diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..c37e37752 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,91 @@ +# Release Notes + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) +from version 0.14.0. + +## Unreleased + +Changes from this section will be contained in the next release. + +### Added + +* sigma-similarity tool +* LimaCharlie backend +* Default configurations for some backends that are used if no configuration is passed. +* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl) +* Value modifiers: + * startswith + * endswith + +### Changed + +* Removal of line breaks in elastalert output +* Searches not bound to fields are restricted to keyword fields in es-qs backend +* Graylog backend now based on es-qs backend +* Type errors are now ignored with -I + +## 0.13 + +### Added + +* Index mappings for Sumologic +* Malicious cmdlets in wdatp +* QRadar support for keyword searches +* QRadar mapping improvements +* QRadar field selection +* QRadar type regex modifier support +* Elasticsearch keyword field blacklisting with wildcards +* Added dateField configuration parameter in xpack-watcher backend +* Field mappings in configurations +* Field name mapping for conditional fields +* Value modifiers: + * utf16 + * utf16le + * wide + * utf16be + +### Changed + +* Improved --backend-config help text + +### Fixed + +* Backend errors in ala +* Slash escaping within es-dsl wildcard queries +* QRadar backend config +* QRadar field name and value escaping and handling +* Elasticsearch wildcard detection pattern +* Aggregation on keyword field in es-dsl backend + +## 0.12.1 + +### Fixed + +* Missing build dependency + +## 0.12 + +### Added + +* Usage of "Channel" field in ELK Windows configuration +* Fields to mappings +* xpack-watcher actions index and webhook +* Config for Winlogbeat 7.x +* Value modifiers +* 
Regular expression support + +### Changed + +* Warning/error messages +* Sumologic value cleaning +* Explicit OR for Elasticsearch query strings +* Listing of available configurations on missing configuration error + +### Fixed + +* Conditions in es-dsl backend +* Sumologic handling of null values +* Ignore timeframe detection keyword in all/any of conditions \ No newline at end of file diff --git a/CHANGELOG.md.j2 b/CHANGELOG.md.j2 new file mode 100644 index 000000000..8dd07eee2 --- /dev/null +++ b/CHANGELOG.md.j2 @@ -0,0 +1,38 @@ +## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }}) + +### Added + +{% for item in added %} +* {{ item | indent(2) }} +{% endfor %} + +### Changed + +{% for item in changed %} +* {{ item | indent(2) }} +{% endfor %} + +### Deprecated + +{% for item in deprecated %} +* {{ item | indent(2) }} +{% endfor %} + +### Removed + +{% for item in removed %} +* {{ item | indent(2) }} +{% endfor %} + +### Fixed + +{% for item in fixed %} +* {{ item | indent(2) }} +{% endfor %} + +### Security + +{% for item in security %} +* {{ item | indent(2) }} +{% endfor %} + diff --git a/Pipfile.lock b/Pipfile.lock index e6143397c..776e1a075 100644 --- a/Pipfile.lock +++ b/Pipfile.lock 
@@ -207,25 +207,25 @@ }, "pymisp": { "hashes": [ - "sha256:1983808d9a834c26d42d52871af1f86dc9739c9f2ee22091cf4a2a62ce6a171d", - "sha256:32675ce303f9d06698eb390c5381cb1de430d355e203612264bce6cd53972b95", - "sha256:9cf1187b5d618bd2b0e631cc877586b7cd5d02b59322a509a4f5ad07496cd171" + "sha256:17b145dbc39a1ba4ebce60e8b75a479d2c8fd3c2a239f32682f2e1a3636469ec", + "sha256:814023f346f9e1dcf6763d93450df44ff0157f2061c612a7eaf2020280f588a3", + "sha256:de67196f6a8916b9c52a84a1c45ea967c53fa9d2b3795b070ad2c1cbc28d79d7" ], "index": "pypi", - "version": "==2.4.117" + "version": "==2.4.117.2" }, "pyrsistent": { "hashes": [ - "sha256:34b47fa169d6006b32e99d4b3c4031f155e6e68ebcc107d6454852e8e0ee6533" + "sha256:eb6545dbeb1aa69ab1fb4809bfbf5a8705e44d92ef8fc7c2361682a47c46c778" ], - "version": "==0.15.4" + "version": "==0.15.5" }, "python-dateutil": { "hashes": [ - "sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb", - "sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e" + "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", + "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" ], - "version": "==2.8.0" + "version": "==2.8.1" }, "python-utils": { "hashes": [ 
@@ -262,19 +262,19 @@
 },
 "six": {
 "hashes": [
- "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c",
- "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73"
+ "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd",
+ "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66"
 ],
- "version": "==1.12.0"
+ "version": "==1.13.0"
 },
 "typing-extensions": {
 "hashes": [
- "sha256:2ed632b30bb54fc3941c382decfd0ee4148f5c591651c9272473fea2c6397d95",
- "sha256:b1edbbf0652660e32ae780ac9433f4231e7339c7f9a8057d0f042fcbcea49b87",
- "sha256:d8179012ec2c620d3791ca6fe2bf7979d979acdbef1fca0bc56b37411db682ed"
+ "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2",
+ "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d",
+ "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575"
 ],
 "markers": "python_version < '3.7'",
- "version": "==3.7.4"
+ "version": "==3.7.4.1"
 },
 "urllib3": {
 "hashes": [
diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml
new file mode 100644
index 000000000..5e42646de
--- /dev/null
+++ b/rules/generic/generic_brute_force.yml
@@ -0,0 +1,26 @@
+title: Brute Force
+description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
+references:
+ - None
+tags:
+ - attack.t1110
+author: Aleksandr Akhremchik, oscd.community
+date: 2019/10/25
+status: experimental
+logsource:
+ category: authentication
+detection:
+ selection:
+ action: failure
+ timeframe: 600s
+ condition: selection | count(category) by dst_ip > 30
+fields:
+ - src_ip
+ - dst_ip
+ - user
+falsepositives:
+ - Inventarization
+ - Penetration testing
+ - Vulnerability scanner
+ - Legitimate application
+level: medium
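Review bot: `condition: selection | count(category) by dst_ip > 30` does not implement the description's "from one source to one destination": it groups by destination only, so thirty failures from thirty different clients against one busy service fire the rule, and `category` is a constant logsource value that adds nothing as the counted field. If the intent is per-attacker, `condition: selection | count() by src_ip > 30` matches the description better; as far as I know the aggregation syntax takes a single group-by field, so a true per-(src, dst) pair count would need the description reworded instead. `references: - None` is a placeholder, and `Inventarization` under falsepositives looks like a typo for `Inventory`.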
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
new file mode 100644
index 000000000..cd02b1595
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml
@@ -0,0 +1,33 @@
+title: Auditing configuration changes on linux host
+description: Detect changes if auditd configuration files
+ # Example config for this one (place it at the top of audit.rules)
+ # -w /etc/audit/ -p wa -k etc_modify_auditconfig
+ # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig
+ # -w /etc/audisp/ -p wa -k etc_modify_audispconfig
+references:
+ - https://github.com/Neo23x0/auditd/blob/master/audit.rules
+ - self experience
+tags:
+ - attack.defense_evasion
+ - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ key:
+ - 'etc_modify_auditconfig'
+ - 'etc_modify_libauditconfig'
+ - 'etc_modify_audispconfig'
+ condition: selection
+fields:
+ - exe
+ - comm
+ - key
+falsepositives:
+ - Legitimate administrative activity
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
new file mode 100644
index 000000000..526e3f965
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
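Review bot: `description: Detect changes if auditd configuration files` reads as a typo for `of`, and more importantly the rule only fires once the `-w ... -k etc_modify_*` watches shown in the YAML comments are installed, a precondition that comments do not carry into a converted query or a rule catalogue. Suggest stating it in the description, e.g. `description: Detects changes of auditd configuration files; requires audit watches keyed etc_modify_auditconfig / etc_modify_libauditconfig / etc_modify_audispconfig (see comments)`. The same applies to lnx_auditd_logging_config_change.yml and lnx_auditd_web_rce.yml in this commit, whose `key` values are likewise operator-defined.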
@@ -0,0 +1,23 @@
+title: Modification of ld.so.preload
+description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name: '/etc/ld.so.preload'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
new file mode 100644
index 000000000..c9977f619
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml
@@ -0,0 +1,32 @@
+title: Logging configuration changes on linux host
+description: Detect changes of syslog daemons configuration files
+ # Example config for this one (place it at the top of audit.rules)
+ # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig
+ # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig
+ # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig
+references:
+ - self experience
+tags:
+ - attack.defense_evasion
+ - attack.t1054
+author: Mikhail Larin, oscd.community
+status: experimental
+date: 2019/10/25
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ key:
+ - 'etc_modify_syslogconfig'
+ - 'etc_modify_rsyslogconfig'
+ - 'etc_modify_syslogngconfig'
+ condition: selection
+fields:
+ - exe
+ - comm
+ - key
+falsepositives:
+ - Legitimate administrative activity
+level: high
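Review bot: `type: 'PATH'` with `name: '/etc/ld.so.preload'` matches every PATH record that names the file, with no constraint on the access that produced it, so what the rule actually sees depends entirely on which audit watch the operator installed (a `-p wa` watch yields writes and attribute changes, a `-p rwa` watch also yields each read). Unlike the sibling auditd rules in this commit, this rule does not say which watch it assumes; a comment such as `# requires: -w /etc/ld.so.preload -p wa -k <your_key>` would make the dependency explicit, and the PATH record's `nametype` field could narrow the match to creates if the backend exposes it — confirm against the field mapping. `orignally` in the author line is a typo.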
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
new file mode 100644
index 000000000..8e0e6012e
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -0,0 +1,22 @@
+title: Masquerading as Linux crond process
+status: experimental
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'execve'
+ a0: 'cp'
+ a1: '-i'
+ a2: '/bin/sh'
+ a3: '*/crond'
+ condition: selection
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1036
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
new file mode 100644
index 000000000..8ccef1273
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -0,0 +1,24 @@
+title: System Owner or User Discovery
+status: experimental
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'EXECVE'
+ a0:
+ - 'users'
+ - 'w'
+ - 'who'
+ condition: selection
+falsepositives:
+ - Admin activity
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
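Review bot: `type: 'execve'` is lower-case here while lnx_auditd_user_discovery.yml in the same commit uses `type: 'EXECVE'`; the auditd record type is spelled `EXECVE`, and whether a backend compares the value case-insensitively depends on the field mapping, so one spelling (`type: 'EXECVE'`) should be used throughout — lnx_data_compressed.yml and lnx_network_sniffing.yml carry the same lower-case form. The selection also pins the exact argument vector of the referenced atomic test (`a0: 'cp'`, `a1: '-i'`, `a2: '/bin/sh'`, `a3: '*/crond'`), so it is a test-case matcher rather than a detector for the technique named in the title; stating that in the description would help readers calibrate what a hit and a miss mean. `falsepositives:` is absent in this rule although the sibling rule on this line has it.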
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
new file mode 100644
index 000000000..d7c6463cd
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -0,0 +1,28 @@
+title: Webshell Remote Command Execution
+status: experimental
+description: Detects posible command execution by web application/web shell
+# You need to add to the config auditd.conf:
+# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
+# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
+# change 33 to id you webserver user. default: www-data:x:33:33
+tags:
+ - attack.persistence
+ - attack.t1100
+references:
+ - personal experience
+author: Ilyas Ochkov, Beyu Denis, oscd.community
+date: 2019/10/12
+modified: 2019/11/04
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ SYSCALL: 'execve'
+ key: 'detect_execve_www'
+ condition: selection
+falsepositives:
+ - Admin activity
+ - Crazy web applications
+level: critical
diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
new file mode 100644
index 000000000..00bd269b0
--- /dev/null
+++ b/rules/linux/auditd/lnx_data_compressed.yml
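Review bot: `# You need to add to the config auditd.conf:` names the wrong file — the `-a always,exit -F arch=... -S execve -F euid=33 -k detect_execve_www` lines are audit rules and belong in audit.rules (or a file under /etc/audit/rules.d/), not in the daemon's auditd.conf; suggest `# Add these audit rules to audit.rules (or /etc/audit/rules.d/), adjusting euid to your web server user:`. Because YAML comments are lost on conversion, the `description` should also say that the `detect_execve_www` key has to be provisioned, otherwise a deployed rule silently never fires. `posible` in the description is a typo.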
@@ -0,0 +1,30 @@ +title: Data Compressed +status: experimental +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml +logsource: + product: linux + service: auditd +detection: + selection1: + type: 'execve' + a0: 'zip' + selection2: + type: 'execve' + a0: 'gzip' + a1: '-f' + selection3: + type: 'execve' + a0: 'tar' + a1|contains: '-c' + condition: 1 of them +falsepositives: + - Legitimate use of archiving tools by legitimate user +level: low +tags: + - attack.exfiltration + - attack.t1002 diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml new file mode 100644 index 000000000..4049f170c --- /dev/null +++ b/rules/linux/auditd/lnx_network_sniffing.yml 
@@ -0,0 +1,30 @@
+title: Network Sniffing
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'execve'
+ a0: 'tcpdump'
+ a1: '-c'
+ a3|contains: '-i'
+ selection2:
+ type: 'execve'
+ a0: 'tshark'
+ a1: '-c'
+ a3: '-i'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administrator or user uses network sniffing tool for legitimate reason
+level: low
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml
index 90a889dc2..fd47f29df 100644
--- a/rules/network/net_dns_c2_detection.yml
+++ b/rules/network/net_dns_c2_detection.yml
@@ -7,7 +7,7 @@ references:
 author: Patrick Bareiss
 date: 2019/04/07
 logsource:
- product: dns
+ category: dns
 detection:
 selection:
 parent_domain: '*'
@@ -16,4 +16,5 @@ falsepositives:
 - Valid software, which uses dns for transferring data
 level: high
 tags:
- - attack.t1043
+ - attack.t1048
+ - attack.exfiltration
diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml
new file mode 100644
index 000000000..b435c5359
--- /dev/null
+++ b/rules/network/net_high_dns_bytes_out.yml
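Review bot: The argument positions in `selection1` (`a1: '-c'`, `a3|contains: '-i'`) and `selection2` (`a1: '-c'`, `a3: '-i'`) mirror one specific invocation from the referenced atomic test, so an ordinary capture such as `tcpdump -i eth0` puts `-i` in a1 and is not matched; the two selections are also inconsistent with each other (`contains` versus exact match on a3). If the goal is the tool rather than the test, matching on `a0` alone, or on `-i` in each of the first few argument fields via separate selections, would be broader; at minimum align selection2 to `a3|contains: '-i'`. The `description` could note that the rule is scoped to the atomic test's argument order so operators know its coverage.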
@@ -0,0 +1,29 @@ +--- +action: global +title: High DNS bytes out +description: High DNS queries bytes amount from host per short period of time +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +falsepositives: + - Legitimate high DNS bytes out rate to domain name which should be added to whitelist +level: medium +--- +logsource: + category: dns +detection: + selection: + query: '*' + timeframe: 1m + condition: selection | sum(question_length) by src_ip > 300000 +--- +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection | sum(message_size) by src_ip > 300000 diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml new file mode 100644 index 000000000..3eb99ede7 --- /dev/null +++ b/rules/network/net_high_dns_requests_rate.yml @@ -0,0 +1,29 @@ +--- +action: global +title: High DNS requests rate +description: High DNS requests amount from host per short period of time +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +falsepositives: + - Legitimate high DNS requests rate to domain name which should be added to whitelist +level: medium +--- +logsource: + category: dns +detection: + selection: + query: '*' + timeframe: 1m + condition: selection | count() by src_ip > 1000 +--- +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection | count() by src_ip > 1000 diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml new file mode 100644 index 000000000..3a42156a0 --- /dev/null +++ b/rules/network/net_high_null_records_requests_rate.yml 
@@ -0,0 +1,18 @@ +title: High NULL records requests rate +description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + selection: + record_type: "NULL" + timeframe: 1m + condition: selection | count() by src_ip > 50 +falsepositives: + - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist +level: medium diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml new file mode 100644 index 000000000..58f19c5ef --- /dev/null +++ b/rules/network/net_high_txt_records_requests_rate.yml @@ -0,0 +1,18 @@ +title: High TXT records requests rate +description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + selection: + record_type: "TXT" + timeframe: 1m + condition: selection | count() by src_ip > 50 +falsepositives: + - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist +level: medium \ No newline at end of file diff --git a/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml new file mode 100644 index 000000000..68a629cda --- /dev/null +++ b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml 
@@ -0,0 +1,18 @@
+title: Suspicious reverse connect via HTTP proxy
+status: experimental
+description: Detects auth on proxy-server by machine account (aka SYSTEM)
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
+tags:
+ - attack.command_and_control
+ - attack.t1043
+logsource:
+ category: proxy
+detection:
+ selection:
+ username|re: '\S+\$$'
+ condition: selection
+falsepositives:
+ - Update OS or other softs which start by SYSTEM
+ - User account with $ in attribute "SamAccountName"
diff --git a/rules/unsupported_logic/net_dns_high_subdomain_rate.yml b/rules/unsupported_logic/net_dns_high_subdomain_rate.yml
new file mode 100644
index 000000000..6b76a1ef7
--- /dev/null
+++ b/rules/unsupported_logic/net_dns_high_subdomain_rate.yml
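Review bot: The rule has neither a `level:` nor a `date:` field; every other rule in this commit carries both, and the hunk header (`+1,18`) shows they are absent rather than collapsed in the rendering. Add `date: <YYYY/MM/DD>` and a level of the author's choosing, e.g. `level: medium`, so tooling that keys on level does not drop the rule. `username|re: '\S+\$$'` depends on the regular-expression value modifier that the CHANGELOG hunk in this same commit lists as newly supported for es-dsl, so backends without that support may reject the rule — worth a sentence in the description.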
@@ -0,0 +1,41 @@ +title: High DNS subdomain requests rate per domain +description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/21 +modified: 2019/11/04 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + dns_question_name: + query: "*" + default_list_of_well_known_domains: + query_etld_plus_one: + - "akadns.net" + - "akamaiedge.net" + - "amazonaws.com" + - "apple.com" + - "apple-dns.net" + - "cloudfront.net" + - "icloud.com" + - "in-addr.arpa" + - "google.com" + - "yahoo.com" + - "dropbox.com" + - "windowsupdate.com" + - "microsoftonline.com" + - "s-microsoft.com" + - "office365.com" + - "linkedin.com" + timeframe: 15m + condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains + # for each host in timeframe + # for each dns_question_etld_plus_one + # if number of dns_question_name > 200 + # dns_question_etld_plus_one is not in default_list_of_well_known_domains +falsepositives: + - Legitimate domain name requested, which should be added to whitelist +level: high +status: experimental diff --git a/rules/unsupported_logic/net_dns_large_domain_name.yml b/rules/unsupported_logic/net_dns_large_domain_name.yml new file mode 100644 index 000000000..463ff1e05 --- /dev/null +++ b/rules/unsupported_logic/net_dns_large_domain_name.yml 
@@ -0,0 +1,36 @@
+title: Large domain name request
+description: Detects large DNS domain names
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+tags:
+ - attack.exfiltration
+ - attack.t1048
+logsource:
+ category: dns
+detection:
+ selection:
+ query_length: "> 70" # IS MORE THAN 70 bytes
+ default_list_of_well_known_domains:
+ query_etld_plus_one:
+ - "akadns.net"
+ - "akamaiedge.net"
+ - "amazonaws.com"
+ - "apple.com"
+ - "apple-dns.net"
+ - "cloudfront.net"
+ - "icloud.com"
+ - "in-addr.arpa"
+ - "google.com"
+ - "yahoo.com"
+ - "dropbox.com"
+ - "windowsupdate.com"
+ - "microsoftonline.com"
+ - "s-microsoft.com"
+ - "office365.com"
+ - "linkedin.com"
+ condition: selection and not default_list_of_well_known_domains
+falsepositives:
+ - Legitimate domain name requested, which should be added to whitelist
+level: high
+status: experimental
\ No newline at end of file
diff --git a/rules/unsupported_logic/net_possible_dns_rebinding.yml b/rules/unsupported_logic/net_possible_dns_rebinding.yml
new file mode 100644
index 000000000..cc8f2a234
--- /dev/null
+++ b/rules/unsupported_logic/net_possible_dns_rebinding.yml
@@ -0,0 +1,22 @@
+title: Possible DNS Rebinding
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+ - attack.command_and_control
+ - attack.t1043
+logsource:
+ product: dns
+detection:
+ selection:
+ answer: '*'
+ filter1:
+ ttl: '>0'
+ filter2:
+ ttl: '<10'
+ timeframe: 30s
+ condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium
diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
index db9abdd80..fb54b399d 100644
--- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
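Review bot: `logsource: product: dns` in net_possible_dns_rebinding.yml is inconsistent with the rest of this commit, which changes net_dns_c2_detection.yml from `product: dns` to `category: dns` and uses `category: dns` in every other new DNS rule; use `category: dns` here too so the same backend configuration mapping applies. The `ttl: '>0'` and `ttl: '<10'` strings are literal values to a Sigma backend rather than comparisons, which is presumably why the file sits under unsupported_logic/, but the description should say so, as net_dns_large_domain_name.yml does with its `# IS MORE THAN 70 bytes` comment. The rule also has no `falsepositives:` block, unlike its siblings.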
+++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml @@ -2,7 +2,7 @@ title: Powerview Add-DomainObjectAcl DCSync AD Extend Right description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer status: experimental date: 2019/04/03 -author: Samir Bousseaden +author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community references: - https://twitter.com/menasec1/status/1111556090137903104 - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf @@ -16,9 +16,10 @@ detection: selection: EventID: 5136 LDAPDisplayName: 'ntSecurityDescriptor' - Value: - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' + Value|contains: + - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' + - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' + - '89e95b76-444d-4c62-991a-0facbeda640c' condition: selection falsepositives: - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account. diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml new file mode 100644 index 000000000..882e33aa2 --- /dev/null +++ b/rules/windows/builtin/win_ad_object_writedac_access.yml 
@@ -0,0 +1,22 @@
+title: T1000 AD Object WriteDAC Access
+description: Detects WRITE_DAC access to a domain object
+status: experimental
+date: 2019/09/12
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_one:
+ EventID: 4662
+ ObjectServer: 'DS'
+ AccessMask: 0x40000
+ ObjectType:
+ - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
+ - 'domainDNS'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
new file mode 100644
index 000000000..8aa4d1fcb
--- /dev/null
+++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml
@@ -0,0 +1,28 @@
+title: T1003 Active Directory Replication from Non Machine Account
+description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
+status: experimental
+date: 2019/07/26
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4662
+ AccessMask: '0x100'
+ Properties|contains:
+ - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
+ - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
+ - '89e95b76-444d-4c62-991a-0facbeda640c'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
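Review bot: `condition: selection` in win_ad_object_writedac_access.yml references an identifier that is never defined — the only search identifier in the rule is `selection_one` — so the rule should fail at conversion or match nothing; change it to `condition: selection_one` (or rename the selection to `selection`). `AccessMask: 0x40000` is unquoted and is read by YAML as the integer 262144, whereas the sibling rule in this hunk writes `AccessMask: '0x100'` as a string; quote it as `AccessMask: '0x40000'` so the emitted query uses the same representation as the rest of the rule set. The rule also lacks a `tags:` block, unlike win_ad_replication_non_machine_account.yml below it, and the `T1000` prefix in the title does not correspond to the T1222 path in the reference.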
diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index cb39ccfb1..e8f4a9028 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml @@ -14,7 +14,8 @@ detection: selection: EventID: 4704 keywords: - - 'SeEnableDelegationPrivilege' + Message: + - '*SeEnableDelegationPrivilege*' condition: all of them falsepositives: - Unknown diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index b09d69b7a..7d2974ba3 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml @@ -15,11 +15,13 @@ detection: selection: EventID: 4738 keywords: - - 'DES' - - 'Preauth' - - 'Encrypted' + Message: + - '*DES*' + - '*Preauth*' + - '*Encrypted*' filters: - - 'Enabled' + Message: + - '*Enabled*' condition: selection and keywords and filters falsepositives: - Unknown diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 5ba0670cb..e0d4033be 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -14,6 +14,7 @@ logsource: product: windows detection: keywords: + Message: - "* mimikatz *" - "* mimilib *" - "* <3 eo.oe *" diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index b30270453..6187109d3 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml 
@@ -6,29 +6,31 @@ logsource: service: application detection: keywords: - - HTool - - Hacktool - - ASP/Backdoor - - JSP/Backdoor - - PHP/Backdoor - - Backdoor.ASP - - Backdoor.JSP - - Backdoor.PHP - - Webshell - - Portscan - - Mimikatz - - WinCred - - PlugX - - Korplug - - Pwdump - - Chopper - - WmiExec - - Xscan - - Clearlog - - ASPXSpy + Message: + - "*HTool*" + - "*Hacktool*" + - "*ASP/Backdoor*" + - "*JSP/Backdoor*" + - "*PHP/Backdoor*" + - "*Backdoor.ASP*" + - "*Backdoor.JSP*" + - "*Backdoor.PHP*" + - "*Webshell*" + - "*Portscan*" + - "*Mimikatz*" + - "*WinCred*" + - "*PlugX*" + - "*Korplug*" + - "*Pwdump*" + - "*Chopper*" + - "*WmiExec*" + - "*Xscan*" + - "*Clearlog*" + - "*ASPXSpy*" filters: - - Keygen - - Crack + Message: + - "*Keygen*" + - "*Crack*" condition: keywords and not 1 of filters falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml new file mode 100644 index 000000000..c28d7941f --- /dev/null +++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml @@ -0,0 +1,23 @@ +title: T1003 DPAPI Domain Backup Key Extraction +description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers +status: experimental +date: 2019/06/20 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4662 + ObjectType: 'SecretObject' + AccessMask: '0x2' + ObjectName: 'BCKUPKEY' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file 
diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml new file mode 100644 index 000000000..c47abde49 --- /dev/null +++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml @@ -0,0 +1,20 @@ +title: T1003 DPAPI Domain Master Key Backup Attempt +description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. +status: experimental +date: 2019/08/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4692 + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml new file mode 100644 index 000000000..03b7d9a92 --- /dev/null +++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml 
@@ -0,0 +1,27 @@ +title: T1003 LSASS Access from Non System Account +description: Detects potential mimikatz-like tools accessing LSASS from non system account +status: experimental +date: 2019/06/20 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4663 + - 4656 + ObjectType: 'Process' + ObjectName|endswith: '\lsass.exe' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 1b748ef41..01039d732 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -15,9 +15,10 @@ detection: EventID: - 7045 keywords: - - 'WCE SERVICE' - - 'WCESERVICE' - - 'DumpSvc' + Message: + - '*WCE SERVICE*' + - '*WCESERVICE*' + - '*DumpSvc*' quarkspwdump: EventID: 16 HiveName: '*\AppData\Local\Temp\SAM*.dmp' diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 000000000..3c5415e55 --- /dev/null +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
@@ -0,0 +1,62 @@
+---
+action: global
+title: Meterpreter or Cobalt Strike getsystem service installation
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+modified: 2019/11/11
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+ - attack.privilege_escalation
+ - attack.t1134
+detection:
+ selection:
+ - ServiceFileName|contains:
+ - 'cmd'
+ - 'comspec'
+ # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
+ - ServiceFileName|contains|all:
+ - 'cmd'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
+ # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ - ServiceFileName|contains|all:
+ - '%COMSPEC%'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
+ # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+ - ServiceFileName|contains|all:
+ - 'rundll32'
+ - '.dll,a'
+ - '/p:'
+ condition: selection
+fields:
+ - ServiceFileName
+falsepositives:
+ - Highly unlikely
+level: critical
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
new file mode 100644
index 000000000..4b1924c1a
--- /dev/null
+++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
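Review bot: The first alternative in `selection`, `ServiceFileName|contains: ['cmd', 'comspec']`, matches any service whose image path merely contains `cmd`, which makes the three `contains|all` alternatives that follow redundant (each already requires `cmd` or `%COMSPEC%`) and turns every legitimate service wrapper that launches cmd.exe into a `critical` hit, contradicting `falsepositives: Highly unlikely`; either drop that first entry or narrow it to the getsystem patterns the comments describe. Separately, `ServiceFileName` is the Security 4697 field name, while System 7045 carries the path in `ImagePath` and Sysmon 6 in `ImageLoaded`, so the last two logsource documents will not match unless the backend field mapping translates the name — the same concern applies to `ImagePath|contains: 'tap0901'` in win_tap_driver_installation.yml later in this commit. The fourth document (`service: security`) also appears indented one level deeper than its siblings; if the indentation is consistent it still parses, but it should be aligned with the other documents for readability.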
@@ -0,0 +1,26 @@
+title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
+status: experimental
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 4720 # create user
+ - 4781 # rename user
+ UserName|contains: '$' #SamAccountName
+ condition: selection
+fields:
+ - EventID
+ - UserName
+ - SubjectAccountName
+falsepositives:
+ - Unkown
+level: medium
diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml
new file mode 100644
index 000000000..b73091fd4
--- /dev/null
+++ b/rules/windows/builtin/win_possible_dc_sync.yml
@@ -0,0 +1,24 @@
+title: Possible DC Sync
+description: Detects DC sync via create new SPN
+status: experimental
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+references:
+ - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+ - https://twitter.com/gentilkiwi/status/1003236624925413376
+ - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+ - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4742
+ ServicePrincipalNames: '*GC/*'
+ condition: selection
+falsepositives:
+ - Unkown
+level: high
diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml
new file mode 100644
index 000000000..b726363ad
--- /dev/null
+++ b/rules/windows/builtin/win_protected_storage_service_access.yml
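Review bot: `UserName|contains: '$'` relies on a field that, as far as I know, is not present in the native 4720/4781 event data: 4720 reports the created account as `TargetUserName` and 4781 the new name as `NewTargetUserName`, so the rule only matches if the backend configuration maps `UserName` onto those — please verify against the field mapping or switch to the native names. The `fields:` list (`UserName`, `SubjectAccountName`) has the same dependency; the native subject field is `SubjectUserName`. `Unkown` in falsepositives should be `Unknown` (also in win_possible_dc_sync.yml in this hunk's neighbour).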
@@ -0,0 +1,23 @@
+title: T1003 Protected Storage Service Access
+description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
+status: experimental
+date: 2019/08/10
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md
+tags:
+ - attack.lateral_movement
+ - attack.t1021
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName|contains: 'IPC'
+ RelativeTargetName: "protected_storage"
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
new file mode 100644
index 000000000..7be412525
--- /dev/null
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
@@ -0,0 +1,23 @@
+title: Register new logon process by Rubeus
+description: Detects potential use of Rubeus via registered new trusted logon process
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+ product: windows
+ service: security
+ definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
+detection:
+ selection:
+ - EventID: 4611
+ LogonProcessName: 'User32LogonProcesss'
+ condition: selection
+falsepositives:
+ - Unkown
+level: high
diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml
new file mode 100644
index 000000000..c763215ef
--- /dev/null
+++ b/rules/windows/builtin/win_remote_powershell_session.yml
@@ -0,0 +1,21 @@
+title: T1086 Remote PowerShell Sessions
+description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986
+status: experimental
+date: 2019/09/12
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5156
+ DestPort:
+ - 5985
+ - 5986
+ LayerRTID: 44
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
new file mode 100644
index 000000000..b6f36b5cd
--- /dev/null
+++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
@@ -0,0 +1,23 @@
+title: T1012 SAM Registry Hive Handle Request
+description: Detects handles requested to SAM registry hive
+status: experimental
+date: 2019/08/12
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md
+tags:
+ - attack.discovery
+ - attack.t1012
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4656
+ ObjectType: 'Key'
+ ObjectName|endswith: '\SAM'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml
new file mode 100644
index 000000000..4945a34c0
--- /dev/null
+++ b/rules/windows/builtin/win_scm_database_handle_failure.yml
@@ -0,0 +1,21 @@
+title: T1000 SCM Database Handle Failure
+description: Detects non-system users failing to get a handle of the SCM database.
+status: experimental
+date: 2019/08/12
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4656
+ ObjectType: 'SC_MANAGER OBJECT'
+ ObjectName: 'servicesactive'
+ Keywords: "Audit Failure"
+ SubjectLogonId: "0x3e4"
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml
new file mode 100644
index 000000000..0f16c6c38
--- /dev/null
+++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml
@@ -0,0 +1,21 @@
+title: T1000 SCM Database Privileged Operation
+description: Detects non-system users performing privileged operation os the SCM database
+status: experimental
+date: 2019/08/15
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4674
+ ObjectType: 'SC_MANAGER OBJECT'
+ ObjectName: 'servicesactive'
+ PrivilegeList: 'SeTakeOwnershipPrivilege'
+ SubjectLogonId: "0x3e4"
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
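Review bot: `Keywords: "Audit Failure"` matches the rendered keyword text, whereas win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml in this same commit matches the raw value `Keywords: '0x8010000000000000'` for the same audit-failure flag; pick one representation (the hex value is what the event XML carries, the text is what rendered/evtx-to-JSON pipelines emit) so the two rules behave the same on a given backend. `SubjectLogonId: "0x3e4"` is the well-known NETWORK SERVICE logon session, which a reader of `description: Detects non-system users ...` will not connect to a remote caller without help; the referenced playbook presumably explains why the subject is fixed to that session, but that is not visible here, so a comment such as `SubjectLogonId: "0x3e4" # NETWORK SERVICE logon session; see referenced playbook` would save the next maintainer a lookup. The same two points apply to win_scm_database_privileged_operation.yml, and `operation os the SCM database` in its description should read `operation on the SCM database`.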
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 5f5daa7a0..3452d6138 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -25,4 +25,4 @@ detection:
 condition: selection1 or (selection2 and not selection3)
 falsepositives:
 - Migration of an account into a new domain
-level: medium
+level: low
diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index c935fface..9f725c6d4 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -21,8 +21,9 @@ detection:
 Source: 'Windows Error Reporting'
 EventID: 1001
 keywords:
- - 'MsMpEng.exe'
- - 'mpengine.dll'
+ Message:
+ - '*MsMpEng.exe*'
+ - '*mpengine.dll*'
 condition: 1 of selection* and all of keywords
 falsepositives:
 - MsMpEng.exe can crash when C:\ is full
diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml
index 0f71f622b..b8ed30dbe 100644
--- a/rules/windows/builtin/win_susp_sam_dump.yml
+++ b/rules/windows/builtin/win_susp_sam_dump.yml
@@ -13,7 +13,8 @@ detection:
 selection:
 EventID: 16
 keywords:
- - '*\AppData\Local\Temp\SAM-*.dmp *'
+ Message:
+ - '*\AppData\Local\Temp\SAM-*.dmp *'
 condition: all of them
 falsepositives:
 - Penetration testing
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 000000000..df534a554
--- /dev/null
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,28 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+ - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+ - attack.lateral_movement
+ - attack.t1208
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5156
+ DestinationPort: 88
+ filter:
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ condition: selection and not filter
+falsepositives:
+ - Other browsers
+level: high
diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml
new file mode 100644
index 000000000..58dbe641b
--- /dev/null
+++ b/rules/windows/builtin/win_syskey_registry_access.yml
@@ -0,0 +1,29 @@
+title: T1012 SysKey Registry Keys Access
+description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
+status: experimental
+date: 2019/08/12
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md
+tags:
+ - attack.discovery
+ - attack.t1012
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 4656
+ - 4663
+ ObjectType: 'key'
+ ObjectName|endswith:
+ - 'lsa\JD'
+ - 'lsa\GBG'
+ - 'lsa\Skew1'
+ - 'lsa\Data'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml
new file mode 100644
index 000000000..537d8a20c
--- /dev/null
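Review bot: `DestinationPort: 88` and `Image|endswith:` use field names that differ from those win_remote_powershell_session.yml uses for the same Security 5156 event earlier in this commit (`DestPort`), and as far as I know the native 5156 fields are `DestPort` and `Application`, so this rule will not match unless the backend mapping translates them; align on `DestPort: 88` and `Application|endswith:`. The reference URL `https://github.com/GhostPack/Rubeus8` also looks mistyped. In win_syskey_registry_access.yml, which ends on this same line, `ObjectType: 'key'` is lower-case while win_sam_registry_hive_handle_request.yml uses `'Key'` as the event reports it; on a case-sensitive backend the lower-case form never matches.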
+++ b/rules/windows/builtin/win_tap_driver_installation.yml
@@ -0,0 +1,38 @@
+---
+action: global
+title: Tap driver installation
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+ - attack.exfiltration
+ - attack.t1048
+falsepositives:
+ - Legitimate OpenVPN TAP insntallation
+level: medium
+detection:
+ selection:
+ ImagePath|contains: 'tap0901'
+ condition: selection
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 6
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
\ No newline at end of file
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
new file mode 100644
index 000000000..90a55c0f1
--- /dev/null
+++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
@@ -0,0 +1,23 @@
+title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ - EventID: 4673
+ Service: 'LsaRegisterLogonProcess()'
+ Keywords: '0x8010000000000000' #failure
+ condition: selection
+falsepositives:
+ - Unkown
+level: high
\ No newline at end of file
diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 58bf3033d..077f0aacb 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -16,14 +16,15 @@ detection:
 selection:
 EventID: 5861
 keywords:
- - 'ActiveScriptEventConsumer'
- - 'CommandLineEventConsumer'
- - 'CommandLineTemplate'
+ Message:
+ - '*ActiveScriptEventConsumer*'
+ - '*CommandLineEventConsumer*'
+ - '*CommandLineTemplate*'
 # - 'Binding EventFilter' # too many false positive with HP Health Driver
 selection2:
 EventID: 5859
 condition: selection and 1 of keywords or selection2
 falsepositives:
 - Unknown (data set is too small; further testing needed)
-level: high
+level: medium
diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
new file mode 100644
index 000000000..b5e43040a
--- /dev/null
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -0,0 +1,21 @@
+title: T1086 Alternate PowerShell Hosts
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
+status: experimental
+date: 2019/08/11
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID:
+ - 4103
+ - 400
+ filter:
+ HostApplication: 'powershell.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
new file mode 100644
index 000000000..6f5eeed2c
--- /dev/null
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -0,0 +1,23 @@
+title: Clear PowerShell History
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+tags:
+ - attack.defense_evasion
+ - attack.t1146
+logsource:
+ product: windows
+ service: powershell
+detection:
+ keywords:
+ - 'del (Get-PSReadlineOption).HistorySavePath'
+ - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
+ - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
+ - 'rm (Get-PSReadlineOption).HistorySavePath'
+ condition: keywords
+falsepositives:
+ - some PS-scripts
+level: medium
diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml
new file mode 100644
index 000000000..567014d9c
--- /dev/null
+++ b/rules/windows/powershell/powershell_data_compressed.yml
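Review bot: `HostApplication: 'powershell.exe'` is an exact-match filter, but HostApplication holds the full host command line (path plus arguments) — powershell_remote_powershell_session.yml later in this commit treats it that way with `HostApplication|contains: 'wsmprovhost.exe'` — so the filter never excludes the ordinary powershell.exe host and every 4103/400 event becomes a `critical` alert. Change it to `HostApplication|contains: 'powershell.exe'`, and consider whether the same exclusion should cover the other stock hosts (powershell_ise.exe, pwsh.exe) before the rule is promoted past `experimental`.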
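Review bot: The keyword `'Set-PSReadlineOption –HistorySaveStyle SaveNothing'` contains an en dash (U+2013) before `HistorySaveStyle` rather than the ASCII hyphen PowerShell parses as a parameter marker, so it never matches the command as actually typed; replace it with `'Set-PSReadlineOption -HistorySaveStyle SaveNothing'`. The list also consists of unwildcarded full-text terms while the rest of this commit converts such lists to `Message: '*...*'`; if this rule is meant to work on the same backends, it should use the same form.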
@@ -0,0 +1,28 @@
+title: Data Compressed
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+logsource:
+ product: windows
+ service: powershell
+ description: 'Script block logging must be enabled'
+detection:
+ selection:
+ EventID: 4104
+ keyword_1:
+ - '*-Recurse*'
+ keyword_2:
+ - '*|*'
+ keyword_3:
+ - '*Compress-Archive*'
+ condition: selection and all of keyword_*
+falsepositives:
+ - highly likely if archive ops are done via PS
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1002
diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml
new file mode 100644
index 000000000..314cad819
--- /dev/null
+++ b/rules/windows/powershell/powershell_dnscat_execution.yml
@@ -0,0 +1,19 @@
+title: Dnscat execution
+description: Dnscat exfiltration tool execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+ - attack.exfiltration
+ - attack.t1048
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains: "Start-Dnscat2"
+ condition: selection
+falsepositives:
+ - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)
+level: medium
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index fcc15429f..c01420607 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
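Review bot: `description: 'Script block logging must be enabled'` under `logsource` uses a key the other rules in this commit spell `definition:` (for example powershell_malicious_commandlets.yml), so tooling that reads `logsource.definition` will miss the prerequisite; the same key appears in powershell_winlogon_helper_dll.yml later in the commit. `keyword_2: '*|*'` is a bare pipe, which practically every non-trivial script block contains, so the clause adds almost no selectivity while costing a wildcard scan on each 4104 event; the `-Recurse` and `Compress-Archive` terms carry the detection on their own.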
@@ -14,100 +14,101 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - Invoke-DllInjection
- - Invoke-Shellcode
- - Invoke-WmiCommand
- - Get-GPPPassword
- - Get-Keystrokes
- - Get-TimedScreenshot
- - Get-VaultCredential
- - Invoke-CredentialInjection
- - Invoke-Mimikatz
- - Invoke-NinjaCopy
- - Invoke-TokenManipulation
- - Out-Minidump
- - VolumeShadowCopyTools
- - Invoke-ReflectivePEInjection
- - Invoke-UserHunter
- - Find-GPOLocation
- - Invoke-ACLScanner
- - Invoke-DowngradeAccount
- - Get-ServiceUnquoted
- - Get-ServiceFilePermission
- - Get-ServicePermission
- - Invoke-ServiceAbuse
- - Install-ServiceBinary
- - Get-RegAutoLogon
- - Get-VulnAutoRun
- - Get-VulnSchTask
- - Get-UnattendedInstallFile
- - Get-ApplicationHost
- - Get-RegAlwaysInstallElevated
- - Get-Unconstrained
- - Add-RegBackdoor
- - Add-ScrnSaveBackdoor
- - Gupt-Backdoor
- - Invoke-ADSBackdoor
- - Enabled-DuplicateToken
- - Invoke-PsUaCme
- - Remove-Update
- - Check-VM
- - Get-LSASecret
- - Get-PassHashes
- - Show-TargetScreen
- - Port-Scan
- - Invoke-PoshRatHttp
- - Invoke-PowerShellTCP
- - Invoke-PowerShellWMI
- - Add-Exfiltration
- - Add-Persistence
- - Do-Exfiltration
- - Start-CaptureServer
- - Get-ChromeDump
- - Get-ClipboardContents
- - Get-FoxDump
- - Get-IndexedItem
- - Get-Screenshot
- - Invoke-Inveigh
- - Invoke-NetRipper
- - Invoke-EgressCheck
- - Invoke-PostExfil
- - Invoke-PSInject
- - Invoke-RunAs
- - MailRaider
- - New-HoneyHash
- - Set-MacAttribute
- - Invoke-DCSync
- - Invoke-PowerDump
- - Exploit-Jboss
- - Invoke-ThunderStruck
- - Invoke-VoiceTroll
- - Set-Wallpaper
- - Invoke-InveighRelay
- - Invoke-PsExec
- - Invoke-SSHCommand
- - Get-SecurityPackages
- - Install-SSP
- - Invoke-BackdoorLNK
- - PowerBreach
- - Get-SiteListPassword
- - Get-System
- - Invoke-BypassUAC
- - Invoke-Tater
- - Invoke-WScriptBypassUAC
- - PowerUp
- - PowerView
- - Get-RickAstley
- - Find-Fruit
- - HTTP-Login
- - Find-TrustedDocuments
- - Invoke-Paranoia
- - Invoke-WinEnum
- - Invoke-ARPScan
- - Invoke-PortScan
- - Invoke-ReverseDNSLookup
- - Invoke-SMBScanner
- - Invoke-Mimikittenz
+ Message:
+ - "*Invoke-DllInjection*"
+ - "*Invoke-Shellcode*"
+ - "*Invoke-WmiCommand*"
+ - "*Get-GPPPassword*"
+ - "*Get-Keystrokes*"
+ - "*Get-TimedScreenshot*"
+ - "*Get-VaultCredential*"
+ - "*Invoke-CredentialInjection*"
+ - "*Invoke-Mimikatz*"
+ - "*Invoke-NinjaCopy*"
+ - "*Invoke-TokenManipulation*"
+ - "*Out-Minidump*"
+ - "*VolumeShadowCopyTools*"
+ - "*Invoke-ReflectivePEInjection*"
+ - "*Invoke-UserHunter*"
+ - "*Find-GPOLocation*"
+ - "*Invoke-ACLScanner*"
+ - "*Invoke-DowngradeAccount*"
+ - "*Get-ServiceUnquoted*"
+ - "*Get-ServiceFilePermission*"
+ - "*Get-ServicePermission*"
+ - "*Invoke-ServiceAbuse*"
+ - "*Install-ServiceBinary*"
+ - "*Get-RegAutoLogon*"
+ - "*Get-VulnAutoRun*"
+ - "*Get-VulnSchTask*"
+ - "*Get-UnattendedInstallFile*"
+ - "*Get-ApplicationHost*"
+ - "*Get-RegAlwaysInstallElevated*"
+ - "*Get-Unconstrained*"
+ - "*Add-RegBackdoor*"
+ - "*Add-ScrnSaveBackdoor*"
+ - "*Gupt-Backdoor*"
+ - "*Invoke-ADSBackdoor*"
+ - "*Enabled-DuplicateToken*"
+ - "*Invoke-PsUaCme*"
+ - "*Remove-Update*"
+ - "*Check-VM*"
+ - "*Get-LSASecret*"
+ - "*Get-PassHashes*"
+ - "*Show-TargetScreen*"
+ - "*Port-Scan*"
+ - "*Invoke-PoshRatHttp*"
+ - "*Invoke-PowerShellTCP*"
+ - "*Invoke-PowerShellWMI*"
+ - "*Add-Exfiltration*"
+ - "*Add-Persistence*"
+ - "*Do-Exfiltration*"
+ - "*Start-CaptureServer*"
+ - "*Get-ChromeDump*"
+ - "*Get-ClipboardContents*"
+ - "*Get-FoxDump*"
+ - "*Get-IndexedItem*"
+ - "*Get-Screenshot*"
+ - "*Invoke-Inveigh*"
+ - "*Invoke-NetRipper*"
+ - "*Invoke-EgressCheck*"
+ - "*Invoke-PostExfil*"
+ - "*Invoke-PSInject*"
+ - "*Invoke-RunAs*"
+ - "*MailRaider*"
+ - "*New-HoneyHash*"
+ - "*Set-MacAttribute*"
+ - "*Invoke-DCSync*"
+ - "*Invoke-PowerDump*"
+ - "*Exploit-Jboss*"
+ - "*Invoke-ThunderStruck*"
+ - "*Invoke-VoiceTroll*"
+ - "*Set-Wallpaper*"
+ - "*Invoke-InveighRelay*"
+ - "*Invoke-PsExec*"
+ - "*Invoke-SSHCommand*"
+ - "*Get-SecurityPackages*"
+ - "*Install-SSP*"
+ - "*Invoke-BackdoorLNK*"
+ - "*PowerBreach*"
+ - "*Get-SiteListPassword*"
+ - "*Get-System*"
+ - "*Invoke-BypassUAC*"
+ - "*Invoke-Tater*"
+ - "*Invoke-WScriptBypassUAC*"
+ - "*PowerUp*"
+ - "*PowerView*"
+ - "*Get-RickAstley*"
+ - "*Find-Fruit*"
+ - "*HTTP-Login*"
+ - "*Find-TrustedDocuments*"
+ - "*Invoke-Paranoia*"
+ - "*Invoke-WinEnum*"
+ - "*Invoke-ARPScan*"
+ - "*Invoke-PortScan*"
+ - "*Invoke-ReverseDNSLookup*"
+ - "*Invoke-SMBScanner*"
+ - "*Invoke-Mimikittenz*"
 false_positives:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 condition: keywords and not false_positives
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index d2ec581e6..d553efe23 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
@@ -14,26 +14,27 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - AdjustTokenPrivileges
- - IMAGE_NT_OPTIONAL_HDR64_MAGIC
- - Microsoft.Win32.UnsafeNativeMethods
- - ReadProcessMemory.Invoke
- - SE_PRIVILEGE_ENABLED
- - LSA_UNICODE_STRING
- - MiniDumpWriteDump
- - PAGE_EXECUTE_READ
- - SECURITY_DELEGATION
- - TOKEN_ADJUST_PRIVILEGES
- - TOKEN_ALL_ACCESS
- - TOKEN_ASSIGN_PRIMARY
- - TOKEN_DUPLICATE
- - TOKEN_ELEVATION
- - TOKEN_IMPERSONATE
- - TOKEN_INFORMATION_CLASS
- - TOKEN_PRIVILEGES
- - TOKEN_QUERY
- - Metasploit
- - Mimikatz
+ Message:
+ - "*AdjustTokenPrivileges*"
+ - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
+ - "*Microsoft.Win32.UnsafeNativeMethods*"
+ - "*ReadProcessMemory.Invoke*"
+ - "*SE_PRIVILEGE_ENABLED*"
+ - "*LSA_UNICODE_STRING*"
+ - "*MiniDumpWriteDump*"
+ - "*PAGE_EXECUTE_READ*"
+ - "*SECURITY_DELEGATION*"
+ - "*TOKEN_ADJUST_PRIVILEGES*"
+ - "*TOKEN_ALL_ACCESS*"
+ - "*TOKEN_ASSIGN_PRIMARY*"
+ - "*TOKEN_DUPLICATE*"
+ - "*TOKEN_ELEVATION*"
+ - "*TOKEN_IMPERSONATE*"
+ - "*TOKEN_INFORMATION_CLASS*"
+ - "*TOKEN_PRIVILEGES*"
+ - "*TOKEN_QUERY*"
+ - "*Metasploit*"
+ - "*Mimikatz*"
 condition: keywords
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 6203a5d23..ea97c4a5c 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -17,7 +17,8 @@ detection:
 selection:
 EventID: 4104
 keyword:
- - 'PromptForCredential'
+ Message:
+ - '*PromptForCredential*'
 condition: all of them
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
new file mode 100644
index 000000000..035cbb974
--- /dev/null
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
@@ -0,0 +1,22 @@
+title: T1086 Remote PowerShell Session
+description: Detects remote PowerShell sessions
+status: experimental
+date: 2019/08/10
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID:
+ - 4103
+ - 400
+ HostName: 'ServerRemoteHost'
+ HostApplication|contains: 'wsmprovhost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index ad8ff90b6..a56980438 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -10,8 +10,9 @@ logsource:
 service: powershell
 detection:
 keywords:
- - 'System.Net.WebClient).DownloadString('
- - 'system.net.webclient).downloadfile('
+ Message:
+ - '*System.Net.WebClient).DownloadString(*'
+ - '*system.net.webclient).downloadfile(*'
 condition: keywords
 falsepositives:
 - PowerShell scripts that download content from the Internet
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 84ddfe55c..5e7aae6c3 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -10,12 +10,13 @@ logsource:
 service: powershell
 detection:
 keywords:
- - ' -nop -w hidden -c * [Convert]::FromBase64String'
- - ' -w hidden -noni -nop -c "iex(New-Object'
- - ' -w hidden -ep bypass -Enc'
- - 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- - 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- - 'iex(New-Object Net.WebClient).Download'
+ Message:
+ - '* -nop -w hidden -c * [Convert]::FromBase64String*'
+ - '* -w hidden -noni -nop -c "iex(New-Object*'
+ - '* -w hidden -ep bypass -Enc*'
+ - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
+ - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
+ - '*iex(New-Object Net.WebClient).Download*'
 condition: keywords
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index 21a193193..e8efdc065 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -15,8 +15,9 @@ logsource:
 service: powershell
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
 detection:
- keywords:
+ Message:
 - "System.Reflection.Assembly.Load"
+ - "[System.Reflection.Assembly]::Load"
 - "[Reflection.Assembly]::Load"
 - "System.Reflection.AssemblyName"
 - "Reflection.Emit.AssemblyBuilderAccess"
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
new file mode 100644
index 000000000..b9b8c03e4
--- /dev/null
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
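Review bot: In the powershell_suspicious_keywords.yml hunk, replacing `keywords:` with `Message:` directly under `detection:` changes the rule's structure rather than its field: every other hunk in this commit nests `Message:` inside the `keywords:` selection, whereas here `Message` becomes a top-level selection name, and the `condition:` line, which lies outside the hunk, presumably still reads `condition: keywords` and would then reference a selection that no longer exists. The values also stay unwildcarded (`"System.Reflection.Assembly.Load"`) while the sibling hunks wrap theirs in `*...*`, so on backends that treat `Message` as a field with exact matching nothing would match. Restoring the nesting and the wildcards makes it consistent with the rest of the change:
```yaml
detection:
  keywords:
    Message:
      - "*System.Reflection.Assembly.Load*"
      - "*[System.Reflection.Assembly]::Load*"
      - "*[Reflection.Assembly]::Load*"
      - "*System.Reflection.AssemblyName*"
      - "*Reflection.Emit.AssemblyBuilderAccess*"
# … unchanged: remaining keyword entries and condition (outside this hunk) …
```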
@@ -0,0 +1,27 @@
+title: Winlogon Helper DLL
+status: experimental
+description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
+logsource:
+ product: windows
+ service: powershell
+ description: 'Script block logging must be enabled'
+detection:
+ selection:
+ EventID: 4104
+ keyword1:
+ - '*Set-ItemProperty*'
+ - '*New-Item*'
+ keyword2:
+ - '*CurrentVersion\Winlogon*'
+ condition: selection and ( keyword1 and keyword2 )
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.persistence
+ - attack.t1004
diff --git a/rules/windows/process_creation/silenttrinity_stage_use.yml b/rules/windows/process_creation/silenttrinity_stage_use.yml
new file mode 100644
index 000000000..a99a63b32
--- /dev/null
+++ b/rules/windows/process_creation/silenttrinity_stage_use.yml
@@ -0,0 +1,30 @@
+---
+action: global
+title: SILENTTRINITY stager execution
+status: experimental
+description: Detects SILENTTRINITY stager use
+references:
+ - https://github.com/byt3bl33d3r/SILENTTRINITY
+author: Aleksey Potapov, oscd.community
+date: 2019/10/22
+modified: 2019/11/04
+tags:
+ - attack.execution
+detection:
+ selection:
+ Description|contains: 'st2stager'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+---
+logsource:
+ category: process_creation
+ product: windows
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
new file mode 100644
index 000000000..34a58ba53
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -0,0 +1,30 @@
+title: Mustang Panda Dropper
+status: experimental
+description: Detects specific process parameters as used by Mustang Panda droppers
+author: Florian Roth
+date: 2019/10/30
+references:
+ - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
+ - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
+ - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '*Temp\wtask.exe /create*'
+ - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
+ - '*/E:vbscript * C:\Users\*.txt" /F'
+ - '*/tn "Security Script *'
+ - '*%windir:~-1,1%*'
+ selection2:
+ Image:
+ - '*Temp\winwsh.exe'
+ condition: 1 of them
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml
new file mode 100644
index 000000000..aff9b51ef
--- /dev/null
+++ b/rules/windows/process_creation/win_bootconf_mod.yml
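Review bot: `Description|contains: 'st2stager'` keys the entire `level: high` rule on a string from the binary's version-information resource, which is set by whoever builds the stager and disappears on any rebuild that strips or edits that metadata, so the rule is brittle and the `description`/`falsepositives` should say it detects the default build only. With `action: global` the same `Description` test is reused for the third document (`service: sysmon`, `EventID: 7`), where it applies to the loaded image's metadata rather than the process's; a one-line comment on that document, `# image-load variant: Description is the loaded module's version info`, would make the reuse explicit.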
@@ -0,0 +1,30 @@
+title: Modification of Boot Configuration
+description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
+tags:
+ - attack.impact
+ - attack.t1490
+detection:
+ selection1:
+ Image|endswith: '\bcdedit.exe'
+ CommandLine: 'set'
+ selection2:
+ - CommandLine|contains|all:
+ - 'bootstatuspolicy'
+ - 'ignoreallfailures'
+ - CommandLine|contains|all:
+ - 'recoveryenabled'
+ - 'no'
+ condition: selection1 and selection2
+falsepositives:
+ - Unlikely
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
new file mode 100644
index 000000000..315ff7035
--- /dev/null
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
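Review bot: `CommandLine: 'set'` in `selection1` is an exact, whole-value match (no wildcard and no modifier), so a real `bcdedit /set …` command line never equals it and the rule cannot fire at all; it should be `CommandLine|contains: '/set'` like the other CommandLine tests in this rule. In `selection2` the second alternative's `'no'` substring adds almost nothing to `'recoveryenabled'` — any command line with "no" anywhere in it (a path, `ignoreallfailures` itself) passes — so if the intent is to catch `recoveryenabled no`, test for `' no'` or use a single contains value with the expected spacing and say so in a comment.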
@@ -0,0 +1,32 @@
+title: Change Default File Association
+status: experimental
+description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'cmd'
+ - '/c'
+ - 'assoc'
+ condition: selection
+falsepositives:
+ - Admin activity
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.persistence
+ - attack.t1042
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml
new file mode 100644
index 000000000..023e35fce
--- /dev/null
+++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml
@@ -0,0 +1,31 @@
+title: Data Compressed
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+author: Timur Zinniatullin, E.M. Anhaus, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rar.exe'
+ CommandLine|contains: ' a '
+ condition: selection
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - highly likely if rar is default archiver in the monitored environment
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1002
diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
new file mode 100644
index 000000000..cfd25684e
--- /dev/null
+++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml
@@ -0,0 +1,19 @@
+title: DNS exfiltration tools execution
+description: Well-known DNS Exfiltration tools execution
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+ - attack.exfiltration
+ - attack.t1048
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '*\iodine.exe'
+ - Image|contains: '\dnscat2'
+ condition: selection
+falsepositives:
+ - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
+level: medium
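Review bot: `Image|endswith: '*\iodine.exe'` puts a leading `*` wildcard inside an `endswith` value; the modifier already anchors at the end of the field, the `dnscat2` line next to it and every other `|endswith` value in this commit omit the `*`, and depending on the backend the stray character is either a redundant second wildcard or gets escaped into a literal asterisk that never matches. Change the line to `- Image|endswith: '\iodine.exe'`.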
diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
new file mode 100644
index 000000000..171b87c37
--- /dev/null
+++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml
@@ -0,0 +1,22 @@
+title: Exfiltration and tunneling tools execution
+description: Execution of well known tools for data exfiltration and tunneling
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+ - attack.exfiltration
+ - attack.t1020
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ NewProcessName|endswith:
+ - '\plink.exe'
+ - '\socat.exe'
+ - '\stunnel.exe'
+ - '\httptunnel.exe'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator using tool for exfiltration for other needs
+level: medium
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
new file mode 100644
index 000000000..a4f6756a3
--- /dev/null
+++ b/rules/windows/process_creation/win_hh_chm.yml
@@ -0,0 +1,24 @@
+title: HH.exe execution
+description: Identifies usage of hh.exe executing recently modified .chm files.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1223
+detection:
+ selection:
+ Image|endswith: '\hh.exe'
+ CommandLine|contains: '.chm'
+ condition: selection
+falsepositives:
+ - unlike
+level: high
+logsource:
+ category: process_creation
+ product: windows
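Review bot: `NewProcessName|endswith:` uses the raw Security event 4688 field name, while every other `process_creation` rule in this commit uses the generic `Image` field that the backend configuration maps to `NewProcessName` or Sysmon's `Image` as appropriate; as written the rule bypasses that mapping and matches nothing on Sysmon event 1 sources. Change the key to `Image|endswith:`.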
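Review bot: The `description` promises detection of hh.exe executing *recently modified* .chm files, but the selection is only `Image|endswith: '\hh.exe'` plus `CommandLine|contains: '.chm'`, i.e. hh.exe opening any help file, so the text overstates what the rule does; reword it to `Identifies hh.exe being launched with a .chm file argument` unless the file-age logic from the EQL original is going to be ported. `falsepositives: - unlike` is a typo for `Unlikely`, and at `level: high` the legitimate case — software opening its own compiled help — deserves to be listed rather than dismissed.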
diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml
new file mode 100644
index 000000000..41c13d4c5
--- /dev/null
+++ b/rules/windows/process_creation/win_indirect_cmd.yml
@@ -0,0 +1,25 @@
+title: Indirect Command Execution
+description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\pcalua.exe'
+ - '\forfiles.exe'
+ condition: selection
+falsepositives:
+ - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+ - Legit usage of scripts
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
new file mode 100644
index 000000000..b7c3340e7
--- /dev/null
+++ b/rules/windows/process_creation/win_interactive_at.yml
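Review bot: The first `falsepositives` entry refers to `unique_count` / `filter` post-processing, which is EQL analytics tooling from the referenced source rather than anything a Sigma consumer has, so it reads as a leftover of the port and tells an analyst nothing about benign matches. Replace it with the actual benign cases — `forfiles.exe` and `pcalua.exe` used by batch jobs and compatibility shims — and keep `Legit usage of scripts`.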
@@ -0,0 +1,23 @@
+title: Interactive AT Job
+description: Detect an interactive AT job, which may be used as a form of privilege escalation
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+ - attack.privilege_escalation
+ - attack.t1053
+detection:
+ selection:
+ Image|endswith: '\at.exe'
+ CommandLine|contains: 'interactive'
+ condition: selection
+falsepositives:
+ - Unlikely (at.exe deprecated as of Windows 8)
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
new file mode 100644
index 000000000..50c945dd3
--- /dev/null
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -0,0 +1,60 @@
+title: Local accounts discovery
+status: experimental
+description: Local accounts, System Owner/User discovery using operating systems utilities
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ - Image|endswith: '\whoami.exe'
+ - Image|endswith: '\wmic.exe'
+ CommandLine|contains|all:
+ - 'useraccount'
+ - 'get'
+ - Image|endswith:
+ - '\quser.exe'
+ - '\qwinsta.exe'
+ - Image|endswith: '\cmdkey.exe'
+ CommandLine|contains: '/list'
+ - Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - '/c'
+ - 'dir'
+ - '\Users\'
+ selection_2:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'user'
+ filter:
+ CommandLine|contains:
+ - '/domain' # local account discovery only
+ - '/add' # discovery only
+ - '/delete' # discovery only
+ - '/active' # discovery only
+ - '/expires' # discovery only
+ - '/passwordreq' # discovery only
+ - '/scriptpath' # discovery only
+ - '/times' # discovery only
+ - '/workstations' # discovery only
+ condition: selection_1 or ( selection_2 and not filter )
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - Legitimate administrator or user enumerates local users for legitimate reason
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1087
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
new file mode 100644
index 000000000..0124c25f3
--- /dev/null
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -0,0 +1,31 @@
+title: LSASS Memory Dumping
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
+ - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
+tags:
+ - attack.credential_access
+ - attack.t1003
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'lsass'
+ - '.dmp'
+ selection2:
+ Image|endswith: '\werfault.exe'
+ selection3:
+ Image|contains: '\procdump'
+ Image|endswith: '.exe'
+ CommandLine|contains: 'lsass'
+ condition: selection1 and not selection2 or selection3
+falsepositives:
+ - Unlikely
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
new file mode 100644
index 000000000..75e4e3ed3
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
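Review bot: `condition: selection1 and not selection2 or selection3` relies on `and`/`not` binding tighter than `or`, so it evaluates as `(selection1 and not selection2) or selection3`; that is presumably the intent, but readers of the rule should not have to know the precedence table — write it as `condition: (selection1 and not selection2) or selection3`. The `selection2` exclusion also suppresses any `werfault.exe` command line naming lsass and a .dmp file, which is a real way an lsass dump is produced, so a short comment explaining why WER is whitelisted (presumably noise from genuine crashes) would document the trade-off.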
@@ -0,0 +1,22 @@
+title: DTRACK Process Creation
+status: experimental
+description: Detects specific process parameters as seen in DTRACK infections
+author: Florian Roth
+date: 2019/10/30
+references:
+ - https://securelist.com/my-name-is-dtrack/93338/
+ - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
+ - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '* echo EEEE > *'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml
index 2ae667dc4..99cd1e664 100644
--- a/rules/windows/process_creation/win_malware_formbook.yml
+++ b/rules/windows/process_creation/win_malware_formbook.yml
@@ -3,10 +3,12 @@ status: experimental
 description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
 author: Florian Roth
 date: 2019/09/30
+modified: 2019/10/31
 references:
 - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
 - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
 - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
+ - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
 logsource:
 category: process_creation
 product: windows
@@ -15,10 +17,13 @@ detection:
 # Parent command line should not contain a space value
 # This avoids false positives not caused by process injection
 # e.g. wscript.exe /B sysmon-install.vbs
- ParentCommandLine: 'C:\Windows\System32\\*.exe'
+ ParentCommandLine:
+ - 'C:\Windows\System32\\*.exe'
+ - 'C:\Windows\SysWOW64\\*.exe'
 CommandLine:
- - '*\cmd.exe /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
- - '*\cmd.exe /c del "C:\Users\\*\Desktop\\*.exe'
+ - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe'
+ - '* /c del "C:\Users\\*\Desktop\\*.exe'
+ - '* /C type nul > "C:\Users\\*\Desktop\\*.exe'
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index a3da623be..79ed43cf0 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -8,9 +8,7 @@ references:
 author: Florian Roth
 date: 2018/12/12
 tags:
- - attack.process_injection
 - attack.t1055
- - attack.signed_binary_proxy_execution
 - attack.t1218
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
new file mode 100644
index 000000000..e82b73c7f
--- /dev/null
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -0,0 +1,42 @@
+title: Meterpreter or Cobalt Strike getsystem service start
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+modified: 2019/11/11
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+ - attack.privilege_escalation
+ - attack.t1134
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ ParentImage|endswith: '\services.exe'
+ selection_2:
+ - CommandLine|contains:
+ - 'cmd'
+ - 'comspec'
+ # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
+ - CommandLine|contains|all:
+ - 'cmd'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
+ # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ - CommandLine|contains|all:
+ - '%COMSPEC%'
+ - '/c'
+ - 'echo'
+ - '\pipe\'
+ # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+ - CommandLine|contains|all:
+ - 'rundll32'
+ - '.dll,a'
+ - '/p:'
+ condition: selection_1 and selection_2
+falsepositives:
+ - Highly unlikely
+level: critical
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
new file mode 100644
index 000000000..86ab993e7
--- /dev/null
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
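Review bot: The first alternative in `selection_2`, `CommandLine|contains: ['cmd', 'comspec']`, fires on any child of `services.exe` whose command line contains `cmd` anywhere — including an ordinary service binary path ending in `\cmd.exe` or a path component containing those letters — so it subsumes the two `cmd`/`%COMSPEC%` `|contains|all` alternatives beneath it (they can never add a match) and turns a `level: critical` rule into a noisy one with `falsepositives: - Highly unlikely` that is not true. Drop that first alternative, or split it into a separate lower-level rule, and keep the `/c echo … \pipe\` and `rundll32 … .dll,a /p:` alternatives that the comments actually describe.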
@@ -0,0 +1,25 @@
+title: Mshta Network Connections
+description: Identifies suspicious mshta.exe commands
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1170
+detection:
+ selection:
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains: 'javascript'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+## todo — add sysmon eid 3 for this rule
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
new file mode 100644
index 000000000..62d76d6db
--- /dev/null
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -0,0 +1,27 @@
+title: Windows Network Enumeration
+status: stable
+description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
+author: Endgame, JHasenbusch (ported for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+ - attack.discovery
+ - attack.t1018
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'view'
+ filter:
+ CommandLine|contains: '\\'
+ condition: selection and not filter
+falsepositives:
+ - Legitimate use of net.exe utility by legitimate user
+level: low
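Review bot: The title `Mshta Network Connections` does not describe what the selection detects — `mshta.exe` started with `javascript` in its command line — and the trailing `## todo — add sysmon eid 3 for this rule` confirms the network part was never implemented, so the title misleads anyone triaging the alert. Rename it to match the file (`Mshta JavaScript Execution`) and move the network-connection idea into a separate rule or an issue rather than a comment at the end of the YAML.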
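Review bot: `status: stable` is the only non-experimental status among the rules added in this commit, for a rule ported at the same time and with the same `modified: 2019/11/11` date as its siblings; unless it has actually been validated in production it should be `experimental` like the others. The `filter` on `CommandLine|contains: '\\'` presumably exists to drop `net view \\host` so that only bare `net view` (host enumeration, as the description says) remains — a comment stating that, `# exclude share listing against a named host`, would spare the next reader the trip to the reference.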
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
new file mode 100644
index 000000000..7dbef3b56
--- /dev/null
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -0,0 +1,29 @@
+title: Net.exe User Account Creation
+status: experimental
+description: Identifies creation of local users via the net.exe command
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
+author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+ - attack.persistance
+ - attack.credential_access
+ - attack.t1136
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'user'
+ - 'add'
+ condition: selection
+falsepositives:
+ - Legit user creation
+ - Better use event ids for user creation rather than command line rules
+level: low
diff --git a/rules/windows/process_creation/win_netsh_packet_capture.yml b/rules/windows/process_creation/win_netsh_packet_capture.yml
new file mode 100644
index 000000000..d89c40c4a
--- /dev/null
+++ b/rules/windows/process_creation/win_netsh_packet_capture.yml
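Review bot: The tag `attack.persistance` is misspelled; the tactic tag used by the other rules in this commit (`win_winlogon_helper_dll`, `win_change_default_file_association`, `win_powershell_bitsjob`) is `attack.persistence`, and a misspelled tag silently drops the rule from tactic-based filtering and from the ATT&CK Navigator export without any error. Change the line to `- attack.persistence`. `attack.credential_access` also looks out of place for account creation — T1136 is listed under Persistence only — so consider removing it.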
@@ -0,0 +1,23 @@
+title: Capture a Network Trace with netsh.exe
+status: experimental
+description: Detects capture a network trace via netsh.exe trace functionality
+references:
+ - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
+author: Kutepov Anton, oscd.community
+date: 2019/10/24
+tags:
+ - attack.discovery
+ - attack.t1040
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - netsh
+ - trace
+ - start
+ condition: selection
+falsepositives:
+ - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason
+level: medium
diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml
new file mode 100644
index 000000000..fdcb9a287
--- /dev/null
+++ b/rules/windows/process_creation/win_network_sniffing.yml
@@ -0,0 +1,32 @@
+title: Network Sniffing
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\tshark.exe'
+ CommandLine|contains: '-i'
+ - Image|endswith: '\windump.exe'
+ condition: selection
+falsepositives:
+ - Admin activity
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
new file mode 100644
index 000000000..766dea5f9
--- /dev/null
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
@@ -0,0 +1,20 @@
+title: T1086 Non Interactive PowerShell
+description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.
+status: experimental
+date: 2019/09/12
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ filter:
+ ParentImage|endswith: '\explorer.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 85ce692ec..d620bf1cf 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -16,15 +16,16 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '*\msdt.exe*'
- - '*\installutil.exe*'
- - '*\regsvcs.exe*'
- - '*\regasm.exe*'
- # - '*\regsvr32.exe*' # too many FPs, very noisy
- - '*\msbuild.exe*'
- - '*\ieexec.exe*'
- - '*\mshta.exe*'
+ CommandLine|contains:
+ - '\msdt.exe'
+ - '\installutil.exe'
+ - '\regsvcs.exe'
+ - '\regasm.exe'
+ # - '\regsvr32.exe' # too many FPs, very noisy
+ - '\msbuild.exe'
+ - '\ieexec.exe'
+ #- '\mshta.exe'
+ #- '\csc.exe'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
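Review bot: `level: critical` is far too high for a selection that fires on every `powershell.exe` whose parent is not `explorer.exe`: scheduled tasks, services, management agents, logon scripts and most administrative tooling start PowerShell non-interactively, and the rule records `falsepositives: - Unknown` instead of those. Either lower the level (`medium` at most) and list the expected benign parents, or add them to the `filter` so the remaining matches justify the severity. The file also lacks a trailing newline (`\ No newline at end of file`).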
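Review bot: `#- '\mshta.exe'` and `#- '\csc.exe'` are commented out without the reason the `regsvr32` line carries (`# too many FPs, very noisy`), so the next editor cannot tell whether they were dropped for noise, moved to another rule, or are pending; add the same kind of trailing note to each, e.g. `#- '\mshta.exe' # <reason for disabling>`. The `selection` block and the rest of the rule continue outside the hunk.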
diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml
new file mode 100644
index 000000000..d960252f1
--- /dev/null
+++ b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml
@@ -0,0 +1,31 @@
+title: Possible Rotten Potato detection - privilege escalation fro Service accounts to SYSTEM
+description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
+tags:
+ - attack.privilege_escalation
+ - attack.t1134
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+modified: 2019/11/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentUser:
+ - 'NT AUTHORITY\NETWORK SERVICE'
+ - 'NT AUTHORITY\LOCAL SERVICE'
+ User: 'NT AUTHORITY\SYSTEM'
+ rundllexception:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains: 'DavSetCookie'
+ condition: selection and not rundllexception
+falsepositives:
+ - Unknown
+level: high
+enrichment:
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml
new file mode 100644
index 000000000..dbfdf05db
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_audio_capture.yml
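Review bot: Typo in `title`: `fro Service accounts` should be `from Service accounts`. The two `enrichment` entries are documented only by `http://bit.ly/…` shortlinks, which are opaque to a reviewer and can expire or be retargeted to arbitrary content; reference the canonical location of `EN_0001_cache_sysmon_event_id_1_info` and `EN_0002_enrich_sysmon_event_id_1_with_parent_info` directly. `ParentUser` is also a non-standard field that only exists after that enrichment runs, so the `description` should state that the rule is inert on un-enriched Sysmon event 1 data.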
@@ -0,0 +1,22 @@
+title: Audio Capture via PowerShell
+description: Detects audio capture via PowerShell Cmdlet
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
+tags:
+ - attack.collection
+ - attack.t1123
+detection:
+ selection:
+ CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
+ condition: selection
+falsepositives:
+ - Legitimate audio capture by legitimate user
+level: medium
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yml b/rules/windows/process_creation/win_powershell_bitsjob.yml
new file mode 100644
index 000000000..1bbba2098
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_bitsjob.yml
@@ -0,0 +1,24 @@
+title: Suspicious Bitsadmin Job via PowerShell
+status: experimental
+description: Detect download by BITS jobs via PowerShell
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
+author: Endgame, JHasenbusch (ported to sigma for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'Start-BitsTransfer'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index 8ed0e5a5c..06e403401 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
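Review bot: `Image|endswith: '\powershell.exe'` restricts the `Start-BitsTransfer` test to Windows PowerShell, but the cmdlet is equally available from PowerShell Core, whose binary is `pwsh.exe`, so that host is silently excluded; make the field a list, `Image|endswith:` with `- '\powershell.exe'` and `- '\pwsh.exe'`. The `win_non_interactive_powershell` and `win_remote_time_discovery` rules in this commit bind to `\powershell.exe` only in the same way.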
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@@ -8,6 +8,7 @@ references:
 - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 - https://attack.mitre.org/techniques/T1036/
 date: 2019/02/23
+modified: 2019/08/20
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -30,6 +31,8 @@ detection:
 ParentImage:
 - '*\System32\\*'
 - '*\SysWOW64\\*'
+ - '*\SavService.exe'
+ - '*\Windows Defender\\*\MsMpEng.exe'
 filter_null:
 ParentImage: null
 condition: selection and not filter and not filter_null
diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml
new file mode 100644
index 000000000..ee312aefc
--- /dev/null
+++ b/rules/windows/process_creation/win_query_registry.yml
@@ -0,0 +1,44 @@
+title: Query Registry
+status: experimental
+description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
+author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ Image|endswith: '\reg.exe'
+ CommandLine|contains:
+ - 'query'
+ - 'save'
+ - 'export'
+ selection_2:
+ CommandLine|contains:
+ - 'currentVersion\windows'
+ - 'currentVersion\runServicesOnce'
+ - 'currentVersion\runServices'
+ - 'winlogon\'
+ - 'currentVersion\shellServiceObjectDelayLoad'
+ - 'currentVersion\runOnce'
+ - 'currentVersion\runOnceEx'
+ - 'currentVersion\run'
+ - 'currentVersion\policies\explorer\run'
+ - 'currentcontrolset\services'
+ condition: selection_1 and selection_2
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.discovery
+ - attack.t1012
+ - attack.t1007
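Review bot: The two new exclusions in the `ParentImage` filter differ in strength: `'*\Windows Defender\\*\MsMpEng.exe'` is anchored to the product's install directory, whereas `'*\SavService.exe'` exempts any parent whose basename is SavService.exe regardless of where it runs from, so a binary given that name in a user-writable directory is removed from this rule's coverage. Anchor it the same way, `'*\<vendor install dir>\\*\SavService.exe'`, with the real path substituted. The `filter:` key this list belongs to starts outside the hunk.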
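Review bot: In `selection_2` the substring `'currentVersion\run'` already matches every command line that `'currentVersion\runOnce'`, `'currentVersion\runOnceEx'`, `'currentVersion\runServices'` and `'currentVersion\runServicesOnce'` match, so four of the ten values are dead entries; either drop them or add `# listed explicitly for readability; 'currentVersion\run' already covers the run* keys` so nobody later "fixes" the overlap. `'winlogon\'` is also the only value without a hive-path prefix and will hit unrelated strings such as file paths; `'currentVersion\winlogon\'` keeps it consistent with its neighbours.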
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
new file mode 100644
index 000000000..9367378cd
--- /dev/null
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -0,0 +1,19 @@
+title: T1086 Remote PowerShell Session
+description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn)
+status: experimental
+date: 2019/09/12
+modified: 2019/11/10
+author: Roberto Rodriguez @Cyb3rWard0g
+references:
+ - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\wsmprovhost.exe'
+ - ParentImage|endswith: '\wsmprovhost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml
new file mode 100644
index 000000000..55491edc2
--- /dev/null
+++ b/rules/windows/process_creation/win_remote_time_discovery.yml
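Review bot: `description` has two typos: `seccions` should be `sessions` and `sessionn` should be `session`. `level: critical` with `falsepositives: - Unknown` does not fit a detection that fires on every WinRM/PowerShell-remoting session, which is routine in any environment administered over PSRemoting; list that as the expected false positive and consider `medium`, or `high` at most. The file also lacks a trailing newline (`\ No newline at end of file`).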
@@ -0,0 +1,29 @@ +title: Discovery of a system time +description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md +tags: + - attack.discovery + - attack.t1124 +detection: + selection: + - Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'time' + - Image|endswith: '\w32tm.exe' + CommandLine|contains: 'tz' + - Image|endswith: '\powershell.exe' + CommandLine|contains: 'Get-Date' + condition: selection +falsepositives: + - Legitimate use of the system utilities to discover system time for legitimate reason +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml index 864ed1504..bb6e0d91c 100644 --- a/rules/windows/process_creation/win_renamed_binary.yml +++ b/rules/windows/process_creation/win_renamed_binary.yml @@ -1,8 +1,9 @@ title: Renamed Binary status: experimental description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. -author: Matthew Green - @mgreen27 +author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements) date: 2019/06/15 +modified: 2019/11/11 references: - https://attack.mitre.org/techniques/T1036/ - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html 
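Review bot: `CommandLine|contains: 'Get-Date'` under powershell.exe and the bare substring `'time'` under net.exe will fire on a great deal of benign scripting — Get-Date is used for ordinary timestamps and logging, and `time` also matches `net user ... /times:` or any argument containing the word — which is hard to reconcile with `level: high`. Either tighten the terms (e.g. `CommandLine|contains: ' time'` for net.exe and `' /tz'` for w32tm.exe) or lower the level to match the other discovery rules in this commit. `orignally` in the author field is a typo that recurs in several rules of this commit.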
@@ -16,40 +17,46 @@ logsource: detection: selection: OriginalFileName: - - "cmd.exe" - - "powershell.exe" - - "powershell_ise.exe" - - "psexec.exe" - - "psexec.c" # old versions of psexec (2016 seen) - - "cscript.exe" - - "wscript.exe" - - "mshta.exe" - - "regsvr32.exe" - - "wmic.exe" - - "certutil.exe" - - "rundll32.exe" - - "cmstp.exe" - - "msiexec.exe" - - "7z.exe" - - "winrar.exe" + - 'cmd.exe' + - 'powershell.exe' + - 'powershell_ise.exe' + - 'psexec.exe' + - 'psexec.c' # old versions of psexec (2016 seen) + - 'cscript.exe' + - 'wscript.exe' + - 'mshta.exe' + - 'regsvr32.exe' + - 'wmic.exe' + - 'certutil.exe' + - 'rundll32.exe' + - 'cmstp.exe' + - 'msiexec.exe' + - '7z.exe' + - 'winrar.exe' + - 'wevtutil.exe' + - 'net.exe' + - 'net1.exe' filter: - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\powershell_ise.exe' - - '*\psexec.exe' - - '*\psexec64.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\wmic.exe' - - '*\certutil.exe' - - '*\rundll32.exe' - - '*\cmstp.exe' - - '*\msiexec.exe' - - '*\7z.exe' - - '*\winrar.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\powershell_ise.exe' + - '\psexec.exe' + - '\psexec64.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\wmic.exe' + - '\certutil.exe' + - '\rundll32.exe' + - '\cmstp.exe' + - '\msiexec.exe' + - '\7z.exe' + - '\winrar.exe' + - '\wevtutil.exe' + - '\net.exe' + - '\net1.exe' condition: selection and not filter falsepositives: - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml new file mode 100644 index 000000000..807b4e5a0 --- /dev/null +++ b/rules/windows/process_creation/win_service_execution.yml 
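Review bot: The rewritten filter is still a flat list, so the rule never pairs an `OriginalFileName` with its own image name: a binary carrying `OriginalFileName: powershell.exe` but running as `\cmd.exe` (or, after this change, `\net.exe`) is excluded by the filter, because the filter only asks whether the Image ends with any name in the list. Since the commit already rewrites both lists, pairing them (one selection/filter per name) or at least stating the gap in `description` would be worthwhile. `OriginalFileName` comes from the PE version resource, which whoever built the binary controls, so a comment such as `# OriginalFileName is set by the binary's author; this catches simple renames only` would set analyst expectations. The hunk ends at `falsepositives`; the remainder of the rule is outside.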
@@ -0,0 +1,24 @@ +title: Service Execution +status: experimental +description: Detects manual service execution (start) via system utilities +author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +date: 2019/10/21 +modified: 2019/11/04 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|re: '.*start.*[a-zA-Z0-9]' # search for a service name after 'net start', avoiding intersection with "service discovery" technique detection rules + condition: selection +falsepositives: + - Legitimate administrator or user executes a service for legitimate reason +level: low +tags: + - attack.execution + - attack.t1035 diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index 0de77853c..66f89ad0a 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -18,7 +18,7 @@ detection: ParentImage: - '*\mshta.exe' - '*\powershell.exe' - - '*\cmd.exe' + # - '*\cmd.exe' # too many false positives - '*\rundll32.exe' - '*\cscript.exe' - '*\wscript.exe' diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml new file mode 100644 index 000000000..923d8ee36 --- /dev/null +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml 
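Review bot: `CommandLine|re: '.*start.*[a-zA-Z0-9]'` is unanchored, so it also matches `restart`, `startup` and any path containing `start`, and the leading `.*` is a no-op in an unanchored match; something like `'(^|\s)start\s+\S*[a-zA-Z0-9]'` expresses the comment's intent (a service name after `start`) more precisely. Regex matching is typically case-sensitive in the backends, so `net START` would be missed while the `contains` terms used elsewhere in this commit are case-insensitive. The `re` modifier also narrows which backends can compile the rule (HEAD's changelog lists regex support for only some of them), which deserves a comment next to it.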
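Review bot: In win_shell_spawn_susp_program, commenting out `'*\cmd.exe'` silently removes the most common shell from the parent list, and a commented YAML item is invisible in compiled output; record the tuning decision where analysts can see it — in `falsepositives` or `description` (both outside the hunk) — or move the cmd.exe case to a separate lower-level rule rather than leaving dead text in the list.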
@@ -0,0 +1,23 @@
+title: Audio Capture via SoundRecorder
+description: Detect attacker collecting audio via SoundRecorder application
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
+tags:
+ - attack.collection
+ - attack.t1123
+detection:
+ selection:
+ Image|endswith: '\SoundRecorder.exe'
+ CommandLine|contains: '/FILE'
+ condition: selection
+falsepositives:
+ - Legitimate audio capture by legitimate user
+level: medium
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml
new file mode 100644
index 000000000..4038182a4
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
@@ -0,0 +1,26 @@
+title: Application whitelisting bypass via bginfo
+status: experimental
+description: Execute VBscript code that is referenced within the *.bgi file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
+ - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\bginfo.exe'
+ CommandLine|contains|all:
+ - '/popup'
+ - '/nolicprompt'
+ condition: selection
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml
new file mode 100644
index 000000000..34e21dff2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_cdb.yml
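Review bot: In win_susp_bginfo, `description` states what the attacker does (`Execute VBscript code that is referenced within the *.bgi file.`) rather than what the rule detects; the same pattern appears in win_susp_cdb, win_susp_dnx and win_susp_msoffice further down. A description such as `Detects bginfo.exe started with the /popup and /nolicprompt switches, which are used to run VBScript referenced from a .bgi file` tells an analyst what fired and why, and keeps the attack narrative in the references.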
@@ -0,0 +1,24 @@
+title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner
+status: experimental
+description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
+ - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cdb.exe'
+ CommandLine|contains: '-cf'
+ condition: selection
+falsepositives:
+ - Legitimate use of debugging tools
diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
new file mode 100644
index 000000000..da6379dc5
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml
@@ -0,0 +1,24 @@
+title: Devtoolslauncher.exe executes specified binary
+status: experimental
+description: The Devtoolslauncher.exe executes other binary
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml
+ - https://twitter.com/_felamos/status/1179811992841797632
+author: Beyu Denis, oscd.community (rule), @_felamos (idea)
+date: 2019/10/12
+modified: 2019/11/04
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\devtoolslauncher.exe'
+ CommandLine|contains: 'LaunchForDeploy'
+ condition: selection
+falsepositives:
+ - Legitimate use of devtoolslauncher.exe by legitimate user
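Review bot: `level: critical` in win_susp_devtoolslauncher is out of step with the other LOLBAS rules in this commit (bginfo, cdb, dnx, dxcap are all `medium`) while its `falsepositives` entry admits legitimate use; `LaunchForDeploy` is a documented switch, not by itself an indicator of malice. `level: high` with a sentence in the description on what makes it more severe than the others would be consistent. The same applies to `level: critical` in win_susp_openwith later in the diff.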
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
new file mode 100644
index 000000000..29077cc02
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -0,0 +1,38 @@
+title: Direct autorun keys modification
+description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+ - attack.persistence
+ - attack.t1060
+date: 2019/10/25
+modified: 2019/11/10
+author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ Image|endswith: '*\reg.exe'
+ CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules
+ selection_2:
+ CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys
+ - '\software\Microsoft\Windows\CurrentVersion\Run'
+ - '\software\Microsoft\Windows\CurrentVersion\RunOnce'
+ - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx'
+ - '\software\Microsoft\Windows\CurrentVersion\RunServices'
+ - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
+ - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
+ - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
+ - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
+ - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
+ - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
+ condition: selection_1 and selection_2
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
+ - Legitimate administrator sets up autorun keys for legitimate reason
+level: high
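Review bot: `Image|endswith: '*\reg.exe'` mixes a wildcard into an `endswith` value; every other rule in this commit writes `Image|endswith: '\reg.exe'`, and depending on the backend the `*` is either redundant or emitted as a literal character that never matches, which would silently disable the rule. Change it to `Image|endswith: '\reg.exe'`. `CommandLine|contains: 'add'` is also satisfied by any argument containing `add` (paths, value names), but bound to reg.exe and the key list that is acceptable and the inline comment explains the choice.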
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
new file mode 100644
index 000000000..707ef7838
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -0,0 +1,23 @@
+title: Application Whitelisting bypass via dnx.exe
+status: experimental
+description: Execute C# code located in the consoleapp folder
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
+ - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\dnx.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of dnx.exe by legitimate user
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
new file mode 100644
index 000000000..ce9a91ad4
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -0,0 +1,26 @@
+title: Application Whitelisting bypass via dxcap.exe
+status: experimental
+description: Detects execution of of Dxcap.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
+ - https://twitter.com/harr0ey/status/992008180904419328
+author: Beyu Denis, oscd.community
+date: 2019/10/26
+modified: 2019/11/04
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\dxcap.exe'
+ CommandLine|contains|all:
+ - '-c'
+ - '.exe'
+ condition: selection
+falsepositives:
+ - Legitimate execution of dxcap.exe by legitimate user
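Review bot: The first reference in win_susp_dnx points to the LOLBAS `Csi.yml` entry although the rule targets dnx.exe; presumably the dnx entry in the same LOLBAS directory was intended — confirm the link before merging. Because the detection is `Image|endswith: '\dnx.exe'` alone, every dnx execution fires; that is acceptable for a medium-level rule, but it belongs in the description (`Detects any execution of dnx.exe, which can run C# code from a console-app folder`) instead of `Execute C# code located in the consoleapp folder`, which describes the attack rather than the detection.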
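Review bot: In win_susp_dxcap, `'-c'` under `contains|all` is a two-character substring that also appears inside paths and other options, so the term adds little selectivity; bound to dxcap.exe and `.exe` the effect is only some extra noise, but `' -c '` (with surrounding spaces) would match the documented usage more precisely. `Detects execution of of Dxcap.exe` has a doubled word.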
diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 0030bd8de..fb8b0f638 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml 
@@ -1,30 +1,37 @@ title: Suspicious eventlog clear or configuration using wevtutil -description: Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others) -author: Ecco +description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others) +author: Ecco, Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 +modified: 2019/11/11 tags: - - attack.execution - - attack.t1070 - - car.2016-04-002 + - attack.defense_evasion + - attack.t1070 + - car.2016-04-002 level: high logsource: category: process_creation product: windows detection: - selection_binary_1: - Image: '*\wevtutil.exe' - selection_binary_2: - OriginalFileName: 'wevtutil.exe' - selection_clear_1: - CommandLine: '* cl *' - selection_clear_2: - CommandLine: '* clear-log *' - selection_disable_1: - CommandLine: '* sl *' - selection_disable_2: - CommandLine: '* set-log *' - condition: (1 of selection_binary_*) and (1 of selection_clear_* or 1 of selection_disable_*) - + selection_wevtutil: + Image|endswith: '\wevtutil.exe' + CommandLine|contains: + - 'clear-log' # clears specified log + - 'cl' # short version of 'clear-log' + - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size + - 'sl' # short version of 'set-log' + selection_ps: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'Clear-EventLog' + - 'Remove-EventLog' + - 'Limit-EventLog' + selection_wmic: + Image|endswith: '\wmic.exe' + CommandLine|contains: 'ClearEventLog' + condition: 1 of them falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment 
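Review bot: Replacing `'* cl *'` and `'* sl *'` with `CommandLine|contains: 'cl'` / `'sl'` drops the word boundaries the old patterns had, so under `selection_wevtutil` any wevtutil invocation whose arguments contain those two letters anywhere (a log name, an output path such as `...\client.evtx`) now matches, not just the `cl`/`sl` verbs. Keeping the spaces, `- ' cl '` and `- ' sl '`, preserves the original precision while still benefiting from the `contains` rewrite. The rewritten description still carries the typo `uwing` → `using`.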
diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml new file mode 100644 index 000000000..e1d7b1ba0 --- /dev/null +++ b/rules/windows/process_creation/win_susp_firewall_disable.yml @@ -0,0 +1,22 @@ +title: Firewall Disabled via Netsh +description: Detects netsh commands that turns off the Windows firewall +references: + - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/ + - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/ +date: 2019/11/01 +status: experimental +author: Fatih Sirin +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - netsh firewall set opmode mode=disable + - netsh advfirewall set * state off + condition: selection +falsepositives: + - Legitimate administration +level: medium diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index d006b2f89..b0ff8e831 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml 
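Review bot: The `CommandLine` values in win_susp_firewall_disable have no leading or trailing wildcard, so in Sigma they are exact full-command-line comparisons; real events carry the image path (`C:\Windows\System32\netsh.exe firewall ...`), extra whitespace or additional options and will not match. Either wrap them, `- '*netsh*firewall set opmode*mode=disable*'` and `- '*netsh*advfirewall set*state off*'`, or express them as `CommandLine|contains|all` terms. The rule also has a tactic tag but no technique under it; T1089 (Disabling Security Tools, as ATT&CK numbered it at the time of this commit) fits, and a `modified` line is missing where the other rules have one.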
@@ -1,25 +1,29 @@ title: Fsutil suspicious invocation description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others) -author: Ecco +author: Ecco, E.M. Anhaus, oscd.community date: 2019/09/26 +modified: 2019/11/11 level: high references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html +tags: + - attack.defense_evasion + - attack.t1070 logsource: category: process_creation product: windows detection: binary_1: - Image: '*\fsutil.exe' + Image|endswith: '\fsutil.exe' binary_2: OriginalFileName: 'fsutil.exe' selection: - CommandLine: - - '* deletejournal *' # usn deletejournal ==> generally ransomware or attacker - - '* createjournal *' # usn createjournal ==> can modify config to set it to a tiny size - + CommandLine|contains: + - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker + - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size condition: (1 of binary_*) and selection - falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml index 6611b8e11..c1d8167bf 100644 --- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml @@ -14,7 +14,7 @@ logsource: detection: selection: CommandLine: - - '* msiexec*:\/\/*' + - '* msiexec*://*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment 
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml new file mode 100644 index 000000000..b036b25d5 --- /dev/null +++ b/rules/windows/process_creation/win_susp_msoffice.yml @@ -0,0 +1,27 @@ +title: Malicious payload download via Office binaries +status: experimental +description: Downloads payload from remote server +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml + - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 + - Reegun J (OCBC Bank) +author: Beyu Denis, oscd.community +date: 2019/10/26 +modified: 2019/11/04 +tags: + - attack.command_and_control + - attack.t1105 +level: medium +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\powerpnt.exe' + - '\winword.exe' + - '\excel.exe' + CommandLine|contains: 'http' + condition: selection +falsepositives: + - Unknown diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index 8f3ef0a65..31dd19509 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
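Review bot: `- Reegun J (OCBC Bank)` under `references` is a credit, not a reference; it belongs in `author` (e.g. `author: Beyu Denis, oscd.community (rule), Reegun J (OCBC Bank) (idea)`, presumably the researcher behind the medium link) so the references list stays a list of links. `CommandLine|contains: 'http'` with winword/excel/powerpnt will also match any document path containing `http` (file names, synced folder names); `'http://'` and `'https://'` as two `contains` values is tighter and still covers the referenced technique. The description `Downloads payload from remote server` should say what is detected rather than what the attacker does.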
@@ -3,11 +3,19 @@ status: experimental description: Detects execution of Net.exe, whether suspicious or benign. references: - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ -author: Michael Haag, Mark Woan (improvements) + - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html + - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html + - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html +author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) tags: - attack.s0039 + - attack.t1027 + - attack.t1049 + - attack.t1077 + - attack.t1135 - attack.lateral_movement - attack.discovery + - attack.defense_evasion logsource: category: process_creation product: windows @@ -16,6 +24,7 @@ detection: Image: - '*\net.exe' - '*\net1.exe' + cmdline: CommandLine: - '* group*' - '* localgroup*' @@ -25,7 +34,7 @@ detection: - '* accounts*' - '* use*' - '* stop *' - condition: selection + condition: selection and cmdline fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml new file mode 100644 index 000000000..b8a39044f --- /dev/null +++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml 
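Review bot: The new `cmdline` selection and `condition: selection and cmdline` fix the condition, but the pre-existing values it now ANDs with are still loose: `'* use*'` also matches `net user`, and `'* stop *'` is service stopping rather than the discovery/lateral-movement tactics the file is tagged with; `'* use *'` with a trailing space would keep `net use` and leave user enumeration to its own term. In the first hunk, `attack.t1027` (Obfuscated Files or Information) does not obviously apply to net.exe usage — presumably it came along with one of the added eqllib analytics; confirm before keeping it. The `cmdline:` key is inserted at the same indentation as `Image:` in the hunk as rendered here, so verify it is a sibling of `selection`, not nested under it.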
@@ -0,0 +1,27 @@
+title: Suspicious netsh Dll persistence
+description: Detects pesitence via netsh helper
+status: test
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+tags:
+ - attack.persistence
+ - attack.t1060
+date: 2019/10/25
+modified: 2019/10/25
+author: Victor Sergeev, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'add'
+ - 'helper'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unkown
+level: high
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml
new file mode 100644
index 000000000..585b63422
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
@@ -0,0 +1,29 @@
+title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe
+description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
+ - https://twitter.com/Hexacorn/status/1187143326673330176
+author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/25
+modified: 2019/11/07
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ Image|endswith: '\odbcconf.exe'
+ CommandLine|contains:
+ - '-f'
+ - 'regsvr'
+ selection_2:
+ ParentImage|endswith: '\odbcconf.exe'
+ Image|endswith: '\rundll32.exe'
+ condition: selection_1 or selection_2
+level: medium
+falsepositives:
+ - Legitimate use of odbcconf.exe by legitimate user
diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml
new file mode 100644
index 000000000..5be5cce50
--- /dev/null
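Review bot: `status: test` in win_susp_netsh_dll_persistence is the only non-`experimental` status among the rules added in this commit, and `modified: 2019/10/25` equals `date`, so the `modified` line carries no information; align both with the other rules unless the status was deliberate, in which case a word in the description on what "test" means here would help. Typos: `pesitence` → `persistence` in the description and `Unkown` → `Unknown` under falsepositives.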
+++ b/rules/windows/process_creation/win_susp_openwith.yml
@@ -0,0 +1,24 @@
+title: OpenWith.exe executes specified binary
+status: experimental
+description: The OpenWith.exe executes other binary
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml
+ - https://twitter.com/harr0ey/status/991670870384021504
+author: 'Beyu Denis, oscd.community (rule), @harr0ey (idea)'
+date: 2019/10/12
+modified: 2019/11/04
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+level: critical
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\OpenWith.exe'
+ CommandLine|contains: '/c'
+ condition: selection
+falsepositives:
+ - Legitimate use of OpenWith.exe by legitimate user
diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
new file mode 100644
index 000000000..61ce4d314
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml
@@ -0,0 +1,23 @@
+title: psr.exe capture screenshots
+status: experimental
+description: The psr.exe captures desktop screenshots and saves them on the local machine
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml
+ - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
+author: Beyu Denis, oscd.community
+date: 2019/10/12
+modified: 2019/11/04
+tags:
+ - attack.persistence
+ - attack.t1218
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\Psr.exe'
+ CommandLine|contains: '/start'
+ condition: selection
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml
new file mode 100644
index 000000000..f250bfa3e
--- /dev/null
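Review bot: In win_susp_psr_capture_screenshots the tags `attack.persistence` and `attack.t1218` do not describe what the rule detects: `psr.exe /start` recording the desktop is a Collection activity, which ATT&CK files as T1113 (Screen Capture); T1218 (Signed Binary Proxy Execution) would only apply if psr.exe were being used to run other code, which the description does not claim. Suggest `- attack.collection` and `- attack.t1113`, keeping t1218 only if the LOLBAS reference's proxy-execution angle is what is meant.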
+++ b/rules/windows/process_creation/win_susp_service_path_modification.yml @@ -0,0 +1,31 @@ +title: Suspicious service path modification +description: Detects service path modification to powershell/cmd +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml +tags: + - attack.persistence + - attack.t1031 +date: 2019/10/21 +modified: 2019/11/10 +author: Victor Sergeev, oscd.community +logsource: + category: process_creation + product: windows +detection: + selection_1: + Image|endswith: '\sc.exe' + CommandLine|contains|all: + - 'config' + - 'binpath' + selection_2: + CommandLine|contains: + - 'powershell' + - 'cmd' + condition: selection_1 and selection_2 +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml index 1e4ddc89d..478dc155d 100644 --- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml @@ -3,6 +3,7 @@ status: experimental description: Detects Possible Squirrel Packages Manager as Lolbin references: - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/ + - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ tags: - attack.execution author: Karneades / Markus Neis @@ -49,7 +50,8 @@ detection: - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) CommandLine: - '*--processStart*.exe*' + - '*--processStartAndWait*.exe*' - '*–createShortcut*.exe*' condition: selection - \ No newline at end of file + diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml index bed1fbbfd..5a255ad87 100644 
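Review bot: In win_susp_squirrel_lolbin, the added `'*--processStartAndWait*.exe*'` is already covered by the existing `'*--processStart*.exe*'`, because the wildcard after `processStart` absorbs `AndWait`; the new line is redundant (harmless, but it suggests the wildcard semantics were misread). The neighbouring context line `'*–createShortcut*.exe*'` appears to start with an en dash (U+2013) rather than two hyphens, which would never match a real command line — worth checking the file's bytes and, if confirmed, rewriting it as `'*--createShortcut*.exe*'`. The trailing-newline fix in the same hunk is fine.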
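Review bot: In win_susp_service_path_modification, `selection_2`'s `'cmd'` substring matches anywhere in the command line, including install paths that merely contain those letters, so a legitimate `sc config ... binpath=` pointing at such a path fires at `level: high`; `'cmd.exe'` and `'cmd '` (or `'powershell'` plus `'cmd.exe'`) would keep the intent with less noise. This rule also overlaps with win_using_sc_to_change_sevice_image_path_by_non_admin later in the diff (both key on `sc.exe` with `config`/`binPath`); a sentence in each description pointing at the other would save analysts from treating them as independent alerts.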
--- a/rules/windows/process_creation/win_susp_userinit_child.yml +++ b/rules/windows/process_creation/win_susp_userinit_child.yml @@ -1,6 +1,6 @@ title: Suspicious Userinit Child Process status: experimental -description: Detects the creation of a process from Windows task manager +description: Detects a suspicious child process of userinit references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) @@ -11,14 +11,14 @@ logsource: detection: selection: ParentImage: '*\userinit.exe' - filter: - CommandLine: - - '*\explorer.exe*' - - '*\\netlogon\\*' - condition: selection and not filter + filter1: + CommandLine: '*\\netlogon\\*' + filter2: + Image: '*\explorer.exe' + condition: selection and not filter1 and not filter2 fields: - CommandLine - ParentCommandLine falsepositives: - Administrative scripts -level: high +level: medium diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml new file mode 100644 index 000000000..422daa3b4 --- /dev/null +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml @@ -0,0 +1,23 @@ +title: Sysmon driver unload +status: experimental +author: Kirill Kiryanov, oscd.community +description: Detect possible Sysmon driver unload +date: 2019/10/23 +modified: 2019/11/07 +references: + - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +logsource: + product: windows + category: process_creation +detection: + selection: + Image|endswith: '\fltmc.exe' + CommandLine|contains|all: + - 'unload' + - 'sys' + condition: selection +falsepositives: Unknown +level: high +fields: + - CommandLine + - Details diff --git a/rules/windows/process_creation/win_tap_installer_execution.yml b/rules/windows/process_creation/win_tap_installer_execution.yml new file mode 100644 index 000000000..ad9ca6bf1 --- /dev/null 
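Review bot: `filter2: Image: '*\explorer.exe'` excludes any process whose image name is explorer.exe regardless of directory, so the exclusion is wider than the one real shell it is meant for; anchoring it (e.g. `Image: '*\Windows\explorer.exe'`) keeps the filter to the genuine shell path. `filter1`'s `'*\\netlogon\\*'` likewise matches that string anywhere in the command line, which is acceptable for the stated "Administrative scripts" false positive but deserves a `# logon scripts from the NETLOGON share` comment. The drop to `level: medium` is reasonable given how broad the remaining match is.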
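Review bot: In win_sysmon_driver_unload, the `'sys'` term under `contains|all` adds nothing, because the command line normally begins with the image path (`...\System32\fltmc.exe`), which already contains `sys`; the rule therefore fires on every `fltmc unload`, whatever filter driver is named. If the intent is the Sysmon driver specifically, match the driver/service name actually deployed (the default is `SysmonDrv`, but it is commonly renamed, so treat that as a per-environment value); otherwise accept the broader scope and say so in the description. `falsepositives: Unknown` is a scalar where every other rule uses a list, and `Details` under `fields` is not a process_creation field as far as the other rules in this commit show — confirm.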
+++ b/rules/windows/process_creation/win_tap_installer_execution.yml
@@ -0,0 +1,18 @@
+title: Tap installer execution
+description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
+status: experimental
+author: Daniil Yugoslavskiy, oscd.community
+date: 2019/10/24
+tags:
+ - attack.exfiltration
+ - attack.t1048
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\tapinstall.exe'
+ condition: selection
+falsepositives:
+ - Legitimate OpenVPN TAP insntallation
+level: medium
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
new file mode 100644
index 000000000..3f667eaf0
--- /dev/null
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -0,0 +1,25 @@
+title: Domain Trust Discovery
+description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
+tags:
+ - attack.discovery
+ - attack.t1482
+detection:
+ selection:
+ - Image|endswith: '\nltest.exe'
+ CommandLine|contains: 'domain_trusts'
+ - Image|endswith: '\dsquery.exe'
+ CommandLine|contains: 'trustedDomain'
+ condition: selection
+falsepositives:
+ - Legitimate use of the utilities by legitimate user for legitimate reason
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
new file mode 100644
index 000000000..7acc1a1f0
--- /dev/null
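Review bot: win_tap_installer_execution fires on every `tapinstall.exe` run at `level: medium`, which includes routine VPN client deployments that `falsepositives` itself acknowledges; either scope it per environment (e.g. a filter on the `ParentImage` of the organisation's software-deployment agent, left as a placeholder for deployers) or lower the level. The `attack.t1048` tag describes the eventual exfiltration use rather than the installer, which the description already hedges with "Possible preparation" — that is fine as long as the level reflects the uncertainty. `insntallation` → `installation`.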
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -0,0 +1,27 @@
+title: Bypass UAC via CMSTP
+description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+modified: 2019/11/11
+date: 2019/10/24
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1191
+ - attack.t1088
+detection:
+ selection:
+ Image|endswith: '\cmstp.exe'
+ CommandLine|contains:
+ - '/s'
+ - '/au'
+ condition: selection
+falsepositives:
+ - Legitimate use of cmstp.exe utility by legitimate user
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
new file mode 100644
index 000000000..9947b1f97
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
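Review bot: The description says win_uac_cmstp detects *child processes* of elevated cmstp.exe, but the detection matches cmstp.exe itself as `Image` with `/s` or `/au` on its command line — that is the ordinary silent-install invocation, not a child process. Either switch to `ParentImage|endswith: '\cmstp.exe'` (as the fodhelper and wsreset rules in this commit do), or rewrite the description to say what is actually matched; as written, title, description and the EQL reference promise something the rule does not check. `'/s'` is also a very short substring (`/silent`, `/source`, ...), tolerable only because it is bound to cmstp.exe.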
@@ -0,0 +1,22 @@ +title: Bypass UAC via Fodhelper.exe +description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community +date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md +tags: + - attack.privilege_escalation + - attack.t1088 +detection: + selection: + ParentImage|endswith: '\fodhelper.exe' + condition: selection +falsepositives: + - Legitimate use of fodhelper.exe utility by legitimate user +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml new file mode 100644 index 000000000..928264392 --- /dev/null +++ b/rules/windows/process_creation/win_uac_wsreset.yml @@ -0,0 +1,23 @@ +title: Bypass UAC via WSReset.exe +description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community +date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html +tags: + - attack.privilege_escalation + - attack.t1088 +detection: + selection: + ParentImage|endswith: '\wsreset.exe' + filter: + Image|endswith: '\conhost.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +logsource: + category: process_creation + product: windows 
diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml new file mode 100644 index 000000000..b40a53b9d --- /dev/null +++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml @@ -0,0 +1,31 @@ +title: Possible privilege escalation via weak service permissions +description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://pentestlab.blog/2017/03/30/weak-service-permissions/ +tags: + - attack.privilege_escalation + - attack.t1134 +status: experimental +author: Teymur Kheirkhabarov +date: 2019/10/26 +modified: 2019/11/11 +logsource: + category: process_creation + product: windows +detection: + scbynonadmin: + Image|endswith: '\sc.exe' + IntegrityLevel: 'Medium' + binpath: + CommandLine|contains|all: + - 'config' + - 'binPath' + failurecommand: + CommandLine|contains|all: + - 'failure' + - 'command' + condition: scbynonadmin and (binpath or failurecommand) +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml new file mode 100644 index 000000000..aa263ab9a --- /dev/null +++ b/rules/windows/process_creation/win_whoami_as_system.yml 
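Review bot: `IntegrityLevel: 'Medium'` is a Sysmon Event ID 1 field that the Security log's 4688 event does not carry, so with the generic `category: process_creation` logsource the rule silently matches nothing on non-Sysmon sources; the description should state the Sysmon dependency. The file name also misspells a word and should be `win_using_sc_to_change_service_image_path_by_non_admin.yml`. The `'failure'`/`'command'` substring pair is loose (any sc.exe invocation whose command line contains both words), which seems acceptable given the sc.exe and Medium-integrity constraints but is worth a word under `falsepositives`.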
@@ -0,0 +1,23 @@ +title: Run whoami as SYSTEM +status: experimental +description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment +author: Teymur Kheirkhabarov +date: 2019/10/23 +modified: 2019/11/11 +tags: + - attack.discovery + - attack.privilege_escalation + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + User: 'NT AUTHORITY\SYSTEM' + Image|endswith: '\whoami.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml new file mode 100644 index 000000000..9362869b7 --- /dev/null +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml @@ -0,0 +1,20 @@ +title: T1047 Wmiprvse Spawning Process +description: Detects wmiprvse spawning processes +status: experimental +date: 2019/08/15 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\WmiPrvSe.exe' + filter: + LogonId: '0x3e7' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml new file mode 100644 index 000000000..8670b9209 --- /dev/null +++ b/rules/windows/process_creation/win_xsl_script_processing.yml 
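Review bot: `User: 'NT AUTHORITY\SYSTEM'` is the English display name; on localized Windows builds the authority part differs (e.g. `NT-AUTORITÄT\SYSTEM`), so the rule will not fire there. A less locale-bound match is `User|endswith: '\SYSTEM'`, or the description could state that the rule assumes English account names.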
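Review bot: The title names T1047 but the rule has no `tags` key, so `attack.execution` / `attack.t1047` are never attached; the same gap exists in the sysmon_alternate_powershell_hosts_moduleload.yml, sysmon_alternate_powershell_hosts_pipe.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_powershell_execution_moduleload.yml, sysmon_powershell_execution_pipe.yml, sysmon_rdp_registry_modification.yml, sysmon_remote_powershell_session_network.yml and sysmon_wmi_module_load.yml hunks. The `LogonId: '0x3e7'` filter deserves a comment such as `# 0x3e7 = SYSTEM logon session` since the value is not self-explanatory. These files also end without a trailing newline.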
@@ -0,0 +1,24 @@ +title: XSL Script Processing +status: experimental +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses +author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\wmic.exe' + CommandLine|contains: '/format' # wmic process list /FORMAT /? + - Image|endswith: '\msxsl.exe' + condition: selection +falsepositives: + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment + - msxsl.exe is not installed by default so unlikely. +level: medium +tags: + - attack.execution + - attack.t1220 diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml new file mode 100644 index 000000000..854ea6a8e --- /dev/null +++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml 
@@ -0,0 +1,22 @@ +title: T1086 Alternate PowerShell Hosts +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe +status: experimental +date: 2019/09/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + Description: 'system.management.automation' + ImageLoaded|contains: 'system.management.automation' + filter: + Image|endswith: '\powershell.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml new file mode 100644 index 000000000..3fffb15da --- /dev/null +++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml @@ -0,0 +1,21 @@ +title: T1086 Alternate PowerShell Hosts +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe +status: experimental +date: 2019/09/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 17 + PipeName|startswith: '\PSHost' + filter: + Image|startswith: '\powershell.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml new file mode 100644 index 000000000..e9e990b9d --- /dev/null 
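Review bot: The filter only excludes `\powershell.exe`, so the legitimate PowerShell ISE host (`powershell_ise.exe`) and PowerShell Core (`pwsh.exe`) will raise `critical` alerts every time they start; listing them in the filter, or naming them under `falsepositives`, seems necessary before this level is justified. The same filter appears in the sysmon_alternate_powershell_hosts_pipe.yml hunk.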
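Review bot: `Image|startswith: '\powershell.exe'` can never match, because Sysmon's Image field is a full path (e.g. `C:\Windows\...\powershell.exe`), so the filter is inert and every PowerShell pipe creation fires the rule; it should be `Image|endswith: '\powershell.exe'` as in the moduleload sibling. `PipeName|startswith: '\PSHost'` is fine as the selection.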
+++ b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml @@ -0,0 +1,32 @@ +title: Autorun keys modification +description: Detects modification of autostart extensibility point (ASEP) in registry +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml +tags: + - attack.persistence + - attack.t1060 +date: 2019/10/21 +modified: 2019/11/10 +author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 13 + TargetObject|contains: + - '\software\Microsoft\Windows\CurrentVersion\Run' + - '\software\Microsoft\Windows\CurrentVersion\RunOnce' + - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - '\software\Microsoft\Windows\CurrentVersion\RunServices' + - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' + - '\software\Microsoft\Windows NT\CurrentVersion\Windows' + - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' + condition: selection +falsepositives: + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason + - Legitimate administrator sets up autorun keys for legitimate reason +level: medium diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml index b7ae773ba..75d192cce 100644 --- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml +++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml 
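Review bot: Because the modifier is `contains`, the `'\software\Microsoft\Windows\CurrentVersion\Run'` entry already matches the RunOnce, RunOnceEx, RunServices and RunServicesOnce paths that follow it, so those four list items are redundant; keeping them is harmless, but a comment such as `# Run also covers RunOnce*/RunServices*` would stop the next reader from "fixing" the list. Likewise `'\software\Microsoft\Windows NT\CurrentVersion\Windows'` matches every value under that key, which is presumably intended (AppInit_DLLs among them) and worth stating in a comment.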
@@ -2,18 +2,24 @@ title: CobaltStrike Process Injection description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons references: - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f + - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ tags: - attack.defense_evasion - attack.t1055 status: experimental -author: Olaf Hartong, Florian Roth +author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community +date: 2018/11/30 +modified: 2019/11/08 logsource: product: windows service: sysmon detection: selection: EventID: 8 - TargetProcessAddress: '*0B80' + TargetProcessAddress|endswith: + - '0B80' + - '0C7C' + - '0C88' condition: selection falsepositives: - unknown diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml new file mode 100644 index 000000000..6c2f972de --- /dev/null +++ b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml @@ -0,0 +1,20 @@ +title: T1055 CreateRemoteThread API and LoadLibrary +description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process +status: experimental +date: 2019/08/11 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + StartModule|endswith: '\kernel32.dll' + StartFunction: 'LoadLibraryA' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file 
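Review bot: The three `TargetProcessAddress|endswith` suffixes are tied to specific Cobalt Strike builds (the added reference is the 3.11 release post), so the rule should say which versions each offset was observed in, e.g. `# 0B80, 0C7C, 0C88: observed in Cobalt Strike <version> beacons` with the versions filled in from the references; without that, maintainers cannot tell when the list is stale. A four-hex-digit suffix also matches one address in 65536 by chance, which the `falsepositives` entry (`unknown`) could acknowledge.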
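Review bot: `StartFunction: 'LoadLibraryA'` only covers the ANSI entry point, while the same kernel32.dll exports the wide and Ex variants as ordinary start addresses; a list (`LoadLibraryA`, `LoadLibraryW`, `LoadLibraryExA`, `LoadLibraryExW`) would be the natural scope for the description's claim. The description could also mention that `StartFunction` is only populated when Sysmon can resolve the symbol.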
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml new file mode 100644 index 000000000..57be53774 --- /dev/null +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -0,0 +1,31 @@ +title: Disable security events logging adding reg key MiniNt +status: experimental +description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. +references: + - https://twitter.com/0gtweet/status/1182516740955226112 +tags: + - attack.defense_evasion + - attack.t1089 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon +detection: + selection: + - EventID: 12 # key create + TargetObject|contains: '\SYSTEM\' + TargetObject|endswith: '\Control\MiniNt' + - EventID: 14 # key rename + NewName|contains: '\SYSTEM\' + NewName|endswith: '\Control\MiniNt' + condition: selection +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: high diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml index f4fdf4183..64e171ad8 100644 --- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml +++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml 
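Review bot: Sysmon Event ID 12 covers both key creation and key deletion, so the `EventID: 12 # key create` branch also fires when the MiniNt key is removed (e.g. during remediation); adding `EventType: CreateKey` to that branch, or changing the comment to `# key create/delete`, would make the rule match its title. The same applies to the `EventID: 12` branches in the sysmon_new_dll_added_to_appcertdlls_registry_key.yml, sysmon_new_dll_added_to_appinit_dlls_registry_key.yml and sysmon_registry_persistence_key_linking.yml hunks. Two spelling points: the description should read `the Windows Event Log service will stop writing events`, and `falsepositives` says `Unkown` (also in the two AppCert/AppInit rules).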
@@ -15,20 +15,27 @@ detection: exec_selection: EventID: 1 # Migration to process_creation requires multipart YAML ParentImage: '*\userinit.exe' - exec_exclusion: + exec_exclusion1: Image: '*\explorer.exe' + exec_exclusion2: CommandLine: '*\netlogon.bat' - create_selection: + create_selection_cli: EventID: - 1 + create_selection_reg: + EventID: - 11 - 12 - 13 - 14 - create_keywords: - - UserInitMprLogonScript - condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords) + create_keywords_reg: + TargetObject: + - '*UserInitMprLogonScript*' + create_keywords_cli: + CommandLine: + - '*UserInitMprLogonScript*' + condition: (exec_selection and not exec_exclusion1 and not exec_exclusion2) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli) falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming -level: high \ No newline at end of file +level: high diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml new file mode 100644 index 000000000..687d7ea8c --- /dev/null +++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml 
@@ -0,0 +1,26 @@ +title: Narrator's Feedback-Hub Persistence +description: Detects abusing Windows 10 Narrator's Feedback-Hub +references: + - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html +tags: + - attack.persistence + - attack.t1060 +author: Dmitriy Lifanov, oscd.community +status: experimental +date: 2019/10/25 +modified: 2019/11/10 +logsource: + product: windows + service: sysmon +detection: + condition: 1 of them + selection1: + EventID: 12 + EventType: DeleteValue + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' + selection2: + EventID: 13 + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' +falsepositives: + - unknown +level: high diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml new file mode 100644 index 000000000..6ef46657c --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
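Review bot: `condition: 1 of them` is placed before the selections it refers to; every other rule in this commit puts `condition` last, and moving it below `selection2` keeps the file consistent. The description `Detects abusing Windows 10 Narrator's Feedback-Hub` does not say what is observed; `Detects deletion of the DelegateExecute value or modification of the default command under the Feedback-Hub AppX Shell\open\command key, used for persistence` matches the two selections. The file name is also misspelled (`persistance`).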
@@ -0,0 +1,34 @@ +title: New DLL added to AppCertDlls registry key +status: experimental +description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. +references: + - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html +tags: + - attack.persistence + - attack.t1182 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon +detection: + selection: + - EventID: + - 12 # key create + - 13 # value set + TargetObject|contains: '\SYSTEM\' + TargetObject|endswith: '\Control\Session Manager\AppCertDlls' + - EventID: 14 # key rename + NewName|contains: '\SYSTEM\' + NewName|endswith: '\Control\Session Manager\AppCertDlls' + condition: selection +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml new file mode 100644 index 000000000..c660735b6 --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
@@ -0,0 +1,33 @@ +title: New DLL added to AppInit_DLLs registry key +status: experimental +description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll +references: + - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html +tags: + - attack.persistence + - attack.t1103 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon +detection: + selection: + - EventID: + - 12 # key create + - 13 # value set + TargetObject|contains: '\SOFTWARE\' + TargetObject|endswith: '\Windows\AppInit_Dlls' + - EventID: 14 # key rename + NewName|contains: '\SOFTWARE\' + NewName|endswith: '\Windows\AppInit_Dlls' + condition: selection +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml new file mode 100644 index 000000000..a53182be2 --- /dev/null +++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml 
@@ -0,0 +1,43 @@ +title: Possible DNS Rebinding +status: experimental +description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). +date: 2019/10/25 +modified: 2019/11/13 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: windows + service: sysmon +detection: + dns_answer: + EventID: 22 + QueryName: '*' + QueryStatus: '0' + filter_int_ip: + QueryResults|startswith: + - '(::ffff:)?10.' + - '(::ffff:)?192.168.' + - '(::ffff:)?172.16.' + - '(::ffff:)?172.17.' + - '(::ffff:)?172.18.' + - '(::ffff:)?172.19.' + - '(::ffff:)?172.20.' + - '(::ffff:)?172.21.' + - '(::ffff:)?172.22.' + - '(::ffff:)?172.23.' + - '(::ffff:)?172.24.' + - '(::ffff:)?172.25.' + - '(::ffff:)?172.26.' + - '(::ffff:)?172.27.' + - '(::ffff:)?172.28.' + - '(::ffff:)?172.29.' + - '(::ffff:)?172.30.' + - '(::ffff:)?172.31.' + - '(::ffff:)?127.' + timeframe: 30s + condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 +level: medium diff --git a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml new file mode 100644 index 000000000..83fc32d84 --- /dev/null +++ b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml 
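Review bot: `condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3` is a contradiction when evaluated against a single event (X and not X), so the rule can never match regardless of the aggregation; correlating internal and external answers for the same name across events needs a different expression or a backend correlation feature. Separately, the `QueryResults|startswith` values look like regular expressions (`(::ffff:)?10.`), but `startswith` compares literally, so none of them will match a real answer; either use the `re` modifier with anchored patterns or list both literal prefixes (`10.` and `::ffff:10.`). `QueryName: '*'` is a no-op, and the rule has no `falsepositives` key.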
@@ -0,0 +1,31 @@ +title: Possible privilege escalation via service registry permissions weakness +description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ +tags: + - attack.privilege_escalation + - attack.t1058 +status: experimental +author: Teymur Kheirkhabarov +date: 2019/10/26 +modified: 2019/11/11 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 13 + IntegrityLevel: 'Medium' + TargetObject|contains: '\services\' + TargetObject|endswith: + - '\ImagePath' + - '\FailureCommand' + - '\Parameters\ServiceDll' + condition: selection +falsepositives: + - Unknown +level: high +enrichment: + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml new file mode 100644 index 000000000..c9e16c9f1 --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml @@ -0,0 +1,20 @@ +title: T1086 PowerShell Execution +description: Detects execution of PowerShell +status: experimental +date: 2019/09/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + Description: 'system.management.automation' + ImageLoaded|contains: 'system.management.automation' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file 
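Review bot: `IntegrityLevel` is not a field of Sysmon Event ID 13, so the `selection` relies entirely on the `enrichment` entries at the bottom (EN_0001/EN_0003, joining Event ID 1 data); without that pipeline the rule matches nothing. The description should say so explicitly, e.g. `Requires enrichment of registry events with the process integrity level from Sysmon Event ID 1`. As `enrichment` is not a standard rule key, it may be worth checking that tests/test_rules.py tolerates it.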
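Review bot: `level: critical` does not fit a rule whose description is `Detects execution of PowerShell` and whose selection (`EventID: 7` with `system.management.automation` loaded) matches every PowerShell start on the host; this looks like a building-block/hunting rule and should be `level: low`, or carry a `falsepositives` entry explaining that it fires on all legitimate use. The same holds for the sysmon_powershell_execution_pipe.yml hunk.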
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml new file mode 100644 index 000000000..64c22df7c --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml @@ -0,0 +1,19 @@ +title: T1086 PowerShell Execution +description: Detects execution of PowerShell +status: experimental +date: 2019/09/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 17 + PipeName|startswith: '\PSHost' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml new file mode 100644 index 000000000..a01d3a0eb --- /dev/null +++ b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml @@ -0,0 +1,22 @@ +title: T1112 RDP Registry Modification +description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. +status: experimental +date: 2019/09/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 13 + TargetObject|endswith: + - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' + - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file 
diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml new file mode 100644 index 000000000..71455dabe --- /dev/null +++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml @@ -0,0 +1,24 @@ +title: Windows Registry Persistence - COM key linking +status: experimental +description: Detects COM object hijacking via TreatAs subkey +references: + - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ +author: Kutepov Anton, oscd.community +date: 2019/10/23 +modified: 2019/11/07 +tags: + - attack.persistence + - attack.t1122 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 12 + TargetObject|startswith: 'HKU\' + TargetObject|contains: '_Classes\CLSID\' + TargetObject|endswith: '\TreatAs' + condition: selection +falsepositives: + - Maybe some system utilities in rare cases use linking keys for backward compability +level: medium diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml new file mode 100644 index 000000000..5194d4090 --- /dev/null +++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml 
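Review bot: The rule only covers per-user hijacks (`TargetObject|startswith: 'HKU\'`), so TreatAs changes under the machine hive are out of scope; that is a reasonable design choice but should be stated in the description. The `falsepositives` entry misspells `compatibility`.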
@@ -0,0 +1,27 @@ +title: Regsvr32 network activity +description: Detects network connections and DNS queries initiated by Regsvr32.exe +references: + - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md +tags: + - attack.execution + - attack.defense_evasion + - attack.t1117 +author: Dmitriy Lifanov, oscd.community +status: experimental +date: 2019/10/25 +modified: 2019/11/10 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: + - 3 + - 22 + Image|endswith: '\regsvr32.exe' + condition: selection +falsepositives: + - unknown +level: high diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml new file mode 100644 index 000000000..850323f85 --- /dev/null +++ b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml @@ -0,0 +1,22 @@ +title: T1086 Remote PowerShell Session +description: Detects remote PowerShell seccions by monitoring network outbount connections to ports 5985 or 5986 from not network service account +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationPort: + - 5985 + - 5986 + filter: + User: 'NT AUTHORITY\NETWORK SERVICE' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml index 19956fce5..d55dac169 100644 --- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml 
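Review bot: Without `Initiated: 'true'` the selection also matches inbound WinRM connections, where Sysmon reports `DestinationPort` 5985/5986 on the listening side; that is presumably why the `NT AUTHORITY\NETWORK SERVICE` filter was needed. Adding `Initiated: 'true'` to the selection, as the sysmon_suspicious_outbound_kerberos_connection.yml hunk does, would match the title's outbound intent directly. The description also has spelling errors (`sessions`, `outbound`).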
+++ b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml @@ -6,6 +6,7 @@ references: - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection author: Markus Neis date: 2018/11/22 +modified: 2019/11/09 tags: - attack.defense_evasion - attack.execution @@ -29,4 +30,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..8daac1661 --- /dev/null +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -0,0 +1,29 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +modified: 2019/11/13 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationPort: 88 + Initiated: 'true' + filter: + Image|endswith: + - '\lsass.exe' + - '\opera.exe' + - '\chrome.exe' + - '\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml new file mode 100644 index 000000000..1af4f31f8 --- /dev/null +++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml 
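Review bot: The reference `https://github.com/GhostPack/Rubeus8` appears to carry a stray trailing character; the repository is `https://github.com/GhostPack/Rubeus` (worth confirming before merge). The filter matches on image name alone and the only false positive listed is `Other browsers`, so a sentence in the description stating that Kerberos traffic is normally expected to originate from lsass.exe would help analysts triage hits.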
@@ -0,0 +1,44 @@ +title: Windows webshell creation +status: experimental +description: Posible webshell file creation on a static web site +references: + - PT ESC rule and personal experience +author: Beyu Denis, oscd.community +date: 2019/10/22 +modified: 2019/11/04 +tags: + - attack.persistence + - attack.t1100 +level: critical +logsource: + product: windows + service: sysmon +detection: + selection_1: + EventID: 11 + selection_2: + TargetFilename|contains: '\inetpub\wwwroot\' + selection_3: + TargetFilename|contains: + - '.asp' + - '.ashx' + - '.ph' + selection_4: + TargetFilename|contains: + - '\www\' + - '\htdocs\' + - '\html\' + selection_5: + TargetFilename|contains: '.ph' + selection_6: + - TargetFilename|contains|all: + - '\' + - '.jsp' + - TargetFilename|contains|all: + - '\cgi-bin\' + - '.pl' + condition: selection_1 and ( selection_2 and selection_3 ) or + selection_1 and ( selection_4 and selection_5 ) or + selection_1 and selection_6 +falsepositives: + - Legitimate administrator or developer creating legitimate executable files in a web application folder diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml new file mode 100644 index 000000000..05422cf03 --- /dev/null +++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml 
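Review bot: In `selection_6`, the first `contains|all` list pairs `'.jsp'` with `'\'`, and `'\'` occurs in every Windows path, so that branch reduces to "any created file whose path contains `.jsp`" regardless of web root; the path scoping used by `selection_2`/`selection_4` should apply there too, or the `'\'` item be replaced by the intended directory anchor. `selection_3`/`selection_5` use `'.ph'` to cover several PHP extensions, which also matches unrelated names, so a comment such as `# .ph covers .php, .phtml, .phar` documents the intent. The description misspells `Possible`, and `level` sits above `logsource` unlike the other rules.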
@@ -0,0 +1,33 @@ +title: T1047 WMI Modules Loaded +description: Detects non wmiprvse loading WMI modules +status: experimental +date: 2019/08/10 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + ImageLoaded|endswith: + - '\wmiclnt.dll' + - '\WmiApRpl.dll' + - '\wmiprov.dll' + - '\wmiutils.dll' + - '\wbemcomn.dll' + - '\wbemprox.dll' + - '\WMINet_Utils.dll' + - '\wbemsvc.dll' + - '\fastprox.dll' + filter: + Image|endswith: + - '\WmiPrvSe.exe' + - '\WmiAPsrv.exe' + - '\svchost.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/tests/test-modifiers.yml b/tests/test-modifiers.yml index e856e19d5..8e578234c 100644 --- a/tests/test-modifiers.yml +++ b/tests/test-modifiers.yml @@ -13,4 +13,6 @@ detection: - foo - bar - bla + end|endswith: test + start|startswith: test condition: selection diff --git a/tests/test_rules.py b/tests/test_rules.py index 98b7f7510..f481d11aa 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
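Review bot: The `ImageLoaded` list includes `wbemcomn.dll`, `wbemprox.dll` and `fastprox.dll`, which are loaded by any WMI client (PowerShell, Task Manager, MMC snap-ins, many installers), and the filter only exempts WmiPrvSe, WmiApSrv and svchost; at `level: critical` this will produce a steady stream of alerts on most hosts. Either a broader filter or a lower level with a `falsepositives` entry naming common WMI clients seems needed before merge.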
@@ -12,12 +12,12 @@ import yaml import re class TestRules(unittest.TestCase): - MITRE_TECHNIQUES = ["t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", "t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", "t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", 
"t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102", "t1500"] + MITRE_TECHNIQUES = ["t1007", "t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", 
"t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", "t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", "t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102", "t1500"] MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control"] MITRE_GROUPS = ["g0018", "g0006", "g0005", "g0023", "g0025", "g0026", "g0073", "g0007", "g0016", "g0022", "g0013", "g0050", "g0064", "g0067", "g0001", "g0063", "g0060", "g0008", "g0058", "g0003", "g0080", "g0052", "g0070", "g0012", "g0079", "g0009", "g0035", "g0074", "g0017", "g0031", "g0066", "g0020", 
"g0051", "g0053", "g0037", "g0046", "g0061", "g0047", "g0036", "g0078", "g0043", "g0072", "g0004", "g0032", "g0077", "g0065", "g0030", "g0059", "g0045", "g0002", "g0021", "g0069", "g0019", "g0055", "g0014", "g0049", "g0071", "g0040", "g0011", "g0068", "g0033", "g0056", "g0024", "g0075", "g0048", "g0034", "g0029", "g0054", "g0038", "g0041", "g0039", "g0062", "g0015", "g0028", "g0027", "g0076", "g0010", "g0044"] MITRE_SOFTWARE = ["s0066", "s0065", "s0202", "s0309", "s0045", "s0092", "s0319", "s0296", "s0304", "s0310", "s0292", "s0099", "s0073", "s0110", "s0129", "s0093", "s0031", "s0245", "s0128", "s0234", "s0239", "s0127", "s0017", "s0268", "s0190", "s0069", "s0089", "s0114", "s0293", "s0252", "s0204", "s0014", "s0043", "s0119", "s0025", "s0274", "s0077", "s0030", "s0261", "s0222", "s0160", "s0220", "s0323", "s0144", "s0107", "s0020", "s0023", "s0054", "s0106", "s0154", "s0244", "s0126", "s0212", "s0137", "s0050", "s0046", "s0115", "s0235", "s0187", "s0255", "s0243", "s0301", "s0021", "s0200", "s0213", "s0281", "s0134", "s0186", "s0300", "s0320", "s0105", "s0315", "s0038", "s0062", "s0024", "s0081", "s0064", "s0082", "s0091", "s0152", "s0076", "s0181", "s0171", "s0267", "s0120", "s0182", "s0143", "s0036", "s0173", "s0193", "s0277", "s0095", "s0168", "s0049", "s0032", "s0026", "s0249", "s0290", "s0237", "s0008", "s0132", "s0047", "s0151", "s0037", "s0214", "s0246", "s0224", "s0071", "s0061", "s0170", "s0087", "s0135", "s0009", "s0232", "s0040", "s0070", "s0068", "s0322", "s0321", "s0203", "s0101", "s0278", "s0259", "s0260", "s0231", "s0100", "s0189", "s0015", "s0163", "s0044", "s0201", "s0283", "s0325", "s0215", "s0088", "s0265", "s0276", "s0271", "s0288", "s0250", "s0162", "s0156", "s0236", "s0211", "s0042", "s0121", "s0010", "s0282", "s0317", "s0167", "s0303", "s0175", "s0002", "s0179", "s0133", "s0051", "s0280", "s0084", "s0083", "s0080", "s0079", "s0149", "s0284", "s0256", "s0233", "s0205", "s0228", "s0247", "s0102", "s0272", "s0210", "s0039", "s0056", "s0034", 
"s0108", "s0104", "s0033", "s0198", "s0118", "s0299", "s0286", "s0138", "s0285", "s0052", "s0264", "s0229", "s0165", "s0072", "s0016", "s0208", "s0122", "s0316", "s0289", "s0158", "s0048", "s0097", "s0124", "s0291", "s0254", "s0013", "s0067", "s0012", "s0216", "s0150", "s0177", "s0139", "s0145", "s0194", "s0223", "s0184", "s0113", "s0279", "s0238", "s0029", "s0078", "s0147", "s0196", "s0197", "s0192", "s0006", "s0269", "s0262", "s0055", "s0241", "s0169", "s0295", "s0172", "s0326", "s0153", "s0075", "s0019", "s0166", "s0125", "s0174", "s0258", "s0003", "s0112", "s0270", "s0240", "s0103", "s0090", "s0148", "s0313", "s0253", "s0085", "s0074", "s0111", "s0195", "s0053", "s0185", "s0140", "s0294", "s0028", "s0063", "s0217", "s0007", "s0327", "s0218", "s0226", "s0159", "s0273", "s0157", "s0035", "s0227", "s0324", "s0305", "s0225", "s0058", "s0188", "s0328", "s0142", "s0018", "s0242", "s0060", "s0096", "s0098", "s0011", "s0329", "s0057", "s0164", "s0146", "s0131", "s0004", "s0183", "s0266", "s0307", "s0306", "s0308", "s0094", "s0001", "s0178", "s0199", "s0302", "s0263", "s0116", "s0221", "s0130", "s0275", "s0022", "s0136", "s0207", "s0257", "s0180", "s0109", "s0206", "s0005", "s0155", "s0219", "s0191", "s0176", "s0059", "s0141", "s0041", "s0312", "s0314", "s0161", "s0298", "s0123", "s0297", "s0318", "s0117", "s0311", "s0248", "s0251", "s0287", "s0027", "s0230", "s0086"] - MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] + MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] path_to_rules = "rules" diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index dc3691201..83b143c96 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml 
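Review bot: `MITRE_TECHNIQUE_NAMES` becomes unused once it is dropped from `MITRE_ALL` on the last changed line, but its definition (marked `# incomplete list`) remains; either delete it or leave a comment stating why it is kept. The technique list also repeats several ids (`t1053`, `t1078`, `t1152`, `t1168` appear more than once), which is harmless for membership tests but shows the data is not curated; building `MITRE_ALL = {"attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE}` as a set deduplicates it and makes lookups O(1), assuming it is only used with `in`.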
@@ -12,4 +12,3 @@ logsources: fieldmappings: Image: NewProcessName ParentImage: ParentProcessName - CommandLine: ProcessCommandLine diff --git a/tools/setup.py b/tools/setup.py index 110b9aff6..8059c88e6 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.13', + version='0.14', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", @@ -36,7 +36,7 @@ setup( keywords='security monitoring siem logging signatures elasticsearch splunk ids sysmon', packages=['sigma', 'sigma.backends', 'sigma.config', 'sigma.parser', 'sigma.parser.modifiers'], python_requires='~=3.6', - install_requires=['PyYAML', 'pymisp'], + install_requires=['PyYAML', 'pymisp', 'progressbar2'], extras_require={ 'test': ['coverage', 'yamllint'], }, @@ -70,5 +70,6 @@ setup( 'sigmac', 'merge_sigma', 'sigma2misp', + 'sigma-similarity', ] ) diff --git a/tools/sigma-similarity b/tools/sigma-similarity index 0253b6000..de5022c3e 100755 --- a/tools/sigma-similarity +++ b/tools/sigma-similarity @@ -18,6 +18,7 @@ argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse i argparser.add_argument("--verbose", "-v", action="count", help="Be verbose. Use once more for debug output.") argparser.add_argument("--top", "-t", type=int, help="Only output the n most similar rule pairs.") argparser.add_argument("--min-similarity", "-m", type=int, help="Only output pairs with a similarity above this threshold (percent)") +argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at leat one primary rule are compared. Primary rules must also be contained in input rule set.") argparser.add_argument("inputs", nargs="+", help="Sigma input files") args = argparser.parse_args() 
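Review bot: `progressbar2` is added to `install_requires` without any version constraint, unlike the `python_requires='~=3.6'` line just above, so a future incompatible release of that package would break `sigma-similarity` at import time for fresh installs. A lower bound on the version actually tested, `'progressbar2>=<tested version>'` (placeholder), keeps installs predictable; the same remark applies to the existing `pymisp` entry.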
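Review bot: The help text of the new `--primary` option has a typo, `at leat one primary rule` should read `at least one primary rule`. It would also help the user to state the file format and how entries are matched, since (judging from the later hunk) they are compared as exact strings against the input rule paths: `help="File with one rule path per line. If given, only rule combinations with at least one primary rule are compared. Paths must be spelled exactly as the corresponding input rule paths."`.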
@@ -62,6 +63,11 @@ if args.recursive: else: paths = [ pathlib.Path(pathname) for pathname in args.inputs ] +primary_paths = None +if args.primary: + with open(args.primary, "r") as f: + primary_paths = { pathname.strip() for pathname in f.readlines() } + parsed = { str(path): SigmaCollectionParser(path.open().read()) for path in paths @@ -75,7 +81,11 @@ converted_flat = ( for path, nlist in converted.items() for i, normalized in zip(range(len(nlist)), nlist) ) -converted_pairs = list(itertools.combinations(converted_flat, 2)) +converted_pairs_iter = itertools.combinations(converted_flat, 2) +if primary_paths: + converted_pairs = [ pair for pair in converted_pairs_iter if pair[0][0] in primary_paths or pair[1][0] in paths ] +else: + converted_pairs = list(converted_pairs_iter) similarities = [ (item1[:2], item2[:2], difflib.SequenceMatcher(None, item1[2], item2[2]).ratio()) for item1, item2 in progressbar.progressbar(converted_pairs) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index fb09b841f..4675b0197 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -89,6 +89,7 @@ class BaseBackend: file_list = None options = tuple() # a list of tuples with following elements: option name, default value, help text, target attribute name (option name if None) config_required = True + default_config = None def __init__(self, sigmaconfig, backend_options=dict()): """ diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index c61421a3f..423b93dc4 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
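Review bot: The filter on the new `converted_pairs` line tests `pair[1][0] in paths` where it should test `pair[1][0] in primary_paths`: `paths` is the list of `pathlib.Path` input objects built above, while the pair elements carry the `str(path)` keys of `parsed`/`converted`, so the second operand is always False and a pair whose only primary rule is its second element is silently dropped. The fix is `converted_pairs = [ pair for pair in converted_pairs_iter if pair[0][0] in primary_paths or pair[1][0] in primary_paths ]`. Note also that an empty primary file yields an empty set, which `if primary_paths:` treats as "no filter" and compares every pair; if that is not intended, test `if primary_paths is not None:` instead. The `converted_flat` definition starts before this hunk.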
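Review bot: `default_config = None` is added without the explanatory comment its sibling `options` has, and what it means is only discoverable in sigmac. Suggest `default_config = None  # list of configuration names sigmac applies when the user passes no --config; None means the backend has no default`.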
@@ -22,6 +22,7 @@ import sys import sigma import yaml from sigma.parser.modifiers.type import SigmaRegularExpressionModifier +from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError @@ -109,6 +110,29 @@ class ElasticsearchQuerystringBackend(ElasticsearchWildcardHandlingMixin, Single if expression: return "(%s%s)" % (self.notToken, expression) + def generateSubexpressionNode(self, node): + """Check for search not bound to a field and restrict search to keyword fields""" + nodetype = type(node.items) + if nodetype in { ConditionAND, ConditionOR } and type(node.items.items) == list and { type(item) for item in node.items.items }.issubset({str, int}): + newitems = list() + for item in node.items: + newitem = item + if type(item) == str: + if not item.startswith("*"): + newitem = "*" + newitem + if not item.endswith("*"): + newitem += "*" + newitems.append(newitem) + else: + newitems.append(item) + newnode = NodeSubexpression(nodetype(None, None, *newitems)) + self.matchKeyword = True + result = "\\*.keyword:" + super().generateSubexpressionNode(newnode) + self.matchKeyword = False # one of the reasons why the converter needs some major overhaul + return result + else: + return super().generateSubexpressionNode(node) + class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend): """ElasticSearch DSL backend""" identifier = 'es-dsl' @@ -188,8 +212,6 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin def generateMapItemNode(self, node): key, value = node - if type(value) not in (str, int, list, type(None)): - raise TypeError("Map values must be strings, numbers, lists or null, not " + str(type(value))) if type(value) is list: res = {'bool': {'should': []}} for v in value: 
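Review bot: In `generateSubexpressionNode`, `self.matchKeyword` is set to `True` and then reset to `False` unconditionally, so a value that was already `True` when the method was entered is lost, and if `super().generateSubexpressionNode` raises, the flag stays `True` for the rest of the conversion. Saving the previous value and restoring it in a `finally` block fixes both and makes the comment about the converter needing an overhaul unnecessary at this spot. The guard `type(node.items.items) == list` is also brittle: `ConditionAND.__init__` in this same commit now stores `self.items = args`, a tuple, so an `isinstance(node.items.items, (list, tuple))` test is safer. The method is complete in the hunk; `ElasticsearchDSLBackend` below it continues outside.
```python
    def generateSubexpressionNode(self, node):
        """Check for search not bound to a field and restrict search to keyword fields"""
        nodetype = type(node.items)
        if nodetype in { ConditionAND, ConditionOR } and isinstance(node.items.items, (list, tuple)) and { type(item) for item in node.items.items }.issubset({str, int}):
            # … unchanged: wrap bare string items in *-wildcards, build newitems …
            newnode = NodeSubexpression(nodetype(None, None, *newitems))
            previous_matchkeyword = self.matchKeyword
            self.matchKeyword = True
            try:
                return "\\*.keyword:" + super().generateSubexpressionNode(newnode)
            finally:
                self.matchKeyword = previous_matchkeyword  # restore whatever the caller had set
        else:
            return super().generateSubexpressionNode(node)
```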
@@ -206,7 +228,7 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin elif value is None: key_mapped = self.fieldNameMapping(key, value) return { "bool": { "must_not": { "exists": { "field": key_mapped } } } } - else: + elif type(value) in (str, int): key_mapped = self.fieldNameMapping(key, value) if self.matchKeyword: # searches against keyowrd fields are wildcard searches, phrases otherwise queryType = 'wildcard' @@ -215,6 +237,11 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin queryType = 'match_phrase' value_cleaned = self.cleanValue(str(value)) return {queryType: {key_mapped: value_cleaned}} + elif isinstance(value, SigmaRegularExpressionModifier): + key_mapped = self.fieldNameMapping(key, value) + return { 'regexp': { key_mapped: str(value) } } + else: + raise TypeError("Map values must be strings, numbers, lists, null or regular expression, not " + str(type(value))) def generateValueNode(self, node): return {'multi_match': {'query': node, 'fields': [], 'type': 'phrase'}} @@ -888,7 +915,7 @@ class ElastalertBackend(MultiRuleOutputMixin): def finalize(self): result = "" for rulename, rule in self.elastalert_alerts.items(): - result += yaml.dump(rule, default_flow_style=False) + result += yaml.dump(rule, default_flow_style=False, width=10000) result += '\n' return result diff --git a/tools/sigma/backends/graylog.py b/tools/sigma/backends/graylog.py index 6a875e04c..615cca1b1 100644 --- a/tools/sigma/backends/graylog.py +++ b/tools/sigma/backends/graylog.py 
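Review bot: The new `regexp` branch emits the Sigma regular expression verbatim as an Elasticsearch `regexp` query, but Elasticsearch regexps are implicitly anchored to the whole field value and use Lucene syntax (no `\d`/`\w` shorthands, no lookaround, no `^`/`$` anchors), so a rule written against Python/PCRE semantics can match nothing without any error being raised. At minimum document this on the branch, `# ES regexp queries are anchored and use Lucene syntax; Sigma REs written for PCRE may need rewriting`, and consider validating the pattern against the subset Lucene supports. The `TypeError` raised at the end of the chain is also what sigmac now reports as an unsupported feature; raising the already imported `NotSupportedError` there instead would keep genuine type bugs distinguishable. `generateMapItemNode` starts before this hunk.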
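Review bot: `width=10000` on the `yaml.dump` call is a magic number whose purpose, keeping long query strings on one line, is only recorded in the changelog. A comment on the line, `# large width: do not fold long query strings across lines (changelog: "Removal of line breaks in elastalert output")`, or a module-level constant such as `YAML_NO_WRAP_WIDTH = 10000`, documents the intent; a scalar longer than that would still be folded, and I believe PyYAML's emitter also accepts `width=float("inf")` if unconditional no-wrap is what is wanted.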
@@ -15,24 +15,13 @@ # along with this program. If not, see . import re -from .base import SingleTextQueryBackend +from .elasticsearch import ElasticsearchQuerystringBackend -class GraylogQuerystringBackend(SingleTextQueryBackend): +class GraylogQuerystringBackend(ElasticsearchQuerystringBackend): """Converts Sigma rule into Graylog query string. Only searches, no aggregations.""" identifier = "graylog" active = True config_required = False reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(?', val) - val = re.sub('\\*', '.*', val) - val = re.sub('\\?', '.', val) - return ("matches", val) - # value possibly only starts and/or ends with *, use prefix/postfix match - # TODO: this is actually not correct since the string could end with - # a \* expression which would mean it's NOT a wildcard. We'll gloss over - # it for now to get something out but it should eventually be fixed - # so that it's accurate in all corner cases. - if val.endswith("*") and val.startswith("*"): - return ("contains", val[1:-1]) - elif val.endswith("*"): - return ("starts with", val[:-1]) - elif val.startswith("*"): - return ("ends with", val[1:]) - return ("is", val) \ No newline at end of file + + # Is there any wildcard in this string? If not, we can short circuit. + if "*" not in val and "?" not in val: + return ("is", val) + + # Now we do a small optimization for the shortcut operators + # available in LC. We try to see if the wildcards are around + # the main value, but NOT within. If that's the case we can + # use the "starts with", "ends with" or "contains" operators. 
+ isStartsWithWildcard = False + isEndsWithWildcard = False + tmpVal = val + if tmpVal.startswith("*"): + isStartsWithWildcard = True + tmpVal = tmpVal[1:] + if tmpVal.endswith("*") and not (tmpVal.endswith("\\*") and not tmpVal.endswith("\\\\*")): + isEndsWithWildcard = True + if tmpVal.endswith("\\\\*"): + # An extra \ had to be there so it didn't escapte the + # *, but since we plan on removing the *, we can also + # remove one \. + tmpVal = tmpVal[:-2] + else: + tmpVal = tmpVal[:-1] + + # Check to see if there are any other wildcards. If there are + # we cannot use our shortcuts. + if "*" not in tmpVal and "?" not in tmpVal: + if isStartsWithWildcard and isEndsWithWildcard: + return ("contains", tmpVal) + + if isStartsWithWildcard: + return ("ends with", tmpVal) + + if isEndsWithWildcard: + return ("starts with", tmpVal) + + # This is messy, but it is accurate in generating a RE based on + # the simplified wildcard system, while also supporting the + # escaping of those wildcards. + segments = [] + tmpVal = val + while True: + nEscapes = 0 + for i in range(len(tmpVal)): + # We keep a running count of backslash escape + # characters we see so that if we meet a wildcard + # we can tell whether the wildcard is escaped + # (with odd number of escapes) or if it's just a + # backslash literal before a wildcard (even number). + if "\\" == tmpVal[i]: + nEscapes += 1 + continue + + if "*" == tmpVal[i]: + if 0 == nEscapes: + segments.append(re.escape(tmpVal[:i])) + segments.append(".*") + elif nEscapes % 2 == 0: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i]) + segments.append(".*") + else: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i + 1]) + tmpVal = tmpVal[i + 1:] + break + + if "?" 
== tmpVal[i]: + if 0 == nEscapes: + segments.append(re.escape(tmpVal[:i])) + segments.append(".") + elif nEscapes % 2 == 0: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i]) + segments.append(".") + else: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i + 1]) + tmpVal = tmpVal[i + 1:] + break + + nEscapes = 0 + else: + segments.append(re.escape(tmpVal)) + break + + val = ''.join(segments) + + return ("matches", val) + + def _mapKeywordVals(self, values): + # This function ensures that the list of values passed + # are proper D&R operations, if they are strings it indicates + # they were requested as keyword matches. We only support + # keyword matches when specified in the config. We generally just + # map them to the most common field in LC that makes sense. + mapped = [] + + for val in values: + # Non-keywords are just passed through. + if not isinstance(val, str): + mapped.append(val) + continue + + if self._keywordField is None: + raise NotImplementedError("Full-text keyboard searches not supported.") + + # This seems to be indicative only of "keywords" which are mostly + # representative of full-text searches. We don't suport that but + # in some data sources we can alias them to an actual field. + op, newVal = self._valuePatternToLcOp(val) + newOp = { + "op": op, + "path": self._keywordField, + } + if op == "matches": + newOp["re"] = newVal + else: + newOp["value"] = newVal + mapped.append(newOp) + + return mapped \ No newline at end of file diff --git a/tools/sigma/backends/logpoint.py b/tools/sigma/backends/logpoint.py index 230b5139e..6b8edd58a 100644 --- a/tools/sigma/backends/logpoint.py +++ b/tools/sigma/backends/logpoint.py @@ -22,6 +22,8 @@ class LogPointBackend(SingleTextQueryBackend): """Converts Sigma rule into LogPoint query""" identifier = "logpoint" active = True + config_required = False + default_config = ["sysmon", "logpoint-windows"] # \ -> \\ # \* -> \* 
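Review bot: `default_config = ["sysmon", "logpoint-windows"]` is a mutable list shared by every instance of the class, and sigmac assigns it directly to `cmdargs.config`, so any later in-place edit of that argument would alter the class attribute. A tuple, `default_config = ("sysmon", "logpoint-windows")`, reads as the constant it is and cannot be mutated through the alias; the same applies to the netwitness, powershell, qradar, qualys and sumologic hunks that follow.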
diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py index fbbd5ed22..25aed08d0 100644 --- a/tools/sigma/backends/netwitness.py +++ b/tools/sigma/backends/netwitness.py @@ -24,6 +24,8 @@ from .mixins import MultiRuleOutputMixin class NetWitnessBackend(SingleTextQueryBackend): """Converts Sigma rule into NetWitness saved search. Contributed by @tuckner""" identifier = "netwitness" + config_required = False + default_config = ["sysmon", "netwitness"] active = True reEscape = re.compile('(")') reClear = None diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py index a6fbb1d74..a4de4f9d6 100644 --- a/tools/sigma/backends/powershell.py +++ b/tools/sigma/backends/powershell.py @@ -23,6 +23,8 @@ class PowerShellBackend(SingleTextQueryBackend): """Converts Sigma rule into PowerShell event log cmdlets.""" identifier = "powershell" active = True + config_required = False + default_config = ["sysmon", "powershell"] options = ( ("csv", False, "Return the results in CSV format instead of Powershell objects", None), ) diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py index 996faf6dd..455a368f0 100644 --- a/tools/sigma/backends/qradar.py +++ b/tools/sigma/backends/qradar.py @@ -27,6 +27,8 @@ class QRadarBackend(SingleTextQueryBackend): """Converts Sigma rule into Qradar saved search. Contributed by SOC Prime. https://socprime.com""" identifier = "qradar" active = True + config_required = False + default_config = ["sysmon", "qradar"] reEscape = re.compile('(")') reClear = None andToken = " and " diff --git a/tools/sigma/backends/qualys.py b/tools/sigma/backends/qualys.py index fbe0ff4e7..668cf6db8 100644 --- a/tools/sigma/backends/qualys.py +++ b/tools/sigma/backends/qualys.py 
@@ -22,6 +22,8 @@ class QualysBackend(SingleTextQueryBackend): """Converts Sigma rule into Qualys saved search. Contributed by SOC Prime. https://socprime.com""" identifier = "qualys" active = True + config_required = False + default_config = ["sysmon", "qualys"] andToken = " and " orToken = " or " notToken = "not " diff --git a/tools/sigma/backends/sumologic.py b/tools/sigma/backends/sumologic.py index db63d5163..0613c7fbf 100644 --- a/tools/sigma/backends/sumologic.py +++ b/tools/sigma/backends/sumologic.py @@ -32,6 +32,8 @@ class SumoLogicBackend(SingleTextQueryBackend): """Converts Sigma rule into SumoLogic query""" identifier = "sumologic" active = True + config_required = False + default_config = ["sysmon", "sumologic"] index_field = "_index" reClear = None diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 626b6093e..db40575d3 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -202,11 +202,11 @@ class ConditionAND(ConditionBase): """AND Condition""" op = COND_AND - def __init__(self, sigma=None, op=None, val1=None, val2=None): - if sigma == None and op == None and val1 == None and val2 == None: # no parameters given - initialize empty + def __init__(self, sigma=None, op=None, *args): + if sigma == None and op == None and len(args) == 0: # no parameters given - initialize empty self.items = list() else: # called by parser, use given values - self.items = [ val1, val2 ] + self.items = args class ConditionOR(ConditionAND): """OR Condition""" diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py index 63b36fd8c..c30f92daf 100644 --- a/tools/sigma/parser/modifiers/transform.py +++ b/tools/sigma/parser/modifiers/transform.py 
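Review bot: `self.items = args` stores a tuple where the previous code stored the list `[val1, val2]`, so any caller that appends to `items` on a parser-built node, or checks `type(node.items) == list` as the new `ElasticsearchQuerystringBackend.generateSubexpressionNode` in this commit does, now behaves differently. `self.items = list(args)` keeps the old type while still accepting any number of operands. On the condition line, `if sigma is None and op is None and not args:` is the idiomatic form of the same emptiness check.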
@@ -31,6 +31,26 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier): val += "*" return val +class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier): + """Add *-wildcard before and after all string(s)""" + identifier = "startswith" + active = True + + def apply_str(self, val : str): + if not val.endswith("*"): + val += "*" + return val + +class SigmaEndswithModifier(ListOrStringModifierMixin, SigmaTransformModifier): + """Add *-wildcard before and after all string(s)""" + identifier = "endswith" + active = True + + def apply_str(self, val : str): + if not val.startswith("*"): + val = "*" + val + return val + class SigmaAllValuesModifier(SigmaTransformModifier): """Override default OR-linking behavior for list with AND-linking of all list values""" identifier = "all" diff --git a/tools/sigmac b/tools/sigmac index d3d90d875..4bb1a15bd 100755 --- a/tools/sigmac +++ b/tools/sigmac @@ -168,6 +168,16 @@ if cmdargs.filter: sys.exit(ERR_RULE_FILTER_PARSING) sigmaconfigs = SigmaConfigurationChain() +backend_class = backends.getBackend(cmdargs.target) +if cmdargs.config is None: + if backend_class.config_required and not cmdargs.shoot_yourself_in_the_foot: + print("The backend you want to use usually requires a configuration to generate valid results. Please provide one with --config/-c.", file=sys.stderr) + print("Available choices for this backend (get complete list with --lists/-l):") + list_configurations(cmdargs.target) + sys.exit(ERR_CONFIG_REQUIRED) + if backend_class.default_config is not None: + cmdargs.config = backend_class.default_config + if cmdargs.config: order = 0 for conf_name in cmdargs.config: 
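Review bot: Both new modifier classes carry the docstring copied from `SigmaContainsModifier`, "Add *-wildcard before and after all string(s)", which is wrong for each of them: `SigmaStartswithModifier` only appends a trailing wildcard and `SigmaEndswithModifier` only prepends a leading one. Suggest `"""Add *-wildcard after all string(s) (prefix match)"""` and `"""Add *-wildcard before all string(s) (suffix match)"""` respectively. Note also that `val.endswith("*")` treats an escaped literal `\*` at the end of a value as an existing wildcard and skips the append; if escaped wildcards are meant to be supported, that case deserves handling or at least a comment, as it does in the contains modifier it mirrors.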
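Review bot: When `cmdargs.config` is None and the backend declares a `default_config`, the new block applies it silently, so the user never learns which field mappings shaped the generated query; for detection content that matters, because a wrong mapping yields a query that runs but matches nothing. Suggest announcing the choice before the assignment, `print("No configuration given, using backend default: %s" % ", ".join(backend_class.default_config), file=sys.stderr)`. Assigning the class attribute itself to `cmdargs.config` also aliases it; `cmdargs.config = list(backend_class.default_config)` prevents later mutation from leaking into the class.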
@@ -198,12 +208,7 @@ if cmdargs.config: exit(ERR_CONFIG_PARSING) backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config) -backend = backends.getBackend(cmdargs.target)(sigmaconfigs, backend_options) -if backend.config_required and cmdargs.config is None and not cmdargs.shoot_yourself_in_the_foot: - print("The backend you want to use usually requires a configuration to generate valid results. Please provide one with --config/-c.", file=sys.stderr) - print("Available choices for this backend (get complete list with --lists/-l):") - list_configurations(cmdargs.target) - sys.exit(ERR_CONFIG_REQUIRED) +backend = backend_class(sigmaconfigs, backend_options) filename = cmdargs.output if filename: @@ -252,7 +257,7 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): error = ERR_BACKEND if not cmdargs.defer_abort: sys.exit(error) - except NotImplementedError as e: + except (NotImplementedError, TypeError) as e: print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr) print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr) if not cmdargs.ignore_backend_errors:
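Review bot: Catching `TypeError` alongside `NotImplementedError` turns every programming error in a backend that happens to surface as a TypeError (wrong argument count, arithmetic on None, str/bytes mix-ups) into an "unsupported feature" message, and with `-I` those rules are then skipped with no indication that the converter itself is broken. The es-dsl backend that motivates this raises `TypeError` for unsupported map values; raising a dedicated exception there, e.g. the existing `NotSupportedError` from `sigma.backends.exceptions`, and catching `(NotImplementedError, NotSupportedError)` here keeps genuine bugs visible. If the broad catch has to stay, at least print the traceback when verbose output is enabled so the two cases can be told apart.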