From cb7a7766231dbd7a353ade3e2a27acdb062159ca Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 6 Mar 2022 12:10:51 +0100
Subject: [PATCH 1/7] Add lolbas rules
---
 ...reation_win_lolbas_offlinescannershell.yml | 23 +++++++++++++++++++
 .../proc_creation_win_lolbas_replace.yml | 23 +++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
new file mode 100644
index 000000000..ddbf2b18e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
@@ -0,0 +1,23 @@
+title: Suspicious OfflineScannerShell.exe Execution From Another Folder
+id: 02b18447-ea83-4b1b-8805-714a8a34546a
+status: experimental
+description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
+author: frack113
+date: 2022/03/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ lolbas:
+ Image|endswith: '\OfflineScannerShell.exe'
+ filter:
+ CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
+ condition: lolbas and not filter
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
new file mode 100644
index 000000000..b22fbc7e9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
@@ -0,0 +1,23 @@
+title: Suspicious Replace.exe Execution
+id: 9292293b-8496-4715-9db6-37028dcda4b3
+status: experimental
+description: Replace.exe is used to replace file with another file
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Replace/
+author: frack113
+date: 2022/03/06
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ lolbas:
+ CommandLine|contains|all:
+ - 'replace '
+ - '/A'
+ condition: lolbas
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
\ No newline at end of file
From d7b73be2c73ef79b03d24e569d778d9ac161348f Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 6 Mar 2022 13:22:30 +0100
Subject: [PATCH 2/7] Add Missing CurrentDirectory filter
---
 .../proc_creation_win_lolbas_offlinescannershell.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
index ddbf2b18e..9aec80749 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
@@ -12,12 +12,14 @@ logsource:
 detection:
 lolbas:
 Image|endswith: '\OfflineScannerShell.exe'
- filter:
+ filter_correct:
 CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
- condition: lolbas and not filter
+ filter_missing:
+ CurrentDirectory: null
+ condition: lolbas and not 1 of filter_*
 falsepositives:
 - unknown
 level: medium
 tags:
 - attack.defense_evasion
- - attack.t1218
\ No newline at end of file
+ - attack.t1218
From 18bb38857445095ef39f249afdeca3026da8d04b Mon Sep 17 00:00:00 2001
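Review bot: The only selector in the Replace.exe rule is `CommandLine|contains|all` on `'replace '` and `'/A'`, which never ties the event to the replace.exe binary; Sigma string matching is case-insensitive, so a PowerShell command line using the `-replace ` operator together with any `/a` substring (a URL path, an unrelated switch) satisfies both terms. Anchor the selection on the process itself, e.g. add `Image|endswith: '\replace.exe'` next to the command-line terms, and list the PowerShell `-replace` operator under `falsepositives` rather than leaving it at `unknown`.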
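Review bot: `filter_missing` with `CurrentDirectory: null` excludes every event whose log source does not carry a CurrentDirectory field, so on process-creation sources that do not populate it (Security event 4688, for instance) the rule goes silent rather than alerting on OfflineScannerShell.exe at all. That is a defensible trade-off against the false positives of the first version, but nothing in the rule says so. Record it where a deployer will see it, e.g. extend the description with `Only effective on log sources that populate the CurrentDirectory field (e.g. Sysmon Event ID 1)`.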
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 6 Mar 2022 13:38:47 +0100
Subject: [PATCH 3/7] refactor: regex
---
 ...eation_win_detecting_fake_instances_of_hxtsr.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
index d51356154..6abc90c2d 100644
--- a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
+++ b/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml
@@ -4,10 +4,7 @@ status: experimental
 description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
 author: Sreeman
 date: 2020/04/17
-modified: 2021/07/07
-tags:
- - attack.defense_evasion
- - attack.t1036
+modified: 2022/03/06
 logsource:
 product: windows
 category: process_creation
@@ -15,8 +12,12 @@ detection:
 selection:
 Image: hxtsr.exe
 filter:
- CurrentDirectory|re: '(?i)c:\\\\program files\\\\windowsapps\\\\microsoft\.windowscommunicationsapps_.*\\\\hxtsr\.exe'
+ CurrentDirectory|startswith: 'C:\program files\windowsapps\microsoft.windowscommunicationsapps_'
+ CurrentDirectory|endswith: '\hxtsr.exe'
 condition: selection and not filter
 falsepositives:
 - unknown
-level: medium
\ No newline at end of file
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036
\ No newline at end of file
From 793bf99c8550b6e9677881a06caa022e1705216d Mon Sep 17 00:00:00 2001
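Review bot: The rewritten `filter` still keys on `CurrentDirectory`, and `CurrentDirectory|endswith: '\hxtsr.exe'` can only match if a working-directory field ends in the executable name, which (for the Sysmon field at least) it does not; with the filter unable to match, `selection and not filter` fires on every selected event, exactly as the old regex on the same field did, so the refactor preserves the defect rather than fixing it. The description states a path check, so the filter should key on the image: `Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'` and `Image|endswith: '\hxtsr.exe'`. The pre-existing `selection` line `Image: hxtsr.exe` is an exact match against a full-path field and presumably never matches either; `Image|endswith: '\hxtsr.exe'` would let the rule select events at all.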
From: frack113
Date: Sun, 6 Mar 2022 20:15:32 +0100
Subject: [PATCH 4/7] refactor regex
---
 ...fuscation_via_rundll_services_security.yml | 8 ++-
 ...ion_via_use_rundll32_services_security.yml | 13 ++++-
 ...oke_obfuscation_via_use_mshta_services.yml | 12 +++--
 ..._modif_of_services_for_via_commandline.yml | 54 +++++++++++++++++--
 4 files changed, 75 insertions(+), 12 deletions(-)
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
index 48f56dab0..b4d6ee2fd 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/09/18
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
 tags:
@@ -21,7 +21,11 @@ logsource:
 detection:
 selection:
 EventID: 4697
- ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ ServiceFileName|contains|all:
+ - 'rundll32.exe'
+ - 'shell32.dll'
+ - 'shellexec_rundll'
+ - 'powershell'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
index 85ecda2c3..e63329502 100644
--- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml
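Review bot: `'rundll32.exe'` in the new `ServiceFileName|contains|all` list is stricter than the regex it replaces, where `rundll32(?:\.exe)?` made the extension optional; a service path written as `rundll32 shell32.dll,ShellExec_RunDLL ...` matched before and no longer does. Use `- 'rundll32'` instead, which is also what the sibling hunk in this patch (win_invoke_obfuscation_via_use_rundll32_services_security.yml) does. Dropping the regex's ordering and trailing-quote requirements is a deliberate loosening and looks fine.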
@@ -7,7 +7,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/09/18
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
 tags:
@@ -21,7 +21,16 @@ logsource:
 detection:
 selection:
 EventID: 4697
- ServiceFileName|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ ServiceFileName|contains|all:
+ - '&&'
+ - 'rundll32'
+ - 'shell32.dll'
+ - 'shellexec_rundll'
+ ServiceFileName|contains:
+ - value
+ - invoke
+ - comspec
+ - iex
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
index 03356573d..738629c54 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts
 status: experimental
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
-modified: 2021/11/30
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
 tags:
@@ -19,8 +19,14 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ ImagePath|contains|all:
+ - 'set'
+ - '&&'
+ - 'mshta'
+ - 'vbscript:createobject'
+ - '.run'
+ - '(window.close)'
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index f818a52a8..f72320893 100644
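Review bot: The four values under the new `ServiceFileName|contains:` list (`value`, `invoke`, `comspec`, `iex`) are unquoted plain scalars while the `|contains|all` list directly above quotes every entry; both parse to the same strings, but the hunk now mixes two styles in one detection block. Quote them (`- 'value'` and so on) to match the rest of this file and the mshta and rundll hunks in the same patch, which quote consistently.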
--- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
@@ -10,18 +10,62 @@ tags:
 - attack.t1574.011
 author: Sreeman
 date: 2020/09/29
-modified: 2021/08/10
+modified: 2022/03/06
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_cmdline_1:
- CommandLine|re: '(?i)sc config.*binpath=.*'
+ CommandLine|contain|all:
+ - 'sc '
+ - 'config '
+ - 'binpath='
 selection_cmdline_2:
- CommandLine|re: '(?i)sc failure.*command=.*'
+ CommandLine|contain|all:
+ - 'sc '
+ - 'failure'
+ - 'command='
 selection_cmdline_3:
- CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin$|\.bat|\.cmd|\.js|\.msh$|\.reg$|\.scr|\.ps|\.vb|\.jar|\.pl).*'
- condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+ CommandLine|contain|all:
+ - 'reg '
+ - 'add '
+ - 'FailureCommand'
+ CommandLine|contain:
+ - '.sh'
+ - '.exe'
+ - '.dll'
+ - '.bin$'
+ - '.bat'
+ - '.cmd'
+ - '.js'
+ - '.msh$'
+ - '.reg$'
+ - '.scr'
+ - '.ps'
+ - '.vb'
+ - '.jar'
+ - '.pl'
+ selection_cmdline_4:
+ CommandLine|contain|all:
+ - 'reg '
+ - 'add '
+ - 'ImagePath'
+ CommandLine|contain:
+ - '.sh'
+ - '.exe'
+ - '.dll'
+ - '.bin$'
+ - '.bat'
+ - '.cmd'
+ - '.js'
+ - '.msh$'
+ - '.reg$'
+ - '.scr'
+ - '.ps'
+ - '.vb'
+ - '.jar'
+ - '.pl'
+ condition: 1 of selection_cmdline_*
 falsepositives:
 - unknown
 level: medium
From 67189b6e518d0dc937d45cd92a26382686c1ff65 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 6 Mar 2022 20:40:21 +0100
Subject: [PATCH 5/7] refactor regex
---
 ...voke_obfuscation_via_compress_services.yml | 22 ++++++++++++-------
 ..._modif_of_services_for_via_commandline.yml | 10 ++++-----
 2 files changed, 19 insertions(+), 13 deletions(-)
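Review bot: Three entries of the new `CommandLine|contain:` lists, `'.bin$'`, `'.msh$'` and `'.reg$'`, carry the `$` end-of-string anchor of the old regex into a plain substring match, so a literal dollar sign is now required and those three extensions can never match; the same list is duplicated under `selection_cmdline_4`, and the later hunks on this file in patches 5, 6 and 7 (indentation and the `contain` spelling, which patch 7 does fix) leave the anchors in place. Drop them, `- '.bin'`, `- '.msh'`, `- '.reg'`, or move the three to a `CommandLine|endswith` list if the end-of-line intent matters. Minor: `'failure'` in `selection_cmdline_2` lacks the trailing space that `'sc '` and `'config '` use, which is harmless but inconsistent.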
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
index 7b8e90921..18d546dea 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -4,14 +4,9 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2021/11/30
+modified: 2022/03/06
 references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
-tags:
- - attack.defense_evasion
- - attack.t1027
- - attack.execution
- - attack.t1059.001
 falsepositives:
 - unknown
 level: medium
@@ -22,5 +17,16 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
- condition: selection
\ No newline at end of file
+ ImagePath|contain|all:
+ - 'new-object'
+ - 'text.encoding]::ascii'
+ - 'readtoend'
+ ImagePath|contain:
+ - ':system.io.compression.deflatestream'
+ - 'system.io.streamreader'
+ condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index f72320893..c6e406fb9 100644
--- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection_cmdline_1:
- CommandLine|contain|all:
+ CommandLine|contain|all:
 - 'sc '
 - 'config '
 - 'binpath='
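Review bot: The first entry of the new `ImagePath|contain:` list, `':system.io.compression.deflatestream'`, keeps the `:` of the regex's `(?:` non-capturing group as a literal leading character, so it only matches when a colon immediately precedes the class name, which the original alternation never required; in practice that alternative is dead and the rule reduces to its `system.io.streamreader` branch. Change it to `- 'system.io.compression.deflatestream'`. Patch 7's hunk on this file renames `contain` to `contains` but carries the stray colon through unchanged.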
@@ -30,7 +30,7 @@ detection:
 - 'reg '
 - 'add '
 - 'FailureCommand'
- CommandLine|contain:
+ CommandLine|contain:
 - '.sh'
 - '.exe'
 - '.dll'
@@ -46,11 +46,11 @@ detection:
 - '.jar'
 - '.pl'
 selection_cmdline_4:
- CommandLine|contain|all:
+ CommandLine|contain|all:
 - 'reg '
 - 'add '
 - 'ImagePath'
- CommandLine|contain:
+ CommandLine|contain:
 - '.sh'
 - '.exe'
 - '.dll'
@@ -64,7 +64,7 @@ detection:
 - '.ps'
 - '.vb'
 - '.jar'
- - '.pl'
+ - '.pl'
 condition: 1 of selection_cmdline_*
 falsepositives:
 - unknown
From 4db5798dd0fb00205915b63cd3df518c87d5d4ec Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 6 Mar 2022 20:43:34 +0100
Subject: [PATCH 6/7] fix error
---
 .../proc_creation_win_modif_of_services_for_via_commandline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index c6e406fb9..ae49cd8c9 100644
--- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
@@ -65,7 +65,7 @@ detection:
 - '.vb'
 - '.jar'
 - '.pl'
- condition: 1 of selection_cmdline_*
+ condition: 1 of selection_cmdline_*
 falsepositives:
 - unknown
 level: medium
From 5d4035ea0566f644827149331ed3081cc80e2847 Mon Sep 17 00:00:00 2001
From: frack113
Date: Sun, 6 Mar 2022 20:50:19 +0100
Subject: [PATCH 7/7] Fix contains
---
 .../win_invoke_obfuscation_via_compress_services.yml | 4 ++--
 ...ion_win_modif_of_services_for_via_commandline.yml | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
index 18d546dea..7823e7d4c 100644
--- a/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
+++ b/rules/windows/builtin/system/win_invoke_obfuscation_via_compress_services.yml
@@ -17,11 +17,11 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ImagePath|contain|all:
+ ImagePath|contains|all:
 - 'new-object'
 - 'text.encoding]::ascii'
 - 'readtoend'
- ImagePath|contain:
+ ImagePath|contains:
 - ':system.io.compression.deflatestream'
 - 'system.io.streamreader'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
index ae49cd8c9..0adec45fa 100644
--- a/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml
@@ -16,21 +16,21 @@ logsource:
 product: windows
 detection:
 selection_cmdline_1:
- CommandLine|contain|all:
+ CommandLine|contains|all:
 - 'sc '
 - 'config '
 - 'binpath='
 selection_cmdline_2:
- CommandLine|contain|all:
+ CommandLine|contains|all:
 - 'sc '
 - 'failure'
 - 'command='
 selection_cmdline_3:
- CommandLine|contain|all:
+ CommandLine|contains|all:
 - 'reg '
 - 'add '
 - 'FailureCommand'
- CommandLine|contain:
+ CommandLine|contains:
 - '.sh'
 - '.exe'
 - '.dll'
@@ -46,11 +46,11 @@ detection:
 - '.jar'
 - '.pl'
 selection_cmdline_4:
- CommandLine|contain|all:
+ CommandLine|contains|all:
 - 'reg '
 - 'add '
 - 'ImagePath'
- CommandLine|contain:
+ CommandLine|contains:
 - '.sh'
 - '.exe'
 - '.dll'