInit_Dlls' ---- -logsource: - product: windows - service: sysmon -detection: - key_rename: - EventID: 14 - NewName: - - '*\SOFTWARE\*\Windows\AppInit_Dlls' From 07ad11f3ae5af174ddc0a6d4b12afe5308eb3c9d Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Thu, 14 Nov 2019 00:08:50 +0300 Subject: [PATCH 10/12] Update sysmon_possible_dns_rebinding.yml --- .../sysmon/sysmon_possible_dns_rebinding.yml | 41 ++++++++++--------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml index 015acde37..a53182be2 100644 --- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml +++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml @@ -2,6 +2,7 @@ title: Possible DNS Rebinding status: experimental description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). date: 2019/10/25 +modified: 2019/11/13 author: Ilyas Ochkov, oscd.community references: - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 
@@ -17,26 +18,26 @@ detection:
 QueryName: '*'
 QueryStatus: '0'
 filter_int_ip:
- QueryResults:
- - '(::ffff:)?10.*'
- - '(::ffff:)?192.168.*'
- - '(::ffff:)?172.16.*'
- - '(::ffff:)?172.17.*'
- - '(::ffff:)?172.18.*'
- - '(::ffff:)?172.19.*'
- - '(::ffff:)?172.20.*'
- - '(::ffff:)?172.21.*'
- - '(::ffff:)?172.22.*'
- - '(::ffff:)?172.23.*'
- - '(::ffff:)?172.24.*'
- - '(::ffff:)?172.25.*'
- - '(::ffff:)?172.26.*'
- - '(::ffff:)?172.27.*'
- - '(::ffff:)?172.28.*'
- - '(::ffff:)?172.29.*'
- - '(::ffff:)?172.30.*'
- - '(::ffff:)?172.31.*'
- - '(::ffff:)?127.*'
+ QueryResults|startswith:
+ - '(::ffff:)?10.'
+ - '(::ffff:)?192.168.'
+ - '(::ffff:)?172.16.'
+ - '(::ffff:)?172.17.'
+ - '(::ffff:)?172.18.'
+ - '(::ffff:)?172.19.'
+ - '(::ffff:)?172.20.'
+ - '(::ffff:)?172.21.'
+ - '(::ffff:)?172.22.'
+ - '(::ffff:)?172.23.'
+ - '(::ffff:)?172.24.'
+ - '(::ffff:)?172.25.'
+ - '(::ffff:)?172.26.'
+ - '(::ffff:)?172.27.'
+ - '(::ffff:)?172.28.'
+ - '(::ffff:)?172.29.'
+ - '(::ffff:)?172.30.'
+ - '(::ffff:)?172.31.'
+ - '(::ffff:)?127.'
 timeframe: 30s
 condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
 level: medium
From 1fe7f55d4785a407ba7d2efe5e2c4fb886c2bbb5 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:10:05 +0300 Subject: [PATCH 11/12] Update sysmon_suspicious_outbound_kerberos_connection.yml --- ...sysmon_suspicious_outbound_kerberos_connection.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
index 2bc9e19f9..8daac1661 100644
--- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml 
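Review bot: `startswith` is a literal prefix match, so the `(::ffff:)?` fragment kept in every new `filter_int_ip` entry is compared character for character and no `QueryResults` value will ever begin with it, which means the filter cannot match anything; the old `*`-wildcard form had the same problem and this rewrite does not fix it. Sysmon's DNS event, as far as I know, also reports answers as a `;`-separated list that may lead with a CNAME, so even a correct literal prefix would miss an internal address that is not first. A regex keeps the intent and collapses the enumeration to one line: `QueryResults|re: '(^|;)(::ffff:)?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'`. Separately, the unchanged `condition` ANDs `filter_int_ip` with its own negation on a single event, so it seems the "one name answered with both internal and external addresses" correlation the description promises is not expressible this way and needs a backend-side query; worth confirming against the target backend before the rule leaves experimental.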
@@ -5,6 +5,7 @@ references:
 - https://github.com/GhostPack/Rubeus8
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/24
+modified: 2019/11/13
 tags:
 - attack.lateral_movement
 - attack.t1208
@@ -17,11 +18,11 @@ detection:
 DestinationPort: 88
 Initiated: 'true'
 filter:
- Image:
- - '*\lsass.exe'
- - '*\opera.exe'
- - '*\chrome.exe'
- - '*\firefox.exe'
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
 condition: selection and not filter
 falsepositives:
 - Other browsers
From b47748399d3b6d2851a71353a5fd88f4ed2cd6dd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:19:30 +0300 Subject: [PATCH 12/12] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 8ae921c7c..6ef46657c 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -10,7 +10,6 @@ tags:
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
 modified: 2019/11/13
-detection:
 logsource:
 product: windows
 service: sysmon
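Review bot: In the second hunk of the Kerberos rule, `Image|endswith: '\lsass.exe'` excludes any binary whose file name is lsass.exe wherever it lives, so a copy of Rubeus dropped as `lsass.exe` in a user-writable directory slips past the filter entirely; the legitimate process only runs from System32, so anchor the entry to its directory, `- '\Windows\System32\lsass.exe'` (or match `Image` on the full path exactly). The three browser entries have the same weakness, though the trade-off differs because they are the documented false-positive source; a separate `filter_browsers` selection keyed on their install directories would tighten that without touching the lsass exclusion. The `selection` this filter is subtracted from starts above the hunk, so I cannot see whether it already constrains `Image`.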
