Merge branch 'oscd' into master

yugoslavskiy
2019-11-14 00:36:34 +03:00
committed by GitHub
164 changed files with 3798 additions and 373 deletions
@@ -0,0 +1,91 @@
# Release Notes
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## Unreleased
Changes from this section will be contained in the next release.
### Added
* sigma-similarity tool
* LimaCharlie backend
* Default configurations for some backends that are used if no configuration is passed.
* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
* Value modifiers:
* startswith
* endswith
### Changed
* Removal of line breaks in elastalert output
* Searches not bound to fields are restricted to keyword fields in es-qs backend
* Graylog backend now based on es-qs backend
* Type errors are now ignored with -I
## 0.13
### Added
* Index mappings for Sumologic
* Malicious cmdlets in wdatp
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
* QRadar type regex modifier support
* Elasticsearch keyword field blacklisting with wildcards
* Added dateField configuration parameter in xpack-watcher backend
* Field mappings in configurations
* Field name mapping for conditional fields
* Value modifiers:
* utf16
* utf16le
* wide
* utf16be
### Changed
* Improved --backend-config help text
### Fixed
* Backend errors in ala
* Slash escaping within es-dsl wildcard queries
* QRadar backend config
* QRadar field name and value escaping and handling
* Elasticsearch wildcard detection pattern
* Aggregation on keyword field in es-dsl backend
## 0.12.1
### Fixed
* Missing build dependency
## 0.12
### Added
* Usage of "Channel" field in ELK Windows configuration
* Fields to mappings
* xpack-watcher actions index and webhook
* Config for Winlogbeat 7.x
* Value modifiers
* Regular expression support
### Changed
* Warning/error messages
* Sumologic value cleaning
* Explicit OR for Elasticsearch query strings
* Listing of available configurations on missing configuration error
### Fixed
* Conditions in es-dsl backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions
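Review bot: the release-notes file states that the project follows Semantic Versioning from 0.14.0, yet the section headings below it are `## 0.13`, `## 0.12.1` and `## 0.12` without a patch component on two of them; either write them as `0.13.0` / `0.12.0` or say in the intro that pre-0.14 entries keep the old numbering, so that the generated template (which emits three components) and the hand-written history agree.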
@@ -0,0 +1,38 @@
## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }})
### Added
{% for item in added %}
* {{ item | indent(2) }}
{% endfor %}
### Changed
{% for item in changed %}
* {{ item | indent(2) }}
{% endfor %}
### Deprecated
{% for item in deprecated %}
* {{ item | indent(2) }}
{% endfor %}
### Removed
{% for item in removed %}
* {{ item | indent(2) }}
{% endfor %}
### Fixed
{% for item in fixed %}
* {{ item | indent(2) }}
{% endfor %}
### Security
{% for item in security %}
* {{ item | indent(2) }}
{% endfor %}
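Review bot: the heading on the first line orders the version components as `{{ version.minor }}.{{ version.major }}.{{ version.patch }}`; Semantic Versioning, which the release notes in this commit say the project follows, is major.minor.patch, so the template should read `{{ version.major }}.{{ version.minor }}.{{ version.patch }}`. The `### Deprecated`, `### Removed` and `### Security` headings are also emitted even when their lists are empty; wrap each heading in the same `{% for %}` guard or an `{% if %}` so empty sections are not generated.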
@@ -207,25 +207,25 @@
},
"pymisp": {
"hashes": [
"sha256:1983808d9a834c26d42d52871af1f86dc9739c9f2ee22091cf4a2a62ce6a171d",
"sha256:32675ce303f9d06698eb390c5381cb1de430d355e203612264bce6cd53972b95",
"sha256:9cf1187b5d618bd2b0e631cc877586b7cd5d02b59322a509a4f5ad07496cd171"
"sha256:17b145dbc39a1ba4ebce60e8b75a479d2c8fd3c2a239f32682f2e1a3636469ec",
"sha256:814023f346f9e1dcf6763d93450df44ff0157f2061c612a7eaf2020280f588a3",
"sha256:de67196f6a8916b9c52a84a1c45ea967c53fa9d2b3795b070ad2c1cbc28d79d7"
],
"index": "pypi",
"version": "==2.4.117"
"version": "==2.4.117.2"
},
"pyrsistent": {
"hashes": [
"sha256:34b47fa169d6006b32e99d4b3c4031f155e6e68ebcc107d6454852e8e0ee6533"
"sha256:eb6545dbeb1aa69ab1fb4809bfbf5a8705e44d92ef8fc7c2361682a47c46c778"
],
"version": "==0.15.4"
"version": "==0.15.5"
},
"python-dateutil": {
"hashes": [
"sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb",
"sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e"
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
],
"version": "==2.8.0"
"version": "==2.8.1"
},
"python-utils": {
"hashes": [
@@ -262,19 +262,19 @@
},
"six": {
"hashes": [
"sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
"sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
"sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd",
"sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66"
],
"version": "==1.12.0"
"version": "==1.13.0"
},
"typing-extensions": {
"hashes": [
"sha256:2ed632b30bb54fc3941c382decfd0ee4148f5c591651c9272473fea2c6397d95",
"sha256:b1edbbf0652660e32ae780ac9433f4231e7339c7f9a8057d0f042fcbcea49b87",
"sha256:d8179012ec2c620d3791ca6fe2bf7979d979acdbef1fca0bc56b37411db682ed"
"sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2",
"sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d",
"sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"
],
"markers": "python_version < '3.7'",
"version": "==3.7.4"
"version": "==3.7.4.1"
},
"urllib3": {
"hashes": [
@@ -0,0 +1,26 @@
title: Brute Force
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
references:
- None
tags:
- attack.t1110
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
status: experimental
logsource:
category: authentication
detection:
selection:
action: failure
timeframe: 600s
condition: selection | count(category) by dst_ip > 30
fields:
- src_ip
- dst_ip
- user
falsepositives:
- Inventarization
- Penetration testing
- Vulnerability scanner
- Legitimate application
level: medium
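Review bot: the condition aggregates `count(category) by dst_ip`, but `category` is the logsource category, not a field of the authentication event, so the count is over a constant; `count() by dst_ip` (or `count(src_ip) by dst_ip`, given the listed `fields`) expresses the stated intent of many failures against one destination. `references: - None` should be dropped rather than listed as a reference, and the description "which is may indicate" should read "which may indicate".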
@@ -0,0 +1,33 @@
title: Auditing configuration changes on linux host
description: Detect changes if auditd configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/audit/ -p wa -k etc_modify_auditconfig
# -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
# -w /etc/audisp/ -p wa -k etc_modify_audispconfig
references:
- https://github.com/Neo23x0/auditd/blob/master/audit.rules
- self experience
tags:
- attack.defense_evasion
- attack.t1054
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
key:
- 'etc_modify_auditconfig'
- 'etc_modify_libauditconfig'
- 'etc_modify_audispconfig'
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high
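Review bot: the description "Detect changes if auditd configuration files" should read "Detects changes of auditd configuration files". The `-w ... -k etc_modify_*` lines in the leading comment are what make the `key` values exist at all, so they belong in the rule's `logsource.definition:` field (as the Rubeus rule in this commit does) rather than a YAML comment that is discarded on parsing; a reader of the converted query otherwise has no way to learn the prerequisite.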
@@ -0,0 +1,23 @@
title: Modification of ld.so.preload
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
tags:
- attack.defense_evasion
- attack.t1055
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name: '/etc/ld.so.preload'
condition: selection
falsepositives:
- Unknown
level: medium
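Review bot: `type: 'PATH'` with `name: '/etc/ld.so.preload'` only produces a record when an audit watch on that path is deployed, yet unlike the two configuration-change rules in this commit no required audit rule is documented; add a `definition:` or comment stating the prerequisite watch. Also "orignally" in the author line should be "originally".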
@@ -0,0 +1,32 @@
title: Logging configuration changes on linux host
description: Detect changes of syslog daemons configuration files
# Example config for this one (place it at the top of audit.rules)
# -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
# -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
# -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
references:
- self experience
tags:
- attack.defense_evasion
- attack.t1054
author: Mikhail Larin, oscd.community
status: experimental
date: 2019/10/25
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
key:
- 'etc_modify_syslogconfig'
- 'etc_modify_rsyslogconfig'
- 'etc_modify_syslogngconfig'
condition: selection
fields:
- exe
- comm
- key
falsepositives:
- Legitimate administrative activity
level: high
@@ -0,0 +1,22 @@
title: Masquerading as Linux crond process
status: experimental
description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
logsource:
product: linux
service: auditd
detection:
selection:
type: 'execve'
a0: 'cp'
a1: '-i'
a2: '/bin/sh'
a3: '*/crond'
condition: selection
level: medium
tags:
- attack.defense_evasion
- attack.t1036
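Review bot: `type: 'execve'` is lowercase here while the T1033 rule in this same commit uses `'EXECVE'`; auditd writes the record type in uppercase, so use one spelling (uppercase) across the new auditd rules unless the backend is known to match case-insensitively. The rule also lacks a `falsepositives:` section, which every sibling rule carries, and the four positional arguments (`cp -i /bin/sh */crond`) cover exactly the Atomic Red Team test invocation; the description should say that only this argument form is detected.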
@@ -0,0 +1,24 @@
title: System Owner or User Discovery
status: experimental
description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0:
- 'users'
- 'w'
- 'who'
condition: selection
falsepositives:
- Admin activity
level: low
tags:
- attack.discovery
- attack.t1033
+28
View File
@@ -0,0 +1,28 @@
title: Webshell Remote Command Execution
status: experimental
description: Detects posible command execution by web application/web shell
# You need to add to the config auditd.conf:
# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
# change 33 to id you webserver user. default: www-data:x:33:33
tags:
- attack.persistence
- attack.t1100
references:
- personal experience
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019/10/12
modified: 2019/11/04
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
key: 'detect_execve_www'
condition: selection
falsepositives:
- Admin activity
- Crazy web applications
level: critical
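Review bot: "posible" in the description should be "possible", and the comment "change 33 to id you webserver user" should read "change 33 to the uid of your webserver user". The selection matches `SYSCALL: 'execve'` even though `key: 'detect_execve_www'` already pins events to the `-S execve` rule in the comment, so the syscall match is redundant and, on raw audit records where the syscall is logged as a lowercase `syscall=` field with a numeric value, can stop the rule from matching; consider keying on `key` alone.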
@@ -0,0 +1,30 @@
title: Data Compressed
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-f'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of them
falsepositives:
- Legitimate use of archiving tools by legitimate user
level: low
tags:
- attack.exfiltration
- attack.t1002
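Review bot: `type: 'execve'` is lowercase while the T1033 rule in this commit uses `'EXECVE'`; align the case. `selection2` only matches `gzip -f`, so a plain `gzip file` invocation is missed, and the tar check `a1|contains: '-c'` covers `-czf`-style flags but not `--create`; the description should state that only these argument forms are covered, or the argument constraints should be loosened.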
@@ -0,0 +1,30 @@
title: Network Sniffing
status: experimental
description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'tcpdump'
a1: '-c'
a3|contains: '-i'
selection2:
type: 'execve'
a0: 'tshark'
a1: '-c'
a3: '-i'
condition: selection1 or selection2
falsepositives:
- Legitimate administrator or user uses network sniffing tool for legitimate reason
level: low
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
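Review bot: the selections bind arguments to fixed positions (`a1: '-c'`, `a3|contains: '-i'` and `a3: '-i'`), so `tcpdump -i eth0` or `tshark -i eth0 -c 100` with the flags in any other order produce no match; either match `-i` regardless of position or document that only the Atomic Red Team argument order is detected. `type: 'execve'` should also follow the uppercase spelling used by the T1033 rule, and the two `a3` checks are inconsistent with each other (`contains` versus exact).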
@@ -7,7 +7,7 @@ references:
author: Patrick Bareiss
date: 2019/04/07
logsource:
product: dns
category: dns
detection:
selection:
parent_domain: '*'
@@ -16,4 +16,5 @@ falsepositives:
- Valid software, which uses dns for transferring data
level: high
tags:
- attack.t1043
- attack.t1048
- attack.exfiltration
@@ -0,0 +1,29 @@
---
action: global
title: High DNS bytes out
description: High DNS queries bytes amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate high DNS bytes out rate to domain name which should be added to whitelist
level: medium
---
logsource:
category: dns
detection:
selection:
query: '*'
timeframe: 1m
condition: selection | sum(question_length) by src_ip > 300000
---
logsource:
category: firewall
detection:
selection:
dst_port: 53
timeframe: 1m
condition: selection | sum(message_size) by src_ip > 300000
@@ -0,0 +1,29 @@
---
action: global
title: High DNS requests rate
description: High DNS requests amount from host per short period of time
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate high DNS requests rate to domain name which should be added to whitelist
level: medium
---
logsource:
category: dns
detection:
selection:
query: '*'
timeframe: 1m
condition: selection | count() by src_ip > 1000
---
logsource:
category: firewall
detection:
selection:
dst_port: 53
timeframe: 1m
condition: selection | count() by src_ip > 1000
@@ -0,0 +1,18 @@
title: High NULL records requests rate
description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
record_type: "NULL"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS NULL requests rate to domain name which should be added to whitelist
level: medium
@@ -0,0 +1,18 @@
title: High TXT records requests rate
description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
record_type: "TXT"
timeframe: 1m
condition: selection | count() by src_ip > 50
falsepositives:
- Legitimate high DNS TXT requests rate to domain name which should be added to whitelist
level: medium
@@ -0,0 +1,18 @@
title: Suspicious reverse connect via HTTP proxy
status: experimental
description: Detects auth on proxy-server by machine account (aka SYSTEM)
author: Ilyas Ochkov, oscd.community
references:
- https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
tags:
- attack.command_and_control
- attack.t1043
logsource:
category: proxy
detection:
selection:
username|re: '\S+\$$'
condition: selection
falsepositives:
- Update OS or other softs which start by SYSTEM
- User account with $ in attribute "SamAccountName"
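Review bot: the rule has no `date:` and no `level:` field, both of which every other new rule in this commit carries; add them. The regex `'\S+\$$'` relies on the `re` modifier being supported by the target backend, and "softs" in the first false-positive entry should read "software".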
@@ -0,0 +1,41 @@
title: High DNS subdomain requests rate per domain
description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
dns_question_name:
query: "*"
default_list_of_well_known_domains:
query_etld_plus_one:
- "akadns.net"
- "akamaiedge.net"
- "amazonaws.com"
- "apple.com"
- "apple-dns.net"
- "cloudfront.net"
- "icloud.com"
- "in-addr.arpa"
- "google.com"
- "yahoo.com"
- "dropbox.com"
- "windowsupdate.com"
- "microsoftonline.com"
- "s-microsoft.com"
- "office365.com"
- "linkedin.com"
timeframe: 15m
condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains
# for each host in timeframe
# for each dns_question_etld_plus_one
# if number of dns_question_name > 200
# dns_question_etld_plus_one is not in default_list_of_well_known_domains
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental
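Review bot: the condition is not valid Sigma aggregation syntax: grouping uses `by`, not `per`, only one group field is allowed after `by`, and `and not default_list_of_well_known_domains` cannot follow the aggregation pipe. The filter belongs before the pipe, e.g. `dns_question_name and not default_list_of_well_known_domains | count(query) by query_etld_plus_one > 200`, which also uses the `dns_question_name` search identifier that the current condition never references; the per-host grouping described in the trailing comment then needs backend-specific handling and should be noted as such.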
@@ -0,0 +1,36 @@
title: Large domain name request
description: Detects large DNS domain names
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: dns
detection:
selection:
query_length: "> 70" # IS MORE THAN 70 bytes
default_list_of_well_known_domains:
query_etld_plus_one:
- "akadns.net"
- "akamaiedge.net"
- "amazonaws.com"
- "apple.com"
- "apple-dns.net"
- "cloudfront.net"
- "icloud.com"
- "in-addr.arpa"
- "google.com"
- "yahoo.com"
- "dropbox.com"
- "windowsupdate.com"
- "microsoftonline.com"
- "s-microsoft.com"
- "office365.com"
- "linkedin.com"
condition: selection and not default_list_of_well_known_domains
falsepositives:
- Legitimate domain name requested, which should be added to whitelist
level: high
status: experimental
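Review bot: `query_length: "> 70"` is compiled as a literal string match against the value `> 70`, not as a numeric comparison, since the selection carries no comparison modifier; the inline comment `# IS MORE THAN 70 bytes` shows a comparison was intended. Either express it through an aggregation as the neighbouring DNS rules do or restrict the rule to a backend that supports numeric comparison and state that in the description.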
@@ -0,0 +1,22 @@
title: Possible DNS Rebinding
status: experimental
description: 'Detects DNS-answer with TTL <10.'
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
tags:
- attack.command_and_control
- attack.t1043
logsource:
product: dns
detection:
selection:
answer: '*'
filter1:
ttl: '>0'
filter2:
ttl: '<10'
timeframe: 30s
condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
level: medium
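Review bot: `ttl: '>0'` and `ttl: '<10'` are string values and are matched literally rather than as numeric ranges, so `filter1 and filter2` cannot select answers with TTL below 10 as the description states. `logsource` also uses `product: dns` while the other DNS rules in this commit (and the change to the dns exfiltration rule above, which moves from `product` to `category`) use `category: dns`; align it.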
@@ -2,7 +2,7 @@ title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
author: Samir Bousseaden
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
@@ -16,9 +16,10 @@ detection:
selection:
EventID: 5136
LDAPDisplayName: 'ntSecurityDescriptor'
Value:
- '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*'
- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'
Value|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
condition: selection
falsepositives:
- New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account.
@@ -0,0 +1,22 @@
title: T1000 AD Object WriteDAC Access
description: Detects WRITE_DAC access to a domain object
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
logsource:
product: windows
service: security
detection:
selection_one:
EventID: 4662
ObjectServer: 'DS'
AccessMask: 0x40000
ObjectType:
- '19195a5b-6da0-11d0-afd3-00c04fd930c9'
- 'domainDNS'
condition: selection
falsepositives:
- Unknown
level: critical
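Review bot: the search identifier is `selection_one` but the condition references `selection`, which is undefined, so the rule fails to compile; rename one of them. The rule also has no `tags:` section although the title gives T1000 and the referenced playbook path says T1222_file_permissions_modification; pick the technique the rule actually covers and tag it.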
@@ -0,0 +1,28 @@
title: T1003 Active Directory Replication from Non Machine Account
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
date: 2019/07/26
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
@@ -14,7 +14,8 @@ detection:
selection:
EventID: 4704
keywords:
- 'SeEnableDelegationPrivilege'
Message:
- '*SeEnableDelegationPrivilege*'
condition: all of them
falsepositives:
- Unknown
@@ -15,11 +15,13 @@ detection:
selection:
EventID: 4738
keywords:
- 'DES'
- 'Preauth'
- 'Encrypted'
Message:
- '*DES*'
- '*Preauth*'
- '*Encrypted*'
filters:
- 'Enabled'
Message:
- '*Enabled*'
condition: selection and keywords and filters
falsepositives:
- Unknown
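Review bot: the identifier `filters` implies an exclusion, but the condition reads `selection and keywords and filters`, so `*Enabled*` is required in the message rather than excluded; if that is intended, rename the identifier (e.g. `enabled`) so a later reader does not "fix" the condition to `and not filters`. The `Message:` wildcard lists are otherwise a straightforward replacement of the bare keyword lists.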
@@ -14,6 +14,7 @@ logsource:
product: windows
detection:
keywords:
Message:
- "* mimikatz *"
- "* mimilib *"
- "* <3 eo.oe *"
@@ -6,29 +6,31 @@ logsource:
service: application
detection:
keywords:
- HTool
- Hacktool
- ASP/Backdoor
- JSP/Backdoor
- PHP/Backdoor
- Backdoor.ASP
- Backdoor.JSP
- Backdoor.PHP
- Webshell
- Portscan
- Mimikatz
- WinCred
- PlugX
- Korplug
- Pwdump
- Chopper
- WmiExec
- Xscan
- Clearlog
- ASPXSpy
Message:
- "*HTool*"
- "*Hacktool*"
- "*ASP/Backdoor*"
- "*JSP/Backdoor*"
- "*PHP/Backdoor*"
- "*Backdoor.ASP*"
- "*Backdoor.JSP*"
- "*Backdoor.PHP*"
- "*Webshell*"
- "*Portscan*"
- "*Mimikatz*"
- "*WinCred*"
- "*PlugX*"
- "*Korplug*"
- "*Pwdump*"
- "*Chopper*"
- "*WmiExec*"
- "*Xscan*"
- "*Clearlog*"
- "*ASPXSpy*"
filters:
- Keygen
- Crack
Message:
- "*Keygen*"
- "*Crack*"
condition: keywords and not 1 of filters
falsepositives:
- Some software piracy tools (key generators, cracks) are classified as hack tools
@@ -0,0 +1,23 @@
title: T1003 DPAPI Domain Backup Key Extraction
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
status: experimental
date: 2019/06/20
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
ObjectType: 'SecretObject'
AccessMask: '0x2'
ObjectName: 'BCKUPKEY'
condition: selection
falsepositives:
- Unknown
level: critical
@@ -0,0 +1,20 @@
title: T1003 DPAPI Domain Master Key Backup Attempt
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
status: experimental
date: 2019/08/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4692
condition: selection
falsepositives:
- Unknown
level: critical
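Review bot: "This events gets generated" should read "This event gets generated". The selection is only `EventID: 4692` with no further constraint, and the description itself says it detects "anyone attempting a backup"; for a `level: critical` rule on an unfiltered single event ID, either add a filter on the subject account or document the expected false positives beyond "Unknown".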
@@ -0,0 +1,27 @@
title: T1003 LSASS Access from Non System Account
description: Detects potential mimikatz-like tools accessing LSASS from non system account
status: experimental
date: 2019/06/20
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4663
- 4656
ObjectType: 'Process'
ObjectName|endswith: '\lsass.exe'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
@@ -15,9 +15,10 @@ detection:
EventID:
- 7045
keywords:
- 'WCE SERVICE'
- 'WCESERVICE'
- 'DumpSvc'
Message:
- '*WCE SERVICE*'
- '*WCESERVICE*'
- '*DumpSvc*'
quarkspwdump:
EventID: 16
HiveName: '*\AppData\Local\Temp\SAM*.dmp'
@@ -0,0 +1,62 @@
---
action: global
title: Meterpreter or Cobalt Strike getsystem service installation
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2019/11/11
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
- attack.privilege_escalation
- attack.t1134
detection:
selection:
- ServiceFileName|contains:
- 'cmd'
- 'comspec'
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- '%COMSPEC%'
- '/c'
- 'echo'
- '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection
fields:
- ServiceFileName
falsepositives:
- Highly unlikely
level: critical
---
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
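Review bot: the first item of `selection`, `ServiceFileName|contains: ['cmd', 'comspec']`, is OR'ed with the other list items and matches any service binary path containing `cmd` or `comspec`, which makes the two `contains|all` lists for the `/c echo ... \pipe\` forms redundant (each already requires `cmd` or `%COMSPEC%`) and turns a `critical` rule into a match on any cmd-based service. Drop the first item or restrict it to the pipe-echo form, and keep the `rundll32` item as the only standalone alternative.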
@@ -0,0 +1,26 @@
title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
status: experimental
description: Detects possible bypass EDR and SIEM via abnormal user account name.
tags:
- attack.defense_evasion
- attack.t1036
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2019/11/13
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4720 # create user
- 4781 # rename user
UserName|contains: '$' #SamAccountName
condition: selection
fields:
- EventID
- UserName
- SubjectAccountName
falsepositives:
- Unkown
level: medium
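Review bot: "Unkown" in falsepositives should be "Unknown". The comment `#SamAccountName` next to `UserName|contains: '$'` suggests the field name is a placeholder; events 4720 and 4781 carry the affected account in different fields (target name versus new target name), so confirm that `UserName` is mapped to both in the Windows field configuration before relying on a single field name.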
@@ -0,0 +1,24 @@
title: Possible DC Sync
description: Detects DC sync via create new SPN
status: experimental
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
references:
- https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://jsecurity101.com/2019/Syncing-into-the-Shadows/
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4742
ServicePrincipalNames: '*GC/*'
condition: selection
falsepositives:
- Unkown
level: high
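Review bot: "Unkown" in falsepositives should be "Unknown", and the description "Detects DC sync via create new SPN" should read "Detects a DCSync attempt via creation of a new GC/ service principal name". The references point to the existing `win_dcsync.yml` in this repository; state in the description how this 4742-based rule differs from it so the two are not mistaken for duplicates.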
@@ -0,0 +1,23 @@
title: T1003 Protected Storage Service Access
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
status: experimental
date: 2019/08/10
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
tags:
- attack.lateral_movement
- attack.t1021
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC'
RelativeTargetName: "protected_storage"
condition: selection
falsepositives:
- Unknown
level: critical
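Review bot: the tags are `attack.lateral_movement` / `attack.t1021` while the title and description frame the rule as T1003 credential dumping via DPAPI; add `attack.credential_access` / `attack.t1003` as the sibling DPAPI rules in this commit do, or retitle the rule to match the tags.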
@@ -0,0 +1,23 @@
title: Register new logon process by Rubeus
description: Detects potential use of Rubeus via registered new trusted logon process
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
product: windows
service: security
definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
detection:
selection:
- EventID: 4611
LogonProcessName: 'User32LogonProcesss'
condition: selection
falsepositives:
- Unkown
level: high
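Review bot: `- EventID: 4611` starts a YAML list item, so `LogonProcessName` must be inside that same mapping (indented under the dash) to be AND'ed with the event ID; as a separate list item it would be OR'ed and the rule would match every 4611 event. Dropping the dash and writing `selection:` as a plain mapping, as the other rules do, avoids the ambiguity. Also "Ubnormal" in `definition` should be "Abnormal" and "Unkown" in falsepositives should be "Unknown".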
@@ -0,0 +1,21 @@
title: T1086 Remote PowerShell Sessions
description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
status: experimental
date: 2019/09/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort:
- 5985
- 5986
LayerRTID: 44
condition: selection
falsepositives:
- Unknown
level: critical
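Review bot: the rule has no `tags:` section although the title names T1086; add `attack.execution` and `attack.t1086`, as the other playbook-derived rules in this commit do. With only `EventID: 5156` plus destination ports 5985/5986 and no filter on the local image, every WinRM connection fires at `level: critical`; the false positives entry should say more than "Unknown" or the level should be lowered.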
@@ -0,0 +1,23 @@
title: T1012 SAM Registry Hive Handle Request
description: Detects handles requested to SAM registry hive
status: experimental
date: 2019/08/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'Key'
ObjectName|endswith: '\SAM'
condition: selection
falsepositives:
- Unknown
level: critical
@@ -0,0 +1,21 @@
title: T1000 SCM Database Handle Failure
description: Detects non-system users failing to get a handle of the SCM database.
status: experimental
date: 2019/08/12
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
Keywords: "Audit Failure"
SubjectLogonId: "0x3e4"
condition: selection
falsepositives:
- Unknown
level: critical
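Review bot: the description says "non-system users failing to get a handle", but the selection pins `SubjectLogonId: "0x3e4"`, the well-known logon ID of the NETWORK SERVICE account, so the rule matches one specific service account rather than "non-system users"; state which account is meant and why it is the one of interest. The title uses `T1000`, which is not an ATT&CK technique ID, and there is no `tags:` section.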
@@ -0,0 +1,21 @@
title: T1000 SCM Database Privileged Operation
description: Detects non-system users performing privileged operation os the SCM database
status: experimental
date: 2019/08/15
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
logsource:
product: windows
service: security
detection:
selection:
EventID: 4674
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
PrivilegeList: 'SeTakeOwnershipPrivilege'
SubjectLogonId: "0x3e4"
condition: selection
falsepositives:
- Unknown
level: critical
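Review bot: "performing privileged operation os the SCM database" should read "performing a privileged operation on the SCM database". As in the handle-failure rule above, `SubjectLogonId: "0x3e4"` selects a single logon session rather than the "non-system users" of the description, and the `T1000` title has no matching `tags:` entry; align the description, title and tags with what the selection matches.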
@@ -25,4 +25,4 @@ detection:
condition: selection1 or (selection2 and not selection3)
falsepositives:
- Migration of an account into a new domain
level: medium
level: low
@@ -21,8 +21,9 @@ detection:
Source: 'Windows Error Reporting'
EventID: 1001
keywords:
- 'MsMpEng.exe'
- 'mpengine.dll'
Message:
- '*MsMpEng.exe*'
- '*mpengine.dll*'
condition: 1 of selection* and all of keywords
falsepositives:
- MsMpEng.exe can crash when C:\ is full
@@ -13,7 +13,8 @@ detection:
selection:
EventID: 16
keywords:
- '*\AppData\Local\Temp\SAM-*.dmp *'
Message:
- '*\AppData\Local\Temp\SAM-*.dmp *'
condition: all of them
falsepositives:
- Penetration testing
@@ -0,0 +1,28 @@
title: Suspicious outbound Kerberos connection
status: experimental
description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestinationPort: 88
filter:
Image|endswith:
- '\lsass.exe'
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
level: high
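Review bot: The selection uses `Image|endswith` and `DestinationPort`, but event 5156 carries `Application` and `DestPort` natively, so this only works where the configuration maps those names; the title also says "outbound" yet no `Direction` constraint is present, so inbound connections on port 88 match as well. The reference `https://github.com/GhostPack/Rubeus8` looks like a typo for the Rubeus repository URL.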
@@ -0,0 +1,29 @@
title: T1012 SysKey Registry Keys Access
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
status: experimental
date: 2019/08/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'key'
ObjectName|endswith:
- 'lsa\JD'
- 'lsa\GBG'
- 'lsa\Skew1'
- 'lsa\Data'
condition: selection
falsepositives:
- Unknown
level: critical
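Review bot: Events 4656/4663 for these `Lsa\JD`, `Lsa\GBG`, `Lsa\Skew1` and `Lsa\Data` keys are only generated when registry object-access auditing is enabled and a SACL is set on those keys, which is not the default; that prerequisite should go into the `logsource` `definition` so the rule is not deployed against telemetry that can never produce the event. With `falsepositives: Unknown`, `level: critical` is hard to justify until the legitimate readers of these keys have been enumerated.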
@@ -0,0 +1,38 @@
---
action: global
title: Tap driver installation
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
selection:
ImagePath|contains: 'tap0901'
condition: selection
---
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 6
---
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
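Review bot: The global `selection` matches on `ImagePath`, which is the field name for event 7045 only; Sysmon event 6 reports the driver path in `ImageLoaded` and event 4697 reports the binary in `ServiceFileName`, so the second and third documents will not match unless the configuration maps those fields. Typo in `falsepositives`: "insntallation" should be "installation".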
@@ -0,0 +1,23 @@
title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1208
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
logsource:
product: windows
service: security
detection:
selection:
- EventID: 4673
Service: 'LsaRegisterLogonProcess()'
Keywords: '0x8010000000000000' #failure
condition: selection
falsepositives:
- Unkown
level: high
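Review bot: Typo in `falsepositives`: "Unkown" should be "Unknown". The leading `-` under `selection` turns it into a one-element list of maps, which is harmless but inconsistent with the other rules in this patch; a plain map is clearer.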
@@ -16,14 +16,15 @@ detection:
selection:
EventID: 5861
keywords:
- 'ActiveScriptEventConsumer'
- 'CommandLineEventConsumer'
- 'CommandLineTemplate'
Message:
- '*ActiveScriptEventConsumer*'
- '*CommandLineEventConsumer*'
- '*CommandLineTemplate*'
# - 'Binding EventFilter' # too many false positive with HP Health Driver
selection2:
EventID: 5859
condition: selection and 1 of keywords or selection2
falsepositives:
- Unknown (data set is too small; further testing needed)
level: high
level: medium
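Review bot: `condition: selection and 1 of keywords or selection2` relies on `and` binding tighter than `or`; write it as `(selection and 1 of keywords) or selection2` so the intent is explicit and does not depend on the reader knowing Sigma precedence.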
@@ -0,0 +1,21 @@
title: T1086 Alternate PowerShell Hosts
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status: experimental
date: 2019/08/11
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
logsource:
product: windows
service: powershell
detection:
selection:
EventID:
- 4103
- 400
filter:
HostApplication: 'powershell.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
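Review bot: The filter `HostApplication: 'powershell.exe'` is an exact match, but `HostApplication` carries the full host command line (path plus arguments), so the filter will never match and the rule will fire on every 4103/400 event; use `HostApplication|contains: 'powershell.exe'` (as the Remote PowerShell Session rule in this patch does) or `|endswith`. This rule also lacks a `tags:` block.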
@@ -0,0 +1,23 @@
title: Clear PowerShell History
status: experimental
description: Detects keywords that could indicate clearing PowerShell history
date: 2019/10/25
author: Ilyas Ochkov, oscd.community
references:
- https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
tags:
- attack.defense_evasion
- attack.t1146
logsource:
product: windows
service: powershell
detection:
keywords:
- 'del (Get-PSReadlineOption).HistorySavePath'
- 'Set-PSReadlineOption HistorySaveStyle SaveNothing'
- 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
- 'rm (Get-PSReadlineOption).HistorySavePath'
condition: keywords
falsepositives:
- some PS-scripts
level: medium
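Review bot: The four keywords hard-code exact spacing and a fixed cmdlet or alias prefix, so variants such as `Remove-Item -Path (Get-PSReadlineOption).HistorySavePath`, `ri`, `erase` or `Set-PSReadlineOption -HistorySaveStyle SaveNothing` are missed; matching on `(Get-PSReadlineOption).HistorySavePath` and `HistorySaveStyle SaveNothing` as the stable substrings, combined with EventID 4104, would be more robust.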
@@ -0,0 +1,28 @@
title: Data Compressed
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
keyword_1:
- '*-Recurse*'
keyword_2:
- '*|*'
keyword_3:
- '*Compress-Archive*'
condition: selection and all of keyword_*
falsepositives:
- highly likely if archive ops are done via PS
level: low
tags:
- attack.exfiltration
- attack.t1002
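Review bot: `description:` is not a valid key under `logsource`; the Sigma key for this is `definition:` (as used in the other PowerShell rules in this patch), so the note about script block logging should be moved there.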
@@ -0,0 +1,19 @@
title: Dnscat execution
description: Dnscat exfiltration tool execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
service: powershell
detection:
selection:
EventID: 4104
ScriptBlockText|contains: "Start-Dnscat2"
condition: selection
falsepositives:
- Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
level: medium
@@ -14,100 +14,101 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Invoke-DllInjection
- Invoke-Shellcode
- Invoke-WmiCommand
- Get-GPPPassword
- Get-Keystrokes
- Get-TimedScreenshot
- Get-VaultCredential
- Invoke-CredentialInjection
- Invoke-Mimikatz
- Invoke-NinjaCopy
- Invoke-TokenManipulation
- Out-Minidump
- VolumeShadowCopyTools
- Invoke-ReflectivePEInjection
- Invoke-UserHunter
- Find-GPOLocation
- Invoke-ACLScanner
- Invoke-DowngradeAccount
- Get-ServiceUnquoted
- Get-ServiceFilePermission
- Get-ServicePermission
- Invoke-ServiceAbuse
- Install-ServiceBinary
- Get-RegAutoLogon
- Get-VulnAutoRun
- Get-VulnSchTask
- Get-UnattendedInstallFile
- Get-ApplicationHost
- Get-RegAlwaysInstallElevated
- Get-Unconstrained
- Add-RegBackdoor
- Add-ScrnSaveBackdoor
- Gupt-Backdoor
- Invoke-ADSBackdoor
- Enabled-DuplicateToken
- Invoke-PsUaCme
- Remove-Update
- Check-VM
- Get-LSASecret
- Get-PassHashes
- Show-TargetScreen
- Port-Scan
- Invoke-PoshRatHttp
- Invoke-PowerShellTCP
- Invoke-PowerShellWMI
- Add-Exfiltration
- Add-Persistence
- Do-Exfiltration
- Start-CaptureServer
- Get-ChromeDump
- Get-ClipboardContents
- Get-FoxDump
- Get-IndexedItem
- Get-Screenshot
- Invoke-Inveigh
- Invoke-NetRipper
- Invoke-EgressCheck
- Invoke-PostExfil
- Invoke-PSInject
- Invoke-RunAs
- MailRaider
- New-HoneyHash
- Set-MacAttribute
- Invoke-DCSync
- Invoke-PowerDump
- Exploit-Jboss
- Invoke-ThunderStruck
- Invoke-VoiceTroll
- Set-Wallpaper
- Invoke-InveighRelay
- Invoke-PsExec
- Invoke-SSHCommand
- Get-SecurityPackages
- Install-SSP
- Invoke-BackdoorLNK
- PowerBreach
- Get-SiteListPassword
- Get-System
- Invoke-BypassUAC
- Invoke-Tater
- Invoke-WScriptBypassUAC
- PowerUp
- PowerView
- Get-RickAstley
- Find-Fruit
- HTTP-Login
- Find-TrustedDocuments
- Invoke-Paranoia
- Invoke-WinEnum
- Invoke-ARPScan
- Invoke-PortScan
- Invoke-ReverseDNSLookup
- Invoke-SMBScanner
- Invoke-Mimikittenz
Message:
- "*Invoke-DllInjection*"
- "*Invoke-Shellcode*"
- "*Invoke-WmiCommand*"
- "*Get-GPPPassword*"
- "*Get-Keystrokes*"
- "*Get-TimedScreenshot*"
- "*Get-VaultCredential*"
- "*Invoke-CredentialInjection*"
- "*Invoke-Mimikatz*"
- "*Invoke-NinjaCopy*"
- "*Invoke-TokenManipulation*"
- "*Out-Minidump*"
- "*VolumeShadowCopyTools*"
- "*Invoke-ReflectivePEInjection*"
- "*Invoke-UserHunter*"
- "*Find-GPOLocation*"
- "*Invoke-ACLScanner*"
- "*Invoke-DowngradeAccount*"
- "*Get-ServiceUnquoted*"
- "*Get-ServiceFilePermission*"
- "*Get-ServicePermission*"
- "*Invoke-ServiceAbuse*"
- "*Install-ServiceBinary*"
- "*Get-RegAutoLogon*"
- "*Get-VulnAutoRun*"
- "*Get-VulnSchTask*"
- "*Get-UnattendedInstallFile*"
- "*Get-ApplicationHost*"
- "*Get-RegAlwaysInstallElevated*"
- "*Get-Unconstrained*"
- "*Add-RegBackdoor*"
- "*Add-ScrnSaveBackdoor*"
- "*Gupt-Backdoor*"
- "*Invoke-ADSBackdoor*"
- "*Enabled-DuplicateToken*"
- "*Invoke-PsUaCme*"
- "*Remove-Update*"
- "*Check-VM*"
- "*Get-LSASecret*"
- "*Get-PassHashes*"
- "*Show-TargetScreen*"
- "*Port-Scan*"
- "*Invoke-PoshRatHttp*"
- "*Invoke-PowerShellTCP*"
- "*Invoke-PowerShellWMI*"
- "*Add-Exfiltration*"
- "*Add-Persistence*"
- "*Do-Exfiltration*"
- "*Start-CaptureServer*"
- "*Get-ChromeDump*"
- "*Get-ClipboardContents*"
- "*Get-FoxDump*"
- "*Get-IndexedItem*"
- "*Get-Screenshot*"
- "*Invoke-Inveigh*"
- "*Invoke-NetRipper*"
- "*Invoke-EgressCheck*"
- "*Invoke-PostExfil*"
- "*Invoke-PSInject*"
- "*Invoke-RunAs*"
- "*MailRaider*"
- "*New-HoneyHash*"
- "*Set-MacAttribute*"
- "*Invoke-DCSync*"
- "*Invoke-PowerDump*"
- "*Exploit-Jboss*"
- "*Invoke-ThunderStruck*"
- "*Invoke-VoiceTroll*"
- "*Set-Wallpaper*"
- "*Invoke-InveighRelay*"
- "*Invoke-PsExec*"
- "*Invoke-SSHCommand*"
- "*Get-SecurityPackages*"
- "*Install-SSP*"
- "*Invoke-BackdoorLNK*"
- "*PowerBreach*"
- "*Get-SiteListPassword*"
- "*Get-System*"
- "*Invoke-BypassUAC*"
- "*Invoke-Tater*"
- "*Invoke-WScriptBypassUAC*"
- "*PowerUp*"
- "*PowerView*"
- "*Get-RickAstley*"
- "*Find-Fruit*"
- "*HTTP-Login*"
- "*Find-TrustedDocuments*"
- "*Invoke-Paranoia*"
- "*Invoke-WinEnum*"
- "*Invoke-ARPScan*"
- "*Invoke-PortScan*"
- "*Invoke-ReverseDNSLookup*"
- "*Invoke-SMBScanner*"
- "*Invoke-Mimikittenz*"
false_positives:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
condition: keywords and not false_positives
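Review bot: The `false_positives` exclusion still uses the unbound form `- Get-SystemDriveInfo` without wildcards, while the keywords it is meant to exclude (`*Get-System*`) were converted to `Message` matches with wildcards; depending on the backend the exclusion may no longer match, so it should be rewritten as `Message: - '*Get-SystemDriveInfo*'` to stay consistent with the positive list.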
@@ -14,26 +14,27 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- AdjustTokenPrivileges
- IMAGE_NT_OPTIONAL_HDR64_MAGIC
- Microsoft.Win32.UnsafeNativeMethods
- ReadProcessMemory.Invoke
- SE_PRIVILEGE_ENABLED
- LSA_UNICODE_STRING
- MiniDumpWriteDump
- PAGE_EXECUTE_READ
- SECURITY_DELEGATION
- TOKEN_ADJUST_PRIVILEGES
- TOKEN_ALL_ACCESS
- TOKEN_ASSIGN_PRIMARY
- TOKEN_DUPLICATE
- TOKEN_ELEVATION
- TOKEN_IMPERSONATE
- TOKEN_INFORMATION_CLASS
- TOKEN_PRIVILEGES
- TOKEN_QUERY
- Metasploit
- Mimikatz
Message:
- "*AdjustTokenPrivileges*"
- "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- "*Microsoft.Win32.UnsafeNativeMethods*"
- "*ReadProcessMemory.Invoke*"
- "*SE_PRIVILEGE_ENABLED*"
- "*LSA_UNICODE_STRING*"
- "*MiniDumpWriteDump*"
- "*PAGE_EXECUTE_READ*"
- "*SECURITY_DELEGATION*"
- "*TOKEN_ADJUST_PRIVILEGES*"
- "*TOKEN_ALL_ACCESS*"
- "*TOKEN_ASSIGN_PRIMARY*"
- "*TOKEN_DUPLICATE*"
- "*TOKEN_ELEVATION*"
- "*TOKEN_IMPERSONATE*"
- "*TOKEN_INFORMATION_CLASS*"
- "*TOKEN_PRIVILEGES*"
- "*TOKEN_QUERY*"
- "*Metasploit*"
- "*Mimikatz*"
condition: keywords
falsepositives:
- Penetration tests
@@ -17,7 +17,8 @@ detection:
selection:
EventID: 4104
keyword:
- 'PromptForCredential'
Message:
- '*PromptForCredential*'
condition: all of them
falsepositives:
- Unknown
@@ -0,0 +1,22 @@
title: T1086 Remote PowerShell Session
description: Detects remote PowerShell sessions
status: experimental
date: 2019/08/10
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
logsource:
product: windows
service: powershell
detection:
selection:
EventID:
- 4103
- 400
HostName: 'ServerRemoteHost'
HostApplication|contains: 'wsmprovhost.exe'
condition: selection
falsepositives:
- Unknown
level: critical
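Review bot: `level: critical` with `falsepositives: Unknown` is hard to defend for this rule, because PowerShell remoting via `wsmprovhost.exe` is routine administration in environments that use WinRM; either document the expected legitimate sources or lower the level. This rule also lacks a `tags:` block.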
@@ -10,8 +10,9 @@ logsource:
service: powershell
detection:
keywords:
- 'System.Net.WebClient).DownloadString('
- 'system.net.webclient).downloadfile('
Message:
- '*System.Net.WebClient).DownloadString(*'
- '*system.net.webclient).downloadfile(*'
condition: keywords
falsepositives:
- PowerShell scripts that download content from the Internet
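Review bot: The two patterns use different casing (`DownloadString` versus `downloadfile`), which relies on the backend treating `Message` matches case-insensitively; write both the same way. Consider covering the other `WebClient` download methods (`DownloadData`, `OpenRead`) as well, since they serve the same purpose.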
@@ -10,12 +10,13 @@ logsource:
service: powershell
detection:
keywords:
- ' -nop -w hidden -c * [Convert]::FromBase64String'
- ' -w hidden -noni -nop -c "iex(New-Object'
- ' -w hidden -ep bypass -Enc'
- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- 'iex(New-Object Net.WebClient).Download'
Message:
- '* -nop -w hidden -c * [Convert]::FromBase64String*'
- '* -w hidden -noni -nop -c "iex(New-Object*'
- '* -w hidden -ep bypass -Enc*'
- '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
- '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
- '*iex(New-Object Net.WebClient).Download*'
condition: keywords
falsepositives:
- Penetration tests
@@ -15,8 +15,9 @@ logsource:
service: powershell
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
detection:
keywords:
Message:
- "System.Reflection.Assembly.Load"
- "[System.Reflection.Assembly]::Load"
- "[Reflection.Assembly]::Load"
- "System.Reflection.AssemblyName"
- "Reflection.Emit.AssemblyBuilderAccess"
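Review bot: If `Message:` replaces the unbound `keywords:` selection here, the values need surrounding wildcards (`'*System.Reflection.Assembly.Load*'` and so on), as done in the other hunks of this patch; a bare string bound to a field is an exact match and will never equal a full log message. The `condition` must also still reference an existing selection name after the rename.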
@@ -0,0 +1,27 @@
title: Winlogon Helper DLL
status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
keyword1:
- '*Set-ItemProperty*'
- '*New-Item*'
keyword2:
- '*CurrentVersion\Winlogon*'
condition: selection and ( keyword1 and keyword2 )
falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
- attack.t1004
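Review bot: `description:` under `logsource` is not a Sigma key; use `definition:`. Note also that `'*New-Item*'` matches `New-ItemProperty` as well, which is probably intended but worth stating in a comment.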
@@ -0,0 +1,30 @@
---
action: global
title: SILENTTRINITY stager execution
status: experimental
description: Detects SILENTTRINITY stager use
references:
- https://github.com/byt3bl33d3r/SILENTTRINITY
author: Aleksey Potapov, oscd.community
date: 2019/10/22
modified: 2019/11/04
tags:
- attack.execution
detection:
selection:
Description|contains: 'st2stager'
condition: selection
falsepositives:
- unknown
level: high
---
logsource:
category: process_creation
product: windows
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
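Review bot: `Description|contains: 'st2stager'` keys on the PE version resource of the file, which is a weak indicator that is trivially absent from repackaged builds, so this should be stated in `falsepositives`/description as a known-sample match rather than a behavioural detection. The `tags:` block has only `attack.execution` and no technique ID.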
@@ -0,0 +1,30 @@
title: Mustang Panda Dropper
status: experimental
description: Detects specific process parameters as used by Mustang Panda droppers
author: Florian Roth
date: 2019/10/30
references:
- https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
- https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine:
- '*Temp\wtask.exe /create*'
- '*%windir:~-3,1%%PUBLIC:~-9,1%*'
- '*/E:vbscript * C:\Users\*.txt" /F'
- '*/tn "Security Script *'
- '*%windir:~-1,1%*'
selection2:
Image:
- '*Temp\winwsh.exe'
condition: 1 of them
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unlikely
level: high
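Review bot: This rule has no `tags:` block; the other new rules in this patch carry at least a tactic tag.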
@@ -0,0 +1,30 @@
title: Modification of Boot Configuration
description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
tags:
- attack.impact
- attack.t1490
detection:
selection1:
Image|endswith: '\bcdedit.exe'
CommandLine: 'set'
selection2:
- CommandLine|contains|all:
- 'bootstatuspolicy'
- 'ignoreallfailures'
- CommandLine|contains|all:
- 'recoveryenabled'
- 'no'
condition: selection1 and selection2
falsepositives:
- Unlikely
level: high
logsource:
category: process_creation
product: windows
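Review bot: `CommandLine: 'set'` in `selection1` is an exact match on the whole command line, so it can never be true for a real `bcdedit` invocation and the rule is dead as written; it should be `CommandLine|contains: 'set'` (or `' /set '` for precision). Typo in `author`: "orignally".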
@@ -0,0 +1,32 @@
title: Change Default File Association
status: experimental
description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'cmd'
- '/c'
- 'assoc'
condition: selection
falsepositives:
- Admin activity
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
level: low
tags:
- attack.persistence
- attack.t1042
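Review bot: `'assoc'` with `contains` is a substring match, so any `cmd /c` command line that merely contains a path or argument with "associat" in it also fires; `' assoc '` (with surrounding spaces) or `'assoc '` keeps the intent while cutting that noise.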
@@ -0,0 +1,31 @@
title: Data Compressed
status: experimental
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rar.exe'
CommandLine|contains: ' a '
condition: selection
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- highly likely if rar is default archiver in the monitored environment
level: low
tags:
- attack.exfiltration
- attack.t1002
@@ -0,0 +1,19 @@
title: DNS exfiltration tools execution
description: Well-known DNS Exfiltration tools execution
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '*\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
- Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
level: medium
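Review bot: `Image|endswith: '*\iodine.exe'` mixes a leading wildcard into a value that the `endswith` modifier already prefixes with `*`; drop the asterisk so it reads `'\iodine.exe'`, consistent with the `'\dnscat2'` entry below it.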
@@ -0,0 +1,22 @@
title: Exfiltration and tunneling tools execution
description: Execution of well known tools for data exfiltration and tunneling
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1020
logsource:
category: process_creation
product: windows
detection:
selection:
NewProcessName|endswith:
- '\plink.exe'
- '\socat.exe'
- '\stunnel.exe'
- '\httptunnel.exe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for exfiltration for other needs
level: medium
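Review bot: The selection uses `NewProcessName`, the raw event 4688 field name, but the `process_creation` category uses the generic `Image` field that the configuration maps to the backend's real name; as written the rule will not work with Sysmon-based configurations. Change it to `Image|endswith`.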
@@ -0,0 +1,24 @@
title: HH.exe execution
description: Identifies usage of hh.exe executing recently modified .chm files.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
date: 2019/10/24
modified: 2019/11/11
tags:
- attack.defense_evasion
- attack.execution
- attack.t1223
detection:
selection:
Image|endswith: '\hh.exe'
CommandLine|contains: '.chm'
condition: selection
falsepositives:
- unlike
level: high
logsource:
category: process_creation
product: windows
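Review bot: The description promises "recently modified .chm files", but process creation telemetry cannot express file modification time, so the description should be narrowed to what the rule checks (hh.exe with `.chm` on the command line). Typos: `falsepositives` "unlike" should be "Unlikely"; `author` "orignally".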
@@ -0,0 +1,25 @@
title: Indirect Command Execution
description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
date: 2019/10/24
modified: 2019/11/11
tags:
- attack.defense_evasion
- attack.t1202
detection:
selection:
ParentImage|endswith:
- '\pcalua.exe'
- '\forfiles.exe'
condition: selection
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
level: high
logsource:
category: process_creation
product: windows
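Review bot: The `falsepositives` entry itself says outlier processing is needed to separate this from commonly seen artifacts, which is inconsistent with `level: high`; lower the level or add the filtering to the rule.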
@@ -0,0 +1,23 @@
title: Interactive AT Job
description: Detect an interactive AT job, which may be used as a form of privilege escalation
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
date: 2019/10/24
modified: 2019/11/11
tags:
- attack.privilege_escalation
- attack.t1053
detection:
selection:
Image|endswith: '\at.exe'
CommandLine|contains: 'interactive'
condition: selection
falsepositives:
- Unlikely (at.exe deprecated as of Windows 8)
level: high
logsource:
category: process_creation
product: windows
@@ -0,0 +1,60 @@
title: Local accounts discovery
status: experimental
description: Local accounts, System Owner/User discovery using operating systems utilities
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
logsource:
category: process_creation
product: windows
detection:
selection_1:
- Image|endswith: '\whoami.exe'
- Image|endswith: '\wmic.exe'
CommandLine|contains|all:
- 'useraccount'
- 'get'
- Image|endswith:
- '\quser.exe'
- '\qwinsta.exe'
- Image|endswith: '\cmdkey.exe'
CommandLine|contains: '/list'
- Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/c'
- 'dir'
- '\Users\'
selection_2:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'user'
filter:
CommandLine|contains:
- '/domain' # local account discovery only
- '/add' # discovery only
- '/delete' # discovery only
- '/active' # discovery only
- '/expires' # discovery only
- '/passwordreq' # discovery only
- '/scriptpath' # discovery only
- '/times' # discovery only
- '/workstations' # discovery only
condition: selection_1 or ( selection_2 and not filter )
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
falsepositives:
- Legitimate administrator or user enumerates local users for legitimate reason
level: low
tags:
- attack.discovery
- attack.t1033
- attack.t1087
@@ -0,0 +1,31 @@
title: LSASS Memory Dumping
description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
- https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
tags:
- attack.credential_access
- attack.t1003
detection:
selection1:
CommandLine|contains|all:
- 'lsass'
- '.dmp'
selection2:
Image|endswith: '\werfault.exe'
selection3:
Image|contains: '\procdump'
Image|endswith: '.exe'
CommandLine|contains: 'lsass'
condition: selection1 and not selection2 or selection3
falsepositives:
- Unlikely
level: high
logsource:
category: process_creation
product: windows
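Review bot: `condition: selection1 and not selection2 or selection3` should be written as `(selection1 and not selection2) or selection3` so the precedence is explicit. The `werfault.exe` exclusion in `selection2` matches any path ending in that name; constraining it to the system directories (`\Windows\System32\werfault.exe`, `\Windows\SysWOW64\werfault.exe`) keeps the exclusion from applying to a binary of that name anywhere else.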
@@ -0,0 +1,22 @@
title: DTRACK Process Creation
status: experimental
description: Detects specific process parameters as seen in DTRACK infections
author: Florian Roth
date: 2019/10/30
references:
- https://securelist.com/my-name-is-dtrack/93338/
- https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
- https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '* echo EEEE > *'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Unlikely
level: critical
@@ -3,10 +3,12 @@ status: experimental
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
author: Florian Roth
date: 2019/09/30
modified: 2019/10/31
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
logsource:
category: process_creation
product: windows
@@ -15,10 +17,13 @@ detection:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine: 'C:\Windows\System32\\*.exe'
ParentCommandLine:
- 'C:\Windows\System32\\*.exe'
- 'C:\Windows\SysWOW64\\*.exe'
CommandLine:
- '*\cmd.exe /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- '*\cmd.exe /c del "C:\Users\\*\Desktop\\*.exe'
- '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- '* /c del "C:\Users\\*\Desktop\\*.exe'
- '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
condition: selection
fields:
- CommandLine
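Review bot: The new `CommandLine` patterns end in `.exe` with no trailing wildcard, so they require the command line to end exactly there; please verify against the referenced sandbox runs that the dropper path is not followed by a closing quote, otherwise a trailing `*` is needed. The comment above `ParentCommandLine` ("should not contain a space value") should also mention the SysWOW64 variant that was added.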
@@ -8,9 +8,7 @@ references:
author: Florian Roth
date: 2018/12/12
tags:
- attack.process_injection
- attack.t1055
- attack.signed_binary_proxy_execution
- attack.t1218
logsource:
category: process_creation
@@ -0,0 +1,42 @@
title: Meterpreter or Cobalt Strike getsystem service start
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2019/11/11
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
- attack.privilege_escalation
- attack.t1134
logsource:
category: process_creation
product: windows
detection:
selection_1:
ParentImage|endswith: '\services.exe'
selection_2:
- CommandLine|contains:
- 'cmd'
- 'comspec'
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- CommandLine|contains|all:
- 'cmd'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- CommandLine|contains|all:
- '%COMSPEC%'
- '/c'
- 'echo'
- '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- CommandLine|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection_1 and selection_2
falsepositives:
- Highly unlikely
level: critical
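Review bot: The first alternative in `selection_2`, `CommandLine|contains: ['cmd', 'comspec']`, subsumes the three more specific alternatives that follow it, so as written the rule fires on any child of `services.exe` whose command line contains "cmd", which does not fit `falsepositives: Highly unlikely` and `level: critical`; either drop the broad alternative or keep it alone and lower the level.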
@@ -0,0 +1,25 @@
title: Mshta Network Connections
description: Identifies suspicious mshta.exe commands
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
tags:
- attack.execution
- attack.defense_evasion
- attack.t1170
detection:
selection:
Image|endswith: '\mshta.exe'
CommandLine|contains: 'javascript'
condition: selection
falsepositives:
- unknown
level: high
logsource:
category: process_creation
product: windows
## todo — add sysmon eid 3 for this rule
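Review bot: The title says "Network Connections" but the rule is a `process_creation` rule keyed on `javascript` in the command line, so title and description do not describe what is detected; rename it, and keep the network part as the separate rule the trailing `todo` comment refers to rather than leaving the comment in the shipped file. `vbscript:` protocol handlers in mshta command lines are not covered.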
@@ -0,0 +1,27 @@
title: Windows Network Enumeration
status: stable
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/10/30
modified: 2019/11/11
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'view'
filter:
CommandLine|contains: '\\'
condition: selection and not filter
falsepositives:
- Legitimate use of net.exe utility by legitimate user
level: low
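Review bot: The filter `CommandLine|contains: '\\'` is a single Sigma backslash, so it excludes any command line that contains a backslash at all, not just `\\host` targets; `net1.exe` is normally launched by full path (`C:\Windows\system32\net1 view`), so that half of the selection would always be filtered out. Use `'\\\\'` to match a literal double backslash.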
@@ -0,0 +1,29 @@
title: Net.exe User Account Creation
status: experimental
description: Identifies creation of local users via the net.exe command
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
date: 2018/10/30
modified: 2019/11/11
tags:
- attack.persistance
- attack.credential_access
- attack.t1136
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains|all:
- 'user'
- 'add'
condition: selection
falsepositives:
- Legit user creation
- Better use event ids for user creation rather than command line rules
level: low
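Review bot: Tag typo: `attack.persistance` should be `attack.persistence`, otherwise the rule will not be found by tactic. `contains|all` on `user` and `add` also matches `net localgroup ... /add` lines that happen to contain "user", which is group membership rather than account creation; the description should say so.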
@@ -0,0 +1,23 @@
title: Capture a Network Trace with netsh.exe
status: experimental
description: Detects capture a network trace via netsh.exe trace functionality
references:
- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
author: Kutepov Anton, oscd.community
date: 2019/10/24
tags:
- attack.discovery
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- netsh
- trace
- start
condition: selection
falsepositives:
- Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason
level: medium
@@ -0,0 +1,32 @@
title: Network Sniffing
status: experimental
description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\tshark.exe'
CommandLine|contains: '-i'
- Image|endswith: '\windump.exe'
condition: selection
falsepositives:
- Admin activity
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
level: low
tags:
- attack.credential_access
- attack.discovery
- attack.t1040
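Review bot: `CommandLine|contains: '-i'` matches the two characters `-i` anywhere on the tshark command line, including inside file paths and longer switches, so the tshark branch degrades to "tshark.exe ran with almost any arguments". Express the interface flag as its own token (a regex such as `\s-i(\s|\d)` via `|re`, or `' -i '` if a plain string is preferred) so that reading a capture file with `-r` is not flagged as sniffing. The windump.exe branch carries no CommandLine condition at all, which is inconsistent with the tshark branch; either both should require a capture flag or neither, and `falsepositives` should say more than "Admin activity" for a tool whose only purpose is packet capture.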
@@ -0,0 +1,20 @@
title: T1086 Non Interactive PowerShell
description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
filter:
ParentImage|endswith: '\explorer.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
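Review bot: `level: critical` does not fit a selection that matches every powershell.exe whose parent is not explorer.exe; scheduled tasks, services, logon scripts, management agents and anything started from a cmd.exe prompt meet this condition, yet `falsepositives` says Unknown. Lower the level and list those parents under `falsepositives`, or add a `filter` for the common benign parents. Separately, the rule has no handling for events where `ParentImage` is absent (compare the `filter_null` block in the masquerading rule further down in this diff): with `selection and not filter`, a missing parent field makes the filter false and the event a hit.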
@@ -16,15 +16,16 @@ logsource:
product: windows
detection:
selection:
CommandLine:
- '*\msdt.exe*'
- '*\installutil.exe*'
- '*\regsvcs.exe*'
- '*\regasm.exe*'
# - '*\regsvr32.exe*' # too many FPs, very noisy
- '*\msbuild.exe*'
- '*\ieexec.exe*'
- '*\mshta.exe*'
CommandLine|contains:
- '\msdt.exe'
- '\installutil.exe'
- '\regsvcs.exe'
- '\regasm.exe'
# - '\regsvr32.exe' # too many FPs, very noisy
- '\msbuild.exe'
- '\ieexec.exe'
#- '\mshta.exe'
#- '\csc.exe'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
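Review bot: commenting out `'\mshta.exe'` silently removes a previously active indicator from this rule with no reason recorded, whereas the `regsvr32.exe` entry carries `# too many FPs, very noisy`. Add the same kind of comment to both the disabled `'\mshta.exe'` and the newly added but disabled `'\csc.exe'`, so the coverage change is traceable, and make sure the rule's `modified` date reflects it. The switch from `'*\msdt.exe*'`-style wildcards to `CommandLine|contains` is behaviour-preserving and fine.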
@@ -0,0 +1,31 @@
title: Possible Rotten Potato detection - privilege escalation fro Service accounts to SYSTEM
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
tags:
- attack.privilege_escalation
- attack.t1134
status: experimental
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2019/11/11
logsource:
category: process_creation
product: windows
detection:
selection:
ParentUser:
- 'NT AUTHORITY\NETWORK SERVICE'
- 'NT AUTHORITY\LOCAL SERVICE'
User: 'NT AUTHORITY\SYSTEM'
rundllexception:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'DavSetCookie'
condition: selection and not rundllexception
falsepositives:
- Unknown
level: high
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
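Review bot: `ParentUser` is not a field that Sysmon Event ID 1 or Security 4688 provides natively; the selection only works after the parent-info enrichment listed under `enrichment:` has run, and neither `enrichment:` nor `ParentUser` is part of the standard Sigma process_creation schema, so most backends will emit a query against a field that does not exist and the rule will never match. State that dependency in `description` so nobody deploys it as a plain process_creation rule. Also fix the title typo `fro` → `from`.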
@@ -0,0 +1,22 @@
title: Audio Capture via PowerShell
description: Detects audio capture via PowerShell Cmdlet
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
tags:
- attack.collection
- attack.t1123
detection:
selection:
CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
level: medium
logsource:
category: process_creation
product: windows
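Review bot: the selection keys on the literal string `WindowsAudioDevice-Powershell-Cmdlet`, which is the name of the module used by the referenced Atomic Red Team test, so the rule fires only when that exact name is present on the powershell.exe command line (for example as the path given to `Import-Module`). The same capture performed by calling the module's cmdlets from a script file, or after renaming the module folder, produces no match. Say so in `description` and either treat it as a test-signature rule (`level: low`) or extend the selection with the cmdlet names. `orignally` in `author` is misspelled.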
@@ -0,0 +1,24 @@
title: Suspicious Bitsadmin Job via PowerShell
status: experimental
description: Detect download by BITS jobs via PowerShell
references:
- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
author: Endgame, JHasenbusch (ported to sigma for oscd.community)
date: 2018/10/30
modified: 2019/11/11
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1197
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: 'Start-BitsTransfer'
condition: selection
falsepositives:
- Unknown
level: medium
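Review bot: title and description speak of Bitsadmin/BITS jobs, but the selection matches only the `Start-BitsTransfer` PowerShell cmdlet; `bitsadmin.exe /transfer`, the LOLBin covered by the T1197 reference, is not caught. Either rename to "Suspicious BITS transfer via PowerShell" or add a second selection on `Image|endswith: '\bitsadmin.exe'`. `falsepositives: Unknown` also understates it: `Start-BitsTransfer` is a documented, common way to download files in administrative and deployment scripts.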
@@ -8,6 +8,7 @@ references:
- https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
- https://attack.mitre.org/techniques/T1036/
date: 2019/02/23
modified: 2019/08/20
tags:
- attack.defense_evasion
- attack.t1036
@@ -30,6 +31,8 @@ detection:
ParentImage:
- '*\System32\\*'
- '*\SysWOW64\\*'
- '*\SavService.exe'
- '*\Windows Defender\\*\MsMpEng.exe'
filter_null:
ParentImage: null
condition: selection and not filter and not filter_null
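Review bot: the new filter entry `'*\SavService.exe'` excludes any parent whose file name is SavService.exe regardless of where it lives, which hands an attacker a trivial bypass of this masquerading rule (drop a binary with that name anywhere and have it spawn the suspicious child). The `'*\Windows Defender\\*\MsMpEng.exe'` entry right below it is correctly constrained to its install directory; anchor the Sophos exclusion to its program directory the same way.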
@@ -0,0 +1,44 @@
title: Query Registry
status: experimental
description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'query'
- 'save'
- 'export'
selection_2:
CommandLine|contains:
- 'currentVersion\windows'
- 'currentVersion\runServicesOnce'
- 'currentVersion\runServices'
- 'winlogon\'
- 'currentVersion\shellServiceObjectDelayLoad'
- 'currentVersion\runOnce'
- 'currentVersion\runOnceEx'
- 'currentVersion\run'
- 'currentVersion\policies\explorer\run'
- 'currentcontrolset\services'
condition: selection_1 and selection_2
fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
level: low
tags:
- attack.discovery
- attack.t1012
- attack.t1007
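Review bot: in `selection_2`, `'currentVersion\run'` is a substring of `runOnce`, `runOnceEx`, `runServices` and `runServicesOnce`, so those four entries are redundant (harmless, but misleading about what is covered); conversely `'currentcontrolset\services'` matches every `reg query` under the Services hive, including routine troubleshooting, and will dominate the hits. Consider splitting the services key into its own selection, and add a `falsepositives` section, which this rule is missing entirely.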
@@ -0,0 +1,19 @@
title: T1086 Remote PowerShell Session
description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn)
status: experimental
date: 2019/09/12
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wsmprovhost.exe'
- ParentImage|endswith: '\wsmprovhost.exe'
condition: selection
falsepositives:
- Unknown
level: critical
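Review bot: `level: critical` with `falsepositives: Unknown` does not match what the selection does: wsmprovhost.exe is the host process for every WinRM/PowerShell Remoting session, so this fires on all legitimate `Enter-PSSession`/`Invoke-Command` administration and on remoting-based configuration management tooling. Lower the level, or make the rule actionable by pairing wsmprovhost.exe as parent with a suspicious child image or command line. Typos in `description`: `seccions` → `sessions`, `sessionn` → `session`.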
@@ -0,0 +1,29 @@
title: Discovery of a system time
description: Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
tags:
- attack.discovery
- attack.t1124
detection:
selection:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'time'
- Image|endswith: '\w32tm.exe'
CommandLine|contains: 'tz'
- Image|endswith: '\powershell.exe'
CommandLine|contains: 'Get-Date'
condition: selection
falsepositives:
- Legitimate use of the system utilities to discover system time for legitimate reason
level: high
logsource:
category: process_creation
product: windows
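Review bot: `level: high` is too high for this selection: `net time`, `w32tm /tz` and `Get-Date` are everyday administrative and scripting commands, and the rule itself names legitimate use as the expected false positive. `CommandLine|contains: 'time'` also matches any net.exe invocation whose arguments merely contain that substring, and `'Get-Date'` matches every PowerShell one-liner that formats a timestamp. Set `level: low`, consistent with the other discovery rules in this diff, and tighten the net.exe branch to `' time'`. `orignally` in `author` is misspelled.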
@@ -1,8 +1,9 @@
title: Renamed Binary
status: experimental
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
author: Matthew Green - @mgreen27
author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements)
date: 2019/06/15
modified: 2019/11/11
references:
- https://attack.mitre.org/techniques/T1036/
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
@@ -16,40 +17,46 @@ logsource:
detection:
selection:
OriginalFileName:
- "cmd.exe"
- "powershell.exe"
- "powershell_ise.exe"
- "psexec.exe"
- "psexec.c" # old versions of psexec (2016 seen)
- "cscript.exe"
- "wscript.exe"
- "mshta.exe"
- "regsvr32.exe"
- "wmic.exe"
- "certutil.exe"
- "rundll32.exe"
- "cmstp.exe"
- "msiexec.exe"
- "7z.exe"
- "winrar.exe"
- 'cmd.exe'
- 'powershell.exe'
- 'powershell_ise.exe'
- 'psexec.exe'
- 'psexec.c' # old versions of psexec (2016 seen)
- 'cscript.exe'
- 'wscript.exe'
- 'mshta.exe'
- 'regsvr32.exe'
- 'wmic.exe'
- 'certutil.exe'
- 'rundll32.exe'
- 'cmstp.exe'
- 'msiexec.exe'
- '7z.exe'
- 'winrar.exe'
- 'wevtutil.exe'
- 'net.exe'
- 'net1.exe'
filter:
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\powershell_ise.exe'
- '*\psexec.exe'
- '*\psexec64.exe'
- '*\cscript.exe'
- '*\wscript.exe'
- '*\mshta.exe'
- '*\regsvr32.exe'
- '*\wmic.exe'
- '*\certutil.exe'
- '*\rundll32.exe'
- '*\cmstp.exe'
- '*\msiexec.exe'
- '*\7z.exe'
- '*\winrar.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\psexec.exe'
- '\psexec64.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\wmic.exe'
- '\certutil.exe'
- '\rundll32.exe'
- '\cmstp.exe'
- '\msiexec.exe'
- '\7z.exe'
- '\winrar.exe'
- '\wevtutil.exe'
- '\net.exe'
- '\net1.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
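Review bot: the `filter` only checks that the image file name is one of the known tool names, not that it matches the `OriginalFileName` of the same event, so a powershell.exe copied to `cmd.exe` (or to any other name in the filter list) is excluded even though that is exactly the renaming this rule is about. A robust version pairs each OriginalFileName with its own image name (one selection per tool, e.g. `OriginalFileName: 'powershell.exe'` filtered by `Image|endswith: '\powershell.exe'`), or uses a backend feature that compares the two fields directly where one exists. The newly added `wevtutil.exe`, `net.exe` and `net1.exe` entries are symmetric in both lists, which is correct for the current structure.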
@@ -0,0 +1,24 @@
title: Service Execution
status: experimental
description: Detects manual service execution (start) via system utilities
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019/10/21
modified: 2019/11/04
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|re: '.*start.*[a-zA-Z0-9]' # search for a service name after 'net start', avoiding intersection with "service discovery" technique detection rules
condition: selection
falsepositives:
- Legitimate administrator or user executes a service for legitimate reason
level: low
tags:
- attack.execution
- attack.t1035
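Review bot: the regex `.*start.*[a-zA-Z0-9]` is unanchored and case-sensitive, so it also matches `start` appearing inside the image path (any folder whose name contains that word), misses `NET START <svc>` typed in upper case, and the leading `.*` is unnecessary in a search regex. The `|re` modifier is also not supported by every backend (the release notes in this same commit list regex support as newly added for es-dsl). A portable alternative that keeps the intent of "a service name follows the verb" is `CommandLine|contains: ' start '` (trailing space), which is case-insensitive on most backends and does not match a bare `net start` listing.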
@@ -18,7 +18,7 @@ detection:
ParentImage:
- '*\mshta.exe'
- '*\powershell.exe'
- '*\cmd.exe'
# - '*\cmd.exe' # too many false positives
- '*\rundll32.exe'
- '*\cscript.exe'
- '*\wscript.exe'
@@ -0,0 +1,23 @@
title: Audio Capture via SoundRecorder
description: Detect attacker collecting audio via SoundRecorder application
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
- https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
tags:
- attack.collection
- attack.t1123
detection:
selection:
Image|endswith: '\SoundRecorder.exe'
CommandLine|contains: '/FILE'
condition: selection
falsepositives:
- Legitimate audio capture by legitimate user
level: medium
logsource:
category: process_creation
product: windows
@@ -0,0 +1,26 @@
title: Application whitelisting bypass via bginfo
status: experimental
description: Execute VBscript code that is referenced within the *.bgi file.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218
level: medium
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\bginfo.exe'
CommandLine|contains|all:
- '/popup'
- '/nolicprompt'
condition: selection
falsepositives:
- Unknown
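Review bot: `description` is the LOLBAS technique text ("Execute VBscript code that is referenced within the *.bgi file.") rather than a description of what the rule detects; write it as "Detects bginfo.exe started with /popup and /nolicprompt, the switches used to execute VBScript referenced from a .bgi file". Requiring both switches via `contains|all` also means an invocation that omits either one is missed, so consider whether a `.bgi` path on the command line should match as well. `falsepositives: Unknown` should mention that BGInfo is routinely deployed to servers via logon scripts with `/nolicprompt`.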
@@ -0,0 +1,24 @@
title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
status: experimental
description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
- http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218
level: medium
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cdb.exe'
CommandLine|contains: '-cf'
condition: selection
falsepositives:
- Legitimate use of debugging tools
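Review bot: `CommandLine|contains: '-cf'` covers only the script-file option; cdb also accepts an initial debugger command string via `-c "<commands>"`, which can carry the same debugger commands without a .wds file, so the description's "shellcode from the x64_calc.wds file" is just one shape of the technique. Consider adding `-c` and handling developer hosts through a configuration filter rather than in the rule. The description is again copied from LOLBAS; rewrite it as what is detected (cdb.exe started with a script or command argument).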
@@ -0,0 +1,24 @@
title: Devtoolslauncher.exe executes specified binary
status: experimental
description: The Devtoolslauncher.exe executes other binary
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml
- https://twitter.com/_felamos/status/1179811992841797632
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
date: 2019/10/12
modified: 2019/11/04
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218
level: critical
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\devtoolslauncher.exe'
CommandLine|contains: 'LaunchForDeploy'
condition: selection
falsepositives:
- Legitimate use of devtoolslauncher.exe by legitimate user
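Review bot: `level: critical` is inconsistent with a `falsepositives` entry that names legitimate use of devtoolslauncher.exe; `LaunchForDeploy` is the tool's normal operating argument, so every legitimate deployment fires the rule too. Either drop to `high` (the binary is rare enough outside developer machines that any hit is worth a look) or add a condition on the path of the launched binary. `description` ("The Devtoolslauncher.exe executes other binary") should state the detection: devtoolslauncher.exe started with LaunchForDeploy to run an arbitrary binary.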
@@ -0,0 +1,38 @@
title: Direct autorun keys modification
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
tags:
- attack.persistence
- attack.t1060
date: 2019/10/25
modified: 2019/11/10
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|endswith: '*\reg.exe'
CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
selection_2:
CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
- '\software\Microsoft\Windows\CurrentVersion\Run'
- '\software\Microsoft\Windows\CurrentVersion\RunOnce'
- '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
- '\software\Microsoft\Windows\CurrentVersion\RunServices'
- '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
- '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
- '\software\Microsoft\Windows NT\CurrentVersion\Windows'
- '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
- '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
condition: selection_1 and selection_2
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: high
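Review bot: `Image|endswith: '*\reg.exe'` mixes a wildcard into an `endswith` value; the modifier already supplies the leading wildcard, and depending on the backend the `*` is either doubled or escaped and matched literally, in which case the rule never fires. Use `'\reg.exe'` as the Query Registry rule in this diff does. Also `'\software\Microsoft\Windows\CurrentVersion\Run'` already covers the RunOnce, RunOnceEx, RunServices and RunServicesOnce entries below it by substring match, so those four are redundant.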
@@ -0,0 +1,23 @@
title: Application Whitelisting bypass via dnx.exe
status: experimental
description: Execute C# code located in the consoleapp folder
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218
level: medium
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dnx.exe'
condition: selection
falsepositives:
- Legitimate use of dnx.exe by legitimate user
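Review bot: the first reference points at the LOLBAS `Csi.yml` entry (csi.exe), but the rule is about dnx.exe; fix the link to the LOLBAS entry for dnx.exe. The detection is `Image|endswith: '\dnx.exe'` with no further condition, so it flags every execution of the legacy .NET Execution Environment, which on a developer machine with that toolchain installed is constant; say so under `falsepositives`. The description ("Execute C# code located in the consoleapp folder") is the LOLBAS example text rather than a statement of what the rule detects.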
