diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
index 48f56dab0..b4d6ee2fd 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/09/18
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -21,7 +21,11 @@ logsource:
 detection:
 selection:
 EventID: 4697
- ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ ServiceFileName|contains|all:
+ - 'rundll32.exe'
+ - 'shell32.dll'
+ - 'shellexec_rundll'
+ - 'powershell'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
index 85ecda2c3..e63329502 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
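Review bot: `'rundll32.exe'` in the new `ServiceFileName|contains|all` list is narrower than the regex it replaces, whose `rundll32(?:\.exe)?` also matched a service file name that calls `rundll32` without the `.exe` suffix, so those launches stop being detected. The sibling rule converted in this same commit (win_invoke_obfuscation_via_use_rundll32_services_security.yml) keeps the bare token, so the two rules now disagree; use `- 'rundll32'` here as well. Dropping the optional `(?:\s+)?` and the trailing `\"` anchor is fine for a contains match.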
@@ -21,7 +21,16 @@ logsource:
 detection:
 selection:
 EventID: 4697
- ServiceFileName|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ ServiceFileName|contains|all:
+ - '&&'
+ - 'rundll32'
+ - 'shell32.dll'
+ - 'shellexec_rundll'
+ ServiceFileName|contains:
+ - value
+ - invoke
+ - comspec
+ - iex
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
index 7b8e90921..7823e7d4c 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/11/30
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
 falsepositives:
 - unknown
 level: medium
@@ -22,5 +17,16 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
- condition: selection
\ No newline at end of file
+ ImagePath|contains|all:
+ - 'new-object'
+ - 'text.encoding]::ascii'
+ - 'readtoend'
+ ImagePath|contains:
+ - ':system.io.compression.deflatestream'
+ - 'system.io.streamreader'
+ condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
index 03356573d..738629c54 100644
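Review bot: The four alternation tokens in the new `ServiceFileName|contains` list are written as plain scalars (`- value`, `- invoke`, `- comspec`, `- iex`) while every other token in the same selection is single-quoted; none of them looks like a boolean or number, so the parse is correct, but the mixed style invites a later edit to add an unquoted value that does get retyped. Quote them for consistency: `- 'value'`, `- 'invoke'`, `- 'comspec'`, `- 'iex'`. Note also that the regex required a closing `"` after the keyword; the contains form drops that anchor, which is acceptable but slightly widens the match.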
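Review bot: `- ':system.io.compression.deflatestream'` in the new `ImagePath|contains` list carries a stray leading colon that is a leftover of the regex's non-capturing group `(?:system\.io\.compression\.deflatestream|system\.io\.streamreader)`, not part of the class name. As written the term only matches when a colon immediately precedes the name, which the `new-object` invocation the rule describes does not have, so the DeflateStream branch of the old regex is silently lost. Change it to `- 'system.io.compression.deflatestream'` to mirror the second alternative, which was converted correctly.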
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/11/30
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -19,8 +19,14 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ ImagePath|contains|all:
+ - 'set'
+ - '&&'
+ - 'mshta'
+ - 'vbscript:createobject'
+ - '.run'
+ - '(window.close)'
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
index d51356154..6abc90c2d 100644
--- a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
+++ b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
@@ -4,10 +4,7 @@ status: experimental
 description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
 author: Sreeman
 date: 2020/04/17
-modified: 2021/07/07
-tags:
- - attack.defense_evasion
- - attack.t1036
+modified: 2022/03/06
 logsource:
 product: windows
 category: process_creation
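Review bot: `- 'set'` in the new `ImagePath|contains|all` list adds no selectivity: it is a substring of common words and paths (settings, offset, setup), so once the other five tokens are present it is always satisfied, yet it reads as if it narrows the rule. The regex's `(set)` was just as loose, so this is inherited rather than introduced, but the conversion is the moment to either drop the entry or tighten it to `- 'set '` if the intent is the `set VAR=` form that precedes `&&`. The remaining conversions are faithful, including `'(window.close)'` keeping the parentheses the regex escaped.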
@@ -15,8 +12,12 @@ detection:
 selection:
 Image: hxtsr.exe
 filter:
- CurrentDirectory|re: '(?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe'
+ CurrentDirectory|startswith: 'C:\program files\windowsapps\microsoft.windowscommunicationsapps_'
+ CurrentDirectory|endswith: '\hxtsr.exe'
 condition: selection and not filter
 falsepositives:
 - unknown
-level: medium
\ No newline at end of file
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
new file mode 100644
index 000000000..9aec80749
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
@@ -0,0 +1,25 @@
+title: Suspicious OfflineScannerShell.exe Execution From Another Folder
+id: 02b18447-ea83-4b1b-8805-714a8a34546a
+status: experimental
+description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
+author: frack113
+date: 2022/03/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ lolbas:
+ Image|endswith: '\OfflineScannerShell.exe'
+ filter_correct:
+ CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
+ filter_missing:
+ CurrentDirectory: null
+ condition: lolbas and not 1 of filter_*
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
new file mode 100644
index 000000000..b22fbc7e9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
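Review bot: `CurrentDirectory|endswith: '\hxtsr.exe'` expects a file name at the end of a working-directory field; if the log source records the directory itself (Sysmon, for example, logs it with a trailing backslash and no executable name), this filter never matches and every legitimate launch from the WindowsApps folder is reported as a fake instance. The regex it replaces made the same assumption (`\\\\hxtsr\.exe`), so the defect is inherited, but the rewrite is the place to fix it: the `startswith` line alone already pins the folder, so the `endswith` line can be dropped, or moved to `Image|startswith` if the intent was to check the executable's own path. Note the selection's `Image: hxtsr.exe` (context, not changed here) is an exact match that a full-path Image value will not satisfy; worth a follow-up.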
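Review bot: `filter_correct` uses an exact match on `'C:\Program Files\Windows Defender\Offline\'`, so a source that records the working directory without the trailing backslash, or an installation on another drive, fails the filter and the rule fires on legitimate runs of the scanner. Accepting both spellings costs one line: `CurrentDirectory:` followed by `- 'C:\Program Files\Windows Defender\Offline\'` and `- 'C:\Program Files\Windows Defender\Offline'` as a list. The `filter_missing` entry for a null `CurrentDirectory` is a good touch for sources that do not carry the field; consider adding `OriginalFileName: 'OfflineScannerShell.exe'` to `lolbas` alongside `Image|endswith` so the rule also covers a renamed copy.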
@@ -0,0 +1,23 @@
+title: Suspicious Replace.exe Execution
+id: 9292293b-8496-4715-9db6-37028dcda4b3
+status: experimental
+description: Replace.exe is used to replace file with another file
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Replace/
+author: frack113
+date: 2022/03/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ lolbas:
+ CommandLine|contains|all:
+ - 'replace '
+ - '/A'
+ condition: lolbas
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index f818a52a8..0adec45fa 100644
--- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
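Review bot: The `lolbas` selection keys only on `CommandLine|contains|all` with `'replace '` and `'/A'`, and both tokens are generic: `'replace '` also matches PowerShell's `-replace ` operator and any script text containing the word, and `'/A'` (case-insensitive in Sigma) matches any URL or path segment beginning with `a`, so an ordinary PowerShell one-liner can satisfy both. Anchor the rule on the binary and keep the switch as the qualifier: `Image|endswith: '\replace.exe'` in the selection, with `CommandLine|contains: '/A'`; `OriginalFileName: 'REPLACE.EXE'`-style coverage can be added the same way if the field is available. The description sentence `Replace.exe is used to replace file with another file` reads better as "replaces a file with another file".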
@@ -10,18 +10,62 @@ tags:
 - attack.t1574.011
 author: Sreeman
 date: 2020/09/29
-modified: 2021/08/10
+modified: 2022/03/06
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_cmdline_1:
- CommandLine|re: '(?i)sc config.*binpath=.*'
+ CommandLine|contains|all:
+ - 'sc '
+ - 'config '
+ - 'binpath='
 selection_cmdline_2:
- CommandLine|re: '(?i)sc failure.*command=.*'
+ CommandLine|contains|all:
+ - 'sc '
+ - 'failure'
+ - 'command='
 selection_cmdline_3:
- CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin$|\.bat|\.cmd|\.js|\.msh$|\.reg$|\.scr|\.ps|\.vb|\.jar|\.pl).*'
- condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+ CommandLine|contains|all:
+ - 'reg '
+ - 'add '
+ - 'FailureCommand'
+ CommandLine|contains:
+ - '.sh'
+ - '.exe'
+ - '.dll'
+ - '.bin$'
+ - '.bat'
+ - '.cmd'
+ - '.js'
+ - '.msh$'
+ - '.reg$'
+ - '.scr'
+ - '.ps'
+ - '.vb'
+ - '.jar'
+ - '.pl'
+ selection_cmdline_4:
+ CommandLine|contains|all:
+ - 'reg '
+ - 'add '
+ - 'ImagePath'
+ CommandLine|contains:
+ - '.sh'
+ - '.exe'
+ - '.dll'
+ - '.bin$'
+ - '.bat'
+ - '.cmd'
+ - '.js'
+ - '.msh$'
+ - '.reg$'
+ - '.scr'
+ - '.ps'
+ - '.vb'
+ - '.jar'
+ - '.pl'
+ condition: 1 of selection_cmdline_*
 falsepositives:
 - unknown
 level: medium
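Review bot: `'.bin$'`, `'.msh$'` and `'.reg$'` in both new `CommandLine|contains` lists keep the regex end-anchor `$` as a literal character, so these three extensions can no longer match any real command line; the same entries appear in selection_cmdline_3 and selection_cmdline_4. Either drop the anchor (`- '.bin'`, `- '.msh'`, `- '.reg'`) or, to keep the end-of-line meaning the regex had, move them into a separate `CommandLine|endswith:` list in each selection. Two smaller points: the fourteen-entry list is duplicated verbatim between the two selections, which will drift on the next edit, and selection_cmdline_2 uses `'failure'` without the trailing space that `'config '` carries in selection_cmdline_1.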