diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
new file mode 100644
index 000000000..092277629
--- /dev/null
+++ b/.github/workflows/known-FPs.csv
@@ -0,0 +1,12 @@
+RuleId;RuleName;MatchString
+8e5e38e4-5350-4c0b-895a-e872ce0dd54f;Msiexec Initiated Connection;.*
+ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;svchost\.exe
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
+db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
+36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
+73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
diff --git a/.github/workflows/matchgrep.sh b/.github/workflows/matchgrep.sh
new file mode 100755
index 000000000..49baf8473
--- /dev/null
+++ b/.github/workflows/matchgrep.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+infile=$1
+fps=$2
+
+if [[ -z ${infile} || -z ${fps} ]]; then
+ >&2 echo "usage: $0 [json-file] [FPs.csv]"
+ exit 1
+fi
+
+if [[ ! -f ${infile} || ! -r ${infile} ]]; then
+ >&2 echo "${infile} is not a valid, readable file"
+ exit 2
+fi
+if [[ ! -f ${fps} || ! -r ${fps} ]]; then
+ >&2 echo "${fps} is not a valid, readable file"
+ exit 2
+fi
+
+# Exclude all rules with level "low"
+findings=$(grep -v '"RuleLevel":"low"' ${infile})
+
+{
+ read # Skip CSV header
+ while IFS=\; read -r id name fpstring; do
+ findings=$(echo "${findings}" | grep -Ev "\"RuleId\":\"${id}\".*${fpstring}")
+ done
+} < ${fps}
+
+if [[ -z ${findings} ]]; then
+ echo "No matches found."
+else
+ >&2 echo "Found matches:"
+ >&2 echo "${findings}"
+ >&2 echo
+ >&2 echo "You either need to tune your rule(s) for false positives or add a false positive filter to .github/workflows/known-FPs.csv"
+ exit 3
+fi
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 88c6d0502..64a6ed7f2 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
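Review bot: `${infile}` and `${fps}` are expanded unquoted in the `grep -v` call and in the `} < ${fps}` redirection, so a path containing spaces or glob characters breaks the script even though both paths passed the `-f`/`-r` checks above; quote them as `findings=$(grep -v '"RuleLevel":"low"' "${infile}")` and `} < "${fps}"`. The MatchString column is interpolated verbatim into an unanchored extended regex, so an empty third field, or `.*` as the Msiexec entry in known-FPs.csv uses, suppresses every finding for that RuleId rather than one known false positive; a guard such as `[[ -z ${fpstring} ]] && continue` plus a comment in the CSV header explaining that the field is a regex would make that intent explicit. The `grep -v '"RuleLevel":"low"'` exclusion relies on the checker emitting compact JSON with no whitespace after the colon; if that is the documented output format a comment saying so would help, since a formatting change would silently stop excluding low-level rules. A CSV saved with CRLF line endings would leave a trailing carriage return in `fpstring` and make every filter miss, which is worth a comment or an `IFS=$';\r'` on the read.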
@@ -39,3 +39,21 @@ jobs: - uses: actions/checkout@v2 - name: yaml-lint uses: ibiqlik/action-yamllint@v3 + check-baseline-win10: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/evtx-sigma-checker + - name: Download and extract Windows 10 baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz + tar xzf win10-client.tgz + - name: Remove deprecated rules + run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv diff --git a/rules/windows/dns_query/win_dq_tor_onion.yml b/rules/windows/dns_query/win_dq_tor_onion.yml new file mode 100644 index 000000000..07f86ecb8 --- /dev/null +++ b/rules/windows/dns_query/win_dq_tor_onion.yml @@ -0,0 +1,21 @@ +title: Query Tor Onion Address +id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544 +status: experimental +description: Detects DNS resolution of an .onion address related to Tor routing networks +references: + - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ +author: frack113 +date: 2022/02/20 +logsource: + product: windows + category: dns_query +detection: + selection: + QueryName|contains: '.onion' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.command_and_control + - attack.t1090.003 diff --git a/rules/windows/etw/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/etw/file_rename/file_rename_win_not_dll_to_dll.yml new file mode 100644 index 000000000..26d71cbc3 --- /dev/null 
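Review bot: The `Download evtx-sigma-checker` step fetches an executable from a `releases/latest/download/` URL and the `Check for Sigma matches in baseline` step runs it after `chmod +x` with no version pin and no integrity check, so the CI verdict depends on whatever the latest release is at run time and a changed or tampered release would execute in the workflow unnoticed. Pin the release tag in both download URLs and verify the artefacts before use, e.g. `echo "<sha256-of-pinned-release>  evtx-sigma-checker" | sha256sum -c -` as the line before the chmod. The same applies to `win10-client.tgz`: a baseline that changes between runs makes a failing check non-reproducible against the rule set that triggered it. The `check-baseline-win10` job begins in this hunk but the `jobs:` block it belongs to starts above it.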
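Review bot: `QueryName|contains: '.onion'` also fires on any query name in which `.onion` is only a substring (constructed example: `files.onion-cdn.example.com`), which is not a Tor hidden-service lookup; since the top-level label is what identifies such an address, `QueryName|endswith: '.onion'` is the more precise match. With `level: high` and `falsepositives: Unknown`, a comment noting that the rule relies on the `.onion` name leaking to the system resolver rather than being handled inside a Tor client would tell analysts what kind of hit to expect.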
+++ b/rules/windows/etw/file_rename/file_rename_win_not_dll_to_dll.yml @@ -0,0 +1,21 @@ +title: Rename a Commun File to DLL File +id: bbfd974c-248e-4435-8de6-1e938c79c5c1 +status: experimental +description: To bypass detection download a dll hide with commun extension and rename it to dll +references: + - https://twitter.com/ffforward/status/1481672378639912960 + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location +author: frack113 +date: 2022/02/19 +logsource: + product: windows + category: file_rename +detection: + to_dll: + TargetFilename|endswith: '.dll' + from_dll: + OriginalFilename|endswith: '.dll' + condition: to_dll and not from_dll +falsepositives: + - Application installation +level: medium diff --git a/rules/windows/process_access/win_susp_proc_access_lsass.yml b/rules/windows/process_access/win_susp_proc_access_lsass.yml index 168f5dad6..9378ce11a 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass.yml @@ -71,16 +71,16 @@ detection: filter3: SourceImage|startswith: 'C:\Program Files\WindowsApps\' SourceImage|endswith: '\GamingServices.exe' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' - '0x1040' # Process Explorer filter4: - SourceImage|endswith: + SourceImage|endswith: - '\PROCEXP64.EXE' - '\PROCEXP.EXE' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' # VMware Tools @@ -89,14 +89,14 @@ detection: SourceImage|endswith: '\vmtoolsd.exe' # Antivirus and EDR agents filter6: - SourceImage|startswith: + SourceImage|startswith: - 'C:\Progra Files\' - 'C:\Progra Files (x86)\' - SourceImage|contains: + SourceImage|contains: - 'Antivirus' filter7: SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' filter8: 
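Review bot: The title and description of the new file_rename rule misspell "common" as `Commun` and the description is hard to read; suggest `title: Rename a Common File to DLL File` and `description: Detects a file with a non-DLL extension being renamed to .dll, a technique used to download a DLL under an innocuous extension and rename it before loading`. The rule references the T1036 atomic test but carries no `tags:` block; `tags:` with `- attack.defense_evasion` and `- attack.t1036` would match the reference, to be confirmed against the sub-technique the linked test describes. The two `win_susp_proc_access_lsass.yml` hunks that share this line only strip trailing whitespace.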
@@ -117,13 +117,22 @@ detection: - '0x1010' # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.) filter_generic: - SourceImage|startswith: + SourceImage|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - 'C:\WINDOWS\system32\' - GrantedAccess: + GrantedAccess: - '0x1410' - '0x410' + filter_localappdata: + SourceImage|contains|all: + - 'C:\Users\' + - '\AppData\Local\' + SourceImage|endswith: + - '\Microsoft VS Code\Code.exe' + - '\software_reporter_tool.exe' + - '\DropboxUpdate.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml index 3adc22b13..98ca56cc3 100644 --- a/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/win_susp_proc_access_lsass_susp_source.yml @@ -48,19 +48,20 @@ detection: - 'FA' - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c - 'FF' - SourceImage|contains: + SourceImage|contains: - '\Temp\' - '\Users\Public\' - '\PerfLogs\' - '\AppData\' - '\Temporary' filter1: - SourceImage|contains|all: + SourceImage|contains|all: - 'C:\Users\' - '\AppData\Local\' SourceImage|endswith: - '\Microsoft VS Code\Code.exe' - '\software_reporter_tool.exe' + - '\DropboxUpdate.exe' GrantedAccess: '0x410' filter_nextron: SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' diff --git a/rules/windows/process_creation/proc_creation_win_tor_browser.yml b/rules/windows/process_creation/proc_creation_win_tor_browser.yml new file mode 100644 index 000000000..9c858b127 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_tor_browser.yml 
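Review bot: The new `filter_localappdata` excludes `GrantedAccess: '0x410'` access to LSASS from three image names under `C:\Users\...\AppData\Local\`, a user-writable location, keyed on path suffix alone, so the exclusion is only as strong as the file name; `filter1` in `win_susp_proc_access_lsass_susp_source.yml` already uses the same pattern and the second hunk on this line extends it with `\DropboxUpdate.exe`. Because process_access events give no signer to tighten the match on, a comment stating what the three entries are and that the path-only match is an accepted residual risk would help the next reviewer, e.g. `# Updater/telemetry helpers observed running from %LOCALAPPDATA%; path-only match, keep this list short`. Keeping the two rules' exclusion lists identical is worth a note in both files, since a false positive fixed in one will otherwise reappear in the other. The `filter_generic` lines in this hunk are whitespace-only changes and `condition: selection and not 1 of filter*` picks the new filter up automatically.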
@@ -0,0 +1,23 @@
+title: Tor Client or Tor Browser Use
+id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
+status: experimental
+description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
+references:
+ - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
+author: frack113
+date: 2022/02/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\tor.exe'
+ - '\Tor Browser\Browser\firefox.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.command_and_control
+ - attack.t1090.003
diff --git a/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
new file mode 100644
index 000000000..7582d89b3
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_lolbin_wlrmdr.yml
@@ -0,0 +1,30 @@
+title: Wlrmdr Lolbin Use as Laucher
+id: 9cfc00b6-bfb7-49ce-9781-ef78503154bb
+status: experimental
+description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
+references:
+ - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
+author: frack113
+date: 2022/02/16
+modified: 2022/02/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: wlrmdr.exe
+ CommandLine|contains|all:
+ - '-s '
+ - '-f '
+ - '-t '
+ - '-m '
+ - '-a '
+ - '-u '
+ filter:
+ ParentImage: 'C:\Windows\System32\winlogon.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/win_pc_susp_run_folder.yml b/rules/windows/process_creation/win_pc_susp_run_folder.yml
index b316906ea..a9103c537 100644
--- a/rules/windows/process_creation/win_pc_susp_run_folder.yml
+++ b/rules/windows/process_creation/win_pc_susp_run_folder.yml
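Review bot: In the wlrmdr rule, `Image|endswith: wlrmdr.exe` has no leading backslash, unlike every other `endswith` value in this commit such as `'\tor.exe'`, so it also matches any image whose file name merely ends in those characters; write it as `Image|endswith: '\wlrmdr.exe'` for consistency and precision. The title misspells "Launcher": `title: Wlrmdr Lolbin Use as Launcher`. The `tags:` block carries only `attack.defense_evasion`; if the referenced behaviour is proxying execution through a signed Windows binary, `attack.t1218` would be the matching technique tag, to be confirmed against the reference before adding it.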
@@ -6,6 +6,7 @@ references: - Malware sandbox results author: frack113 date: 2022/02/11 +modified: 2022/02/18 logsource: category: process_creation product: windows @@ -15,7 +16,11 @@ detection: - '\Desktop\' - '\Temp\' - '\Temporary Internet' - condition: image + filter_parent: + ParentImage: + - 'C:\Windows\System32\cleanmgr.exe' + - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' + condition: image and not filter_parent falsepositives: - unknown level: low diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml index 1ef9cf359..9f0c5fcbe 100644 --- a/rules/windows/registry_event/sysmon_reg_office_security.yml +++ b/rules/windows/registry_event/sysmon_reg_office_security.yml @@ -1,12 +1,12 @@ title: Office Security Settings Changed id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd status: experimental -description: Detects registry changes to Office macro settings +description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) author: Trent Liffick (@tliffick) date: 2020/05/22 modified: 2022/01/10 references: - - Internal Research + - https://twitter.com/inversecos/status/1494174785621819397 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ tags: diff --git a/rules/windows/registry_event/win_re_ie_persistence.yml b/rules/windows/registry_event/win_re_ie_persistence.yml index a0ca82133..645f47c50 100644 --- a/rules/windows/registry_event/win_re_ie_persistence.yml +++ b/rules/windows/registry_event/win_re_ie_persistence.yml 
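Review bot: The new `filter_parent` in win_pc_susp_run_folder.yml exempts every child process of `cleanmgr.exe` and of the Visual Studio `BackgroundDownload.exe`, whatever image they start from the user-folder paths listed in `image`, although the false positive being fixed was presumably one specific child; pairing the parent with the observed `Image` value would keep the exclusion narrow. A comment recording where these two parents were observed would also explain why the Visual Studio path is pinned to `C:\Program Files (x86)\...`, since the filter will not apply to an installer located elsewhere. The `image` selection starts above this hunk; the first hunk on this line only bumps `modified`, and the sysmon_reg_office_security.yml hunk is a documentation change.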
@@ -3,7 +3,7 @@ id: d88d0ab2-e696-4d40-a2ed-9790064e66b3 description: Use IE registry to hide a scripts author: frack113 date: 2022/01/22 -modified: 2022/02/13 +modified: 2022/02/20 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry @@ -21,6 +21,8 @@ detection: - 'Cookie:' - 'Visited:' - '(Empty)' + filter_binary: + Details: 'Binary Data' condition: selection_domains and not 1 of filter_* falsepositives: - Unknown
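Review bot: The new `filter_binary` drops every event whose `Details` is `'Binary Data'`, i.e. presumably all REG_BINARY writes under the keys `selection_domains` matches, so the rule would no longer see a script payload stored as a binary value if that is ever a case it is meant to cover. If the intent is that scripts hidden in these keys are written as strings and binary values are benign browser state, record that with a comment such as `# Sysmon reports REG_BINARY values as 'Binary Data'; the scripts this rule looks for are string values`. `selection_domains` itself begins above the hunk, and the first hunk on this line only bumps `modified`.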