From cca339a81eda297a6ba5f2fa52cd72aebe639b84 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Mon, 10 Jan 2022 23:17:51 +0000
Subject: [PATCH 01/20] Updating id
---
...file_event_win_cscript_wscript_dropper.yml | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml
diff --git a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml
new file mode 100644
index 000000000..16549f4e3
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml
@@ -0,0 +1,34 @@
+title: WScript or CScript Dropper
+id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
+status: experimental
+description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
+related: cea72823-df4d-4567-950c-0b579eaf0846
+references:
+ - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
+author: Tim Shelton
+date: 2022/01/10
+modified: 2022/01/10
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ TargetFilename|startswith:
+ - 'C:\Users\'
+ - 'C:\ProgramData'
+ TargetFilename|endswith:
+ - '.jse'
+ - '.vbe'
+ - '.js'
+ - '.vba'
+ - '.vbs'
+ condition: 1 of selection*
+fields:
+ - Image
+ - TargetFilename
+falsepositives:
+ - Unknown
+level: high
From 50d76f2c8989116677dc70dbec6c2dd0a1ed2fea Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 11 Jan 2022 00:09:49 +0000
Subject: [PATCH 02/20] fixing related field, didnt properly format
---
.../file_event/file_event_win_cscript_wscript_dropper.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml
index 16549f4e3..b25ae4ba6 100644
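Review bot: `TargetFilename|startswith: 'C:\ProgramData'` in the new rule lacks the trailing backslash that its sibling `'C:\Users\'` has, so it is a plain string prefix rather than a directory prefix; `- 'C:\ProgramData\'` would make the two entries consistent and avoid matching any sibling path that merely begins with those characters. The `.js`/`.vbs` suffixes are also what ordinary logon and installer scripts write under a user profile, so `falsepositives: Unknown` paired with `level: high` looks optimistic and at least one known benign case listed there would help tuning. With a single selection, `condition: 1 of selection*` could simply read `condition: selection1`.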
--- a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml +++ b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml @@ -2,7 +2,9 @@ title: WScript or CScript Dropper id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 status: experimental description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe -related: cea72823-df4d-4567-950c-0b579eaf0846 +related: + - id: cea72823-df4d-4567-950c-0b579eaf0846 + type: derived references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton From e055ec1d52e0d8694ad068663a06964829af5a7b Mon Sep 17 00:00:00 2001 
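Review bot: The `references` entry `WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)` is a rule title plus id rather than a resolvable source, and now that `related` carries that id with `type: derived` it merely duplicates the link; `references` should either point at a URL (the referenced rule file or the write-up it came from) or be dropped. The rule's `modified: 2022/01/10` (outside this hunk) equals `date` on a freshly created rule, where the Sigma convention is to add `modified` only on a later change.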
From: Florian Roth Date: Tue, 11 Jan 2022 10:59:57 +0100 Subject: [PATCH 03/20] refactor: change all " of them" expressions --- rules/linux/auditd/lnx_auditd_coinminer.yml | 2 +- rules/linux/auditd/lnx_auditd_susp_cmds.yml | 2 +- rules/linux/auditd/lnx_data_compressed.yml | 2 +- .../macos_creds_from_keychain.yml | 2 +- .../macos_file_and_directory_discovery.yml | 12 ++++---- .../process_creation/macos_local_account.yml | 2 +- .../process_creation/macos_local_groups.yml | 2 +- .../macos_remote_system_discovery.yml | 2 +- .../lnx_file_and_directory_discovery.yml | 10 +++---- .../process_creation/lnx_local_account.yml | 2 +- .../process_creation/lnx_local_groups.yml | 2 +- .../lnx_remote_system_discovery.yml | 2 +- .../lnx_security_tools_disabling.yml | 28 +++++++++---------- rules/network/net_apt_equationgroup_c2.yml | 6 ++-- rules/network/net_mal_dns_cobaltstrike.yml | 2 +- .../zeek_dce_rpc_mitre_bzar_execution.yml | 2 +- .../zeek_dce_rpc_mitre_bzar_persistence.yml | 2 +- rules/proxy/proxy_cobalt_malformed_uas.yml | 2 +- .../web_citrix_cve_2020_8193_8195_exploit.yml | 2 +- .../web/web_exchange_exploitation_hafnium.yml | 2 +- .../web/web_unc2546_dewmode_php_webshell.yml | 2 +- .../deprecated/sysmon_rclone_execution.yml | 2 +- .../dns_query/dns_net_mal_cobaltstrike.yml | 2 +- ...e_event_win_shell_write_susp_directory.yml | 2 +- ...ocess_creation_mal_darkside_ransomware.yml | 2 +- .../pipe_created/sysmon_mal_cobaltstrike.yml | 2 +- ...ous_invocation_specific_in_contextinfo.yml | 2 +- ..._invocation_specific_in_scripblocktext.yml | 14 +++++----- .../wim_pc_apt_chafer_mar18.yml | 2 +- .../process_creation/win_apt_elise.yml | 2 +- .../process_creation/win_apt_empiremonkey.yml | 2 +- .../win_apt_equationgroup_dll_u_load.yml | 2 +- .../win_apt_greenbug_may20.yml | 2 +- .../process_creation/win_apt_hafnium.yml | 2 +- .../win_apt_lazarus_activity_apr21.yml | 2 +- .../win_apt_lazarus_activity_dec20.yml | 2 +- .../process_creation/win_apt_mustangpanda.yml | 2 +- 
.../win_apt_turla_comrat_may20.yml | 2 +- .../win_apt_winnti_mal_hk_jan20.yml | 2 +- .../win_apt_winnti_pipemon.yml | 2 +- .../win_bypass_squiblytwo.yml | 2 +- .../win_cobaltstrike_process_patterns.yml | 2 +- ...win_commandline_path_traversal_evasion.yml | 2 +- .../win_crime_maze_ransomware.yml | 2 +- .../win_etw_trace_evasion.yml | 2 +- .../process_creation/win_hack_bloodhound.yml | 2 +- .../win_hack_secutyxploded.yml | 2 +- .../win_hktl_createminidump.yml | 2 +- .../process_creation/win_malware_notpetya.yml | 8 +++--- .../process_creation/win_malware_wannacry.yml | 2 +- .../win_netsh_allow_port_rdp.yml | 2 +- .../win_powershell_disable_windef_av.yml | 6 ++-- .../win_susp_disable_ie_features.yml | 2 +- .../win_susp_disable_raccine.yml | 2 +- .../process_creation/win_susp_ngrok_pua.yml | 2 +- .../win_susp_regsvr32_anomalies.yml | 2 +- .../process_creation/win_trust_discovery.yml | 2 +- .../registry_event_mstsc_history_cleared.yml | 2 +- .../sysmon_narrator_feedback_persistance.yml | 2 +- 59 files changed, 94 insertions(+), 94 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_coinminer.yml b/rules/linux/auditd/lnx_auditd_coinminer.yml index 8a311ec4b..21c65eff0 100644 --- a/rules/linux/auditd/lnx_auditd_coinminer.yml +++ b/rules/linux/auditd/lnx_auditd_coinminer.yml @@ -27,7 +27,7 @@ detection: a6|startswith: '--cpu-priority' cmd7: a7|startswith: '--cpu-priority' - condition: 1 of them + condition: 1 of cmd* falsepositives: - Other tools that use a --cpu-priority flag level: critical \ No newline at end of file diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml index 2a85474b2..b8c330a13 100644 --- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml +++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml @@ -27,7 +27,7 @@ detection: type: 'EXECVE' a0: 'cp' a1: '/bin/sh' - condition: 1 of them + condition: 1 of cmd* falsepositives: - Admin activity level: medium 
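Review bot: `condition: 1 of cmd*` in lnx_auditd_coinminer is only equivalent to the former `1 of them` if every selection in the file shares the `cmd` prefix, and the hunk shows only `cmd7`; `1 of them` spanned all selections, whereas the glob silently drops any that do not match, so please confirm against the full file that no differently named selection exists above the context. The same check applies to the other single-line hunks in this series whose selection names are out of view, notably lnx_auditd_susp_cmds (the context shows `type: 'EXECVE'` / `a0: 'cp'` without its selection header), lnx_data_compressed, the `op*` changes in the two zeek bzar rules, and the `selection*` rewrites throughout.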
diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index 7fd4fd508..adb8e6e0f 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml @@ -22,7 +22,7 @@ detection: type: 'execve' a0: 'tar' a1|contains: '-c' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate use of archiving tools by legitimate user. level: low diff --git a/rules/linux/macos/process_creation/macos_creds_from_keychain.yml b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml index 3cd1a7ab3..41b22a6b2 100644 --- a/rules/linux/macos/process_creation/macos_creds_from_keychain.yml +++ b/rules/linux/macos/process_creation/macos_creds_from_keychain.yml @@ -21,7 +21,7 @@ detection: CommandLine|contains: - ' dump-keychain ' - ' login-keychain ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: medium diff --git a/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml index 3e25319e3..c4159b43a 100644 --- a/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml +++ b/rules/linux/macos/process_creation/macos_file_and_directory_discovery.yml 
@@ -11,19 +11,19 @@ logsource: category: process_creation product: macos detection: - file_with_asterisk: + select_file_with_asterisk: Image: '/usr/bin/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline - recursive_ls: + select_recursive_ls: Image: '/bin/ls' CommandLine|contains: '-R' - find_execution: + select_find_execution: Image: '/usr/bin/find' - mdfind_execution: + select_mdfind_execution: Image: '/usr/bin/mdfind' - tree_execution|endswith: + select_tree_execution|endswith: Image: '/tree' - condition: 1 of them + condition: 1 of select* falsepositives: - Legitimate activities level: informational diff --git a/rules/linux/macos/process_creation/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml index 7f3722d7d..799398f8c 100644 --- a/rules/linux/macos/process_creation/macos_local_account.yml +++ b/rules/linux/macos/process_creation/macos_local_account.yml @@ -40,7 +40,7 @@ detection: - '/lsof' CommandLine|contains: - '-u' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/macos/process_creation/macos_local_groups.yml b/rules/linux/macos/process_creation/macos_local_groups.yml index 377287618..ff1fa3e08 100644 --- a/rules/linux/macos/process_creation/macos_local_groups.yml +++ b/rules/linux/macos/process_creation/macos_local_groups.yml @@ -28,7 +28,7 @@ detection: CommandLine|contains|all: - '-list' - '/groups' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: informational diff --git a/rules/linux/macos/process_creation/macos_remote_system_discovery.yml b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml index b32ff1d98..2ebcdf856 100644 --- a/rules/linux/macos/process_creation/macos_remote_system_discovery.yml +++ b/rules/linux/macos/process_creation/macos_remote_system_discovery.yml 
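Review bot: `select_tree_execution|endswith:` keeps a field modifier on a selection identifier, where it has no effect; as written the inner `Image: '/tree'` is an exact match that a full executable path never satisfies, so this selection is dead. The Linux twin in lnx_file_and_directory_discovery has the intended form, and the lines should read `select_tree_execution:` / `Image|endswith: '/tree'`; the rename in this commit touched the line without fixing it. Separately, this file, lnx_file_and_directory_discovery, net_apt_equationgroup_c2 and the scriptblocktext rule adopt a `select_` prefix with `1 of select*`, while the rest of the series uses `selection_`/`selection*`; one prefix across the repository would make the refactor easier to grep and to validate.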
@@ -40,7 +40,7 @@ detection: - ' 172.31.' - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: informational diff --git a/rules/linux/process_creation/lnx_file_and_directory_discovery.yml b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml index c26db2e42..ca2781257 100644 --- a/rules/linux/process_creation/lnx_file_and_directory_discovery.yml +++ b/rules/linux/process_creation/lnx_file_and_directory_discovery.yml @@ -11,17 +11,17 @@ logsource: category: process_creation product: linux detection: - file_with_asterisk: + select_file_with_asterisk: Image|endswith: '/file' CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline - recursive_ls: + select_recursive_ls: Image|endswith: '/ls' CommandLine|contains: '-R' - find_execution: + select_find_execution: Image|endswith: '/find' - tree_execution: + select_tree_execution: Image|endswith: '/tree' - condition: 1 of them + condition: 1 of select* falsepositives: - Legitimate activities level: informational diff --git a/rules/linux/process_creation/lnx_local_account.yml b/rules/linux/process_creation/lnx_local_account.yml index a59756079..881b6c683 100644 --- a/rules/linux/process_creation/lnx_local_account.yml +++ b/rules/linux/process_creation/lnx_local_account.yml @@ -31,7 +31,7 @@ detection: - '/lsof' CommandLine|contains: - '-u' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/process_creation/lnx_local_groups.yml b/rules/linux/process_creation/lnx_local_groups.yml index b8a13846f..1dad31c4d 100644 --- a/rules/linux/process_creation/lnx_local_groups.yml +++ b/rules/linux/process_creation/lnx_local_groups.yml 
@@ -19,7 +19,7 @@ detection: - '/cat' CommandLine|contains: - '/etc/group' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/process_creation/lnx_remote_system_discovery.yml b/rules/linux/process_creation/lnx_remote_system_discovery.yml index 632cde7af..c54f9d6f2 100644 --- a/rules/linux/process_creation/lnx_remote_system_discovery.yml +++ b/rules/linux/process_creation/lnx_remote_system_discovery.yml @@ -37,7 +37,7 @@ detection: - ' 172.31.' - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/process_creation/lnx_security_tools_disabling.yml b/rules/linux/process_creation/lnx_security_tools_disabling.yml index b8e5b816b..56bc28af5 100644 --- a/rules/linux/process_creation/lnx_security_tools_disabling.yml +++ b/rules/linux/process_creation/lnx_security_tools_disabling.yml 
@@ -15,70 +15,70 @@ logsource: category: process_creation product: linux detection: - iptables_1: + selection_iptables_1: Image|endswith: '/service' CommandLine|contains|all: - 'iptables' - 'stop' - iptables_2: + selection_iptables_2: Image|endswith: '/service' CommandLine|contains|all: - 'ip6tables' - 'stop' - iptables_3: + selection_iptables_3: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'iptables' - 'stop' - iptables_4: + selection_iptables_4: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'ip6tables' - 'stop' - firewall_1: + selection_firewall_1: Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'stop' - firewall_2: + selection_firewall_2: Image|endswith: '/systemctl' CommandLine|contains|all: - 'firewalld' - 'disable' - carbonblack_1: + selection_carbonblack_1: Image|endswith: '/service' CommandLine|contains|all: - 'cbdaemon' - 'stop' - carbonblack_2: + selection_carbonblack_2: Image|endswith: '/chkconfig' CommandLine|contains|all: - 'cbdaemon' - 'off' - carbonblack_3: + selection_carbonblack_3: Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'stop' - carbonblack_4: + selection_carbonblack_4: Image|endswith: '/systemctl' CommandLine|contains|all: - 'cbdaemon' - 'disable' - selinux: + selection_selinux: Image|endswith: '/setenforce' CommandLine|contains: '0' - crowdstrike_1: + selection_crowdstrike_1: Image|endswith: '/systemctl' CommandLine|contains|all: - 'stop' - 'falcon-sensor' - crowdstrike_2: + selection_crowdstrike_2: Image|endswith: '/systemctl' CommandLine|contains|all: - 'disable' - 'falcon-sensor' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration activities level: medium \ No newline at end of file diff --git a/rules/network/net_apt_equationgroup_c2.yml b/rules/network/net_apt_equationgroup_c2.yml index 162c60a74..859e91da0 100755 --- a/rules/network/net_apt_equationgroup_c2.yml +++ b/rules/network/net_apt_equationgroup_c2.yml 
@@ -11,15 +11,15 @@ modified: 2021/11/27 logsource: category: firewall detection: - outgoing: + select_outgoing: dst_ip: - '69.42.98.86' - '89.185.234.145' - incoming: + select_incoming: src_ip: - '69.42.98.86' - '89.185.234.145' - condition: 1 of them + condition: 1 of select* falsepositives: - Unknown level: high diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index 05716fee9..d07c4f8ab 100644 --- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml @@ -17,7 +17,7 @@ detection: - 'post.1' selection2: query|contains: '.stage.123456.' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml index 0f3048cee..b586d3831 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml @@ -41,7 +41,7 @@ detection: op10: endpoint: 'svcctl' operation: 'StartServiceW' - condition: 1 of them + condition: 1 of op* falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software' diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml index 4e2eef82d..4621e4f36 100644 --- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml +++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml @@ -29,7 +29,7 @@ detection: op6: endpoint: 'ISecLogon' operation: 'SeclCreateProcessWithLogonExW' - condition: 1 of them + condition: 1 of op* falsepositives: - 'Windows administrator tasks or troubleshooting' - 'Windows management scripts or software' diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml index 75b258d15..c40499fe3 100644 --- a/rules/proxy/proxy_cobalt_malformed_uas.yml 
+++ b/rules/proxy/proxy_cobalt_malformed_uas.yml @@ -17,7 +17,7 @@ detection: - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" selection2: c-useragent|endswith: '; MANM; MANM)' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml index 4d65fbdfe..4e74868c8 100644 --- a/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml +++ b/rules/web/web_citrix_cve_2020_8193_8195_exploit.yml @@ -19,7 +19,7 @@ detection: - '/pcidss/report' - 'type=all_signatures' - 'sig_name=_default_signature_' - condition: 1 of them + condition: 1 of selection* fields: - client_ip - vhost diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml index cb06e1d0f..d9bdd9bd7 100644 --- a/rules/web/web_exchange_exploitation_hafnium.yml +++ b/rules/web/web_exchange_exploitation_hafnium.yml @@ -56,7 +56,7 @@ detection: c-uri|contains|all: - '/ecp/' - '.js' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related level: high \ No newline at end of file diff --git a/rules/web/web_unc2546_dewmode_php_webshell.yml b/rules/web/web_unc2546_dewmode_php_webshell.yml index 5bb939af3..2bf1fa7d1 100644 --- a/rules/web/web_unc2546_dewmode_php_webshell.yml +++ b/rules/web/web_unc2546_dewmode_php_webshell.yml @@ -22,7 +22,7 @@ detection: - '&dwn=' - '?fn=' - '.html?' - condition: 1 of them + condition: 1 of selection* fields: - client_ip - response diff --git a/rules/windows/deprecated/sysmon_rclone_execution.yml b/rules/windows/deprecated/sysmon_rclone_execution.yml index b895b3a05..324e0709b 100644 --- a/rules/windows/deprecated/sysmon_rclone_execution.yml +++ b/rules/windows/deprecated/sysmon_rclone_execution.yml 
@@ -43,4 +43,4 @@ detection: - '--auto-confirm' - '--transfers' - '--multi-thread-streams' - condition: 1 of them + condition: 1 of selection* diff --git a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml index 42fc9bc23..7f3e6b0a4 100644 --- a/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml +++ b/rules/windows/dns_query/dns_net_mal_cobaltstrike.yml @@ -21,7 +21,7 @@ detection: - 'post.1' selection2: QueryName|contains: '.stage.123456.' - condition: 1 of them + condition: 1 of selection* fields: - Image - CommandLine diff --git a/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml index 1bd01a7e9..9de9a86c8 100644 --- a/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml +++ b/rules/windows/file_event/file_event_win_shell_write_susp_directory.yml @@ -38,7 +38,7 @@ detection: - 'C:\PerfLogs' - '\AppData\' - 'C:\Windows\Temp' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml index e050210da..52e5887a8 100644 --- a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml +++ b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml @@ -21,7 +21,7 @@ detection: - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' Image|contains: - '\AppData\Local\Temp\' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown - UAC bypass method used by other malware diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml index 67e1f7a93..d55792423 100644 --- a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml 
@@ -30,7 +30,7 @@ detection: PipeName|startswith: '\status_' selection_msagent: PipeName|startswith: '\msagent_' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml index 747f5270c..6af74afc1 100644 --- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml @@ -61,7 +61,7 @@ detection: - 'New-Object' - 'Net.WebClient' - '.Download' - condition: 1 of them + condition: 1 of selection* falsepositives: - Penetration tests level: high diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml index 89489c328..929a6581f 100644 --- a/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml @@ -17,14 +17,14 @@ logsource: category: ps_script definition: Script block logging must be enabled detection: - convert_b64: + select_convert_b64: ScriptBlockText|contains|all: - '-nop' - ' -w ' - 'hidden' - ' -c ' - '[Convert]::FromBase64String' - iex_selection: + select_iex_selection: ScriptBlockText|contains|all: - ' -w ' - 'hidden' 
@@ -33,20 +33,20 @@ detection: - ' -c ' - 'iex' - 'New-Object' - enc_selection: + select_enc_selection: ScriptBlockText|contains|all: - ' -w ' - 'hidden' - '-ep' - 'bypass' - '-Enc' - reg_selection: + select_reg_selection: ScriptBlockText|contains|all: - 'powershell' - 'reg' - 'add' - 'HKCU\software\microsoft\windows\currentversion\run' - webclient_selection: + select_webclient_selection: ScriptBlockText|contains|all: - 'bypass' - '-noprofile' @@ -55,13 +55,13 @@ detection: - 'new-object' - 'system.net.webclient' - '.download' - iex_webclient: + select_iex_webclient: ScriptBlockText|contains|all: - 'iex' - 'New-Object' - 'Net.WebClient' - '.Download' - condition: 1 of them + condition: 1 of select* falsepositives: - Penetration tests level: high diff --git a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml index 63c8dd1b8..7da6f41fd 100644 --- a/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/wim_pc_apt_chafer_mar18.yml @@ -43,7 +43,7 @@ detection: - '\nslookup.exe' - '-q=TXT' ParentImage|contains: '\Autoit' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml index ad472d872..4ee34b3c6 100755 --- a/rules/windows/process_creation/win_apt_elise.yml +++ b/rules/windows/process_creation/win_apt_elise.yml @@ -16,7 +16,7 @@ detection: CommandLine|contains: '\Windows\Caches\NavShExt.dll ' selection2: CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index d2f5677ae..5590dd0df 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml 
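Review bot: The renamed selections `select_iex_selection`, `select_enc_selection`, `select_reg_selection` and `select_webclient_selection` carry both the new `select_` prefix and the old `_selection` suffix, which reads as a mechanical rename rather than a name; `selection_iex`, `selection_enc`, `selection_reg`, `selection_webclient` with `condition: 1 of selection*` would match the contextinfo twin of this rule, which already uses `selection*`, and tie the condition glob to the one prefix used elsewhere in the series. The @@ -17 and @@ -55 hunks of this file carry the same names and would change together.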
+++ b/rules/windows/process_creation/win_apt_empiremonkey.yml @@ -17,7 +17,7 @@ detection: selection_regsvr32: CommandLine|endswith: '/i:%APPDATA%\logs.txt scrobj.dll' Description: 'Microsoft(C) Registerserver' - condition: 1 of them + condition: 1 of selection* falsepositives: - Very Unlikely level: critical diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 73646153f..239bec27a 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -18,7 +18,7 @@ detection: CommandLine|endswith: ',dll_u' selection2: CommandLine|contains: ' -export dll_u ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index 443beebb3..6a1b7e668 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml @@ -50,7 +50,7 @@ detection: - '\programdata\oracle\java.exe' - 'CSIDL_COMMON_APPDATA\comms\comms.exe' - '\Programdata\VMware\Vmware.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml index 30c41f2ba..aba2a631d 100644 --- a/rules/windows/process_creation/win_apt_hafnium.yml +++ b/rules/windows/process_creation/win_apt_hafnium.yml @@ -66,7 +66,7 @@ detection: - 'dsquery' - ' -uco ' - '\inetpub\wwwroot' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml index 2acce96ce..9926930f7 100644 
--- a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml +++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml @@ -29,7 +29,7 @@ detection: - ':\Users\Public\' Image: - 'C:\Windows\System32\rundll32.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Should not be any false positives level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml index 6b5fcccaf..dec51827b 100644 --- a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml @@ -34,7 +34,7 @@ detection: selection4: CommandLine|contains: - '.255 10 C:\ProgramData\' - condition: 1 of them + condition: 1 of selection* falsepositives: - Overlap with legitimate process activity in some cases (especially selection 3 and 4) level: critical diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index c1bac606d..ad9ddff19 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -26,7 +26,7 @@ detection: - '/F' selection2: Image|endswith: 'Temp\winwsh.exe' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml index c30876f52..308d6f6b3 100644 --- a/rules/windows/process_creation/win_apt_turla_comrat_may20.yml +++ b/rules/windows/process_creation/win_apt_turla_comrat_may20.yml @@ -20,7 +20,7 @@ detection: CommandLine|contains|all: - 'net use https://docs.live.net' - '@aol.co.uk' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: critical 
diff --git a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml index 1994397ba..595829255 100644 --- a/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml +++ b/rules/windows/process_creation/win_apt_winnti_mal_hk_jan20.yml @@ -27,7 +27,7 @@ detection: selection5: ParentImage|startswith: 'C:\ProgramData\DRM\Windows' Image|endswith: '\SearchFilterHost.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unlikely level: critical diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml index 3dba59566..3a4d55978 100644 --- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml @@ -21,7 +21,7 @@ detection: - '-x:0' - '-x:1' - '-x:2' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate setups that use similar flags level: critical diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 928f9aea7..9d7154328 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -27,7 +27,7 @@ detection: CommandLine|contains|all: - 'format:' - 'http' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml index 894add395..57d611743 100644 --- a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml 
@@ -34,7 +34,7 @@ detection: Image|endswith: '\cmd.exe' ParentImage|endswith: '\runonce.exe' ParentCommandLine|endswith: '\runonce.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - Other programs that cause these patterns (please report) level: high diff --git a/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml index 3b377a1c2..6c7523e0d 100644 --- a/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml @@ -22,7 +22,7 @@ detection: - '\..\..\' selection2: CommandLine|contains: '.exe\..\' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml index c83f97404..8f8be3398 100644 --- a/rules/windows/process_creation/win_crime_maze_ransomware.yml +++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml @@ -35,7 +35,7 @@ detection: selection3: CommandLine|endswith: 'shadowcopy delete' CommandLine|contains: '\..\..\system32' - condition: 1 of them + condition: 1 of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml index 32bcf3f1e..0427c2e97 100644 --- a/rules/windows/process_creation/win_etw_trace_evasion.yml +++ b/rules/windows/process_creation/win_etw_trace_evasion.yml @@ -47,7 +47,7 @@ detection: - 'trace' - '--p' - '-ets' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_hack_bloodhound.yml b/rules/windows/process_creation/win_hack_bloodhound.yml index 4902f643d..3288e0325 100644 --- a/rules/windows/process_creation/win_hack_bloodhound.yml 
+++ b/rules/windows/process_creation/win_hack_bloodhound.yml @@ -30,7 +30,7 @@ detection: CommandLine|contains|all: - ' DCOnly ' - ' --NoSaveCache ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Other programs that use these command line option and accepts an 'All' parameter level: high diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index 8b29ea34b..3555ed2db 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -23,7 +23,7 @@ detection: Image|endswith: 'PasswordDump.exe' selection3: OriginalFileName|endswith: 'PasswordDump.exe' - condition: 1 of them + condition: 1 of selection* falsepositives: - unlikely level: critical diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index ea76cc39e..a54f7b140 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -19,7 +19,7 @@ detection: Image|contains: '\CreateMiniDump.exe' selection2: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index f1519e1f8..1401ee4b8 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml 
@@ -12,18 +12,18 @@ logsource: category: process_creation product: windows detection: - pipe_com: + select_pipe_com: CommandLine|contains|all: - '\AppData\Local\Temp\' - '\\.\pipe\\' - rundll32_dash1: + select_rundll32_dash1: Image|endswith: '\rundll32.exe' CommandLine|endswith: - '.dat,#1' - '.dat #1' # Sysmon removes comma - perfc_keyword: + select_perfc_keyword: - '\perfc.dat' - condition: 1 of them + condition: 1 of select* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index aac188521..5498fac78 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -44,7 +44,7 @@ detection: - 'catalog' - '-quiet' - CommandLine|contains: '@Please_Read_Me@.txt' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml index fc112e749..1bef8de86 100644 --- a/rules/windows/process_creation/win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/win_netsh_allow_port_rdp.yml @@ -23,7 +23,7 @@ detection: - action=allow - protocol=TCP - localport=3389 - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate administration level: high diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml index 4d5072552..f9cdc7643 100644 --- a/rules/windows/process_creation/win_powershell_disable_windef_av.yml +++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml 
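Review bot: The renamed identifiers in win_malware_notpetya.yml use the prefix `select_` with `condition: 1 of select*`, while every other rule touched in this patch uses `selection*` (for example `selection_tamper_cmd_stop` in win_powershell_disable_windef_av.yml). A single prefix across the repository keeps rules greppable and lets the same condition string be reused; the keys would become `selection_pipe_com:`, `selection_rundll32_dash1:` and `selection_perfc_keyword:` with `condition: 1 of selection*`. Here the hunk runs from `detection:` to `condition:`, so the three identifiers shown are the whole block and the new wildcard is equivalent to the old `1 of them`.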
@@ -22,18 +22,18 @@ detection: CommandLine|contains: - '-DisableBehaviorMonitoring $true' - '-DisableRuntimeMonitoring $true' - tamper_cmd_stop: + selection_tamper_cmd_stop: CommandLine|contains|all: - sc - stop - WinDefend - tamper_cmd_disabled: + selection_tamper_cmd_disabled: CommandLine|contains|all: - sc - config - WinDefend - 'start=disabled' - condition: 1 of them + condition: 1 of selection* falsepositives: - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.' level: high diff --git a/rules/windows/process_creation/win_susp_disable_ie_features.yml b/rules/windows/process_creation/win_susp_disable_ie_features.yml index df82ef723..96cb4a40a 100644 --- a/rules/windows/process_creation/win_susp_disable_ie_features.yml +++ b/rules/windows/process_creation/win_susp_disable_ie_features.yml @@ -23,7 +23,7 @@ detection: CommandLine|contains|all: - ' -name DisableFirstRunCustomize ' - ' -value 2 ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Unknown, maybe some security software installer disables these features temporarily level: high diff --git a/rules/windows/process_creation/win_susp_disable_raccine.yml b/rules/windows/process_creation/win_susp_disable_raccine.yml index 15c00f7fb..2f2336e35 100644 --- a/rules/windows/process_creation/win_susp_disable_raccine.yml +++ b/rules/windows/process_creation/win_susp_disable_raccine.yml @@ -28,7 +28,7 @@ detection: - 'schtasks' - '/DELETE' - 'Raccine Rules Updater' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate deinstallation by administrative staff level: high diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml index 285ccec90..9dc7023c9 100644 --- a/rules/windows/process_creation/win_susp_ngrok_pua.yml 
+++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml @@ -38,7 +38,7 @@ detection: - ' tcp ' - ' http ' - ' authtoken ' - condition: 1 of them + condition: 1 of selection* falsepositives: - Another tool that uses the command line switches of Ngrok - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index c8f937c85..0e98a9e1f 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml @@ -50,7 +50,7 @@ detection: CommandLine|contains: - '\AppData\Local' - 'C:\Users\Public' - condition: 1 of them + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml index 7d3009e74..02b621faf 100644 --- a/rules/windows/process_creation/win_trust_discovery.yml +++ b/rules/windows/process_creation/win_trust_discovery.yml @@ -36,7 +36,7 @@ detection: CommandLine|contains|all: - '-filter' - 'trustedDomain' - condition: 1 of them + condition: 1 of selection* falsepositives: - Legitimate use of the utilities by legitimate user for legitimate reason level: medium diff --git a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml index 4d969f09a..25b700088 100644 --- a/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml +++ b/rules/windows/registry_event/registry_event_mstsc_history_cleared.yml @@ -21,7 +21,7 @@ detection: selection2: EventType: DeleteKey TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\' - condition: 1 of them + condition: 1 of selection* falsepositives: - unknown level: high 
diff --git a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml index 82b14f362..2e07a2d8c 100755 --- a/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml +++ b/rules/windows/registry_event/sysmon_narrator_feedback_persistance.yml @@ -16,7 +16,7 @@ detection: TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' selection2: TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' - condition: 1 of them + condition: 1 of selection* falsepositives: - unknown level: high From f7e670d55eff9f23ba12a4afdaadb4689c141fd5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 Jan 2022 13:40:53 +0100 Subject: [PATCH 04/20] Simple Quote --- rules/linux/builtin/lnx_shell_susp_rev_shells.yml | 4 ++-- .../macos/process_creation/macos_local_account.yml | 2 +- rules/linux/other/lnx_susp_vsftp.yml | 2 +- rules/linux/process_creation/lnx_local_account.yml | 2 +- .../zeek/zeek_dce_rpc_domain_user_enumeration.yml | 4 ++-- ...k_dce_rpc_printnightmare_print_driver_install.yml | 12 ++++++------ rules/proxy/proxy_cobalt_malformed_uas.yml | 6 +++--- rules/proxy/proxy_ursnif_malware_c2_url.yml | 8 ++++---- rules/web/web_exchange_cve_2020_0688_exploit.yml | 6 +++--- .../builtin/security/win_rdp_localhost_login.yml | 4 ++-- .../process_creation_mal_darkside_ransomware.yml | 8 +++----- .../powershell_azurehound_commands.yml | 3 +-- .../powershell_script/powershell_ntfs_ads_access.yml | 7 +++---- .../win_powershell_xor_commandline.yml | 2 +- ...eys_unauthenticated_privileged_console_access.yml | 5 ++--- .../win_susp_crackmapexec_powershell_obfuscation.yml | 8 ++++---- .../win_susp_emotet_rundll32_execution.yml | 2 +- .../win_susp_spoolsv_child_processes.yml | 4 ++-- 18 files changed, 42 insertions(+), 47 deletions(-) 
diff --git a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml index 89376d456..e8fe87ee7 100644 --- a/rules/linux/builtin/lnx_shell_susp_rev_shells.yml +++ b/rules/linux/builtin/lnx_shell_susp_rev_shells.yml @@ -27,10 +27,10 @@ detection: - '/bin/sh -i <&3 >&3 2>&3' - 'uname -a; w; id; /bin/bash -i' - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' - - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');" + - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');' - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' - - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:" + - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:' - 'rm -f /tmp/p; mknod /tmp/p p &&' - ' | /bin/bash | telnet ' - ',echo=0,raw tcp-listen:' diff --git a/rules/linux/macos/process_creation/macos_local_account.yml b/rules/linux/macos/process_creation/macos_local_account.yml index 799398f8c..5274f9fbc 100644 --- a/rules/linux/macos/process_creation/macos_local_account.yml +++ b/rules/linux/macos/process_creation/macos_local_account.yml @@ -25,7 +25,7 @@ detection: - 'user' selection_3: CommandLine|contains: - - "'x:0:'" + - '''x:0:''' selection_4: Image|endswith: - '/cat' diff --git a/rules/linux/other/lnx_susp_vsftp.yml b/rules/linux/other/lnx_susp_vsftp.yml index 80b9d2c51..9109c095c 100644 --- a/rules/linux/other/lnx_susp_vsftp.yml +++ b/rules/linux/other/lnx_susp_vsftp.yml @@ -22,7 +22,7 @@ detection: - 'bug: pid active in ptrace_sandbox_free' - 'PTRACE_SETOPTIONS failure' - 'weird status:' - - "couldn't handle sandbox event" + - 'couldn''t handle sandbox event' - 'syscall * out of bounds' - 'syscall not permitted:' - 'syscall validate failed:' 
diff --git a/rules/linux/process_creation/lnx_local_account.yml b/rules/linux/process_creation/lnx_local_account.yml index 881b6c683..a8e4cdaf2 100644 --- a/rules/linux/process_creation/lnx_local_account.yml +++ b/rules/linux/process_creation/lnx_local_account.yml @@ -16,7 +16,7 @@ detection: - '/lastlog' selection_2: CommandLine|contains: - - "'x:0:'" + - '''x:0:''' selection_3: Image|endswith: - '/cat' diff --git a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml index e8b7378fd..316835f92 100644 --- a/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml +++ b/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml @@ -2,8 +2,8 @@ title: Domain User Enumeration Network Recon 01 description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29 id: 66a0bdc6-ee04-441a-9125-99d2eb547942 references: - - "https://github.com/OTRF/detection-hackathon-apt29" - - "https://github.com/OTRF/detection-hackathon-apt29/issues/37" + - https://github.com/OTRF/detection-hackathon-apt29 + - https://github.com/OTRF/detection-hackathon-apt29/issues/37 author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)' date: 2020/05/03 modified: 2021/11/14 diff --git a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml index da006cf6b..c8c0ccfad 100644 --- a/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml +++ b/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml 
@@ -25,12 +25,12 @@ logsource: detection: printer_operation: operation: - - "RpcAsyncInstallPrinterDriverFromPackage" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e - - "RpcAsyncAddPrintProcessor" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c - - "RpcAddPrintProcessor" # "12345678-1234-abcd-ef00-0123456789ab",0x0e - - "RpcAddPrinterDriverEx" # "12345678-1234-abcd-ef00-0123456789ab",0x59 - - "RpcAddPrinterDriver" # "12345678-1234-abcd-ef00-0123456789ab",0x09 - - "RpcAsyncAddPrinterDriver" # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 + - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e + - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c + - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e + - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59 + - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09 + - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27 condition: printer_operation falsepositives: - Legitimate remote alteration of a printer driver. diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml index c40499fe3..a3b19690c 100644 --- a/rules/proxy/proxy_cobalt_malformed_uas.yml +++ b/rules/proxy/proxy_cobalt_malformed_uas.yml @@ -12,9 +12,9 @@ logsource: detection: selection1: c-useragent: - - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" - - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" - - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)' + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )' + - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08' selection2: c-useragent|endswith: '; MANM; MANM)' condition: 1 of selection* 
diff --git a/rules/proxy/proxy_ursnif_malware_c2_url.yml b/rules/proxy/proxy_ursnif_malware_c2_url.yml index c1e0b5ca1..d9f0aa5df 100644 --- a/rules/proxy/proxy_ursnif_malware_c2_url.yml +++ b/rules/proxy/proxy_ursnif_malware_c2_url.yml @@ -12,12 +12,12 @@ logsource: detection: b64encoding: c-uri|contains: - - "_2f" - - "_2b" + - '_2f' + - '_2b' urlpatterns: c-uri|contains|all: - - ".avi" - - "/images/" + - '.avi' + - '/images/' condition: b64encoding and urlpatterns fields: - c-ip diff --git a/rules/web/web_exchange_cve_2020_0688_exploit.yml b/rules/web/web_exchange_cve_2020_0688_exploit.yml index 7e25ca23a..1c086ad22 100644 --- a/rules/web/web_exchange_cve_2020_0688_exploit.yml +++ b/rules/web/web_exchange_cve_2020_0688_exploit.yml @@ -12,9 +12,9 @@ logsource: detection: selection: c-uri|contains|all: - - "/ecp/default.aspx" - - "__VIEWSTATEGENERATOR=" - - "__VIEWSTATE=" + - '/ecp/default.aspx' + - '__VIEWSTATEGENERATOR=' + - '__VIEWSTATE=' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_rdp_localhost_login.yml b/rules/windows/builtin/security/win_rdp_localhost_login.yml index 1b18f26cc..f6ddb6e44 100644 --- a/rules/windows/builtin/security/win_rdp_localhost_login.yml +++ b/rules/windows/builtin/security/win_rdp_localhost_login.yml @@ -20,8 +20,8 @@ detection: EventID: 4624 LogonType: 10 IpAddress: - - "::1" - - "127.0.0.1" + - '::1' + - '127.0.0.1' condition: selection falsepositives: - Unknown diff --git a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml index 52e5887a8..9f8cb2a8f 100644 --- a/rules/windows/malware/process_creation_mal_darkside_ransomware.yml +++ b/rules/windows/malware/process_creation_mal_darkside_ransomware.yml 
@@ -14,13 +14,11 @@ logsource: detection: selection1: CommandLine|contains: - - "=[char][byte]('0x'+" + - '=[char][byte](''0x''+' - ' -work worker0 -path ' selection2: - ParentCommandLine|contains: - - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - Image|contains: - - '\AppData\Local\Temp\' + ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + Image|contains: '\AppData\Local\Temp\' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml index 491e1d7c5..ba1adbeb0 100644 --- a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml +++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml @@ -13,8 +13,7 @@ logsource: definition: Script Block Logging must be enable detection: selection: - ScriptBlockText|contains: - - "Invoke-AzureHound" + ScriptBlockText|contains: Invoke-AzureHound condition: selection tags: - attack.discovery diff --git a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml index 7ba724b77..fa8335566 100644 --- a/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml +++ b/rules/windows/powershell/powershell_script/powershell_ntfs_ads_access.yml @@ -22,11 +22,10 @@ logsource: detection: selection_content: ScriptBlockText|contains: - - "set-content" - - "add-content" + - set-content + - add-content selection_stream: - ScriptBlockText|contains: - - "-stream" + ScriptBlockText|contains: '-stream' condition: all of selection* falsepositives: - unknown diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index 55ed270f2..c09ec56b0 100644 
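Review bot: The hunks in powershell_azurehound_commands.yml and powershell_ntfs_ads_access.yml leave `Invoke-AzureHound`, `set-content` and `add-content` as bare scalars while the neighbouring `'-stream'` and every other value rewritten in this patch is single-quoted, which is an odd exception in a change whose purpose is quote normalisation. All three parse as strings, so this is style only, but `ScriptBlockText|contains: 'Invoke-AzureHound'`, `- 'set-content'` and `- 'add-content'` would make the files consistent with the rest of the patch and protect against a future edit that prepends a YAML indicator character.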
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml @@ -16,7 +16,7 @@ detection: CommandLine|contains: - 'bxor' - '-join ' - - "-join'" + - '-join''' - '-join"' - '-join`' - 'char' diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml index 18cddb9e6..fc9cb34de 100644 --- a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml @@ -6,7 +6,7 @@ references: - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf status: experimental date: 2020/02/18 -modified: 2021/06/11 +modified: 2022/01/11 author: Sreeman tags: - attack.t1015 # an old one @@ -17,8 +17,7 @@ logsource: category: process_creation detection: selection: - CommandLine: - - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe" + CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml index 1a3cdca0b..587425522 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_powershell_obfuscation.yml 
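Review bot: The rewritten `CommandLine: 'copy /y C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'` in win_sticky_keys_unauthenticated_privileged_console_access.yml is an exact match on the whole command line, so the rule fires only for this precise spelling and any variation in switches, spacing or drive letter falls outside it. Since the line is being rewritten anyway, a `CommandLine|contains|all:` with `- 'cmd.exe'` and `- '\sethc.exe'` would cover the variants the rule is meant to catch, at the cost of reviewing `falsepositives:` for the broader match. The quoting change itself is equivalent: the `\\` escapes of the old double-quoted string and the literal backslashes of the new single-quoted one yield the same value.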
@@ -18,11 +18,11 @@ detection: CommandLine|contains: - 'join*split' # Line 343ff - - "( $ShellId[1]+$ShellId[13]+'x')" + - '( $ShellId[1]+$ShellId[13]+''x'')' - '( $PSHome[*]+$PSHOME[*]+' - - "( $env:Public[13]+$env:Public[5]+'x')" - - "( $env:ComSpec[4,*,25]-Join'')" - - "[1,3]+'x'-Join'')" + - '( $env:Public[13]+$env:Public[5]+''x'')' + - '( $env:ComSpec[4,*,25]-Join'''')' + - '[1,3]+''x''-Join'''')' condition: powershell_execution and snippets fields: - ComputerName diff --git a/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml index f5e70dfcf..104842f68 100644 --- a/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml +++ b/rules/windows/process_creation/win_susp_emotet_rundll32_execution.yml @@ -26,7 +26,7 @@ detection: CommandLine|endswith: - '.dll,Control_RunDLL' - '.dll",Control_RunDLL' - - ".dll',Control_RunDLL" + - '.dll'',Control_RunDLL' filter_ide: ParentImage|endswith: - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe diff --git a/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml b/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml index 09dffbc8d..1029690e0 100644 --- a/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml +++ b/rules/windows/process_creation/win_susp_spoolsv_child_processes.yml @@ -55,8 +55,8 @@ detection: Image|endswith: \netsh.exe suspicious_netsh_filter: CommandLine|contains: - - "add portopening" - - "rule name" + - 'add portopening' + - 'rule name' suspicious_powershell: Image|endswith: \powershell.exe suspicious_powershell_filter: From 0d553a832b0ebd01a564cbd19117d187e55337ba Mon Sep 17 00:00:00 2001 
From: Tim Shelton Date: Tue, 11 Jan 2022 14:59:47 +0000 Subject: [PATCH 05/20] updating condition per @frack113 preference --- .../file_event/file_event_win_cscript_wscript_dropper.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml index b25ae4ba6..388726e49 100644 --- a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml +++ b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml @@ -9,12 +9,12 @@ references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton date: 2022/01/10 -modified: 2022/01/10 +modified: 2022/01/11 logsource: category: file_event product: windows detection: - selection1: + selection: Image|endswith: - '\wscript.exe' - '\cscript.exe' @@ -27,7 +27,7 @@ detection: - '.js' - '.vba' - '.vbs' - condition: 1 of selection* + condition: 1 of selection fields: - Image - TargetFilename From 9b261a5cb708b388abbb1ec4c0e61bbe1db2ed08 Mon Sep 17 00:00:00 2001 From: Ahmet Salih Date: Tue, 11 Jan 2022 18:23:30 +0300 Subject: [PATCH 06/20] Update powershell_suspicious_invocation_specific_in_contextinfo.yml close #2546 --- ...suspicious_invocation_specific_in_contextinfo.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml index 6af74afc1..1859ba45a 100644 --- a/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml +++ b/rules/windows/powershell/powershell_module/powershell_suspicious_invocation_specific_in_contextinfo.yml 
@@ -17,14 +17,14 @@ logsource: category: ps_module definition: Script block logging must be enabled detection: - convert_b64: + selection_convert_b64: ContextInfo|contains|all: - '-nop' - ' -w ' - 'hidden' - ' -c ' - '[Convert]::FromBase64String' - iex_selection: + selection_iex: ContextInfo|contains|all: - ' -w ' - 'hidden' @@ -33,20 +33,20 @@ detection: - ' -c ' - 'iex' - 'New-Object' - enc_selection: + selection_enc: ContextInfo|contains|all: - ' -w ' - 'hidden' - '-ep' - 'bypass' - '-Enc' - reg_selection: + selection_reg: ContextInfo|contains|all: - 'powershell' - 'reg' - 'add' - 'HKCU\software\microsoft\windows\currentversion\run' - webclient_selection: + selection_webclient: ContextInfo|contains|all: - 'bypass' - '-noprofile' @@ -55,7 +55,7 @@ detection: - 'new-object' - 'system.net.webclient' - '.download' - iex_webclient: + selection_iex_webclient: ContextInfo|contains|all: - 'iex' - 'New-Object' From 7b77be3453819af791ba997d59fa3f48d876bd00 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 Jan 2022 20:51:57 +0100 Subject: [PATCH 07/20] Fix condition --- .../file_event/file_event_win_cscript_wscript_dropper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml index 388726e49..b28196367 100644 --- a/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml +++ b/rules/windows/file_event/file_event_win_cscript_wscript_dropper.yml @@ -27,7 +27,7 @@ detection: - '.js' - '.vba' - '.vbs' - condition: 1 of selection + condition: selection fields: - Image - TargetFilename From 6554556c14ecc7cc745bfa313d211487297486e1 Mon Sep 17 00:00:00 2001 From: Bhabesh Date: Wed, 12 Jan 2022 12:55:07 +0545 Subject: [PATCH 08/20] Added two filters to reduce FP --- .../process_access/sysmon_cred_dump_lsass_access.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) 
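Review bot: The six renames in powershell_suspicious_invocation_specific_in_contextinfo.yml (`convert_b64` → `selection_convert_b64`, `iex_selection` → `selection_iex`, and so on) do not touch the `condition:` line, which lies below the last hunk; if that line names the identifiers explicitly rather than using `1 of them` or `1 of selection*`, the rule no longer compiles after this change. The diffstat (6 insertions, 6 deletions) indicates the condition was not edited, which is consistent with a wildcard form, but that should be confirmed before merge. The body of `selection_iex_webclient` also continues past the end of the hunk.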
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml index b88705799..9b873293a 100755 --- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml @@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2021/12/10 +modified: 2022/01/12 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -82,6 +82,14 @@ detection: filter9: SourceImage|endswith: '\explorer.exe' GrantedAccess: '0x401' + filter10: + SourceImage: 'C:\Windows\system32\wininit.exe' + GrantedAccess: '0x1000000' + filter11: + SourceImage: 'C:\Windows\system32\MRT.exe' # Windows Malicious Software Removal Tool + GrantedAccess: + - '0x1410' + - '0x1418' filter_generic: SourceImage|startswith: - 'C:\Program Files\' From f77da595c4dbf016ce199f36d78611eb2294a27e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Jan 2022 11:32:34 +0100 Subject: [PATCH 09/20] fix: FPs noticed with Aurora --- rules/windows/image_load/sysmon_wmi_module_load.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml index 9b2f87abb..971fdb340 100755 --- a/rules/windows/image_load/sysmon_wmi_module_load.yml +++ b/rules/windows/image_load/sysmon_wmi_module_load.yml 
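Review bot: `filter10` excludes `C:\Windows\system32\wininit.exe` on `GrantedAccess: '0x1000000'` without the explanatory comment that `filter11` carries (`# Windows Malicious Software Removal Tool`); a comment naming the legitimate activity behind this access mask would tell the next maintainer why it is benign and when the exclusion can be revisited. Both new filters key on the `SourceImage` path only, the same trade-off the existing `filter_generic` accepts, so the exact `GrantedAccess` values are what keep these exclusions narrow — they should stay as exact values rather than being widened to a `|startswith` or a broader mask later. The `filter_generic` block continues past the end of the hunk.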
@@ -3,7 +3,7 @@ id: 671bb7e3-a020-4824-a00e-2ee5b55f385e description: Detects non wmiprvse loading WMI modules status: experimental date: 2019/08/10 -modified: 2021/11/25 +modified: 2022/01/12 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html @@ -48,6 +48,8 @@ detection: - '\explorer.exe' - '\opera_autoupdate.exe' - '\MsMpEng.exe' + - '\thor64.exe' + - '\thor.exe' filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to Image|startswith: - 'C:\Program Files\' From b6d4e39538d2cd62729062e2e6b978f6de87bdd1 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 12 Jan 2022 12:55:49 +0100 Subject: [PATCH 10/20] feat: check for the existence of a description field it is not mandatory in the sigma standard but mandatory for this repository --- .../file_event/file_event_susp_task_write.yml | 7 ++++--- .../powershell_azurehound_commands.yml | 5 +++-- .../win_purplesharp_indicators.yml | 7 +++---- tests/test_rules.py | 17 +++++++++++++++++ 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/rules/windows/file_event/file_event_susp_task_write.yml b/rules/windows/file_event/file_event_susp_task_write.yml index 1204a2901..c2cee9c49 100644 --- a/rules/windows/file_event/file_event_susp_task_write.yml +++ b/rules/windows/file_event/file_event_susp_task_write.yml 
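Review bot: The new `'\thor64.exe'` and `'\thor.exe'` entries in sysmon_wmi_module_load.yml extend an `Image|endswith` filter, so a binary with that name in any directory, including user-writable ones, is excluded from the rule. If the scanner runs from a known directory in the environments where the false positives were seen, an `Image|startswith` entry for that directory is a tighter exclusion; if the location varies, a trailing comment on the two lines recording the source of the false positives (the commit message says Aurora) would document the choice the way `filter_generic` documents its own. The `filter_generic` block continues past the end of the hunk.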
@@ -1,11 +1,12 @@ -title: Suspicious Scheduled Task Writ to System32 Tasks +title: Suspicious Scheduled Task Write to System32 Tasks id: 80e1f67a-4596-4351-98f5-a9c3efabac95 status: experimental -description: +description: Detects the creation of tasks from processes executed from suspicious locations references: - - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ + - Internal Research author: Florian Roth date: 2021/11/16 +modified: 2022/01/12 tags: - attack.persistence - attack.execution diff --git a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml index ba1adbeb0..6adae36db 100644 --- a/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml +++ b/rules/windows/powershell/powershell_script/powershell_azurehound_commands.yml @@ -1,16 +1,17 @@ title: AzureHound PowerShell Commands id: 83083ac6-1816-4e76-97d7-59af9a9ae46e status: experimental -description: +description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound references: - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html author: Austin Songer (@austinsonger) date: 2021/10/23 +modified: 2022/01/12 logsource: product: windows category: ps_script - definition: Script Block Logging must be enable + definition: Script Block Logging must be enabled detection: selection: ScriptBlockText|contains: Invoke-AzureHound diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml index 1d0969a5f..987211efa 100644 --- a/rules/windows/process_creation/win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml 
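Review bot: The hunk in file_event_susp_task_write.yml replaces the only external reference (`https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/`) with `- Internal Research`, but neither the diff nor the commit message says why. The old link appears to concern Desktop.ini rather than scheduled-task writes, so it was probably a mis-paste, but that reasoning should be stated in the commit message or in a `# ` comment next to the new entry so a later reader does not assume a valid source was dropped.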
@@ -1,10 +1,10 @@ title: PurpleSharp Indicator id: ff23ffbc-3378-435e-992f-0624dcf93ab4 status: experimental -description: Detect +description: Detects the execution of the PurpleSharp adversary simulation tool author: Florian Roth date: 2021/06/18 -modified: 2021/07/06 +modified: 2022/01/12 references: - https://github.com/mvelazc0/PurpleSharp logsource: @@ -16,8 +16,7 @@ detection: - xyz123456.exe - PurpleSharp selection2: - OriginalFileName: - - 'PurpleSharp.exe' + OriginalFileName: 'PurpleSharp.exe' condition: selection1 or selection2 falsepositives: - Unlikely diff --git a/tests/test_rules.py b/tests/test_rules.py index be340f84d..b83726cee 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -375,6 +375,23 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'date' fields. (create one, e.g. date: 2019/01/14)") + def test_missing_description(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + descriptionfield = self.get_rule_part(file_path=file, part_name="description") + if not descriptionfield: + print(Fore.YELLOW + "Rule {} has no field 'description'.".format(file)) + faulty_rules.append(file) + elif not isinstance(descriptionfield, str): + print(Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) + faulty_rules.append(file) + elif len(descriptionfield) < 16: + print(Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with missing or malformed 'description' field. (create one, e.g. description: Detects the suspicious behaviour of process XY doing YZ)") + def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 460ed232491a861cc903b7ac88924a6532d5af8a Mon Sep 17 00:00:00 2001 
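Review bot: `if not descriptionfield:` in the new `test_missing_description` treats an empty or `null` description the same as a missing key but reports it as "has no field 'description'", which sends the rule author looking for a key that is present; `print(Fore.YELLOW + "Rule {} has a missing or empty 'description' field.".format(file))` covers both cases. The minimum length `16` is a magic number that the error text only paraphrases as "really short"; a named constant such as `MIN_DESCRIPTION_LENGTH = 16` next to the method and a message that states the limit make the check self-explaining. Comparing `len(descriptionfield.strip())` would also stop a whitespace-padded description from passing the length check.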
From: nwh2 <81748765+nwh2@users.noreply.github.com> Date: Wed, 12 Jan 2022 14:44:55 +0100 Subject: [PATCH 11/20] Fix incorrectly formatted Winget LOLbin date --- .../process_creation/win_lolbin_execution_via_winget.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml index 6821201cf..7911e9cc3 100644 --- a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml +++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml @@ -5,7 +5,7 @@ status: experimental references: - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install author: Sreeman, Florian Roth, Frack113 -date: 2020/21/04 +date: 2020/04/21 modified: 2022/01/11 tags: - attack.defense_evasion @@ -27,4 +27,4 @@ falsepositives: - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users. fields: - CommandLine -level: medium \ No newline at end of file +level: medium From 22338b762aa6a5e678eefd883cc1f79ac1efdac2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Jan 2022 16:35:24 +0100 Subject: [PATCH 12/20] fix: FPs with Java shell spawn rule --- .../process_creation_shell_spawn_by_java.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml index 9adb6d3c1..13073ec7d 100644 --- a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml +++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml 
@@ -4,7 +4,7 @@ description: Detects shell spawn from Java host process, which could a maintenan status: experimental author: Andreas Hunkeler (@Karneades) date: 2021/12/17 -modified: 2021/12/18 +modified: 2022/01/12 tags: - attack.initial_access - attack.persistence @@ -17,7 +17,10 @@ detection: ParentImage|endswith: '\java.exe' Image|endswith: - '\cmd.exe' - condition: selection + filter: + ParentImage|contains: 'build' # excluding CI build agents + CommandLine|contains: 'build' # excluding CI build agents + condition: selection and not filter falsepositives: - Legitimate calls to system binaries - Company specific internal usage From 592485fac54d3539ee8b99677fd0facb67cbecd0 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 12 Jan 2022 20:27:56 +0100 Subject: [PATCH 13/20] Windows Redcannary --- .../posh_ps_create_volume_shadow_copy.yml | 26 +++++++++++++++++++ .../posh_ps_suspicious_gwmi.yml | 25 ++++++++++++++++++ .../win_pc_uninstall_sysmon.yml | 24 +++++++++++++++++ .../sysmon/sysmon_config_modification.yml | 20 ++++++++++++++ 4 files changed, 95 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml create mode 100644 rules/windows/process_creation/win_pc_uninstall_sysmon.yml create mode 100644 rules/windows/sysmon/sysmon_config_modification.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml new file mode 100644 index 000000000..6c098c110 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml 
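Review bot: The new `filter` exempts every `cmd.exe` spawned by `java.exe` whose parent path and command line both contain the bare substring `build`, which is a much wider exception than the CI agents named in the comments and leaves the rule blind to any Java process that happens to live under a directory containing that word. If the observed agents run from a fixed location, anchoring on it is safer, e.g. `ParentImage|contains: '\<ci-agent-install-dir>\'` (placeholder for the real directory), and the comment should name which agents produced the false positives so the exception can be revisited. The `selection` being filtered starts outside the hunk.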
@@ -0,0 +1,26 @@ +title: Create Volume Shadow Copy with Powershell +id: afd12fed-b0ec-45c9-a13d-aa86625dac81 +status: experimental +description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information +date: 2022/01/12 +author: frack113 +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - win32_shadowcopy + - ').Create(' + - ClientAccessible + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: high +tags: + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml new file mode 100644 index 000000000..de0c276a4 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml 
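Review bot: The `description` of this new rule restates the MITRE technique text ("Adversaries may attempt to access or create a copy of the Active Directory domain database…") rather than what the rule matches; `description: Detects PowerShell script blocks that create a volume shadow copy through the Win32_ShadowCopy WMI class, a step commonly taken before copying the Active Directory database` describes the `ScriptBlockText|contains|all` selection. The `falsepositives` entry already admits that legitimate scripts (backup tooling) call the same API, so `level: high` may be optimistic; `medium` with a note on expected backup activity would be consistent with that entry. The `references` list points only to the MITRE data source and the Get-WmiObject documentation, with no reference for the shadow-copy creation pattern itself.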
@@ -0,0 +1,25 @@ +title: Suspicious Get-WmiObject +id: 0332a266-b584-47b4-933d-a00b103e1b37 +status: experimental +description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers +date: 2022/01/12 +author: frack113 +references: + - https://attack.mitre.org/datasources/DS0005/ + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - Get-WmiObject + - gwmi + condition: selection +falsepositives: + - Legitimate PowerShell scripts +level: low +tags: + - attack.persistence + - attack.t1546 diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml new file mode 100644 index 000000000..11a90070f --- /dev/null +++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml @@ -0,0 +1,24 @@ +title: Uninstall Sysinternals Sysmon +id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 +status: experimental +description: Uninstall Sysinternals Sysmon for Defense Evasion +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon +author: frack113 +date: 2022/01/12 +logsource: + category: process_creation + product: windows +detection: + sysmon: + Image|endswith: + - \Sysmon64.exe + - \Sysmon.exe + CommandLine|contains: '-u' + condition: sysmon +falsepositives: + - unknown +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml new file mode 100644 index 000000000..87b371606 --- /dev/null +++ b/rules/windows/sysmon/sysmon_config_modification.yml 
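Review bot: The `description` of `posh_ps_suspicious_gwmi.yml` defines WMI instead of stating what the rule detects, and the detection itself — `ScriptBlockText|contains` on `Get-WmiObject`/`gwmi` — will match most administrative PowerShell, so the rule has to say what makes a hit interesting; `description: Detects the use of Get-WmiObject or its gwmi alias in a PowerShell script block; on its own this is common administrative activity and is mainly useful for correlation` states the contract honestly. The `attack.t1546` tag (event-triggered execution) does not follow from a generic Get-WmiObject call; the WMI technique `attack.t1047` looks like the closer fit, to be confirmed by the author. Since `gwmi` is matched as a bare substring, the `falsepositives` entry should also say that administrative scripting is expected rather than only "Legitimate PowerShell scripts".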
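Review bot: In `win_pc_uninstall_sysmon.yml`, `CommandLine|contains: '-u'` matches those two characters anywhere in the command line — including inside a path or a config file name passed to a normal Sysmon update — so this `high`-level rule will also fire on routine re-configuration; anchoring the switch, e.g. `CommandLine|contains: ' -u'`, narrows it somewhat. Because the rule keys only on `Image|endswith`, a Sysmon binary deployed under another name is missed; the `OriginalFileName` field used in the PurpleSharp hunk of this series would be a useful second selection if the binary's version resource carries one. Minor: `falsepositives: - unknown` is lower-case while the other rules in this series use `Unknown`, and the file is missing its trailing newline.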
@@ -0,0 +1,20 @@ +title: Sysmon Configuration Change +id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 +description: Someone can try to hide from Sysmon +status: experimental +author: frack113 +date: 2022/01/12 +references: + - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 16 + condition: selection +falsepositives: + - legitimate administrative action +level: medium +tags: + - attack.defense_evasion From 41f0ccbca57d663a03823e10e8cb853b648d45c4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 12 Jan 2022 22:28:21 +0100 Subject: [PATCH 14/20] fix: filter in rule --- .../process_creation/win_susp_squirrel_lolbin.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index c8b351ed9..ea3b72cae 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2021/12/07 +modified: 2022/01/12 logsource: category: process_creation product: windows @@ -24,10 +24,11 @@ detection: - '--createShortcut' CommandLine|contains|all: - '.exe' - filter: + filter1: CommandLine|contains|all: - - 'C:\\Users\\' - - '\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe' + - 'C:\Users\' + - '\AppData\Local\Discord\Update.exe' + - ' --processStart Discord.exe' condition: selection and not 1 of filter* falsepositives: - 1Clipboard From baaef207cb0378f6d915197e7e819a16226d6ced Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 13 Jan 2022 06:38:43 +0100 Subject: [PATCH 15/20] Add filter help --- rules/windows/sysmon/sysmon_config_modification.yml | 4 ++++ 1 file changed, 4 insertions(+) 
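Review bot: `description: Someone can try to hide from Sysmon` does not say what the rule matches; `description: Detects a change of the Sysmon configuration (Sysmon Event ID 16), which attackers may use to reduce or blind Sysmon logging` describes the `EventID: 16` selection. The `tags` list carries only `attack.defense_evasion`; the sibling rule `win_pc_uninstall_sysmon.yml` in this same commit tags `attack.t1562.001`, which applies here as well. `falsepositives: - legitimate administrative action` should be capitalized to match the repository's other rules.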
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 87b371606..dc24421ae 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -12,6 +12,10 @@ logsource: detection: selection: EventID: 16 + # To avoid FP just add + # filter: + # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML' + # condition: selection and not filter condition: selection falsepositives: - legitimate administrative action From 56097703f1b49fa9166f1f02d21e875d1c4bcb99 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 13 Jan 2022 09:17:42 +0100 Subject: [PATCH 16/20] fix: FP detected with Aurora --- rules/windows/process_access/win_susp_proc_access_lsass.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index e7724a1fa..11bc6e347 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags author: Florian Roth date: 2021/11/22 -modified: 2022/01/08 +modified: 2022/01/13 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -62,6 +62,7 @@ detection: - 'C:\Program Files\Windows Defender\MsMpEng.exe' - 'C:\Windows\SysWOW64\msiexec.exe' - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\System32\lsass.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' From 943a89c265074d66fab1d55305c12ca960117d2f Mon Sep 17 00:00:00 2001 
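Review bot: The commented-out filter example in `sysmon_config_modification.yml` excludes by `ConfigurationFileHash`, which is the right field, but it has an operational cost the comment should state: every legitimate config update changes the hash, so the rule will alert until the value in the filter is refreshed. A short addition such as `# (update the hash whenever the approved config changes)` after the `ConfigurationFileHash` line keeps operators from silencing the rule when that happens.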
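Review bot: The new allowlist entry `'C:\Windows\System32\lsass.exe' # Windows Defender` in `win_susp_proc_access_lsass.yml` is confusing as written: lsass.exe is not a Defender component, and the entry above it (`MsMpEng.exe`) is the one that actually is, so a reader cannot tell why lsass.exe as source image is being excluded (the list is presumably the `SourceImage` filter, its head is outside the hunk). The commit message says the false positive was observed with Aurora; the comment should carry that context, e.g. `# FP observed with Aurora (see commit); lsass.exe itself as SourceImage`, so the exception can be re-evaluated later. A path-only exception for the very process the rule protects is a broad exclusion and deserves that justification.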
From: frack113 Date: Thu, 13 Jan 2022 16:28:29 +0100 Subject: [PATCH 17/20] Add setvalue for Details --- ...sing_windows_telemetry_for_persistence.yml | 3 ++- .../registry_event_defender_disabled.yml | 3 ++- .../registry_event_mal_adwind.yml | 3 ++- .../registry_event_uac_bypass_winsat.yml | 2 ++ .../registry_event_uac_bypass_wmp.yml | 2 ++ ...mon_asep_reg_keys_modification_classes.yml | 3 ++- ...smon_asep_reg_keys_modification_commun.yml | 3 ++- ...eg_keys_modification_currentcontrolset.yml | 3 ++- ...p_reg_keys_modification_currentversion.yml | 3 ++- ...eg_keys_modification_currentversion_nt.yml | 3 ++- ...eg_keys_modification_internet_explorer.yml | 3 ++- ...smon_asep_reg_keys_modification_office.yml | 3 ++- ..._reg_keys_modification_session_manager.yml | 3 ++- ...p_reg_keys_modification_system_scripts.yml | 3 ++- ...on_asep_reg_keys_modification_winsock2.yml | 3 ++- ...asep_reg_keys_modification_wow6432node.yml | 3 ++- ..._keys_modification_wow6432node_classes.yml | 3 ++- ...odification_wow6432node_currentversion.yml | 3 ++- .../registry_event/sysmon_cve_2020_1048.yml | 3 ++- .../sysmon_dns_over_https_enabled.yml | 19 +++++++++++-------- .../registry_event/sysmon_etw_disabled.yml | 3 ++- ...n_hybridconnectionmgr_svc_installation.yml | 2 ++ .../sysmon_powershell_as_service.yml | 3 ++- .../sysmon_rdp_registry_modification.yml | 3 ++- .../sysmon_reg_silentprocessexit.yml | 4 +++- .../sysmon_reg_vbs_payload_stored.yml | 2 ++ ...smon_registry_persistence_search_order.yml | 3 ++- .../sysmon_registry_susp_printer_driver.yml | 3 ++- .../sysmon_susp_reg_persist_explorer_run.yml | 3 ++- .../sysmon_susp_run_key_img_folder.yml | 3 ++- .../sysmon_susp_service_installed.yml | 3 ++- ...sysmon_suspicious_keyboard_layout_load.yml | 3 ++- .../sysmon_uac_bypass_sdclt.yml | 3 ++- .../sysmon_wab_dllpath_reg_change.yml | 3 ++- .../sysmon_win_reg_telemetry_persistence.yml | 3 ++- .../win_outlook_c2_registry_key.yml | 3 ++- .../win_outlook_registry_todaypage.yml | 2 ++ 
..._registry_shell_open_keys_manipulation.yml | 4 +++- 38 files changed, 87 insertions(+), 40 deletions(-) diff --git a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml index ecf8aba9b..bfdd0738b 100644 --- a/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml +++ b/rules/windows/registry_event/registry_event_abusing_windows_telemetry_for_persistence.yml @@ -11,7 +11,7 @@ tags: - attack.t1053 author: Sreeman date: 2020/09/29 -modified: 2021/09/24 +modified: 2022/01/13 fields: - EventID - CommandLine @@ -22,6 +22,7 @@ logsource: category: registry_event detection: selection: + EventType: SetValue TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' Details|endswith: - .sh diff --git a/rules/windows/registry_event/registry_event_defender_disabled.yml b/rules/windows/registry_event/registry_event_defender_disabled.yml index 0d3faa4e0..5c95188e2 100644 --- a/rules/windows/registry_event/registry_event_defender_disabled.yml +++ b/rules/windows/registry_event/registry_event_defender_disabled.yml @@ -5,7 +5,7 @@ related: type: derived description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/10/18 +modified: 2022/01/13 author: Ján Trenčanský, frack113, AlertIQ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -27,6 +27,7 @@ detection: - 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus' Details: 'DWORD (0x00000001)' selection2: + EventType: SetValue TargetObject: - 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend' - 'HKLM\SOFTWARE\Microsoft\Windows Defender' 
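Review bot: In `registry_event_defender_disabled.yml` the commit adds `EventType: SetValue` to `selection2` only, while `selection1` — which also matches on `Details: 'DWORD (0x00000001)'` — is left without it, so the two selections of one rule now have different event scopes for no visible reason; `EventType: SetValue` should be added to `selection1` as well (its head is outside the hunk). More generally, every `EventType: SetValue` added in this commit (the two files on this line and the remaining `registry_event` hunks of the series) narrows the rule from all registry events to value writes; for selections that also match `Details` that is effectively a no-op, but for selections keyed only on `TargetObject`, such as the `*_base` blocks of the ASEP rules, key creation, deletion and rename events on the same paths stop matching — worth confirming that is intended and stating it in the rule description.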
diff --git a/rules/windows/registry_event/registry_event_mal_adwind.yml b/rules/windows/registry_event/registry_event_mal_adwind.yml index 3bdba761b..1cc8bfc66 100644 --- a/rules/windows/registry_event/registry_event_mal_adwind.yml +++ b/rules/windows/registry_event/registry_event_mal_adwind.yml @@ -10,7 +10,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2021/09/19 +modified: 2022/01/13 tags: - attack.execution - attack.t1059.005 @@ -21,6 +21,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection diff --git a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml index 43efa10c9..5280038f2 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml +++ b/rules/windows/registry_event/registry_event_uac_bypass_winsat.yml @@ -3,6 +3,7 @@ id: 6597be7b-ac61-4ac8-bef4-d3ec88174853 description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) author: Christian Burkard date: 2021/08/30 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|' TargetObject|endswith: '\LowerCaseLongPath' Details|startswith: 'c:\users\' diff --git a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml index 22f04a705..ea145d3c0 100644 --- a/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml 
+++ b/rules/windows/registry_event/registry_event_uac_bypass_wmp.yml @@ -3,6 +3,7 @@ id: 5f9db380-ea57-4d1e-beab-8a2d33397e93 description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) author: Christian Burkard date: 2021/08/23 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME @@ -15,6 +16,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe' Details: 'Binary Data' condition: selection diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml index 2cb80ab88..44b01ed98 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_classes.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: classes_base: + EventType: SetValue TargetObject|contains: '\Software\Classes' classes: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml index e9d0e9331..f797c50fe 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_commun.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: main_selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml index 1b1bd16f6..8e3ffd89c 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: system_control_base: + EventType: SetValue TargetObject|contains: '\SYSTEM\CurrentControlSet\Control' system_control: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml index 9c4e8b390..46bffafb9 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml index b6bdedcbc..095e0837e 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: nt_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' nt_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml index 13a3112d1..b78b65a14 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_internet_explorer.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: ie: + EventType: SetValue TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Internet Explorer' - '\Software\Microsoft\Internet Explorer' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml index 46a4479e5..235706a41 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_office.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: office: + EventType: SetValue TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Office' - '\Software\Microsoft\Office' diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml index 08830dc05..7ccafcdcc 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_session_manager.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: session_manager_base: + EventType: SetValue TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager' session_manager: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml index 0b721eb8b..41cbd4739 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_system_scripts.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: scripts_base: + EventType: SetValue TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts' scripts: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml index b283e6a61..318b9db59 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_winsock2.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/01/08 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: winsock_parameters_base: + EventType: SetValue TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml index e7d956008..6a49c0f88 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/19 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' wow_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml index c91ab45d0..41cc28651 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_classes.yml 
@@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_classes_base: + EventType: SetValue TargetObject|contains: '\Software\Wow6432Node\Classes' wow_classes: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml index 2f07e05a1..a0b9eba10 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node_currentversion.yml @@ -11,12 +11,13 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: wow_nt_current_version_base: + EventType: SetValue TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' wow_nt_current_version: TargetObject|contains: diff --git a/rules/windows/registry_event/sysmon_cve_2020_1048.yml b/rules/windows/registry_event/sysmon_cve_2020_1048.yml index f87f36d85..c5e24e178 100644 --- a/rules/windows/registry_event/sysmon_cve_2020_1048.yml +++ b/rules/windows/registry_event/sysmon_cve_2020_1048.yml 
@@ -6,12 +6,13 @@ author: EagleEye Team, Florian Roth, NVISO references: - https://windows-internals.com/printdemon-cve-2020-1048/ date: 2020/05/13 -modified: 2021/11/27 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection: + EventType: SetValue TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' Details|contains: - '.dll' diff --git a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml index c5138d2bf..55b34be14 100644 --- a/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml +++ b/rules/windows/registry_event/sysmon_dns_over_https_enabled.yml 
@@ -1,33 +1,36 @@ title: DNS-over-HTTPS Enabled by Registry id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5 -date: 2021/07/22 -modified: 2021/09/08 +status: experimental description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors. author: Austin Songer -status: experimental references: - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html - https://github.com/elastic/detection-rules/issues/1371 - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS -tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1112 +date: 2021/07/22 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection_edge: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled' Details: 'DWORD (1)' selection_chrome: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode' Details: 'DWORD (secure)' selection_firefox: + EventType: SetValue TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled' Details: 'DWORD (1)' - condition: selection_edge or selection_chrome or selection_firefox + condition: 1 of selection_* falsepositives: - Unlikely level: medium +tags: + - attack.defense_evasion + - attack.t1140 + - attack.t1112 \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_etw_disabled.yml b/rules/windows/registry_event/sysmon_etw_disabled.yml index 0694d6440..5253af2c4 100644 --- a/rules/windows/registry_event/sysmon_etw_disabled.yml +++ b/rules/windows/registry_event/sysmon_etw_disabled.yml 
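Review bot: After this rewrite `sysmon_dns_over_https_enabled.yml` ends without a trailing newline (`\ No newline at end of file` on the new side), the exact defect the Winget commit earlier in this series fixed; the moved `tags` block should be terminated with a newline. Independently of the reorder, the `Details` values this hunk keeps — `'DWORD (1)'` for Edge and Firefox and `'DWORD (secure)'` for Chrome — do not follow the `DWORD (0x00000001)` rendering used by the sibling rules touched in this commit (`sysmon_etw_disabled.yml`, `registry_event_defender_disabled.yml`), and `DnsOverHttpsMode` is a string policy value for which a `DWORD (…)` wrapper looks wrong; the rule may never fire as written and should be checked against a real Sysmon event for each browser. Adding `EventType: SetValue` to all three selections is consistent with the new `1 of selection_*` condition, so that part is fine.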
@@ -14,12 +14,13 @@ references: - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code date: 2020/06/05 -modified: 2021/11/27 +modified: 2022/01/13 logsource: product: windows category: registry_event detection: selection: + EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' condition: selection diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml index f9e53a3dc..3dbb8e686 100644 --- a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -3,6 +3,7 @@ id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. status: experimental date: 2021/04/12 +modified: 2022/01/13 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.resource_development @@ -16,6 +17,7 @@ detection: selection1: TargetObject|contains: '\Services\HybridConnectionManager' selection2: + EventType: SetValue Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe' condition: selection1 or selection2 falsepositives: diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml index a297c6680..2da308f2c 100644 --- a/rules/windows/registry_event/sysmon_powershell_as_service.yml +++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml 
@@ -4,7 +4,7 @@ description: Detects that a powershell code is written to the registry as a serv status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/05/21 +modified: 2022/01/13 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -15,6 +15,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: '\Services\' TargetObject|endswith: '\ImagePath' Details|contains: diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml index 65ffce511..b95d8e580 100755 --- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml +++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml @@ -6,12 +6,13 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html date: 2019/09/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml index 190f33f2c..08f1c07fb 100644 --- a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml +++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml @@ -7,6 +7,7 @@ references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ date: 2021/02/26 +modified: 2022/01/13 tags: - attack.persistence - attack.t1546.012 
@@ -14,7 +15,8 @@ logsource: category: registry_event product: windows detection: - selection: + selection: + EventType: SetValue TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml index 058178fcf..abdb2b3c4 100644 --- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml +++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml @@ -3,6 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 +modified: 2022/01/13 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -11,6 +12,7 @@ logsource: product: windows detection: selection: + EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' Details|contains: - 'vbscript' diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 7b830997d..0dcdc843b 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/01/08 +modified: 2022/01/13 tags: - attack.persistence - attack.t1546.015 @@ -16,6 +16,7 @@ logsource: product: windows detection: selection: # Detect new COM servers in the user hive + EventType: SetValue TargetObject|startswith: - 'HKCR\CLSID\' - 'HKCU\Software\Classes\CLSID\' 
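Review bot: In the sysmon_registry_persistence_search_order.yml hunk the new `EventType: SetValue` is combined with `TargetObject|startswith: 'HKCU\Software\Classes\CLSID\'`, but Sysmon's TargetObject field reports the per-user hive as `HKU\<SID>\...`, never as `HKCU\...`, so that branch of the selection does not fire on Sysmon data; the same anchoring appears as the exact match `TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level'` in the win_outlook_c2_registry_key.yml hunk further down. A hive-independent form such as `TargetObject|contains: '\Software\Classes\CLSID\'` here and `TargetObject|endswith: '\Software\Microsoft\Office\16.0\Outlook\Security\Level'` in the Outlook rule matches both HKU and HKLM-backed paths. The `- selection:` / `+ selection:` pair in the sysmon_reg_silentprocessexit.yml hunk shows no visible difference, presumably trailing whitespace or a line-ending change; harmless, but worth a word in the commit message so readers do not hunt for it.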
diff --git a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml index 42cbead5a..90ee32fba 100644 --- a/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml +++ b/rules/windows/registry_event/sysmon_registry_susp_printer_driver.yml @@ -6,12 +6,13 @@ author: Florian Roth references: - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml index 598a7756b..11e4cb99d 100755 --- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml @@ -6,12 +6,13 @@ author: Florian Roth, oscd.community references: - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ date: 2018/07/18 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' selection2: - Details|startswith: diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml index 1bbe17aec..6e6f8b0c8 100755 --- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml +++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml 
@@ -10,12 +10,13 @@ tags: - attack.t1060 # an old one - attack.t1547.001 date: 2018/08/25 -modified: 2021/10/30 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml index 4fa03b7ea..9ede1214d 100755 --- a/rules/windows/registry_event/sysmon_susp_service_installed.yml +++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml @@ -6,12 +6,13 @@ author: xknow (@xknow_infosec), xorxes (@xor_xes) references: - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ date: 2019/04/08 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_1: + EventType: SetValue TargetObject: - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath' - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml index c6a0fd1fb..c02cf18c9 100755 --- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml +++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml 
@@ -7,13 +7,14 @@ references: - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files date: 2019/10/12 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' detection: selection_registry: + EventType: SetValue TargetObject|contains: - '\Keyboard Layout\Preload\' - '\Keyboard Layout\Substitutes\' diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml index 01c566580..378e7f623 100755 --- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml +++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml @@ -7,7 +7,7 @@ references: - https://github.com/hfiref0x/UACME author: Omer Yampel, Christian Burkard date: 2017/03/17 -modified: 2021/09/17 +modified: 2022/01/13 logsource: category: registry_event product: windows @@ -15,6 +15,7 @@ detection: selection1: TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand selection2: + EventType: SetValue TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue Details|contains: '-1???\Software\Classes\' condition: 1 of selection* diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml index 351020fc0..195ddd91b 100644 --- a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml +++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml 
@@ -10,13 +10,14 @@ tags: - attack.defense_evasion - attack.t1218 date: 2020/10/13 -modified: 2021/05/21 +modified: 2022/01/13 author: oscd.community, Natalia Shornikova logsource: category: registry_event product: windows detection: selection: + EventType: SetValue TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath' filter: Details: '%CommonProgramFiles%\System\wab32.dll' diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml index 62dbf900b..8f438c6a1 100644 --- a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml @@ -6,13 +6,14 @@ author: Lednyov Alexey, oscd.community references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ date: 2020/10/16 -modified: 2021/11/27 +modified: 2022/01/13 logsource: category: registry_event product: windows definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' detection: selection: + EventType: SetValue TargetObject|contains|all: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' - '\Command' diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml index 148886a9a..a6b8a353b 100644 --- a/rules/windows/registry_event/win_outlook_c2_registry_key.yml +++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml @@ -12,12 +12,13 @@ tags: - attack.t1008 - attack.t1546 date: 2021/04/05 -modified: 2021/09/13 +modified: 2022/01/13 logsource: category: registry_event product: windows detection: selection_registry: + EventType: SetValue TargetObject: 'HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level' Details|contains: '0x00000001' condition: selection_registry 
diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml index 336b5dc84..089a8cc53 100644 --- a/rules/windows/registry_event/win_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml @@ -6,6 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 +modified: 2022/01/13 tags: - attack.persistence - attack.t1112 @@ -18,6 +19,7 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: + EventType: SetValue TargetObject|endswith: Stamp Details: DWORD (0x00000001) selectionUserDefined: diff --git a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml index 8c30a7931..cb73fa4c4 100644 --- a/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml +++ b/rules/windows/registry_event/win_registry_shell_open_keys_manipulation.yml @@ -3,7 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7 description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) author: Christian Burkard date: 2021/08/30 -modified: 2021/11/19 +modified: 2022/01/13 status: experimental references: - https://github.com/hfiref0x/UACME 
@@ -20,11 +20,13 @@ logsource: product: windows detection: selection1: + EventType: SetValue TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue' Details|contains: '\Software\Classes\{' selection2: TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute' selection3: + EventType: SetValue TargetObject|endswith: - 'Classes\ms-settings\shell\open\command\(Default)' - 'Classes\exefile\shell\open\command\(Default)' From 82f88f194f1b29502a8698eb8833c4edd656a112 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 13 Jan 2022 18:20:24 +0100 Subject: [PATCH 18/20] fix: FPs noticed with Aurora --- .../process_creation_susp_non_exe_image.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml index 5eb1994eb..2af556082 100644 --- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml +++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2021/12/24 +modified: 2022/01/13 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -17,6 +17,8 @@ detection: Image|endswith: '.exe' filter_null: Image: null + filter_registry: + Image: 'Registry' filter_starts: Image|startswith: 'C:\Windows\Installer\MSI' filter_pstarts: @@ -29,6 +31,9 @@ detection: filter_nvidia: Image|contains: 'NVIDIA\NvBackend\' Image|endswith: '.dat' + filter_com: + Image|startswith: 'C:\Windows\System32\' + Image|endswith: '.com' condition: not image_exe and not 1 of filter* falsepositives: - unknown From c0bd1ef9bc036f14bfe2a28bacf213cc1779f759 Mon Sep 17 00:00:00 2001 
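Review bot: `filter_com` in the process_creation_susp_non_exe_image.yml hunk excludes every `.com` image whose path begins with `C:\Windows\System32\`, which covers all subdirectories of System32 rather than only the legacy `.com` binaries in its root that the Aurora false positives presumably were; if those binaries are known, an exact `Image:` list of the observed paths keeps the exclusion tight. The `falsepositives` field still reads `unknown` although the commit title records observed FPs; `- Legitimate Windows .com binaries under System32` and `- The 'Registry' pseudo-process reported as image` would document them next to the filters. `filter_registry` also merits a one-line comment explaining that `'Registry'` is the name of a Windows system process rather than a file path, since that is why it cannot end in `.exe`.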
From: Florian Roth Date: Thu, 13 Jan 2022 21:07:11 +0100 Subject: [PATCH 19/20] Update sysmon_config_modification.yml --- rules/windows/sysmon/sysmon_config_modification.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index dc24421ae..698bd1fb3 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -1,6 +1,6 @@ title: Sysmon Configuration Change id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 -description: Someone can try to hide from Sysmon +description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration status: experimental author: frack113 date: 2022/01/12 From 21b3e5c6fd89212e5ca04e9245bca85d9acba591 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 13 Jan 2022 21:07:59 +0100 Subject: [PATCH 20/20] Update win_pc_uninstall_sysmon.yml --- rules/windows/process_creation/win_pc_uninstall_sysmon.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml index 11a90070f..e9a92cdbb 100644 --- a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml +++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml @@ -1,7 +1,7 @@ title: Uninstall Sysinternals Sysmon id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939 status: experimental -description: Uninstall Sysinternals Sysmon for Defense Evasion +description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon author: frack113 
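Review bot: The new description in sysmon_config_modification.yml drops a word: `someone trying manipulate the configuration` should read `someone trying to manipulate the configuration`. The rewritten sentence is otherwise an improvement, since it now states what the rule detects and names the benign case; the parallel rewrite in the win_pc_uninstall_sysmon.yml hunk below reads correctly.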
@@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1562.001 \ No newline at end of file + - attack.t1562.001