diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml
index 8a311ec4b..21c65eff0 100644
--- a/rules/linux/auditd/lnx_auditd_coinminer.yml
+++ b/rules/linux/auditd/lnx_auditd_coinminer.yml
@@ -27,7 +27,7 @@ detection: a6|startswith: '--cpu-priority' cmd7: a7|startswith: '--cpu-priority' - condition: 1 of them + condition: 1 of cmd* falsepositives: - Other tools that use a --cpu-priority flag level: critical
\ No newline at end of file
diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index 2a85474b2..b8c330a13 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -27,7 +27,7 @@ detection: type: 'EXECVE' a0: 'cp' a1: '/bin/sh' - condition: 1 of them + condition: 1 of cmd* falsepositives: - Admin activity level: medium
diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
index 7fd4fd508..adb8e6e0f 100644
--- a/rules/linux/auditd/lnx_data_compressed.yml
+++ b/rules/linux/auditd/lnx_data_compressed.yml
@@ -22,7 +22,7 @@ detection: type: 'execve' a0: 'tar' a1|contains: '-c' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate use of archiving tools by legitimate user. level: low
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
index 89376d456..e8fe87ee7 100644
--- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml
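Review bot: `condition: 1 of them` matched every selection in the rule, while `1 of cmd*` only matches identifiers with that prefix, and this hunk shows only `cmd7` and the tail of the previous selection, so any selection named differently would be silently dropped from the condition without any compiler error. Please confirm that every detection identifier in lnx_auditd_coinminer.yml carries the `cmd` prefix, or add the renames to this hunk the way the macos_file_and_directory_discovery and lnx_security_tools_disabling hunks in this diff do. The same check applies to every other `1 of them` → `1 of <prefix>*` hunk whose selection names are outside the hunk (lnx_auditd_susp_cmds, lnx_data_compressed, the macos/lnx local_account, local_groups and remote_system_discovery rules, net_mal_dns_cobaltstrike, the two bzar rules, and the proxy, web and windows process_creation rules). If any of these rules also define `filter*` selections, the new wildcard excludes them where `1 of them` did not, which is a behaviour change worth stating in the commit message.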
@@ -27,10 +27,10 @@ detection: - '/bin/sh -i <&3 >&3 2>&3' - 'uname -a; w; id; /bin/bash -i' - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' - - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');" + - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' - - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:" + - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' - 'rm -f /tmp/p; mknod /tmp/p p &&' - ' | /bin/bash | telnet ' - ',echo=0,raw tcp-listen:'
diff --git a/rules/linux/macos/process_creation/macos_creds_from_keychain.yml b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
index 3cd1a7ab3..41b22a6b2 100644
--- a/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
+++ b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml
@@ -21,7 +21,7 @@ detection: CommandLine|contains: - ' dump-keychain ' - ' login-keychain ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: medium
diff --git a/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
index 3e25319e3..c4159b43a 100644
--- a/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml
@@ -11,19 +11,19 @@ logsource: category: process_creation product: macos detection: - file_with_asterisk: + select_file_with_asterisk: Image: '/usr/bin/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline - recursive_ls: + select_recursive_ls: Image: '/bin/ls' CommandLine|contains: '-R' - find_execution: + select_find_execution: Image: '/usr/bin/find' - mdfind_execution: + select_mdfind_execution: Image: '/usr/bin/mdfind' - tree_execution|endswith: + select_tree_execution|endswith: Image: '/tree' - condition: 1 of them + condition: 1 of select* falsepositives: - Legitimate activities level: informational
diff --git a/rules/linux/macos/process_creation/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml
index 7f3722d7d..5274f9fbc 100644
--- a/rules/linux/macos/process_creation/macos_local_account.yml
+++ b/rules/linux/macos/process_creation/macos_local_account.yml
@@ -25,7 +25,7 @@ detection: - 'user' selection_3: CommandLine|contains: - - "'x:0:'" + - '''x:0:''' selection_4: Image|endswith: - '/cat'
@@ -40,7 +40,7 @@ detection: - '/lsof' CommandLine|contains: - '-u' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low
diff --git a/rules/linux/macos/process_creation/macos_local_groups.yml b/rules/linux/macos/process_creation/macos_local_groups.yml
index 377287618..ff1fa3e08 100644
--- a/rules/linux/macos/process_creation/macos_local_groups.yml
+++ b/rules/linux/macos/process_creation/macos_local_groups.yml
@@ -28,7 +28,7 @@ detection: CommandLine|contains|all: - '-list' - '/groups' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: informational
diff --git a/rules/linux/macos/process_creation/macos_remote_system_discovery.yml b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
index b32ff1d98..2ebcdf856 100644
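Review bot: `select_tree_execution|endswith:` keeps the `|endswith` modifier on the selection identifier instead of on the field, so `Image: '/tree'` is an exact comparison against the full image path and is unlikely ever to fire; the rename also makes the `select*` wildcard match the literal identifier `select_tree_execution|endswith`, which hides the mistake rather than surfacing it. The sibling Linux rule in this same diff (lnx_file_and_directory_discovery.yml) has it right with `Image|endswith: '/tree'`. Change the two lines to `select_tree_execution:` and `Image|endswith: '/tree'`. The other four selections in this hunk put the modifier on the field, so only this one is affected.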
--- a/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
+++ b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml
@@ -40,7 +40,7 @@ detection: - ' 172.31.' - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: informational
diff --git a/rules/linux/other/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml
index 80b9d2c51..9109c095c 100644
--- a/rules/linux/other/lnx_susp_vsftp.yml
+++ b/rules/linux/other/lnx_susp_vsftp.yml
@@ -22,7 +22,7 @@ detection: - 'bug: pid active in ptrace_sandbox_free' - 'PTRACE_SETOPTIONS failure' - 'weird status:' - - "couldn't handle sandbox event" + - 'couldn''t handle sandbox event' - 'syscall * out of bounds' - 'syscall not permitted:' - 'syscall validate failed:'
diff --git a/rules/linux/process_creation/lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml
index c26db2e42..ca2781257 100644
--- a/rules/linux/process_creation/lnx_file_and_directory_discovery.yml
+++ b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml
@@ -11,17 +11,17 @@ logsource: category: process_creation product: linux detection: - file_with_asterisk: + select_file_with_asterisk: Image|endswith: '/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline - recursive_ls: + select_recursive_ls: Image|endswith: '/ls' CommandLine|contains: '-R' - find_execution: + select_find_execution: Image|endswith: '/find' - tree_execution: + select_tree_execution: Image|endswith: '/tree' - condition: 1 of them + condition: 1 of select* falsepositives: - Legitimate activities level: informational
diff --git a/rules/linux/process_creation/lnx_local_account.yml b/rules/linux/process_creation/lnx_local_account.yml
index a59756079..a8e4cdaf2 100644
--- a/rules/linux/process_creation/lnx_local_account.yml
+++ b/rules/linux/process_creation/lnx_local_account.yml
@@ -16,7 +16,7 @@ detection: - '/lastlog' selection_2: CommandLine|contains: - - "'x:0:'" + - '''x:0:''' selection_3: Image|endswith: - '/cat'
@@ -31,7 +31,7 @@ detection: - '/lsof' CommandLine|contains: - '-u' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low
diff --git a/rules/linux/process_creation/lnx_local_groups.yml b/rules/linux/process_creation/lnx_local_groups.yml
index b8a13846f..1dad31c4d 100644
--- a/rules/linux/process_creation/lnx_local_groups.yml
+++ b/rules/linux/process_creation/lnx_local_groups.yml
@@ -19,7 +19,7 @@ detection: - '/cat' CommandLine|contains: - '/etc/group' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low
diff --git a/rules/linux/process_creation/lnx_remote_system_discovery.yml b/rules/linux/process_creation/lnx_remote_system_discovery.yml
index 632cde7af..c54f9d6f2 100644
--- a/rules/linux/process_creation/lnx_remote_system_discovery.yml
+++ b/rules/linux/process_creation/lnx_remote_system_discovery.yml
@@ -37,7 +37,7 @@ detection: - ' 172.31.' - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low
diff --git a/rules/linux/process_creation/lnx_security_tools_disabling.yml b/rules/linux/process_creation/lnx_security_tools_disabling.yml
index b8e5b816b..56bc28af5 100644
--- a/rules/linux/process_creation/lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/lnx_security_tools_disabling.yml
@@ -15,70 +15,70 @@ logsource: category: process_creation product: linux detection: - iptables_1: + selection_iptables_1: Image|endswith: '/service' CommandLine|contains|all: - 'iptables' - 'stop' - iptables_2: + selection_iptables_2: Image|endswith: '/service' CommandLine|contains|all: - 'ip6tables' - 'stop' - iptables_3: + selection_iptables_3: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'iptables' - 'stop' - iptables_4: + selection_iptables_4: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'ip6tables' - 'stop' - firewall_1: + selection_firewall_1: Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'stop' - firewall_2: + selection_firewall_2: Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'disable' - carbonblack_1: + selection_carbonblack_1: Image|endswith: '/service' CommandLine|contains|all: - 'cbdaemon' - 'stop' - carbonblack_2: + selection_carbonblack_2: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'cbdaemon' - 'off' - carbonblack_3: + selection_carbonblack_3: Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'stop' - carbonblack_4: + selection_carbonblack_4: Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'disable' - selinux: + selection_selinux: Image|endswith: '/setenforce' CommandLine|contains: '0' - crowdstrike_1: + selection_crowdstrike_1: Image|endswith: '/systemctl' CommandLine|contains|all: - 'stop' - 'falcon-sensor' - crowdstrike_2: + selection_crowdstrike_2: Image|endswith: '/systemctl' CommandLine|contains|all: - 'disable' - 'falcon-sensor' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: medium
\ No newline at end of file
diff --git a/rules/network/net_apt_equationgroup_c2.yml b/rules/network/net_apt_equationgroup_c2.yml
index 162c60a74..859e91da0 100755
--- a/rules/network/net_apt_equationgroup_c2.yml
+++ b/rules/network/net_apt_equationgroup_c2.yml
@@ -11,15 +11,15 @@ modified: 2021/11/27 logsource: category: firewall detection: - outgoing: + select_outgoing: dst_ip: - '69.42.98.86' - '89.185.234.145' - incoming: + select_incoming: src_ip: - '69.42.98.86' - '89.185.234.145' - condition: 1 of them + condition: 1 of select* falsepositives: - Unknown level: high
diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml
index 05716fee9..d07c4f8ab 100644
--- a/rules/network/net_mal_dns_cobaltstrike.yml
+++ b/rules/network/net_mal_dns_cobaltstrike.yml
@@ -17,7 +17,7 @@ detection: - 'post.1' selection2: query|contains: '.stage.123456.' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical
diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
index e8b7378fd..316835f92 100644
--- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
+++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml
@@ -2,8 +2,8 @@ title: Domain User Enumeration Network Recon 01 description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29 id: 66a0bdc6-ee04-441a-9125-99d2eb547942 references: - - "https://github.com/OTRF/detection-hackathon-apt29" - - "https://github.com/OTRF/detection-hackathon-apt29/issues/37" + - https://github.com/OTRF/detection-hackathon-apt29 + - https://github.com/OTRF/detection-hackathon-apt29/issues/37 author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)' date: 2020/05/03 modified: 2021/11/14
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index 0f3048cee..b586d3831 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -41,7 +41,7 @@ detection: op10: endpoint: 'svcctl' operation: 'StartServiceW' - condition: 1 of them + condition: 1 of op* falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software'
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index 4e2eef82d..4621e4f36 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -29,7 +29,7 @@ detection: op6: endpoint: 'ISecLogon' operation: 'SeclCreateProcessWithLogonExW' - condition: 1 of them + condition: 1 of op* falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software'
diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
index da006cf6b..c8c0ccfad 100644
--- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
+++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml
@@ -25,12 +25,12 @@ logsource: detection: printer_operation: operation: - - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e - - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c - - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e - - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59 - - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09 - - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 + - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e + - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c + - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e + - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59 + - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09 + - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 condition: printer_operation falsepositives: - Legitimate remote alteration of a printer driver.
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml
index 75b258d15..a3b19690c 100644
--- a/rules/proxy/proxy_cobalt_malformed_uas.yml
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml
@@ -12,12 +12,12 @@ logsource: detection: selection1: c-useragent: - - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" - - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)' + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )' + - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08' selection2: c-useragent|endswith: '; MANM; MANM)' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical
diff --git a/rules/proxy/proxy_ursnif_malware_c2_url.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml
index c1e0b5ca1..d9f0aa5df 100644
--- a/rules/proxy/proxy_ursnif_malware_c2_url.yml
+++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml
@@ -12,12 +12,12 @@ logsource: detection: b64encoding: c-uri|contains: - - "_2f" - - "_2b" + - '_2f' + - '_2b' urlpatterns: c-uri|contains|all: - - ".avi" - - "/images/" + - '.avi' + - '/images/' condition: b64encoding and urlpatterns fields: - c-ip
diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
index 4d65fbdfe..4e74868c8 100644
--- a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
+++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml
@@ -19,7 +19,7 @@ detection: - '/pcidss/report' - 'type=all_signatures' - 'sig_name=_default_signature_' - condition: 1 of them + condition: 1 of selection* fields: - client_ip - vhost
diff --git a/rules/web/web_exchange_cve_2020_0688_exploit.yml b/rules/web/web_exchange_cve_2020_0688_exploit.yml
index 7e25ca23a..1c086ad22 100644
--- a/rules/web/web_exchange_cve_2020_0688_exploit.yml
+++ b/rules/web/web_exchange_cve_2020_0688_exploit.yml
@@ -12,9 +12,9 @@ logsource: detection: selection: c-uri|contains|all: - - "/ecp/default.aspx" - - "__VIEWSTATEGENERATOR=" - - "__VIEWSTATE=" + - '/ecp/default.aspx' + - '__VIEWSTATEGENERATOR=' + - '__VIEWSTATE=' condition: selection falsepositives: - Unknown
diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
index cb06e1d0f..d9bdd9bd7 100644
--- a/rules/web/web_exchange_exploitation_hafnium.yml
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
@@ -56,7 +56,7 @@ detection: c-uri|contains|all: - '/ecp/' - '.js' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related level: high
\ No newline at end of file
diff --git a/rules/web/web_unc2546_dewmode_php_webshell.yml b/rules/web/web_unc2546_dewmode_php_webshell.yml
index 5bb939af3..2bf1fa7d1 100644
--- a/rules/web/web_unc2546_dewmode_php_webshell.yml
+++ b/rules/web/web_unc2546_dewmode_php_webshell.yml
@@ -22,7 +22,7 @@ detection: - '&dwn=' - '?fn=' - '.html?' - condition: 1 of them + condition: 1 of selection* fields: - client_ip - response
diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml
index 1b18f26cc..f6ddb6e44 100644
--- a/rules/windows/builtin/security/win_rdp_localhost_login.yml
+++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml
@@ -20,8 +20,8 @@ detection: EventID: 4624 LogonType: 10 IpAddress: - - "::1" - - "127.0.0.1" + - '::1' + - '127.0.0.1' condition: selection falsepositives: - Unknown
diff --git a/rules/windows/deprecated/sysmon_rclone_execution.yml b/rules/windows/deprecated/sysmon_rclone_execution.yml
index b895b3a05..324e0709b 100644
--- a/rules/windows/deprecated/sysmon_rclone_execution.yml
+++ b/rules/windows/deprecated/sysmon_rclone_execution.yml
@@ -43,4 +43,4 @@ detection: - '--auto-confirm' - '--transfers' - '--multi-thread-streams' - condition: 1 of them + condition: 1 of selection*
diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
index 42fc9bc23..7f3e6b0a4 100644
--- a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml
@@ -21,7 +21,7 @@ detection: - 'post.1' selection2: QueryName|contains: '.stage.123456.' - condition: 1 of them + condition: 1 of selection* fields: - Image - CommandLine
diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml
index 1204a2901..c2cee9c49 100644
--- a/rules/windows/file_event/file_event_susp_task_write.yml
+++ b/rules/windows/file_event/file_event_susp_task_write.yml
@@ -1,11 +1,12 @@ -title: Suspicious Scheduled Task Writ to System32 Tasks +title: Suspicious Scheduled Task Write to System32 Tasks id: 80e1f67a-4596-4351-98f5-a9c3efabac95 status: experimental -description: +description: Detects the creation of tasks from processes executed from suspicious locations references: - - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ + - Internal Research author: Florian Roth date: 2021/11/16 +modified: 2022/01/12 tags: - attack.persistence - attack.execution
diff --git a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml
new file mode 100644
index 000000000..b28196367
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml
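Review bot: The new `description`, `Detects the creation of tasks from processes executed from suspicious locations`, names neither the target directory (judging by the title, System32 Tasks) nor which source locations count as suspicious, and the only `references` entry is now `Internal Research` after the ISC diary link was removed. Suggest a description that states the observable, e.g. `Detects a file written below the System32 Tasks directory by a process running from a user-writable or otherwise unusual location`, with the exact locations copied from the detection block, which lies outside this hunk. If the diary did not actually support the rule, a sentence in the commit message saying so would explain why a verifiable reference was replaced by an unverifiable one.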
@@ -0,0 +1,36 @@ +title: WScript or CScript Dropper +id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 +status: experimental +description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe +related: + - id: cea72823-df4d-4567-950c-0b579eaf0846 + type: derived +references: + - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) +author: Tim Shelton +date: 2022/01/10 +modified: 2022/01/11 +logsource: + category: file_event + product: windows +detection: + selection: + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + TargetFilename|startswith: + - 'C:\Users\' + - 'C:\ProgramData' + TargetFilename|endswith: + - '.jse' + - '.vbe' + - '.js' + - '.vba' + - '.vbs' + condition: selection +fields: + - Image + - TargetFilename +falsepositives: + - Unknown +level: high
diff --git a/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml
index 1bd01a7e9..9de9a86c8 100644
--- a/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml
@@ -38,7 +38,7 @@ detection: - 'C:\PerfLogs' - '\AppData\' - 'C:\Windows\Temp' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 9b2f87abb..971fdb340 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e description: Detects non wmiprvse loading WMI modules status: experimental date: 2019/08/10 -modified: 2021/11/25 +modified: 2022/01/12 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
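Review bot: `TargetFilename|startswith` mixes `'C:\Users\'` (with a trailing backslash) and `'C:\ProgramData'` (without), so the second prefix also matches any sibling directory whose name merely begins with ProgramData; make it `'C:\ProgramData\'` for consistency with the first entry. The `references` entry `WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)` duplicates the `related` block and is not a source a reader can follow, so either drop it or point at the write-up the rule was derived from. With `falsepositives` at `Unknown` and `level: high`, a comment naming any benign writers already observed under these paths (if any are known) would help whoever has to tune this.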
@@ -48,6 +48,8 @@ detection: - '\explorer.exe' - '\opera_autoupdate.exe' - '\MsMpEng.exe' + - '\thor64.exe' + - '\thor.exe' filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to Image|startswith: - 'C:\Program Files\'
diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml
index e050210da..9f8cb2a8f 100644
--- a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml
+++ b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml
@@ -14,14 +14,12 @@ logsource: detection: selection1: CommandLine|contains: - - "=[char][byte]('0x'+" + - '=[char][byte](''0x''+' - ' -work worker0 -path ' selection2: - ParentCommandLine|contains: - - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - Image|contains: - - '\AppData\Local\Temp\' - condition: 1 of them + ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + Image|contains: '\AppData\Local\Temp\' + condition: 1 of selection* falsepositives: - Unknown - UAC bypass method used by other malware
diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
index 67e1f7a93..d55792423 100644
--- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml
@@ -30,7 +30,7 @@ detection: PipeName|startswith: '\status_' selection_msagent: PipeName|startswith: '\msagent_' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical
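Review bot: The added `'\thor64.exe'` and `'\thor.exe'` entries extend an `Image|endswith` filter, so the exclusion keys on the file name alone and applies to a binary of that name loaded from any path; the location-based whitelist in the same rule (`filter_generic`, whose start is visible at the end of this hunk) anchors on directory prefixes precisely because names are cheap to reuse. Consider anchoring these two on the directory the scanner is run from (`Image|startswith: '<THOR deployment path>'` — placeholder, to be filled per environment), or at minimum add a comment naming the product, e.g. `# THOR APT scanner loads WMI modules during its checks`, so the next maintainer knows why a third-party tool is exempt. The existing `\explorer.exe` and `\MsMpEng.exe` entries have the same weakness, which this commit does not introduce.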
diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
index 747f5270c..1859ba45a 100644
--- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
+++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml
@@ -17,14 +17,14 @@ logsource: category: ps_module definition: Script block logging must be enabled detection: - convert_b64: + selection_convert_b64: ContextInfo|contains|all: - '-nop' - ' -w ' - 'hidden' - ' -c ' - '[Convert]::FromBase64String' - iex_selection: + selection_iex: ContextInfo|contains|all: - ' -w ' - 'hidden'
@@ -33,20 +33,20 @@ detection: - ' -c ' - 'iex' - 'New-Object' - enc_selection: + selection_enc: ContextInfo|contains|all: - ' -w ' - 'hidden' - '-ep' - 'bypass' - '-Enc' - reg_selection: + selection_reg: ContextInfo|contains|all: - 'powershell' - 'reg' - 'add' - 'HKCU\software\microsoft\windows\currentversion\run' - webclient_selection: + selection_webclient: ContextInfo|contains|all: - 'bypass' - '-noprofile'
@@ -55,13 +55,13 @@ detection: - 'new-object' - 'system.net.webclient' - '.download' - iex_webclient: + selection_iex_webclient: ContextInfo|contains|all: - 'iex' - 'New-Object' - 'Net.WebClient' - '.Download' - condition: 1 of them + condition: 1 of selection* falsepositives: - Penetration tests level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
new file mode 100644
index 000000000..6c098c110
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -0,0 +1,26 @@ +title: Create Volume Shadow Copy with Powershell +id: afd12fed-b0ec-45c9-a13d-aa86625dac81 +status: experimental +description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information +date: 2022/01/12 +author: frack113 +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - win32_shadowcopy + - ').Create(' + - ClientAccessible + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: high +tags: + - attack.credential_access + - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
new file mode 100644
index 000000000..de0c276a4
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
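Review bot: The `description` is the generic MITRE sentence about copying the AD database and does not say what the rule actually matches; it should describe the observable, e.g. `Detects PowerShell script blocks that create a volume shadow copy through the Win32_ShadowCopy WMI class, a common preparatory step before copying NTDS.dit or the SAM from a locked volume`. The two `references` point at the DS0005 data-source page and the Get-WmiObject cmdlet documentation, neither of which describes the shadow-copy technique itself, so a reference for the technique would serve readers better. `falsepositives` should name the benign callers expected to hit this (backup or imaging scripts that call `Win32_ShadowCopy.Create`) so that `level: high` can be defended during tuning.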
@@ -0,0 +1,25 @@ +title: Suspicious Get-WmiObject +id: 0332a266-b584-47b4-933d-a00b103e1b37 +status: experimental +description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers +date: 2022/01/12 +author: frack113 +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - Get-WmiObject + - gwmi + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: low +tags: + - attack.persistence + - attack.t1546
diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
index 491e1d7c5..6adae36db 100644
--- a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
+++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml
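Review bot: The `description` is the generic definition of WMI and says nothing about what is suspicious, while the selection is a bare `ScriptBlockText|contains` on `Get-WmiObject` and `gwmi`, so the rule fires on every script block that invokes the cmdlet, including any longer token that happens to contain `gwmi`. Either the title, description and `falsepositives` should say plainly that this is a low-severity hunting rule for any Get-WmiObject use, or the selection should be narrowed to the classes or arguments that are actually considered suspicious; as written, the `tags` point at T1546 event-triggered execution, but nothing in the match is specific to WMI event subscriptions. Suggested description: `Detects any use of Get-WmiObject or its gwmi alias in a script block; intended as a low-severity hunting rule to be combined with other indicators`.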
@@ -1,20 +1,20 @@ title: AzureHound PowerShell Commands id: 83083ac6-1816-4e76-97d7-59af9a9ae46e status: experimental -description: +description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound references: - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html author: Austin Songer (@austinsonger) date: 2021/10/23 +modified: 2022/01/12 logsource: product: windows category: ps_script - definition: Script Block Logging must be enable + definition: Script Block Logging must be enabled detection: selection: - ScriptBlockText|contains: - - "Invoke-AzureHound" + ScriptBlockText|contains: Invoke-AzureHound condition: selection tags: - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
index 7ba724b77..fa8335566 100644
--- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
+++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml
@@ -22,11 +22,10 @@ logsource: detection: selection_content: ScriptBlockText|contains: - - "set-content" - - "add-content" + - set-content + - add-content selection_stream: - ScriptBlockText|contains: - - "-stream" + ScriptBlockText|contains: '-stream' condition: all of selection* falsepositives: - unknown
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
index 89489c328..929a6581f 100644
--- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml
@@ -17,14 +17,14 @@ logsource: category: ps_script definition: Script block logging must be enabled detection: - convert_b64: + select_convert_b64: ScriptBlockText|contains|all: - '-nop' - ' -w ' - 'hidden' - ' -c ' - '[Convert]::FromBase64String' - iex_selection: + select_iex_selection: ScriptBlockText|contains|all: - ' -w ' - 'hidden'
@@ -33,20 +33,20 @@ detection: - ' -c ' - 'iex' - 'New-Object' - enc_selection: + select_enc_selection: ScriptBlockText|contains|all: - ' -w ' - 'hidden' - '-ep' - 'bypass' - '-Enc' - reg_selection: + select_reg_selection: ScriptBlockText|contains|all: - 'powershell' - 'reg' - 'add' - 'HKCU\software\microsoft\windows\currentversion\run' - webclient_selection: + select_webclient_selection: ScriptBlockText|contains|all: - 'bypass' - '-noprofile'
@@ -55,13 +55,13 @@ detection: - 'new-object' - 'system.net.webclient' - '.download' - iex_webclient: + select_iex_webclient: ScriptBlockText|contains|all: - 'iex' - 'New-Object' - 'Net.WebClient' - '.Download' - condition: 1 of them + condition: 1 of select* falsepositives: - Penetration tests level: high
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index b88705799..9b873293a 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2021/12/10 +modified: 2022/01/12 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
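Review bot: This rule adopts the `select_` prefix and keeps the old `_selection` suffix (`select_iex_selection`, `select_enc_selection`, `select_reg_selection`, `select_webclient_selection`), while its ps_module twin in the same diff (powershell_suspicious_invocation_specific_in_contextinfo.yml) switches the same detections to `selection_iex`, `selection_enc`, `selection_reg` and `selection_webclient`, so two rules that are meant to be maintained in lockstep now use different identifier schemes and different wildcards. Aligning on the `selection_` form used by the twin and by most other hunks in this commit (`selection_convert_b64`, `selection_iex`, …, `condition: 1 of selection*`) keeps the pair greppable together. The three hunks in this file share the naming, so one pass over the file fixes it.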
@@ -82,6 +82,14 @@ detection: filter9: SourceImage|endswith: '\explorer.exe' GrantedAccess: '0x401' + filter10: + SourceImage: 'C:\Windows\system32\wininit.exe' + GrantedAccess: '0x1000000' + filter11: + SourceImage: 'C:\Windows\system32\MRT.exe' # Windows Malicious Software Removal Tool + GrantedAccess: + - '0x1410' + - '0x1418' filter_generic: SourceImage|startswith: - 'C:\Program Files\' diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index e7724a1fa..11bc6e347 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags author: Florian Roth date: 2021/11/22 -modified: 2022/01/08 +modified: 2022/01/13 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -62,6 +62,7 @@ detection: - 'C:\Program Files\Windows Defender\MsMpEng.exe' - 'C:\Windows\SysWOW64\msiexec.exe' - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\System32\lsass.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml index 9adb6d3c1..13073ec7d 100644 --- a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml +++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml 
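Review bot: filter10 carries no explanation for why wininit.exe with GrantedAccess 0x1000000 is benign, while the neighbouring filter11 documents MRT; the line should get the same treatment, e.g. `SourceImage: 'C:\Windows\system32\wininit.exe' # <REASON-FOR-THIS-ACCESS-MASK — fill in>`. Both new filters identify the source by image path alone, which a process-access event cannot corroborate with signer data, so the exclusion rests on System32 being write-protected and that assumption is worth stating in the comment. The condition that consumes `filter*` lies outside the hunk, so whether these filters are ANDed with anything else cannot be checked here.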
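Review bot: The added line `- 'C:\Windows\System32\lsass.exe' # Windows Defender` pairs a path with a comment that does not describe it: lsass.exe is the LSA process itself, not a Defender binary, and the Defender engine (MsMpEng.exe) already appears two lines above. Either the path or the comment is wrong; if the intent is to drop LSASS accessing its own process, the comment should say so, e.g. `# LSASS opening its own process (self-access)`. Leaving it as-is invites a later maintainer to "fix" the entry in the wrong direction.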
@@ -4,7 +4,7 @@ description: Detects shell spawn from Java host process, which could a maintenan status: experimental author: Andreas Hunkeler (@Karneades) date: 2021/12/17 -modified: 2021/12/18 +modified: 2022/01/12 tags: - attack.initial_access - attack.persistence @@ -17,7 +17,10 @@ detection: ParentImage|endswith: '\java.exe' Image|endswith: - '\cmd.exe' - condition: selection + filter: + ParentImage|contains: 'build' # excluding CI build agents + CommandLine|contains: 'build' # excluding CI build agents + condition: selection and not filter falsepositives: - Legitimate calls to system binaries - Company specific internal usage diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml index 6cc9b2ce6..024f9e164 100644 --- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml +++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml @@ -35,6 +35,9 @@ detection: filter_nvidia: Image|contains: 'NVIDIA\NvBackend\' Image|endswith: '.dat' + filter_com: + Image|startswith: 'C:\Windows\System32\' + Image|endswith: '.com' condition: not image_exe and not 1 of filter* falsepositives: - unknown diff --git a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml index 63c8dd1b8..7da6f41fd 100644 --- a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml @@ -43,7 +43,7 @@ detection: - '\nslookup.exe' - '-q=TXT' ParentImage|contains: '\Autoit' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml index ad472d872..4ee34b3c6 100755 --- a/rules/windows/process_creation/win_apt_elise.yml +++ b/rules/windows/process_creation/win_apt_elise.yml 
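Review bot: The new `filter` map lists two fields, so Sigma requires both `ParentImage|contains: 'build'` and `CommandLine|contains: 'build'` to hold before the event is dropped; the two identical comments read as if either alone were meant to exclude CI agents. The AND reading is the safer one, because the command line of the spawned shell is under the control of whoever triggered the spawn, and a CommandLine-only exclusion on a four-letter substring would let any shell whose arguments happen to contain "build" escape the rule. Make the intent explicit with a single comment above the map, e.g. `# both must match: a 'build' substring on the command line alone is too easy to satisfy`, or, if OR was intended, restrict the exclusion to the ParentImage path only.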
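Review bot: `condition: 1 of selection*` only evaluates to the same thing as the old `1 of them` if every selection identifier in the file starts with "selection", and the hunk shows just the tail of the last one, so that cannot be confirmed here. Any block named differently (a `filter`, a `keywords` list, or an older ad-hoc name) silently drops out of the condition and the rule loses coverage without any error. The same `1 of them` → `1 of selection*` change is made in the other rules of this commit (win_apt_elise, win_apt_empiremonkey, win_apt_greenbug_may20, win_apt_hafnium, win_malware_wannacry, win_powershell_disable_windef_av and the rest), and each should be checked the same way; the renames to `selection_tamper_cmd_*` in win_powershell_disable_windef_av show the author was aware of this, which makes an unrenamed block elsewhere more likely to be an oversight than a choice.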
@@ -16,7 +16,7 @@ detection: CommandLine|contains: '\Windows\Caches\NavShExt.dll ' selection2: CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index d2f5677ae..5590dd0df 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml @@ -17,7 +17,7 @@ detection: selection_regsvr32: CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' Description: 'Microsoft(C) Registerserver' - condition: 1 of them + condition: 1 of selection* falsepositives: - Very Unlikely level: critical diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 73646153f..239bec27a 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -18,7 +18,7 @@ detection: CommandLine|endswith: ',dll_u' selection2: CommandLine|contains: ' -export dll_u ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index 443beebb3..6a1b7e668 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml @@ -50,7 +50,7 @@ detection: - '\programdata\oracle\java.exe' - 'CSIDL_COMMON_APPDATA\comms\comms.exe' - '\Programdata\VMware\Vmware.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical 
diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml index 30c41f2ba..aba2a631d 100644 --- a/rules/windows/process_creation/win_apt_hafnium.yml +++ b/rules/windows/process_creation/win_apt_hafnium.yml @@ -66,7 +66,7 @@ detection: - 'dsquery' - ' -uco ' - '\inetpub\wwwroot' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml index 2acce96ce..9926930f7 100644 --- a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml +++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml @@ -29,7 +29,7 @@ detection: - ':\Users\Public\' Image: - 'C:\Windows\System32\rundll32.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Should not be any false positives level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml index 6b5fcccaf..dec51827b 100644 --- a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml @@ -34,7 +34,7 @@ detection: selection4: CommandLine|contains: - '.255 10 C:\ProgramData\' - condition: 1 of them + condition: 1 of selection* falsepositives: - Overlap with legitimate process activity in some cases (especially selection 3 and 4) level: critical diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index c1bac606d..ad9ddff19 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml 
@@ -26,7 +26,7 @@ detection: - '/F' selection2: Image|endswith: 'Temp\winwsh.exe' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml index c30876f52..308d6f6b3 100644 --- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml +++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml @@ -20,7 +20,7 @@ detection: CommandLine|contains|all: - 'net use https://docs.live.net' - '@aol.co.uk' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml index 1994397ba..595829255 100644 --- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml +++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml @@ -27,7 +27,7 @@ detection: selection5: ParentImage|startswith: 'C:\ProgramData\DRM\Windows' Image|endswith: '\SearchFilterHost.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unlikely level: critical diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml index 3dba59566..3a4d55978 100644 --- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml @@ -21,7 +21,7 @@ detection: - '-x:0' - '-x:1' - '-x:2' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate setups that use similar flags level: critical diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 928f9aea7..9d7154328 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml 
@@ -27,7 +27,7 @@ detection: CommandLine|contains|all: - 'format:' - 'http' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml index 894add395..57d611743 100644 --- a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml @@ -34,7 +34,7 @@ detection: Image|endswith: '\cmd.exe' ParentImage|endswith: '\runonce.exe' ParentCommandLine|endswith: '\runonce.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Other programs that cause these patterns (please report) level: high diff --git a/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml index 3b377a1c2..6c7523e0d 100644 --- a/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml @@ -22,7 +22,7 @@ detection: - '\..\..\' selection2: CommandLine|contains: '.exe\..\' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml index c83f97404..8f8be3398 100644 --- a/rules/windows/process_creation/win_crime_maze_ransomware.yml +++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml @@ -35,7 +35,7 @@ detection: selection3: CommandLine|endswith: 'shadowcopy delete' CommandLine|contains: '\..\..\system32' - condition: 1 of them + condition: 1 of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml index 32bcf3f1e..0427c2e97 100644 
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml +++ b/rules/windows/process_creation/win_etw_trace_evasion.yml @@ -47,7 +47,7 @@ detection: - 'trace' - '--p' - '-ets' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml index 4902f643d..3288e0325 100644 --- a/rules/windows/process_creation/win_hack_bloodhound.yml +++ b/rules/windows/process_creation/win_hack_bloodhound.yml @@ -30,7 +30,7 @@ detection: CommandLine|contains|all: - ' DCOnly ' - ' --NoSaveCache ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Other programs that use these command line option and accepts an 'All' parameter level: high diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index 8b29ea34b..3555ed2db 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -23,7 +23,7 @@ detection: Image|endswith: 'PasswordDump.exe' selection3: OriginalFileName|endswith: 'PasswordDump.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - unlikely level: critical diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index ea76cc39e..a54f7b140 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -19,7 +19,7 @@ detection: Image|contains: '\CreateMiniDump.exe' selection2: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high \ No newline at end of file 
diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml index 6821201cf..7911e9cc3 100644 --- a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml @@ -5,7 +5,7 @@ status: experimental references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install author: Sreeman, Florian Roth, Frack113 -date: 2020/21/04 +date: 2020/04/21 modified: 2022/01/11 tags: - attack.defense_evasion @@ -27,4 +27,4 @@ falsepositives: - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users. fields: - CommandLine -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index f1519e1f8..1401ee4b8 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -12,18 +12,18 @@ logsource: category: process_creation product: windows detection: - pipe_com: + select_pipe_com: CommandLine|contains|all: - '\AppData\Local\Temp\' - '\\.\pipe\\' - rundll32_dash1: + select_rundll32_dash1: Image|endswith: '\rundll32.exe' CommandLine|endswith: - '.dat,#1' - '.dat #1' # Sysmon removes comma - perfc_keyword: + select_perfc_keyword: - '\perfc.dat' - condition: 1 of them + condition: 1 of select* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index aac188521..5498fac78 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml 
@@ -44,7 +44,7 @@ detection: - 'catalog' - '-quiet' - CommandLine|contains: '@Please_Read_Me@.txt' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml index fc112e749..1bef8de86 100644 --- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml @@ -23,7 +23,7 @@ detection: - action=allow - protocol=TCP - localport=3389 - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration level: high diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml new file mode 100644 index 000000000..e9a92cdbb --- /dev/null +++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml @@ -0,0 +1,24 @@ +title: Uninstall Sysinternals Sysmon +id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 +status: experimental +description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon +author: frack113 +date: 2022/01/12 +logsource: + category: process_creation + product: windows +detection: + sysmon: + Image|endswith: + - \Sysmon64.exe + - \Sysmon.exe + CommandLine|contains: '-u' + condition: sysmon +falsepositives: + - unknown +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index 4d5072552..f9cdc7643 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml 
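Review bot: `CommandLine|contains: '-u'` in the new win_pc_uninstall_sysmon.yml is an undelimited two-character substring, so any Sysmon command line whose image path or other argument contains "-u" (a directory such as `sysmon-utils`, constructed example) matches and the rule fires on installs and config reloads too. The uninstall switch is passed as `-u` or `-u force` at the end of the command line, so anchoring it removes the ambiguity: `CommandLine|endswith:` with the two items `' -u'` and `' -u force'`. Separately, `Image|endswith` sees only the default binary names, and Sysmon is frequently deployed under a renamed executable, so an `OriginalFileName` match alongside the image name would keep the rule useful on those hosts; worth a comment in the rule if it is left out deliberately.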
+++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml @@ -22,18 +22,18 @@ detection: CommandLine|contains: - '-DisableBehaviorMonitoring $true' - '-DisableRuntimeMonitoring $true' - tamper_cmd_stop: + selection_tamper_cmd_stop: CommandLine|contains|all: - sc - stop - WinDefend - tamper_cmd_disabled: + selection_tamper_cmd_disabled: CommandLine|contains|all: - sc - config - WinDefend - 'start=disabled' - condition: 1 of them + condition: 1 of selection* falsepositives: - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.' level: high diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index 55ed270f2..c09ec56b0 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -16,7 +16,7 @@ detection: CommandLine|contains: - 'bxor' - '-join ' - - "-join'" + - '-join''' - '-join"' - '-join`' - 'char' diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml index 1d0969a5f..987211efa 100644 --- a/rules/windows/process_creation/win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml @@ -1,10 +1,10 @@ title: PurpleSharp Indicator id: ff23ffbc-3378-435e-992f-0624dcf93ab4 status: experimental -description: Detect +description: Detects the execution of the PurpleSharp adversary simulation tool author: Florian Roth date: 2021/06/18 -modified: 2021/07/06 +modified: 2022/01/12 references: - https://github.com/mvelazc0/PurpleSharp logsource: 
@@ -16,8 +16,7 @@ detection: - xyz123456.exe - PurpleSharp selection2: - OriginalFileName: - - 'PurpleSharp.exe' + OriginalFileName: 'PurpleSharp.exe' condition: selection1 or selection2 falsepositives: - Unlikely diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 18cddb9e6..fc9cb34de 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -6,7 +6,7 @@ references: - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf status: experimental date: 2020/02/18 -modified: 2021/06/11 +modified: 2022/01/11 author: Sreeman tags: - attack.t1015 # an old one @@ -17,8 +17,7 @@ logsource: category: process_creation detection: selection: - CommandLine: - - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe" + CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index 1a3cdca0b..587425522 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml 
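Review bot: `CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'` is now an exact match on the whole command line, so the rule fires only on this one spelling (fixed drive letter and path form, single spaces, that argument order); the previous list form had the same limitation, so this is a pre-existing gap the commit preserves rather than introduces. A `CommandLine|contains|all` with the items `copy`, `\cmd.exe` and `\sethc.exe` keeps the intent while tolerating path and spacing variants. If the exact match is deliberate to keep noise down, a short comment saying so would stop the next reviewer from raising the same point.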
@@ -18,11 +18,11 @@ detection: CommandLine|contains: - 'join*split' # Line 343ff - - "( $ShellId[1]+$ShellId[13]+'x')" + - '( $ShellId[1]+$ShellId[13]+''x'')' - '( $PSHome[*]+$PSHOME[*]+' - - "( $env:Public[13]+$env:Public[5]+'x')" - - "( $env:ComSpec[4,*,25]-Join'')" - - "[1,3]+'x'-Join'')" + - '( $env:Public[13]+$env:Public[5]+''x'')' + - '( $env:ComSpec[4,*,25]-Join'''')' + - '[1,3]+''x''-Join'''')' condition: powershell_execution and snippets fields: - ComputerName diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml index df82ef723..96cb4a40a 100644 --- a/rules/windows/process_creation/win_susp_disable_ie_features.yml +++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml @@ -23,7 +23,7 @@ detection: CommandLine|contains|all: - ' -name DisableFirstRunCustomize ' - ' -value 2 ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown, maybe some security software installer disables these features temporarily level: high diff --git a/rules/windows/process_creation/win_susp_disable_raccine.yml b/rules/windows/process_creation/win_susp_disable_raccine.yml index 15c00f7fb..2f2336e35 100644 --- a/rules/windows/process_creation/win_susp_disable_raccine.yml +++ b/rules/windows/process_creation/win_susp_disable_raccine.yml @@ -28,7 +28,7 @@ detection: - 'schtasks' - '/DELETE' - 'Raccine Rules Updater' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate deinstallation by administrative staff level: high diff --git a/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml index f5e70dfcf..104842f68 100644 --- a/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml +++ b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml 
@@ -26,7 +26,7 @@ detection: CommandLine|endswith: - '.dll,Control_RunDLL' - '.dll",Control_RunDLL' - - ".dll',Control_RunDLL" + - '.dll'',Control_RunDLL' filter_ide: ParentImage|endswith: - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml index 285ccec90..9dc7023c9 100644 --- a/rules/windows/process_creation/win_susp_ngrok_pua.yml +++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml @@ -38,7 +38,7 @@ detection: - ' tcp ' - ' http ' - ' authtoken ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Another tool that uses the command line switches of Ngrok - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index c8f937c85..0e98a9e1f 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -50,7 +50,7 @@ detection: CommandLine|contains: - '\AppData\Local' - 'C:\Users\Public' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml b/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml index 09dffbc8d..1029690e0 100644 --- a/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml +++ b/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml 
@@ -55,8 +55,8 @@ detection: Image|endswith: \netsh.exe suspicious_netsh_filter: CommandLine|contains: - - "add portopening" - - "rule name" + - 'add portopening' + - 'rule name' suspicious_powershell: Image|endswith: \powershell.exe suspicious_powershell_filter: diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index c8b351ed9..ea3b72cae 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2021/12/07 +modified: 2022/01/12 logsource: category: process_creation product: windows @@ -24,10 +24,11 @@ detection: - '--createShortcut' CommandLine|contains|all: - '.exe' - filter: + filter1: CommandLine|contains|all: - - 'C:\\Users\\' - - '\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe' + - 'C:\Users\' + - '\AppData\Local\Discord\Update.exe' + - ' --processStart Discord.exe' condition: selection and not 1 of filter* falsepositives: - 1Clipboard diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml index 7d3009e74..02b621faf 100644 --- a/rules/windows/process_creation/win_trust_discovery.yml +++ b/rules/windows/process_creation/win_trust_discovery.yml @@ -36,7 +36,7 @@ detection: CommandLine|contains|all: - '-filter' - 'trustedDomain' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate use of the utilities by legitimate user for legitimate reason level: medium diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index ecf8aba9b..bfdd0738b 100644 
--- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -11,7 +11,7 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/09/24 +modified: 2022/01/13 fields: - EventID - CommandLine @@ -22,6 +22,7 @@ logsource: category: registry_event detection: selection: + EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' Details|endswith: - .sh diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml index 0d3faa4e0..5c95188e2 100644 --- a/rules/windows/registry_event/registry_event_defender_disabled.yml +++ b/rules/windows/registry_event/registry_event_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/10/18 +modified: 2022/01/13 author: Ján Trenčanský, frack113, AlertIQ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -27,6 +27,7 @@ detection: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus' Details: 'DWORD (0x00000001)' selection2: + EventType: SetValue TargetObject: - 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend' - 'HKLM\SOFTWARE\Microsoft\Windows Defender' diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml index 3bdba761b..1cc8bfc66 100644 --- a/rules/windows/registry_event/registry_event_mal_adwind.yml +++ b/rules/windows/registry_event/registry_event_mal_adwind.yml 
@@ -10,7 +10,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2021/09/19 +modified: 2022/01/13 tags: - attack.execution - attack.t1059.005 @@ -21,6 +21,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection diff --git a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml index 4d969f09a..25b700088 100644 --- a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml +++ b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml @@ -21,7 +21,7 @@ detection: selection2: EventType: DeleteKey TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\' - condition: 1 of them + condition: 1 of selection* falsepositives: - unknown level: high diff --git a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml index 43efa10c9..5280038f2 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml @@ -3,6 +3,7 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) author: Christian Burkard date: 2021/08/30 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|' TargetObject|endswith: '\LowerCaseLongPath' Details|startswith: 'c:\users\' 
diff --git a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml index 22f04a705..ea145d3c0 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml @@ -3,6 +3,7 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) author: Christian Burkard date: 2021/08/23 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' Details: 'Binary Data' condition: selection diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml index 2cb80ab88..44b01ed98 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: classes_base: + EventType: SetValue TargetObject|contains: '\Software\Classes' classes: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml index e9d0e9331..f797c50fe 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml 
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: main_selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml index 1b1bd16f6..8e3ffd89c 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: system_control_base: + EventType: SetValue TargetObject|contains: '\SYSTEM\CurrentControlSet\Control' system_control: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml index 9c4e8b390..46bffafb9 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml index b6bdedcbc..095e0837e 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: nt_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' nt_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml index 13a3112d1..b78b65a14 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: ie: + EventType: SetValue TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Internet Explorer' - '\Software\Microsoft\Internet Explorer' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml index 46a4479e5..235706a41 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: office: + EventType: SetValue TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Office' - '\Software\Microsoft\Office' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml index 08830dc05..7ccafcdcc 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: session_manager_base: + EventType: SetValue TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager' session_manager: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml index 0b721eb8b..41cbd4739 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: scripts_base: + EventType: SetValue TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts' scripts: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml index b283e6a61..318b9db59 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/01/08 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: winsock_parameters_base: + EventType: SetValue TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml index e7d956008..6a49c0f88 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/19 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' wow_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml index c91ab45d0..41cc28651 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_classes_base: + EventType: SetValue TargetObject|contains: '\Software\Wow6432Node\Classes' wow_classes: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml index 2f07e05a1..a0b9eba10 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_nt_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' wow_nt_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_cve_2020_1048.yml b/rules/windows/registry_event/sysmon_cve_2020_1048.yml index f87f36d85..c5e24e178 100644 --- a/rules/windows/registry_event/sysmon_cve_2020_1048.yml +++ b/rules/windows/registry_event/sysmon_cve_2020_1048.yml 
@@ -6,12 +6,13 @@ author: EagleEye Team, Florian Roth, NVISO references: - https://windows-internals.com/printdemon-cve-2020-1048/ date: 2020/05/13 -modified: 2021/11/27 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection: + EventType: SetValue TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' Details|contains: - '.dll' diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index c5138d2bf..55b34be14 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
@@ -1,33 +1,36 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 -date: 2021/07/22 -modified: 2021/09/08 +status: experimental description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. author: Austin Songer -status: experimental references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1112 +date: 2021/07/22 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection_edge: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection_chrome: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection_firefox: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' Details: 'DWORD (1)' - condition: selection_edge or selection_chrome or selection_firefox + condition: 1 of selection_* falsepositives: - Unlikely level: medium +tags: + - attack.defense_evasion + - attack.t1140 + - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml index 0694d6440..5253af2c4 100644 --- a/rules/windows/registry_event/sysmon_etw_disabled.yml +++ b/rules/windows/registry_event/sysmon_etw_disabled.yml 
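Review bot: The `Details` values in the three selections of sysmon_dns_over_https_enabled.yml do not follow the format the other rules in this same change use for DWORD data (`Details: 'DWORD (0x00000000)'` in sysmon_etw_disabled.yml, `Details: DWORD (0x00000001)` in win_outlook_registry_todaypage.yml), so `'DWORD (1)'` for Edge and Firefox is unlikely to match a real event; `Details: 'DWORD (0x00000001)'` is the form to verify against a sample EID 13 record. `DnsOverHttpsMode` is a string policy per the linked chromeenterprise.google reference, so `'DWORD (secure)'` looks wrong on both counts and presumably should be `Details: 'secure'`. Since the commit already edits all three selections, fixing the value format here would turn a rule that probably never fires into one that does, and one test event per browser is enough to confirm it.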
@@ -14,12 +14,13 @@ references: - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code date: 2020/06/05 -modified: 2021/11/27 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection: + EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' condition: selection diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml index f9e53a3dc..3dbb8e686 100644 --- a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -3,6 +3,7 @@ id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. status: experimental date: 2021/04/12 +modified: 2022/01/13 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.resource_development @@ -16,6 +17,7 @@ detection: selection1: TargetObject|contains: '\Services\HybridConnectionManager' selection2: + EventType: SetValue Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe' condition: selection1 or selection2 falsepositives: diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml index 82b14f362..2e07a2d8c 100755 --- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml +++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml 
@@ -16,7 +16,7 @@ detection: TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' selection2: TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' - condition: 1 of them + condition: 1 of selection* falsepositives: - unknown level: high diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml index a297c6680..2da308f2c 100644 --- a/rules/windows/registry_event/sysmon_powershell_as_service.yml +++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml @@ -4,7 +4,7 @@ description: Detects that a powershell code is written to the registry as a serv status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/05/21 +modified: 2022/01/13 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -15,6 +15,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Services\' TargetObject|endswith: '\ImagePath' Details|contains: diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml index 65ffce511..b95d8e580 100755 --- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml @@ -6,12 +6,13 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html date: 2019/09/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' 
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index 190f33f2c..08f1c07fb 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -7,6 +7,7 @@ references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ date: 2021/02/26 +modified: 2022/01/13 tags: - attack.persistence - attack.t1546.012 @@ -14,7 +15,8 @@ logsource: category: registry_event product: windows detection: - selection: + selection: + EventType: SetValue TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml index 058178fcf..abdb2b3c4 100644 --- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -3,6 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 +modified: 2022/01/13 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -11,6 +12,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' Details|contains: - 'vbscript' diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 7b830997d..0dcdc843b 100755 
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/01/08 +modified: 2022/01/13 tags: - attack.persistence - attack.t1546.015 @@ -16,6 +16,7 @@ logsource: product: windows detection: selection: # Detect new COM servers in the user hive + EventType: SetValue TargetObject|startswith: - 'HKCR\CLSID\' - 'HKCU\Software\Classes\CLSID\' diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 42cbead5a..90ee32fba 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -6,12 +6,13 @@ author: Florian Roth references: - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 598a7756b..11e4cb99d 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml 
@@ -6,12 +6,13 @@ author: Florian Roth, oscd.community references: - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ date: 2018/07/18 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' selection2: - Details|startswith: diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 1bbe17aec..6e6f8b0c8 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml @@ -10,12 +10,13 @@ tags: - attack.t1060 # an old one - attack.t1547.001 date: 2018/08/25 -modified: 2021/10/30 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 4fa03b7ea..9ede1214d 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml @@ -6,12 +6,13 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes) references: - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ date: 2019/04/08 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_1: + EventType: SetValue TargetObject: - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' 
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index c6a0fd1fb..c02cf18c9 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml @@ -7,13 +7,14 @@ references: - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files date: 2019/10/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: selection_registry: + EventType: SetValue TargetObject|contains: - '\Keyboard Layout\Preload\' - '\Keyboard Layout\Substitutes\' diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 01c566580..378e7f623 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -7,7 +7,7 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2021/09/17 +modified: 2022/01/13 logsource: category: registry_event product: windows @@ -15,6 +15,7 @@ detection: selection1: TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: + EventType: SetValue TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 351020fc0..195ddd91b 100644 
--- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml @@ -10,13 +10,14 @@ tags: - attack.defense_evasion - attack.t1218 date: 2020/10/13 -modified: 2021/05/21 +modified: 2022/01/13 author: oscd.community, Natalia Shornikova logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath' filter: Details: '%CommonProgramFiles%\System\wab32.dll' diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 62dbf900b..8f438c6a1 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -6,13 +6,14 @@ author: Lednyov Alexey, oscd.community references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ date: 2020/10/16 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' detection: selection: + EventType: SetValue TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml index 148886a9a..a6b8a353b 100644 --- a/rules/windows/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml 
@@ -12,12 +12,13 @@ tags: - attack.t1008 - attack.t1546 date: 2021/04/05 -modified: 2021/09/13 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_registry: + EventType: SetValue TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 336b5dc84..089a8cc53 100644 --- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -6,6 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 +modified: 2022/01/13 tags: - attack.persistence - attack.t1112 @@ -18,6 +19,7 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: + EventType: SetValue TargetObject|endswith: Stamp Details: DWORD (0x00000001) selectionUserDefined: diff --git a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml index 8c30a7931..cb73fa4c4 100644 --- a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml +++ b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml @@ -3,7 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 -modified: 2021/11/19 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME 
@@ -20,11 +20,13 @@ logsource:
product: windows
detection:
selection1:
+ EventType: SetValue
TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
Details|contains: '\Software\Classes\{'
selection2:
TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
selection3:
+ EventType: SetValue
TargetObject|endswith: - 'Classes\ms-settings\shell\open\command\(Default)' - 'Classes\exefile\shell\open\command\(Default)'
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
new file mode 100644
index 000000000..698bd1fb3
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -0,0 +1,24 @@
+title: Sysmon Configuration Change
+id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
+description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
+status: experimental
+author: frack113
+date: 2022/01/12
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 16
+ # To avoid FP just add
+ # filter:
+ # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
+ # condition: selection and not filter
+ condition: selection
+falsepositives:
+ - legitimate administrative action
+level: medium
+tags:
+ - attack.defense_evasion
diff --git a/tests/test_rules.py b/tests/test_rules.py
index be340f84d..b83726cee 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
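Review bot: The description of the new sysmon_config_modification.yml has a typo, `someone trying manipulate` → `someone trying to manipulate the configuration`. The commented-out `ConfigurationFileHash` filter pins a single hash, so every legitimate config revision will alert until the rule is edited; that is worth stating in the comment, e.g. `# update the hash whenever the approved config is rolled out`. Given the rule's purpose, the tactic-only tag could be accompanied by the sub-technique for modifying defensive tooling, `attack.t1562.001`, if the repository's tag conventions allow it.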
@@ -375,6 +375,23 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") + def test_missing_description(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + descriptionfield = self.get_rule_part(file_path=file, part_name="description") + if not descriptionfield: + print(Fore.YELLOW + "Rule {} has no field 'description'.".format(file)) + faulty_rules.append(file) + elif not isinstance(descriptionfield, str): + print(Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) + faulty_rules.append(file) + elif len(descriptionfield) < 16: + print(Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with missing or malformed 'description' field. (create one, e.g. description: Detects the suspicious behaviour of process XY doing YZ)") + def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules):
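Review bot: `elif len(descriptionfield) < 16:` in test_missing_description counts whitespace, so a description padded with spaces or newlines passes the length gate; `elif len(descriptionfield.strip()) < 16:` checks what a reader actually gets, and the bare `16` deserves a name, e.g. a class-level `MIN_DESCRIPTION_LENGTH = 16` referenced in both the check and the failure message. The three branches print and append identically, which matches the sibling tests, so only the threshold and the strip are worth changing here. The enclosing TestRules class starts outside the hunk.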