Merge branch 'master' into aurora-false-positive-fixing

2022-02-21 18:49:45 +01:00
parent 921d46ca79 f1d962d140
commit cbe7abc16e
12 changed files with 194 additions and 14 deletions
@@ -0,0 +1,12 @@
+RuleId;RuleName;MatchString
+8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
+36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
+73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+infile=$1
+fps=$2
+
+if [[ -z ${infile} || -z ${fps} ]]; then
+    >&2 echo "usage: $0 [json-file] [FPs.csv]" 
+    exit 1
+fi
+
+if [[ ! -f ${infile}  || ! -r ${infile} ]]; then
+    >&2 echo "${infile} is not a valid, readable file"
+    exit 2
+fi
+if [[ ! -f ${fps}  || ! -r ${fps} ]]; then
+    >&2 echo "${fps} is not a valid, readable file"
+    exit 2
+fi
+
+# Exclude all rules with level "low"
+findings=$(grep -v '"RuleLevel":"low"' ${infile})
+
+{
+    read # Skip CSV header
+    while IFS=\; read -r id name fpstring; do
+        findings=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
+    done
+} < ${fps}
+
+if [[ -z ${findings} ]]; then
+    echo "No matches found."
+else
+    >&2 echo "Found matches:"
+    >&2 echo "${findings}"
+    >&2 echo
+    >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
+    exit 3
+fi
@@ -39,3 +39,21 @@ jobs:
    - uses: actions/checkout@v2
    - name: yaml-lint
      uses: ibiqlik/action-yamllint@v3
+  check-baseline-win10:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker
+    - name: Download and extract Windows 10 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
+        tar xzf win10-client.tgz
+    - name: Remove deprecated rules
+      run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
@@ -0,0 +1,21 @@
+title: Query Tor Onion Address
+id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
+status: experimental
+description: Detects DNS resolution of an .onion address related to Tor routing networks
+references:
+    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: frack113
+date: 2022/02/20
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection:
+        QueryName|contains: '.onion'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.command_and_control
+    - attack.t1090.003
@@ -0,0 +1,21 @@
+title: Rename a Commun File to DLL File
+id: bbfd974c-248e-4435-8de6-1e938c79c5c1
+status: experimental
+description: To bypass detection download a dll hide with commun extension and rename it to dll
+references:
+    - https://twitter.com/ffforward/status/1481672378639912960
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
+author: frack113
+date: 2022/02/19
+logsource:
+    product: windows
+    category: file_rename
+detection:
+    to_dll:
+        TargetFilename|endswith: '.dll'
+    from_dll:
+        OriginalFilename|endswith: '.dll'
+    condition: to_dll and not from_dll
+falsepositives:
+    - Application installation
+level: medium
@@ -71,16 +71,16 @@ detection:
    filter3:
        SourceImage|startswith: 'C:\Program Files\WindowsApps\'
        SourceImage|endswith: '\GamingServices.exe'
-        GrantedAccess: 
+        GrantedAccess:
            - '0x1410'
            - '0x410'
            - '0x1040'
    # Process Explorer
    filter4:
-        SourceImage|endswith: 
+        SourceImage|endswith:
            - '\PROCEXP64.EXE'
            - '\PROCEXP.EXE'
-        GrantedAccess: 
+        GrantedAccess:
            - '0x1410'
            - '0x410'
    # VMware Tools
@@ -89,14 +89,14 @@ detection:
        SourceImage|endswith: '\vmtoolsd.exe'
    # Antivirus and EDR agents
    filter6:
-        SourceImage|startswith: 
+        SourceImage|startswith:
            - 'C:\Progra Files\'
            - 'C:\Progra Files (x86)\'
-        SourceImage|contains: 
+        SourceImage|contains:
            - 'Antivirus'
    filter7:
        SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
-        GrantedAccess: 
+        GrantedAccess:
            - '0x1410'
            - '0x410'
    filter8:
@@ -117,13 +117,22 @@ detection:
            - '0x1010'
    # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.)
    filter_generic:
-        SourceImage|startswith: 
+        SourceImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\WINDOWS\system32\'
-        GrantedAccess: 
+        GrantedAccess:
            - '0x1410'
            - '0x410'
+    filter_localappdata:
+        SourceImage|contains|all:
+            - 'C:\Users\'
+            - '\AppData\Local\'
+        SourceImage|endswith:
+            - '\Microsoft VS Code\Code.exe'
+            - '\software_reporter_tool.exe'
+            - '\DropboxUpdate.exe'
+        GrantedAccess: '0x410'
    condition: selection and not 1 of filter*
 fields:
    - User
@@ -48,19 +48,20 @@ detection:
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c
            - 'FF'
-        SourceImage|contains: 
+        SourceImage|contains:
            - '\Temp\'
            - '\Users\Public\'
            - '\PerfLogs\'
            - '\AppData\'
            - '\Temporary'
    filter1:
-        SourceImage|contains|all: 
+        SourceImage|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
        SourceImage|endswith:
            - '\Microsoft VS Code\Code.exe'
            - '\software_reporter_tool.exe'
+            - '\DropboxUpdate.exe'
        GrantedAccess: '0x410'
    filter_nextron:
        SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
@@ -0,0 +1,23 @@
+title: Tor Client or Tor Browser Use
+id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
+status: experimental
+description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
+references:
+    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: frack113
+date: 2022/02/20
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: 
+            - '\tor.exe'
+            - '\Tor Browser\Browser\firefox.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.command_and_control
+    - attack.t1090.003
@@ -0,0 +1,30 @@
+title: Wlrmdr Lolbin Use as Laucher
+id: 9cfc00b6-bfb7-49ce-9781-ef78503154bb
+status: experimental
+description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
+references:
+    - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
+author: frack113
+date: 2022/02/16
+modified: 2022/02/21
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: wlrmdr.exe
+        CommandLine|contains|all:
+            - '-s '
+            - '-f '
+            - '-t '
+            - '-m '
+            - '-a '
+            - '-u '
+    filter:
+        ParentImage: 'C:\Windows\System32\winlogon.exe'
+    condition: selection and not filter
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.defense_evasion
@@ -6,6 +6,7 @@ references:
    - Malware sandbox results
 author: frack113
 date: 2022/02/11
+modified: 2022/02/18
 logsource:
    category: process_creation
    product: windows
@@ -15,7 +16,11 @@ detection:
            - '\Desktop\'
            - '\Temp\'
            - '\Temporary Internet'
-    condition: image
+    filter_parent:
+        ParentImage: 
+            - 'C:\Windows\System32\cleanmgr.exe'
+            - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe'
+    condition: image and not filter_parent
 falsepositives:
    - unknown
 level: low
@@ -1,12 +1,12 @@
 title: Office Security Settings Changed
 id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
 status: experimental
-description: Detects registry changes to Office macro settings
+description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
 modified: 2022/01/10
 references:
-    - Internal Research
+    - https://twitter.com/inversecos/status/1494174785621819397
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 tags:
@@ -3,7 +3,7 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
 description: Use IE registry to hide a scripts
 author: frack113
 date: 2022/01/22
-modified: 2022/02/13
+modified: 2022/02/20
 status: experimental
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
@@ -21,6 +21,8 @@ detection:
            - 'Cookie:'
            - 'Visited:'
            - '(Empty)'
+    filter_binary:
+        Details: 'Binary Data'
    condition: selection_domains and not 1 of filter_*
 falsepositives:
    - Unknown