From ac8308dfc91d49d5536980150e9ddd28eb77eb67 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 21 Oct 2019 11:14:24 +0200 Subject: [PATCH 001/269] add rule lnx_auditd_web_rce.yml --- rules/linux/auditd/lnx_auditd_web_rce.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_web_rce.yml diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml new file mode 100644 index 000000000..93e1ffc94 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -0,0 +1,15 @@ +title: Webshell/RCE command execute detect status: experimental description: Posible command execute detect on web application/web shell +# You need to add to the config auditd.conf: -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www change 33 to id you webserver user. default: +#www-data:x:33:33 +tags: + - attack.persistence references: + - personal experience author: Beyu Denis, oscd.community date: 2019/10/21 logsource: + product: linux + service: auditd detection: + selection: + type: 'SYSCALL' + SYSCALL: 'execve' + key: 'detect_execve_www' + condition: selection falsepositives: + - Admin activity + - Crazy web applications level: critical From a4991414838dc0b9260ff3adcff9f06341be9519 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 21 Oct 2019 11:28:59 +0200 Subject: [PATCH 002/269] modified rule lnx_auditd_web_rce.yml --- rules/linux/auditd/lnx_auditd_web_rce.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index 93e1ffc94..c95a4d27a 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml 
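Review bot: The selection only fires when the host's auditd ruleset tags execve with `-k detect_execve_www` for the web-server euid, yet that prerequisite lives only in a `#` comment, which Sigma converters and most downstream consumers discard. Carry it in text the rule keeps, e.g. extend `description` with `Requires an auditd rule of the form -a always,exit -F arch=b64 -S execve -F euid=<webserver uid> -k detect_execve_www` and point a `references` entry at the auditd configuration. `Posible` in the description should be `Possible`.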
@@ -1,5 +1,8 @@ title: Webshell/RCE command execute detect status: experimental description: Posible command execute detect on web application/web shell -# You need to add to the config auditd.conf: -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www change 33 to id you webserver user. default: +# You need to add to the config auditd.conf: +# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www +# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www +# change 33 to id you webserver user. default: #www-data:x:33:33 tags: - attack.persistence references: From e47caf4749f380c82ea2c6ac7560b34b47345400 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 21 Oct 2019 11:54:21 +0200 Subject: [PATCH 003/269] add rule lnx_auditd_web_rce.yml --- rules/linux/auditd/lnx_auditd_web_rce.yml | 28 +++++++++++++++-------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index c95a4d27a..30bb782fa 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml 
@@ -1,18 +1,26 @@ -title: Webshell/RCE command execute detect status: experimental description: Posible command execute detect on web application/web shell +title: Webshell/RCE command execute detect +status: experimental +description: Posible command execute detect on web application/web shell # You need to add to the config auditd.conf: -# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www -# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www -# change 33 to id you webserver user. default: -#www-data:x:33:33 +# -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www +# -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www +# change 33 to id you webserver user. default: www-data:x:33:33 tags: - - attack.persistence references: - - personal experience author: Beyu Denis, oscd.community date: 2019/10/21 logsource: + - attack.persistence +references: + - personal experience +author: Beyu Denis, oscd.community +date: 2019/10/12 +logsource: product: linux - service: auditd detection: + service: auditd +detection: selection: type: 'SYSCALL' SYSCALL: 'execve' key: 'detect_execve_www' - condition: selection falsepositives: + condition: selection +falsepositives: - Admin activity - - Crazy web applications level: critical + - Crazy web applications +level: critical \ No newline at end of file From 784d7138cabe62dcdeb7b72c48fcd7d3dd074a39 Mon Sep 17 00:00:00 2001 From: zinint Date: Mon, 21 Oct 2019 22:22:55 +0300 Subject: [PATCH 004/269] OSCD Task 7 ART T1220 OSCD Task 7 ART T1220 rule add --- .../sysmon/sysmon_xsl_script_processing.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_xsl_script_processing.yml diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml new file mode 100644 index 000000000..67c43e145 --- /dev/null +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml 
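Review bot: `date: 2019/10/12` replaces the original `2019/10/21`, which is both the commit date and the day the rule was created, so the new value looks like a transposed digit rather than a correction; keep `date: 2019/10/21`. While the header comment is being reflowed, `# change 33 to id you webserver user. default: www-data:x:33:33` reads better as `# replace 33 with the uid of your web-server user (Debian default: www-data:x:33:33)`. The `\ No newline at end of file` marker shows the trailing newline was lost in this rewrite.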
@@ -0,0 +1,33 @@ +title: XSL Script Processing +status: experimental +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. +author: Timur Zinniatullin, oscd.community +references: + - https://attack.mitre.org/techniques/T1220/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml +logsource: + product: windows + service: sysmon +detection: + selection1: + EventID: 1 + ParentImage: + - 'C:\Windows\System32\wbem\WMIC.exe' + ParentCommandLine: + - '*/FORMAT*' # wmic process list /FORMAT /? + selection2: + EventID: 1 + Image: + - 'C:\Windows\Temp\msxsl.exe' + - '*msxsl.exe*' + condition: + selection1 or selection2 +fields: + - +falsepositives: + - WMIC.exe - depend on scripts and administrative methods used in the monitored environment + - msxsl.exe - is not installed by default so unlikely. +level: medium +tags: + - attack.xsl_script_processing + - attack.t1220 From a685c9c3be76a2e9fd275121aff97ef011282f54 Mon Sep 17 00:00:00 2001 From: zinint Date: Mon, 21 Oct 2019 23:39:33 +0300 Subject: [PATCH 005/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index 67c43e145..24eb7c8f3 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml 
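Review bot: In `selection2` the `Image` pattern `'*msxsl.exe*'` has a trailing wildcard, but Sysmon's `Image` field is the full executable path, so nothing is expected after `.exe`, and the leading `*` without a `\` also matches any file name that merely ends in `msxsl.exe`; `- '*\msxsl.exe'` follows the convention the `ParentImage` patterns in this series use. The same trailing `*` survives as `'*\msxsl.exe*'` in commit 006 on the next line.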
@@ -12,7 +12,7 @@ detection: selection1: EventID: 1 ParentImage: - - 'C:\Windows\System32\wbem\WMIC.exe' + - '*\wmic.exe' ParentCommandLine: - '*/FORMAT*' # wmic process list /FORMAT /? selection2: @@ -29,5 +29,4 @@ falsepositives: - msxsl.exe - is not installed by default so unlikely. level: medium tags: - - attack.xsl_script_processing - attack.t1220 From 5248f83fb3c52cfa38047faf5e4bb0ed15bec82e Mon Sep 17 00:00:00 2001 From: zinint Date: Mon, 21 Oct 2019 23:46:11 +0300 Subject: [PATCH 006/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index 24eb7c8f3..9b5462155 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml @@ -18,15 +18,12 @@ detection: selection2: EventID: 1 Image: - - 'C:\Windows\Temp\msxsl.exe' - - '*msxsl.exe*' + - '*\msxsl.exe*' condition: selection1 or selection2 -fields: - - falsepositives: - - WMIC.exe - depend on scripts and administrative methods used in the monitored environment - - msxsl.exe - is not installed by default so unlikely. + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment + - msxsl.exe is not installed by default so unlikely. level: medium tags: - attack.t1220 From a1d72f20c88b4c7cd0fa9a52c22b12c1210e81cd Mon Sep 17 00:00:00 2001 From: zinint Date: Mon, 21 Oct 2019 23:51:39 +0300 Subject: [PATCH 007/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index 9b5462155..7cc3fabec 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml 
+++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml @@ -1,6 +1,6 @@ title: XSL Script Processing status: experimental -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses author: Timur Zinniatullin, oscd.community references: - https://attack.mitre.org/techniques/T1220/ @@ -26,4 +26,5 @@ falsepositives: - msxsl.exe is not installed by default so unlikely. level: medium tags: + - attack.persistence - attack.t1220 From 0d8eff0d8641f55f83f0209833b3f540aea341cb Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 22 Oct 2019 00:06:10 +0300 Subject: [PATCH 008/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index 7cc3fabec..a60867737 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml @@ -6,8 +6,8 @@ references: - https://attack.mitre.org/techniques/T1220/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml logsource: + category: process_creation product: windows - service: sysmon detection: selection1: EventID: 1 From 56f807cb4408b2542825f32732b22703d2cbaf5b Mon Sep 17 00:00:00 2001 
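Review bot: After switching `logsource` to `category: process_creation` (commit 008) the file still sits under `rules/windows/sysmon/`, whereas the other process_creation rules in this series, e.g. `rules/windows/process_creation/win_possible_applocker_bypass.yml`, live in the category directory; moving it keeps the path consistent with the logsource. The reworded `description` in commit 007 joins two sentences with a comma and loses the point about embedded scripting; `... within XML files. The rule detects adversaries abusing the standard's embedded-scripting support to execute arbitrary files while potentially bypassing application whitelisting defenses.` keeps that sense.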
From: zinint Date: Tue, 22 Oct 2019 00:06:54 +0300 Subject: [PATCH 009/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index a60867737..3799897bf 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml @@ -10,13 +10,11 @@ logsource: product: windows detection: selection1: - EventID: 1 ParentImage: - '*\wmic.exe' ParentCommandLine: - '*/FORMAT*' # wmic process list /FORMAT /? selection2: - EventID: 1 Image: - '*\msxsl.exe*' condition: From 789782ef5908506ac03fab964bdb4fb271910a28 Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 22 Oct 2019 00:08:46 +0300 Subject: [PATCH 010/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index 3799897bf..5d7c34160 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml @@ -24,5 +24,5 @@ falsepositives: - msxsl.exe is not installed by default so unlikely. level: medium tags: - - attack.persistence + - attack.execution - attack.t1220 From daf1034621d712709f01c3e8bca2e59c5a20ec8e Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 22 Oct 2019 00:54:29 +0300 Subject: [PATCH 011/269] Update win_possible_applocker_bypass.yml --- rules/windows/process_creation/win_possible_applocker_bypass.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 4181ec748..6bfe84ce9 100644 
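Review bot: Replacing `attack.persistence` with `attack.execution` is an improvement, but the description frames the technique as bypassing application whitelisting, and T1220 is catalogued under Defense Evasion as well as Execution; add `- attack.defense_evasion` next to `- attack.execution`. The `tags` block is the last thing in the file, so this is the only place the change is needed.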
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -25,6 +25,7 @@ detection: - '*\msbuild.exe*' - '*\ieexec.exe*' - '*\mshta.exe*' + - '*\csc.exe*' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From fb53855ae51b3e86c670c52ec73d2d7285c565c1 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Oct 2019 05:50:49 +0200 Subject: [PATCH 012/269] add rule sysmon_webshell_creation_detect.yml --- rules/linux/auditd/lnx_auditd_web_rce.yml | 6 ++-- .../sysmon_webshell_creation_detect.yml | 35 +++++++++++++++++++ 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 rules/windows/sysmon/sysmon_webshell_creation_detect.yml diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index 30bb782fa..2f4baa176 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml @@ -9,7 +9,7 @@ tags: - attack.persistence references: - personal experience -author: Beyu Denis, oscd.community +author: Ilyas Ochkov and Beyu Denis , oscd.community date: 2019/10/12 logsource: product: linux @@ -23,4 +23,6 @@ detection: falsepositives: - Admin activity - Crazy web applications -level: critical \ No newline at end of file +level: critical + + diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml new file mode 100644 index 000000000..a609cec0d --- /dev/null +++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml 
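Review bot: `'*\csc.exe*'` matches every legitimate C# compiler launch, and csc.exe is started routinely by Windows PowerShell `Add-Type` and by ASP.NET dynamic compilation, so the `falsepositives` entry just below the hunk (`False positives depend on scripts and administrative tools ...`) no longer names the main source of noise; add `- Legitimate .NET compilation (PowerShell Add-Type, ASP.NET) spawns csc.exe`. A `ParentImage` constraint or a dedicated rule would keep this entry from diluting the rest of the list. In the lnx_auditd_web_rce.yml hunks of commit 012 on this line, `author: Ilyas Ochkov and Beyu Denis , oscd.community` has a stray space before the comma, and the two blank lines appended after `level: critical` should be a single trailing newline.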
@@ -0,0 +1,35 @@ +title: Windows webshell creation +status: experimental +description: Posible webshell file creation on a static web site +references: + - PT ESC rule and personal experience +author: Beyu Denis, oscd.community +date: 2019/10/22 +tags: + - attack.persistence + - attack.t1100 +level: critical +logsource: + product: windows + service: sysmon +detection: + selection: + # Sysmon: File Creation (ID 11) + EventID: 11 + #.NET webshells + TargetFilename: '*\inetpub\wwwroot\*.asp' + TargetFilename: '*\inetpub\wwwroot\*.aspx' + TargetFilename: '*\inetpub\wwwroot\*.ashx' + #php webshells + TargetFilename: '*\inetpub\wwwroot\*.ph*' + TargetFilename: '*\www\*.ph*' + TargetFilename: '*\htdocs\*.ph*' + TargetFilename: '*\html\*.ph*' + #apache tomcap webshell + TargetFilename: '*\*.jsp*' + #cgi-bin perl webshell + TargetFilename: '*\cgi-bin\*.pl' + condition: selection +falsepositives: + - Unknown + - Admin activity From 2bd9d8a9d876288800cb6bd5bfa90af12331b1d8 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Oct 2019 05:56:37 +0200 Subject: [PATCH 013/269] add rule sysmon_webshell_creation_detect.yml --- .../sysmon_webshell_creation_detect.yml | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml index a609cec0d..72c24271d 100644 --- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml +++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml 
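Review bot: `'*\*.jsp*'` is the only pattern with no directory anchor, so it fires for any `.jsp`/`.jspx` file written anywhere on disk — IDE workspaces, build output, backups — not just servlet-container web roots; anchoring it to the container's deployment directory (for Tomcat, `'*\webapps\*.jsp*'`) would match the other entries. Combined with `falsepositives: Admin activity`, `level: critical` is hard to justify, since content deployments write `.aspx`/`.php` files into web roots routinely; `high` with a note to tune per host is more honest. As written the repeated `TargetFilename` keys collapse under a YAML loader to the last one (`'*\cgi-bin\*.pl'`), so this version detects only Perl CGI files; commit 013 on the next line restructures it into a list. `tomcap` in the comment should be `tomcat`.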
@@ -17,18 +17,19 @@ detection: # Sysmon: File Creation (ID 11) EventID: 11 #.NET webshells - TargetFilename: '*\inetpub\wwwroot\*.asp' - TargetFilename: '*\inetpub\wwwroot\*.aspx' - TargetFilename: '*\inetpub\wwwroot\*.ashx' - #php webshells - TargetFilename: '*\inetpub\wwwroot\*.ph*' - TargetFilename: '*\www\*.ph*' - TargetFilename: '*\htdocs\*.ph*' - TargetFilename: '*\html\*.ph*' - #apache tomcap webshell - TargetFilename: '*\*.jsp*' - #cgi-bin perl webshell - TargetFilename: '*\cgi-bin\*.pl' + TargetFilename: + - '*\inetpub\wwwroot\*.asp' + - '*\inetpub\wwwroot\*.aspx' + - '*\inetpub\wwwroot\*.ashx' + #php webshells + - '*\inetpub\wwwroot\*.ph*' + - '*\www\*.ph*' + - '*\htdocs\*.ph*' + - '*\html\*.ph*' + #apache tomcap webshell + - '*\*.jsp*' + #cgi-bin perl webshell + - '*\cgi-bin\*.pl' condition: selection falsepositives: - Unknown From 00a757959e190466b92205c1c64cb02e3af6dfb1 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 22 Oct 2019 06:06:07 +0200 Subject: [PATCH 014/269] add rule win_susp_capture_screenshots.yml --- .../win_susp_capture_screenshots.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_capture_screenshots.yml diff --git a/rules/windows/process_creation/win_susp_capture_screenshots.yml b/rules/windows/process_creation/win_susp_capture_screenshots.yml new file mode 100644 index 000000000..061e174a5 --- /dev/null +++ b/rules/windows/process_creation/win_susp_capture_screenshots.yml 
@@ -0,0 +1,23 @@ +title: psr.exe capture screenshots +status: experimental +description: The psr.exe captures desktop screenshots and saves them on the local machine +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Psr.yml + - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf +author: Beyu Denis, oscd.community +date: 2019/10/12 +tags: + - attack.persistence + - attack.t1218 +level: medium +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\Psr.exe' + CommandLine: '*/start*' + condition: selection +falsepositives: + - Unknown + From cc6d4b05acb9c4292c25864c330510d60565f427 Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 22 Oct 2019 14:00:52 +0300 Subject: [PATCH 015/269] OSCD Task 7 : ART T1002 Exfiltration With Rar OSCD Task 7 : ART T1002 Compress Data for Exfiltration With Rar --- .../process_creation/win_data_compressed.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_data_compressed.yml diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed.yml new file mode 100644 index 000000000..dbf60a753 --- /dev/null +++ b/rules/windows/process_creation/win_data_compressed.yml 
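Review bot: The tags don't describe what the rule detects: `psr.exe /start` records the screen, which ATT&CK catalogues as Screen Capture (T1113) under Collection, whereas `attack.persistence` and `attack.t1218` (Signed Binary Proxy Execution) relate to neither. Replace them with `- attack.collection` and `- attack.t1113`. `date: 2019/10/12` predates the commit (22 Oct) and the file's creation and is probably `2019/10/22`. Steps Recorder is a support tool, so `falsepositives` deserves `- Helpdesk or users reproducing an issue with Steps Recorder` rather than `Unknown`.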
@@ -0,0 +1,31 @@ +title: Data Compressed +status: experimental +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +author: Timur Zinniatullin, oscd.community +references: + - https://attack.mitre.org/techniques/T1002/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\rar.exe' + CommandLine: + - '* a -r *' + condition: selection +fields: + - Image + - CommandLine + - User + - LogonGuid + - Hashes + - ParentProcessGuid + - ParentCommandLine +falsepositives: + - highly likely if default archivator in the monitored environment is rar, and even if not +level: low +tags: + - attack.exfiltration + - attack.t1002 From 74d1fef8b8c3232c5176f92b25276ecd59f5ce5f Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 22 Oct 2019 14:53:43 +0300 Subject: [PATCH 016/269] Update win_data_compressed.yml --- rules/windows/process_creation/win_data_compressed.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed.yml index dbf60a753..d39240a85 100644 --- a/rules/windows/process_creation/win_data_compressed.yml +++ b/rules/windows/process_creation/win_data_compressed.yml @@ -9,12 +9,17 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image: - '*\rar.exe' CommandLine: - '* a -r *' - condition: selection + selection2: + Image: + - '*\powershell.exe' + CommandLine: + - '*-Recurse | Compress-Archive*' + condition: selection1 or selection2 fields: - Image - CommandLine @@ -29,3 +34,4 @@ level: low tags: - attack.exfiltration - attack.t1002 + From a8bd2c8e7845915d74b36abaa84a03a43879755b Mon Sep 17 00:00:00 2001 
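Review bot: `CommandLine: '* a -r *'` requires `-r` to be the first switch after `a`, so the same archiving command with its switches in another order is not matched; two independent substring matches (`CommandLine|contains|all` with `- ' a '` and `- ' -r '`, if the project's converter supports the `all` modifier) make the selection order-independent. The `fields` entries `LogonGuid`, `Hashes` and `ParentProcessGuid` exist only in Sysmon EID 1 while the `logsource` is the generic `process_creation` category — fine if the backends map them, otherwise they silently vanish from the output. The `falsepositives` entry `highly likely if default archivator in the monitored environment is rar, and even if not` ends mid-thought; `... is WinRAR; manual archiving by users is also common` reads cleanly.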
From: zinint Date: Tue, 22 Oct 2019 14:57:53 +0300 Subject: [PATCH 017/269] Update win_data_compressed.yml --- rules/windows/process_creation/win_data_compressed.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed.yml index d39240a85..92f4269a8 100644 --- a/rules/windows/process_creation/win_data_compressed.yml +++ b/rules/windows/process_creation/win_data_compressed.yml @@ -19,6 +19,9 @@ detection: - '*\powershell.exe' CommandLine: - '*-Recurse | Compress-Archive*' + - '*-Recurse| Compress-Archive*' + - '*-Recurse |Compress-Archive*' + - '*-Recurse|Compress-Archive*' condition: selection1 or selection2 fields: - Image @@ -34,4 +37,3 @@ level: low tags: - attack.exfiltration - attack.t1002 - From 49f9b797a799824844bdfebe650eb8ddc3ac931e Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 22 Oct 2019 15:20:15 +0300 Subject: [PATCH 018/269] Update sysmon_xsl_script_processing.yml --- rules/windows/sysmon/sysmon_xsl_script_processing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml index 5d7c34160..283f6626f 100644 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml @@ -13,7 +13,7 @@ detection: ParentImage: - '*\wmic.exe' ParentCommandLine: - - '*/FORMAT*' # wmic process list /FORMAT /? + - '*/format*' # wmic process list /FORMAT /? selection2: Image: - '*\msxsl.exe*' From 8d0c89b598de4edfde4bc578cf103b6eade771c7 Mon Sep 17 00:00:00 2001 
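Review bot: Adding three spacing permutations of `-Recurse | Compress-Archive` still ties the match to exact whitespace and to the two tokens being adjacent, so any other layout of the same pipeline is missed. Two independent substring matches express the intent without enumerating layouts: `CommandLine|contains|all:` with `- '-Recurse'` and `- 'Compress-Archive'` (assuming the converter supports the `all` modifier). Commit 018 on this line lowercases `'*/FORMAT*'` to `'*/format*'`; as far as I know Sigma string matching is case-insensitive, so that change is cosmetic and the `# wmic process list /FORMAT /?` comment can stay as it is.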
From: alexpetrov12 Date: Wed, 23 Oct 2019 01:55:03 +0300 Subject: [PATCH 019/269] added new rules add rule MiniDumpWriteDump via COM+, renamed_binary_description, cobalt_execute_assembly, win_sysmon_driver_onload --- .../process_creation/minidumpwritedump.yml | 21 +++++++ .../renamed_binary_description.yml | 60 +++++++++++++++++++ .../sysmon/cobalt_execute_assembly.yml | 24 ++++++++ .../sysmon/win_sysmon_driver_onload.yml | 23 +++++++ 4 files changed, 128 insertions(+) create mode 100644 rules/windows/process_creation/minidumpwritedump.yml create mode 100644 rules/windows/process_creation/renamed_binary_description.yml create mode 100644 rules/windows/sysmon/cobalt_execute_assembly.yml create mode 100644 rules/windows/sysmon/win_sysmon_driver_onload.yml diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml new file mode 100644 index 000000000..6a2158b8d --- /dev/null +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -0,0 +1,21 @@ +title: MiniDumpWriteDump via COM+ +description: Detect dump memory via minidump +references: + - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ +tags: + - attack.credential_access + - attack.t1003 +status: experimental +author: Aleksey Potapov, oscd.community +date: 2019/10/22 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\rundll32.exe' + CommandLine: '*comsvcs.dll*minidump*' + condition: selection +falsepositives: + - unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml new file mode 100644 index 000000000..2001ddb1c --- /dev/null +++ b/rules/windows/process_creation/renamed_binary_description.yml 
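Review bot: `description: Detect dump memory via minidump` doesn't tell an analyst what is matched or why it matters; `description: Detects process memory dumping via the MiniDump export of comsvcs.dll invoked through rundll32.exe (credential dumping, per the T1003 tag)` states the technique and the risk the `critical` level implies. The selection itself is coherent (`Image: '*\rundll32.exe'` with `CommandLine: '*comsvcs.dll*minidump*'`), but `status`, `author` and `date` appear after `tags`, while the other rules in this series keep them near the top; align the key order for diffability. The file is written without a trailing newline (`\ No newline at end of file`).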
@@ -0,0 +1,60 @@ +title: Renamed Binary +status: experimental +description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon Description datapoint. +author: Aleksey Potapov, oscd.community +date: 2019/10/22 +references: + - https://attack.mitre.org/techniques/T1036/ +tags: + - attack.t1036 + - attack.defense_evasion +logsource: + category: process_creation + product: windows + service: sysmon +detection: + selection: + Description: + - "active directory editor" + - "sysinternals process dump utility" + - "msbuild.exe" + - ".net core host" + - "windows command processor" + - "windows powershell" + - "execute processes remotely" + - ".net framework installation utility" + - "microsoft ® console based script host" + - "microsoft ® windows based script host" + - "microsoft (r) html application host" + - "microsoft(c) register server" + - "wmi commandline utility" + - "certutil.exe" + - "windows host process (rundll32)" + - "microsoft connection manager profile Installer" + - "windows ® installer" + - "7-zip console" + + filter: + Image: + - '*\adexplorer.exe' + - '*\procdump.exe' + - '*\msbuild.exe' + - '*\dotnet.exe' + - '*\cmd.exe' + - '*\powershell.exe' + - '*\psexec.exe' + - '*\installutil.exe' + - '*\cscript.exe' + - '*\wscript.exe' + - '*\mshta.exe' + - '*\regsvr32.exe' + - '*\wmic.exe' + - '*\certutil.exe' + - '*\rundll32.exe' + - '*\cmstp.exe' + - '*\msiexec.exe' + - '*\7z.exe' + condition: selection and not filter +falsepositives: + - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist +level: medium \ No newline at end of file diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml new file mode 100644 index 000000000..0029c82af --- /dev/null +++ b/rules/windows/sysmon/cobalt_execute_assembly.yml 
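Review bot: `selection` and `filter` are two flat lists, so `selection and not filter` excludes any of the 18 listed images for any of the 18 descriptions — a binary carrying the `sysinternals process dump utility` description but running as `cmd.exe` is filtered out, although that is exactly a renamed binary. Pairing each description with its own expected image (one small selection per tool, combined with `or`) keeps the rule's intent; it is more lines, but the current form is quietly weaker than the title promises. `logsource` mixes `category: process_creation` with `service: sysmon`; since `Description` only exists in Sysmon EID 1 this may be deliberate, but the other process_creation rules here use the category alone — record the choice in a comment such as `# service pinned to sysmon: Description is a Sysmon-only field` or drop `service`. The `®`-containing descriptions depend on the file staying UTF-8; a comment noting that saves a later editor from "fixing" them.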
@@ -0,0 +1,24 @@ +title: CobaltStrike Execute-Assembly command detect +description: Cobalt Strike’s in-memory threat emulation and evasion capabilities, adds a means to run .NET executable assemblies without touching disk, and implements the Token Duplication UAC bypass attack. For CobaltStrike version 3.12-3.14 +references: + - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ +tags: + - attack.defense_evasion + - attack.t1055 +status: experimental +author: Aleksey Potapov, oscd.community +date: 2019/10/22 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + TargetProcessAddress: + - '*0B80' + - '*0C7C' + - '*0C88' + condition: selection +falsepositives: + - unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/win_sysmon_driver_onload.yml b/rules/windows/sysmon/win_sysmon_driver_onload.yml new file mode 100644 index 000000000..44dc9a70b --- /dev/null +++ b/rules/windows/sysmon/win_sysmon_driver_onload.yml @@ -0,0 +1,23 @@ +title: Sysmon driver onload +status: experimental +author: Kirill Kiryanov, oscd.community +description: Detect possible shutdown Sysmon +references: + - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +fields: + - CommandLine + - Details +falsepositives: Unknown +level: medium +logsource: + product: windows + service: security +detection: + selection: + EventID: 4688 + ProcessName: '*\fltMC.exe' + CommandLine: '*unload*Sys*' + selection1: + EventID: 4673 + PrivilegeList: '*\SeLoadDriverPrivilege' + condition: selection and selection1 From 6c4f4ce3091cf80d328c9d1d3fe084cddd56484f Mon Sep 17 00:00:00 2001 
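Review bot: Matching `TargetProcessAddress` on the trailing four hex digits (`'*0B80'`, `'*0C7C'`, `'*0C88'`) keys on a build-specific offset, so the rule is tied to the 3.12–3.14 versions the description names and will go silent on others; a comment above the list, `# start-address offsets observed for execute-assembly in Cobalt Strike 3.12-3.14; revisit on new releases`, makes that visible to maintainers. Any other CreateRemoteThread whose start address happens to end in one of those values also matches, so `level: critical` with `falsepositives: unknown` is optimistic — `high` plus `- Legitimate remote threads whose start address ends in a listed offset` is more accurate. The curly `’` in the description should be a plain `'` for portability.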
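Review bot: `condition: selection and selection1` in win_sysmon_driver_onload.yml can never be satisfied: `selection` requires `EventID: 4688` and `selection1` requires `EventID: 4673`, and Sigma evaluates a plain `and` against a single event, so no event carries both IDs and the rule is dead on arrival. Either split it into two rules (a 4688 rule on `fltMC.exe` with `unload`, a 4673 rule on `SeLoadDriverPrivilege`) or, if correlation is really wanted, express it with the project's aggregation syntax. Independently, `PrivilegeList: '*\SeLoadDriverPrivilege'` carries a leading backslash that Security-log privilege names don't have, so `selection1` likely never matches even alone — verify against a sample 4673 event; and for 4688 the created executable is reported in `NewProcessName`, so `ProcessName` should be checked against the project's security-log field mapping. `falsepositives: Unknown` should be a list item, and the title says `onload` while the matched command line is `unload`.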
From: alexpetrov12 Date: Wed, 23 Oct 2019 02:25:04 +0300 Subject: [PATCH 020/269] fix --- .../process_creation/minidumpwritedump.yml | 2 +- .../renamed_binary_description.yml | 16 ++++++++-------- rules/windows/sysmon/cobalt_execute_assembly.yml | 6 +++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml index 6a2158b8d..17ede0542 100644 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -14,7 +14,7 @@ logsource: detection: selection: Image: '*\rundll32.exe' - CommandLine: '*comsvcs.dll*minidump*' + CommandLine: '*comsvcs.dll*minidump*' condition: selection falsepositives: - unknown diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml index 2001ddb1c..8fd444bf7 100644 --- a/rules/windows/process_creation/renamed_binary_description.yml +++ b/rules/windows/process_creation/renamed_binary_description.yml @@ -11,7 +11,7 @@ tags: logsource: category: process_creation product: windows - service: sysmon + service: sysmon detection: selection: Description: @@ -28,22 +28,22 @@ detection: - "microsoft (r) html application host" - "microsoft(c) register server" - "wmi commandline utility" - - "certutil.exe" + - "certutil.exe" - "windows host process (rundll32)" - "microsoft connection manager profile Installer" - "windows ® installer" - - "7-zip console" + - "7-zip console" filter: Image: - - '*\adexplorer.exe' - - '*\procdump.exe' - - '*\msbuild.exe' - - '*\dotnet.exe' + - '*\adexplorer.exe' + - '*\procdump.exe' + - '*\msbuild.exe' + - '*\dotnet.exe' - '*\cmd.exe' - '*\powershell.exe' - '*\psexec.exe' - - '*\installutil.exe' + - '*\installutil.exe' - '*\cscript.exe' - '*\wscript.exe' - '*\mshta.exe' 
diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml index 0029c82af..6b886dc19 100644 --- a/rules/windows/sysmon/cobalt_execute_assembly.yml +++ b/rules/windows/sysmon/cobalt_execute_assembly.yml @@ -15,9 +15,9 @@ detection: selection: EventID: 8 TargetProcessAddress: - - '*0B80' - - '*0C7C' - - '*0C88' + - '*0B80' + - '*0C7C' + - '*0C88' condition: selection falsepositives: - unknown From 5a260db459202ebb598e71b129d8e17c27900d6d Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 02:27:14 +0300 Subject: [PATCH 021/269] fix --- rules/windows/process_creation/renamed_binary_description.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml index 8fd444bf7..bd2030d84 100644 --- a/rules/windows/process_creation/renamed_binary_description.yml +++ b/rules/windows/process_creation/renamed_binary_description.yml @@ -33,10 +33,9 @@ detection: - "microsoft connection manager profile Installer" - "windows ® installer" - "7-zip console" - filter: Image: - - '*\adexplorer.exe' + - '*\adexplorer.exe' - '*\procdump.exe' - '*\msbuild.exe' - '*\dotnet.exe' From 29cd7fed3eb7f78d864ccdea1327fffbfdd6f45c Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 02:39:40 +0300 Subject: [PATCH 022/269] fix --- .../renamed_binary_description.yml | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml index bd2030d84..5f207ab04 100644 --- a/rules/windows/process_creation/renamed_binary_description.yml +++ b/rules/windows/process_creation/renamed_binary_description.yml 
@@ -35,24 +35,24 @@ detection: - "7-zip console" filter: Image: - - '*\adexplorer.exe' - - '*\procdump.exe' - - '*\msbuild.exe' - - '*\dotnet.exe' - - '*\cmd.exe' - - '*\powershell.exe' - - '*\psexec.exe' - - '*\installutil.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\wmic.exe' - - '*\certutil.exe' - - '*\rundll32.exe' - - '*\cmstp.exe' - - '*\msiexec.exe' - - '*\7z.exe' + -'*\adexplorer.exe' + -'*\procdump.exe' + -'*\msbuild.exe' + -'*\dotnet.exe' + -'*\cmd.exe' + -'*\powershell.exe' + -'*\psexec.exe' + -'*\installutil.exe' + -'*\cscript.exe' + -'*\wscript.exe' + -'*\mshta.exe' + -'*\regsvr32.exe' + -'*\wmic.exe' + -'*\certutil.exe' + -'*\rundll32.exe' + -'*\cmstp.exe' + -'*\msiexec.exe' + -'*\7z.exe' condition: selection and not filter falsepositives: - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist From ebe4fe0377c5d22b58d5e9557e9ec12072d9b533 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 02:42:37 +0300 Subject: [PATCH 023/269] fix --- rules/windows/process_creation/minidumpwritedump.yml | 4 ++-- rules/windows/sysmon/cobalt_execute_assembly.yml | 6 +++--- rules/windows/sysmon/win_sysmon_driver_onload.yml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml index 17ede0542..b45f298b4 100644 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image: '*\rundll32.exe' - CommandLine: '*comsvcs.dll*minidump*' + Image:'*\rundll32.exe' + CommandLine:'*comsvcs.dll*minidump*' condition: selection falsepositives: - unknown diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml index 6b886dc19..4bfa4ada7 100644 
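Review bot: Dropping the space after the sequence dash in the `Image:` filter (`-'*\adexplorer.exe'` and the seventeen entries that follow) changes the YAML meaning: a `-` followed directly by a non-space character starts a plain scalar, so on a standard parser `Image` becomes one folded string instead of a list, the filter can never match an image name, and `not filter` is always true. Each entry needs the space restored, e.g. `- '*\adexplorer.exe'`. The same defect appears in the next commit's hunks (`Image:'*\rundll32.exe'` and `CommandLine:'*comsvcs.dll*minidump*'` in minidumpwritedump.yml, `-'*0B80'` in cobalt_execute_assembly.yml, `ProcessName:'*\fltMC.exe'` in win_sysmon_driver_onload.yml, where the missing space after the colon likewise turns the key/value pair into a single plain scalar) and in PATCH 024's `Description:` list (`-"active directory editor"`); it is only cleaned up in PATCH 026.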
--- a/rules/windows/sysmon/cobalt_execute_assembly.yml +++ b/rules/windows/sysmon/cobalt_execute_assembly.yml @@ -15,9 +15,9 @@ detection: selection: EventID: 8 TargetProcessAddress: - - '*0B80' - - '*0C7C' - - '*0C88' + -'*0B80' + -'*0C7C' + -'*0C88' condition: selection falsepositives: - unknown diff --git a/rules/windows/sysmon/win_sysmon_driver_onload.yml b/rules/windows/sysmon/win_sysmon_driver_onload.yml index 44dc9a70b..db3e4a008 100644 --- a/rules/windows/sysmon/win_sysmon_driver_onload.yml +++ b/rules/windows/sysmon/win_sysmon_driver_onload.yml @@ -15,8 +15,8 @@ logsource: detection: selection: EventID: 4688 - ProcessName: '*\fltMC.exe' - CommandLine: '*unload*Sys*' + ProcessName:'*\fltMC.exe' + CommandLine:'*unload*Sys*' selection1: EventID: 4673 PrivilegeList: '*\SeLoadDriverPrivilege' From f4ea01217e58b199cff8514830f4aaa5a927e4cf Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 02:47:04 +0300 Subject: [PATCH 024/269] fix --- .../process_creation/minidumpwritedump.yml | 4 +-- .../renamed_binary_description.yml | 36 +++++++++---------- .../sysmon/win_sysmon_driver_onload.yml | 4 +-- 3 files changed, 22 insertions(+), 22 deletions(-) diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml index b45f298b4..17ede0542 100644 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image:'*\rundll32.exe' - CommandLine:'*comsvcs.dll*minidump*' + Image: '*\rundll32.exe' + CommandLine: '*comsvcs.dll*minidump*' condition: selection falsepositives: - unknown diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml index 5f207ab04..c201c4b08 100644 --- a/rules/windows/process_creation/renamed_binary_description.yml 
+++ b/rules/windows/process_creation/renamed_binary_description.yml @@ -15,24 +15,24 @@ logsource: detection: selection: Description: - - "active directory editor" - - "sysinternals process dump utility" - - "msbuild.exe" - - ".net core host" - - "windows command processor" - - "windows powershell" - - "execute processes remotely" - - ".net framework installation utility" - - "microsoft ® console based script host" - - "microsoft ® windows based script host" - - "microsoft (r) html application host" - - "microsoft(c) register server" - - "wmi commandline utility" - - "certutil.exe" - - "windows host process (rundll32)" - - "microsoft connection manager profile Installer" - - "windows ® installer" - - "7-zip console" + -"active directory editor" + -"sysinternals process dump utility" + -"msbuild.exe" + -".net core host" + -"windows command processor" + -"windows powershell" + -"execute processes remotely" + -".net framework installation utility" + -"microsoft ® console based script host" + -"microsoft ® windows based script host" + -"microsoft (r) html application host" + -"microsoft(c) register server" + -"wmi commandline utility" + -"certutil.exe" + -"windows host process (rundll32)" + -"microsoft connection manager profile Installer" + -"windows ® installer" + -"7-zip console" filter: Image: -'*\adexplorer.exe' diff --git a/rules/windows/sysmon/win_sysmon_driver_onload.yml b/rules/windows/sysmon/win_sysmon_driver_onload.yml index db3e4a008..1501c553f 100644 --- a/rules/windows/sysmon/win_sysmon_driver_onload.yml +++ b/rules/windows/sysmon/win_sysmon_driver_onload.yml @@ -15,8 +15,8 @@ logsource: detection: selection: EventID: 4688 - ProcessName:'*\fltMC.exe' - CommandLine:'*unload*Sys*' + ProcessName: '*\fltMC.exe' + CommandLine: '*unload*Sys*' selection1: EventID: 4673 PrivilegeList: '*\SeLoadDriverPrivilege' From fa4a8c974d1ef501228090af18066f41e17faaba Mon Sep 17 00:00:00 2001 
From: alexpetrov12 Date: Wed, 23 Oct 2019 12:45:06 +0300 Subject: [PATCH 025/269] fix --- rules/windows/process_creation/minidumpwritedump.yml | 2 +- rules/windows/sysmon/cobalt_execute_assembly.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml index 17ede0542..237a974c2 100644 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -6,7 +6,7 @@ tags: - attack.credential_access - attack.t1003 status: experimental -author: Aleksey Potapov, oscd.community +author: Aleksey Potapov, oscd.community date: 2019/10/22 logsource: category: process_creation diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml index 4bfa4ada7..bdeb2cf09 100644 --- a/rules/windows/sysmon/cobalt_execute_assembly.yml +++ b/rules/windows/sysmon/cobalt_execute_assembly.yml @@ -6,7 +6,7 @@ tags: - attack.defense_evasion - attack.t1055 status: experimental -author: Aleksey Potapov, oscd.community +author: Aleksey Potapov, oscd.community date: 2019/10/22 logsource: product: windows @@ -15,9 +15,9 @@ detection: selection: EventID: 8 TargetProcessAddress: - -'*0B80' - -'*0C7C' - -'*0C88' + -'*0B80' + -'*0C7C' + -'*0C88' condition: selection falsepositives: - unknown From ad9b98541c0956afa8c33c270f30464c9980b4e3 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 13:05:38 +0300 Subject: [PATCH 026/269] fix --- .../process_creation/minidumpwritedump.yml | 22 ++--- .../renamed_binary_description.yml | 97 ++++++++++--------- .../sysmon/cobalt_execute_assembly.yml | 28 +++--- ...nload.yml => win_sysmon_driver_unload.yml} | 4 +- 4 files changed, 76 insertions(+), 75 deletions(-) rename rules/windows/sysmon/{win_sysmon_driver_onload.yml => win_sysmon_driver_unload.yml} (89%) 
diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml index 237a974c2..4e0765755 100644 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -1,21 +1,21 @@ title: MiniDumpWriteDump via COM+ description: Detect dump memory via minidump references: - - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ + - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ tags: - - attack.credential_access - - attack.t1003 + - attack.credential_access + - attack.t1003 status: experimental -author: Aleksey Potapov, oscd.community +author: Aleksey Potapov, oscd.community date: 2019/10/22 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\rundll32.exe' - CommandLine: '*comsvcs.dll*minidump*' - condition: selection + selection: + Image: '*\rundll32.exe' + CommandLine: '*comsvcs.dll*minidump*' + condition: selection falsepositives: - - unknown + - unknown level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml index c201c4b08..ed74e8d14 100644 --- a/rules/windows/process_creation/renamed_binary_description.yml +++ b/rules/windows/process_creation/renamed_binary_description.yml 
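Review bot: The reindented minidumpwritedump.yml still ends without a trailing newline — the `\ No newline at end of file` marker sits under the unchanged `level: critical` line, so it applies to both sides. Since this commit rewrites nearly every line of the file anyway, it is the natural place to add the final newline; renamed_binary_description.yml and cobalt_execute_assembly.yml in the same commit carry the same marker after `level: medium` and `level: critical`.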
@@ -4,56 +4,57 @@ description: Detects the execution of a renamed binary often used by attackers o author: Aleksey Potapov, oscd.community date: 2019/10/22 references: - - https://attack.mitre.org/techniques/T1036/ + - https://attack.mitre.org/techniques/T1036/ tags: - - attack.t1036 - - attack.defense_evasion + - attack.t1036 + - attack.defense_evasion logsource: - category: process_creation - product: windows - service: sysmon + category: process_creation + product: windows + service: sysmon detection: - selection: - Description: - -"active directory editor" - -"sysinternals process dump utility" - -"msbuild.exe" - -".net core host" - -"windows command processor" - -"windows powershell" - -"execute processes remotely" - -".net framework installation utility" - -"microsoft ® console based script host" - -"microsoft ® windows based script host" - -"microsoft (r) html application host" - -"microsoft(c) register server" - -"wmi commandline utility" - -"certutil.exe" - -"windows host process (rundll32)" - -"microsoft connection manager profile Installer" - -"windows ® installer" - -"7-zip console" - filter: - Image: - -'*\adexplorer.exe' - -'*\procdump.exe' - -'*\msbuild.exe' - -'*\dotnet.exe' - -'*\cmd.exe' - -'*\powershell.exe' - -'*\psexec.exe' - -'*\installutil.exe' - -'*\cscript.exe' - -'*\wscript.exe' - -'*\mshta.exe' - -'*\regsvr32.exe' - -'*\wmic.exe' - -'*\certutil.exe' - -'*\rundll32.exe' - -'*\cmstp.exe' - -'*\msiexec.exe' - -'*\7z.exe' - condition: selection and not filter + selection: + Description: + - "active directory editor" + - "sysinternals process dump utility" + - "msbuild.exe" + - ".net core host" + - "windows command processor" + - "windows powershell" + - "execute processes remotely" + - ".net framework installation utility" + - "microsoft ® console based script host" + - "microsoft ® windows based script host" + - "microsoft (r) html application host" + - "microsoft(c) register server" + - "wmi commandline utility" + - "certutil.exe" + - 
"windows host process (rundll32)" + - "microsoft connection manager profile Installer" + - "windows ® installer" + - "7-zip console" + + filter: + Image: + - '*\adexplorer.exe' + - '*\procdump.exe' + - '*\msbuild.exe' + - '*\dotnet.exe' + - '*\cmd.exe' + - '*\powershell.exe' + - '*\psexec.exe' + - '*\installutil.exe' + - '*\cscript.exe' + - '*\wscript.exe' + - '*\mshta.exe' + - '*\regsvr32.exe' + - '*\wmic.exe' + - '*\certutil.exe' + - '*\rundll32.exe' + - '*\cmstp.exe' + - '*\msiexec.exe' + - '*\7z.exe' + condition: selection and not filter falsepositives: - - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist + - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist level: medium \ No newline at end of file diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml index bdeb2cf09..954b6bff6 100644 --- a/rules/windows/sysmon/cobalt_execute_assembly.yml +++ b/rules/windows/sysmon/cobalt_execute_assembly.yml 
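Review bot: The `Description:` list is written in lowercase throughout except for `"microsoft connection manager profile Installer"`, which keeps a capital I; if the lowercasing is meant to rely on case-insensitive matching in the backend this entry is merely inconsistent, but on a case-sensitive backend the lowercase entries are the ones at risk of never matching a PE file description, which is typically mixed case. Either write the entries as the binaries report them or lowercase all of them consistently, e.g. `- "microsoft connection manager profile installer"`, and state the case assumption in `description`. The added blank line before `filter:` inside `detection` is harmless but unusual for this rule set.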
@@ -1,24 +1,24 @@ title: CobaltStrike Execute-Assembly command detect description: Cobalt Strike’s in-memory threat emulation and evasion capabilities, adds a means to run .NET executable assemblies without touching disk, and implements the Token Duplication UAC bypass attack. For CobaltStrike version 3.12-3.14 references: - - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ + - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ tags: - - attack.defense_evasion - - attack.t1055 + - attack.defense_evasion + - attack.t1055 status: experimental -author: Aleksey Potapov, oscd.community +author: Aleksey Potapov, oscd.community date: 2019/10/22 logsource: - product: windows - service: sysmon + product: windows + service: sysmon detection: - selection: - EventID: 8 - TargetProcessAddress: - -'*0B80' - -'*0C7C' - -'*0C88' - condition: selection + selection: + EventID: 8 + TargetProcessAddress: + - '*0B80' + - '*0C7C' + - '*0C88' + condition: selection falsepositives: - - unknown + - unknown level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/win_sysmon_driver_onload.yml b/rules/windows/sysmon/win_sysmon_driver_unload.yml similarity index 89% rename from rules/windows/sysmon/win_sysmon_driver_onload.yml rename to rules/windows/sysmon/win_sysmon_driver_unload.yml index 1501c553f..c7323366c 100644 --- a/rules/windows/sysmon/win_sysmon_driver_onload.yml +++ b/rules/windows/sysmon/win_sysmon_driver_unload.yml @@ -1,4 +1,4 @@ -title: Sysmon driver onload +title: Sysmon driver unload status: experimental author: Kirill Kiryanov, oscd.community description: Detect possible shutdown Sysmon @@ -16,7 +16,7 @@ detection: selection: EventID: 4688 ProcessName: '*\fltMC.exe' - CommandLine: '*unload*Sys*' + CommandLine: '*unload*Sys*' selection1: EventID: 4673 PrivilegeList: '*\SeLoadDriverPrivilege' From c1cfbacd243d6a332373ebb1b520b6285e46df10 Mon Sep 17 00:00:00 2001 
From: alexpetrov12 Date: Wed, 23 Oct 2019 13:18:57 +0300 Subject: [PATCH 027/269] fix --- .../process_creation/minidumpwritedump.yml | 4 +- .../renamed_binary_description.yml | 46 +++++++++---------- .../sysmon/cobalt_execute_assembly.yml | 2 +- .../sysmon/win_sysmon_driver_unload.yml | 2 +- 4 files changed, 27 insertions(+), 27 deletions(-) diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml index 4e0765755..2e73e1c01 100644 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ b/rules/windows/process_creation/minidumpwritedump.yml @@ -6,7 +6,7 @@ tags: - attack.credential_access - attack.t1003 status: experimental -author: Aleksey Potapov, oscd.community +author: Aleksey Potapov, oscd.community date: 2019/10/22 logsource: category: process_creation @@ -14,7 +14,7 @@ logsource: detection: selection: Image: '*\rundll32.exe' - CommandLine: '*comsvcs.dll*minidump*' + CommandLine: '*comsvcs.dll*minidump*' condition: selection falsepositives: - unknown diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml index ed74e8d14..9d31a8b66 100644 --- a/rules/windows/process_creation/renamed_binary_description.yml +++ b/rules/windows/process_creation/renamed_binary_description.yml @@ -13,7 +13,7 @@ logsource: product: windows service: sysmon detection: - selection: + selection: Description: - "active directory editor" - "sysinternals process dump utility" 
@@ -34,27 +34,27 @@ detection: - "windows ® installer" - "7-zip console" - filter: - Image: - - '*\adexplorer.exe' - - '*\procdump.exe' - - '*\msbuild.exe' - - '*\dotnet.exe' - - '*\cmd.exe' - - '*\powershell.exe' - - '*\psexec.exe' - - '*\installutil.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\wmic.exe' - - '*\certutil.exe' - - '*\rundll32.exe' - - '*\cmstp.exe' - - '*\msiexec.exe' - - '*\7z.exe' - condition: selection and not filter + filter: + Image: + - '*\adexplorer.exe' + - '*\procdump.exe' + - '*\msbuild.exe' + - '*\dotnet.exe' + - '*\cmd.exe' + - '*\powershell.exe' + - '*\psexec.exe' + - '*\installutil.exe' + - '*\cscript.exe' + - '*\wscript.exe' + - '*\mshta.exe' + - '*\regsvr32.exe' + - '*\wmic.exe' + - '*\certutil.exe' + - '*\rundll32.exe' + - '*\cmstp.exe' + - '*\msiexec.exe' + - '*\7z.exe' + condition: selection and not filter falsepositives: - - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist + - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist level: medium \ No newline at end of file diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml index 954b6bff6..3d1b82b47 100644 --- a/rules/windows/sysmon/cobalt_execute_assembly.yml +++ b/rules/windows/sysmon/cobalt_execute_assembly.yml @@ -6,7 +6,7 @@ tags: - attack.defense_evasion - attack.t1055 status: experimental -author: Aleksey Potapov, oscd.community +author: Aleksey Potapov, oscd.community date: 2019/10/22 logsource: product: windows diff --git a/rules/windows/sysmon/win_sysmon_driver_unload.yml b/rules/windows/sysmon/win_sysmon_driver_unload.yml index c7323366c..e4f509878 100644 --- a/rules/windows/sysmon/win_sysmon_driver_unload.yml +++ b/rules/windows/sysmon/win_sysmon_driver_unload.yml 
@@ -16,7 +16,7 @@ detection: selection: EventID: 4688 ProcessName: '*\fltMC.exe' - CommandLine: '*unload*Sys*' + CommandLine: '*unload*Sys*' selection1: EventID: 4673 PrivilegeList: '*\SeLoadDriverPrivilege' From e38540a37f2b824ff878bd9d745f94a8fd1b1068 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 13:28:04 +0300 Subject: [PATCH 028/269] fix --- .../{sysmon => process_creation}/win_sysmon_driver_unload.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{sysmon => process_creation}/win_sysmon_driver_unload.yml (100%) diff --git a/rules/windows/sysmon/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml similarity index 100% rename from rules/windows/sysmon/win_sysmon_driver_unload.yml rename to rules/windows/process_creation/win_sysmon_driver_unload.yml From 043e3f7ca69c38b37520d899421c3a21f10a8157 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 13:48:44 +0300 Subject: [PATCH 029/269] fix --- .../win_sysmon_driver_unload.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/windows/process_creation/win_sysmon_driver_unload.yml diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml deleted file mode 100644 index e4f509878..000000000 --- a/rules/windows/process_creation/win_sysmon_driver_unload.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Sysmon driver unload -status: experimental -author: Kirill Kiryanov, oscd.community -description: Detect possible shutdown Sysmon -references: - - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon -fields: - - CommandLine - - Details -falsepositives: Unknown -level: medium -logsource: - product: windows - service: security -detection: - selection: - EventID: 4688 - ProcessName: '*\fltMC.exe' - CommandLine: '*unload*Sys*' - selection1: - EventID: 4673 - PrivilegeList: '*\SeLoadDriverPrivilege' - condition: selection and selection1 From edcbc49ce82cc298376ead756eb0276fad90ee92 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 23 Oct 2019 13:00:21 +0200 Subject: [PATCH 030/269] add rule win_susp_open with_execution.yml win_susp_devt oolslauncher_execution.yml --- .../win_susp_devtoolslauncher_execution.yml | 23 +++++++++++++++++++ .../win_susp_openwith_execution.yml | 23 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml create mode 100644 rules/windows/process_creation/win_susp_openwith_execution.yml diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml b/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml new file mode 100644 index 000000000..658a65949 --- /dev/null +++ b/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml 
@@ -0,0 +1,23 @@ +title: Devtoolslauncher.exe executes specified binary +status: experimental +description: The Devtoolslauncher.exe executes other binary +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Devtoolslauncher.yml + - https://twitter.com/_felamos/status/1179811992841797632 +author: Beyu Denis, oscd.community (rule), @_felamos (idea) +date: 2019/10/12 +tags: + - attack.persistence + - attack.t1218 +level: critical +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\devtoolslauncher.exe' + CommandLine: '*LaunchForDeploy*' + condition: selection +falsepositives: + - Unknown + diff --git a/rules/windows/process_creation/win_susp_openwith_execution.yml b/rules/windows/process_creation/win_susp_openwith_execution.yml new file mode 100644 index 000000000..ea6a21cc8 --- /dev/null +++ b/rules/windows/process_creation/win_susp_openwith_execution.yml @@ -0,0 +1,23 @@ +title: OpenWith.exe executes specified binary +status: experimental +description: The OpenWith.exe executes other binary +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml + - https://twitter.com/harr0ey/status/991670870384021504 +author: Beyu Denis, oscd.community (rule), harr0ey (idea) +date: 2019/10/12 +tags: + - attack.persistence + - attack.t1218 +level: critical +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*OpenWith.exe' + CommandLine: '*/c*' + condition: selection +falsepositives: + - Unknown + From 193c95a11a0c240392dd7991c4edbf625c423ea6 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 14:27:52 +0300 Subject: [PATCH 031/269] add new rule1 --- .../win_sysmon_driver_unload.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_sysmon_driver_unload.yml 
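Review bot: Both new rules tag `attack.persistence` while citing `attack.t1218`; T1218 (Signed Binary Proxy Execution) sits under Defense Evasion, so the tactic tag should be `- attack.defense_evasion` (plus an execution tag if that is what is meant), here and in win_susp_openwith_execution.yml in the same commit. In the openwith rule the image pattern `Image: '*OpenWith.exe'` lacks the path separator the devtoolslauncher rule uses, so it would also match any executable whose name merely ends in `OpenWith.exe`; `Image: '*\OpenWith.exe'` is the consistent form. Both files also end with a whitespace-only added line, and with `falsepositives: - Unknown` a `level: critical` for a LOLBin proxy-execution signal is worth justifying in `description`.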
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml new file mode 100644 index 000000000..0be87b171 --- /dev/null +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml @@ -0,0 +1,32 @@ +action: global +title: Sysmon driver unload +status: experimental +author: Kirill Kiryanov, oscd.community +description: Detect possible shutdown Sysmon +date: 2019/10/23 +references: + - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +fields: + - CommandLine + - Details +falsepositives: Unknown +level: high +detection: + condition: selection and selection1 +--- +logsource: + product: windows + category: process_creation +detection: + selection: + Image: '*\fltMC.exe' + CommandLine: '*unload*Sys*' +--- +logsource: + product: windows + service: security +detection: + selection1: + EventID: 4673 + PrivilegeList: '*\SeLoadDriverPrivilege' + From 215e500894fc691caadc63ce92c1bee66f100935 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 14:43:01 +0300 Subject: [PATCH 032/269] fix --- rules/windows/process_creation/win_sysmon_driver_unload.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml index 0be87b171..f4dac03e2 100644 --- a/rules/windows/process_creation/win_sysmon_driver_unload.yml +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml @@ -12,7 +12,7 @@ fields: falsepositives: Unknown level: high detection: - condition: selection and selection1 + condition: selection --- logsource: product: windows @@ -26,7 +26,7 @@ logsource: product: windows service: security detection: - selection1: + selection: EventID: 4673 PrivilegeList: '*\SeLoadDriverPrivilege' - + \ No newline at end of file From bc943343df1d765a95261d4eeeeec0e8ac56d0f7 Mon Sep 17 00:00:00 2001 
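Review bot: With `action: global`, the `condition: selection and selection1` in the first document is merged into each of the two following documents, but the process_creation document defines only `selection` and the security document only `selection1`, so each generated rule references an identifier its own `detection` does not define and will fail to compile. If the intent is two independent signals, each document needs its own condition (`condition: selection` in both, with `selection1` renamed to `selection`); if both events are required together, that is not something a single Sigma rule expresses and `description` should say which reading is intended. `falsepositives: Unknown` is a bare scalar whereas the other rules in this series use a list (`- Unknown`), and `fields: - Details` looks copied from a registry-event rule rather than a process-creation one — worth confirming.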
From: alexpetrov12 Date: Wed, 23 Oct 2019 15:41:14 +0300 Subject: [PATCH 033/269] update win_sysmon_driver_unload --- .../process_creation/win_sysmon_driver_unload.yml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml index f4dac03e2..13c4795a2 100644 --- a/rules/windows/process_creation/win_sysmon_driver_unload.yml +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml @@ -1,4 +1,3 @@ -action: global title: Sysmon driver unload status: experimental author: Kirill Kiryanov, oscd.community @@ -11,9 +10,6 @@ fields: - Details falsepositives: Unknown level: high -detection: - condition: selection ---- logsource: product: windows category: process_creation @@ -21,12 +17,4 @@ detection: selection: Image: '*\fltMC.exe' CommandLine: '*unload*Sys*' ---- -logsource: - product: windows - service: security -detection: - selection: - EventID: 4673 - PrivilegeList: '*\SeLoadDriverPrivilege' - \ No newline at end of file + condition: selection From 4c84412944c5d017ab4fc2c9ac5f71be3b60dda7 Mon Sep 17 00:00:00 2001 
From: alexpetrov12 Date: Wed, 23 Oct 2019 18:08:30 +0300 Subject: [PATCH 034/269] added new rule MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit silenttrinity_stage_ use, sysmon_mimikatz_сreds_dump, sysmon_registry_persistence_key_linking, sysmon_сreds_dump --- .../silenttrinity_stage_ use.yml | 31 +++++++++++++++++++ .../sysmon/sysmon_mimikatz_сreds_dump.yml | 25 +++++++++++++++ ...ysmon_registry_persistence_key_linking.yml | 21 +++++++++++++ rules/windows/sysmon/sysmon_сreds_dump.yml | 27 ++++++++++++++++ 4 files changed, 104 insertions(+) create mode 100644 rules/windows/process_creation/silenttrinity_stage_ use.yml create mode 100644 rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml create mode 100644 rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml create mode 100644 rules/windows/sysmon/sysmon_сreds_dump.yml diff --git a/rules/windows/process_creation/silenttrinity_stage_ use.yml b/rules/windows/process_creation/silenttrinity_stage_ use.yml new file mode 100644 index 000000000..b66aaef8c --- /dev/null +++ b/rules/windows/process_creation/silenttrinity_stage_ use.yml @@ -0,0 +1,31 @@ +action: global +title: SILENTTRINITY +status: experimental +description: Detect SILENTTRINITY stager use +references: + - https://github.com/byt3bl33d3r/SILENTTRINITY +author: Aleksey Potapov, oscd.community +date: 2019/10/22 +tags: + - attack.execution +detection: + condition: selection +falsepositives: + - unknown +level: high +--- +logsource: + category: process_creation + product: windows + service: sysmon +detection: + selection: + Description: '*st2stager*' +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + Description: '*st2stager*' diff --git a/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml b/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml new file mode 100644 index 000000000..4c2c14611 --- /dev/null +++ b/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml 
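Review bot: The new file is created as `silenttrinity_stage_ use.yml`, with a space inside the name, which breaks the naming convention of the directory and is awkward for tooling and shell use; `silenttrinity_stage_use.yml` is the obvious fix. The first document's `logsource` combines `category: process_creation` with `service: sysmon`, unlike minidumpwritedump.yml and the win_susp_* rules in this series that use category and product only; the Sigma config is typically what chooses the process-creation event source, so the extra `service` may be needlessly restrictive. The `tags` list carries only `attack.execution` with no technique id, whereas the sibling rules pair the tactic with an `attack.t<ID>` entry.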
@@ -0,0 +1,25 @@ +title: Mimikatz сred access dump +description: Detects process access to LSASS which is typical for like Mimikatz tools different version +references: + - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf +tags: + - attack.credential_access + - attack.t1003 +status: experimental +author: Aleksey Potapov, oscd.community +date: 2019/10/23 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 10 + TargetImage: 'C:\windows\system32\lsass.exe' + GrantedAccess: + - '0x1410' + - '0x1010' + - '0x143a' + condition: selection +falsepositives: + - unknown +level: high \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml new file mode 100644 index 000000000..e665ccec6 --- /dev/null +++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml @@ -0,0 +1,21 @@ +title: Windows Registry Persistence - COM key linking +status: experimental +description: Detects COM object hijacking via TreatAs subkey +references: + - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ +author: Kutepov Anton, oscd.community +date: 2019/10/23 +tags: + - attack.persistence + - attack.t1122 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 12 + TargetObject: 'HKU\*_Classes\CLSID\*\TreatAs' + condition: selection +falsepositives: + - Maybe some system utilities in rare cases use linking keys for backward compability +level: medium diff --git a/rules/windows/sysmon/sysmon_сreds_dump.yml b/rules/windows/sysmon/sysmon_сreds_dump.yml new file mode 100644 index 000000000..dc13afd01 --- /dev/null +++ b/rules/windows/sysmon/sysmon_сreds_dump.yml 
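Review bot: The file name `sysmon_mimikatz_сreds_dump.yml` and the title `Mimikatz сred access dump` appear to contain a non-ASCII look-alike in place of the Latin `c` in "creds"/"cred" (the commit header's explicit UTF-8 encoding is consistent with this); a mixed-script name will not be found by a plain search for `creds` and should be retyped in ASCII, in both the name and the title. The same applies to `sysmon_сreds_dump.yml` added by this commit and re-added in PATCH 037. `TargetImage: 'C:\windows\system32\lsass.exe'` is pinned to one drive and path; `TargetImage: '*\lsass.exe'` would also cover installations on other system drives. `falsepositives: - unknown` understates things for LSASS access at these masks, which legitimate security and management software typically also performs; listing known benign source images in `falsepositives` helps tuning.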
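Review bot: `falsepositives` has a typo; it should read `- Maybe some system utilities in rare cases use linking keys for backward compatibility`. Also, Sysmon `EventID: 12` fires for key deletion as well as creation, so the rule also alerts when a `TreatAs` subkey is removed; if only creation is intended, `description` should say so or the Sysmon `EventType` field (`CreateKey`) should narrow the selection.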
@@ -0,0 +1,27 @@ +title: Cred access +description: The following GrantedAccess only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. +Most characteristic of powershell offensive tools. +references: + - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ +tags: + - attack.credential_access + - attack.t1003 +status: experimental +author: Aleksey Potapov, oscd.community +date: 2019/10/23 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 10 + TargetImage: 'C:\windows\system32\lsass.exe' + GrantedAccess: + - '0x1f0fff' + - '0x1f1fff' + - '0x1f2fff' + - '0x1f3fff' + condition: selection +falsepositives: + - unknown +level: high \ No newline at end of file From d3715a508b6c11ea3fa94c6663f80abb5b4973e6 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Wed, 23 Oct 2019 18:15:46 +0300 Subject: [PATCH 035/269] fix --- rules/windows/sysmon/sysmon_сreds_dump.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/sysmon/sysmon_сreds_dump.yml b/rules/windows/sysmon/sysmon_сreds_dump.yml index dc13afd01..42bf392c1 100644 --- a/rules/windows/sysmon/sysmon_сreds_dump.yml +++ b/rules/windows/sysmon/sysmon_сreds_dump.yml 
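Review bot: `description:` continues on a second line at column 0 (`Most characteristic of powershell offensive tools.`); a plain-scalar continuation must be indented deeper than its key, so a standard YAML parser rejects the file — join the sentence onto the `description:` line or use a `>-` block scalar. `title: Cred access` says nothing about what is detected; a title naming the LSASS access being matched, e.g. `title: LSASS process access with suspicious GrantedAccess`, would also distinguish it from the mimikatz rule in the same commit, which matches the same `EventID: 10` and `TargetImage` pair with a different `GrantedAccess` list. Since the two rules differ only in that list, consider merging them or cross-referencing one from the other's `description`.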
@@ -1,8 +1,7 @@ title: Cred access -description: The following GrantedAccess only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. -Most characteristic of powershell offensive tools. +description: The following GrantedAccess only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. Most characteristic of powershell offensive tools. references: - - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ + - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center tags: - attack.credential_access - attack.t1003 From f1ccf296f450bbc607aa34421d2995b5e63e9c9e Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Thu, 24 Oct 2019 00:40:58 +0300 Subject: [PATCH 036/269] fix --- ...ysmon_registry_persistence_key_linking.yml | 21 --------------- rules/windows/sysmon/sysmon_сreds_dump.yml | 26 ------------------- 2 files changed, 47 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml delete mode 100644 rules/windows/sysmon/sysmon_сreds_dump.yml diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml deleted file mode 100644 index e665ccec6..000000000 --- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: Windows Registry Persistence - COM key linking -status: experimental -description: Detects COM object hijacking via TreatAs subkey -references: - - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ -author: Kutepov Anton, oscd.community -date: 2019/10/23 -tags: - - attack.persistence - - attack.t1122 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 12 - TargetObject: 'HKU\*_Classes\CLSID\*\TreatAs' - condition: selection -falsepositives: - - Maybe some system utilities in rare cases use linking keys for backward compability -level: medium diff --git a/rules/windows/sysmon/sysmon_сreds_dump.yml b/rules/windows/sysmon/sysmon_сreds_dump.yml deleted file mode 100644 index 42bf392c1..000000000 --- a/rules/windows/sysmon/sysmon_сreds_dump.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: Cred access -description: The following GrantedAccess only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. Most characteristic of powershell offensive tools. -references: - - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center -tags: - - attack.credential_access - - attack.t1003 -status: experimental -author: Aleksey Potapov, oscd.community -date: 2019/10/23 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 10 - TargetImage: 'C:\windows\system32\lsass.exe' - GrantedAccess: - - '0x1f0fff' - - '0x1f1fff' - - '0x1f2fff' - - '0x1f3fff' - condition: selection -falsepositives: - - unknown -level: high \ No newline at end of file From cc998aa667d0a01df785aabafa2c9384b0fb0629 Mon Sep 17 00:00:00 2001 
From: alexpetrov12 Date: Thu, 24 Oct 2019 00:48:43 +0300 Subject: [PATCH 037/269] fix --- ...e_ use.yml => silenttrinity_stage_use.yml} | 0 rules/windows/sysmon/sysmon_сreds_dump.yml | 26 +++++++++++++++++++ 2 files changed, 26 insertions(+) rename rules/windows/process_creation/{silenttrinity_stage_ use.yml => silenttrinity_stage_use.yml} (100%) create mode 100644 rules/windows/sysmon/sysmon_сreds_dump.yml diff --git a/rules/windows/process_creation/silenttrinity_stage_ use.yml b/rules/windows/process_creation/silenttrinity_stage_use.yml similarity index 100% rename from rules/windows/process_creation/silenttrinity_stage_ use.yml rename to rules/windows/process_creation/silenttrinity_stage_use.yml diff --git a/rules/windows/sysmon/sysmon_сreds_dump.yml b/rules/windows/sysmon/sysmon_сreds_dump.yml new file mode 100644 index 000000000..42bf392c1 --- /dev/null +++ b/rules/windows/sysmon/sysmon_сreds_dump.yml @@ -0,0 +1,26 @@ +title: Cred access +description: The following GrantedAccess only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. Most characteristic of powershell offensive tools. +references: + - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center +tags: + - attack.credential_access + - attack.t1003 +status: experimental +author: Aleksey Potapov, oscd.community +date: 2019/10/23 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 10 + TargetImage: 'C:\windows\system32\lsass.exe' + GrantedAccess: + - '0x1f0fff' + - '0x1f1fff' + - '0x1f2fff' + - '0x1f3fff' + condition: selection +falsepositives: + - unknown +level: high \ No newline at end of file From 7cfd47be7c42dbf0b7fc0dccc89c7780b14c8ba6 Mon Sep 17 00:00:00 2001 
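Review bot: The rule is re-added with `falsepositives: - unknown` and `level: high`, yet the most obvious benign source of full-access lsass.exe handles is security and backup software (antivirus, EDR agents, VSS-based backup tools), which should be listed so triage knows what to exclude, e.g. `- Antivirus, EDR and backup agents that open lsass.exe with full access`. The metadata order (`status`, `author`, `date` placed after `tags`) parses fine but differs from every other rule in this series, which keep them right after `title`/`description`; aligning it makes the file set easier to scan. The file also ends with `\ No newline at end of file`; add the trailing newline.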
From: Yugoslavskiy Daniil Date: Thu, 24 Oct 2019 02:40:11 +0200 Subject: [PATCH 038/269] add win_scm_database_handle_failure.yml, win_scm_database_privileged_operation.yml, win_syskey_registry_access.yml --- .../win_scm_database_handle_failure.yml | 21 ++++++++++++++ .../win_scm_database_privileged_operation.yml | 21 ++++++++++++++ .../builtin/win_syskey_registry_access.yml | 28 +++++++++++++++++++ 3 files changed, 70 insertions(+) create mode 100644 rules/windows/builtin/win_scm_database_handle_failure.yml create mode 100644 rules/windows/builtin/win_scm_database_privileged_operation.yml create mode 100644 rules/windows/builtin/win_syskey_registry_access.yml diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml new file mode 100644 index 000000000..4945a34c0 --- /dev/null +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml @@ -0,0 +1,21 @@ +title: T1000 SCM Database Handle Failure +description: Detects non-system users failing to get a handle of the SCM database. +status: experimental +date: 2019/08/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md +logsource: + product: windows + service: security +detection: + selection: + EventID: 4656 + ObjectType: 'SC_MANAGER OBJECT' + ObjectName: 'servicesactive' + Keywords: "Audit Failure" + SubjectLogonId: "0x3e4" + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml new file mode 100644 index 000000000..0f16c6c38 --- /dev/null +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml 
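Review bot: `SubjectLogonId: "0x3e4"` inside `selection` inverts the stated intent: the description says the rule detects non-system users failing to open the SCM database, but as written it fires only when the subject logon is `0x3e4`, which on Windows is the well-known NETWORK SERVICE logon session, and ignores everyone else. The WMI rules later in this series (`win_wmiprvse_spawning_process.yml`, `sysmon_wmiprvse_spawning_process.yml`) express the same idea correctly as an exclusion, so this should read `filter:` / `SubjectLogonId: '0x3e4'` / `condition: selection and not filter`. `T1000` in the title does not correspond to an ATT&CK technique id as far as I can tell, and unlike `win_syskey_registry_access.yml` from the same commit there is no `tags:` block, so the rule will be invisible to any ATT&CK-based mapping; add the intended tactic/technique as tags.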
@@ -0,0 +1,21 @@ +title: T1000 SCM Database Privileged Operation +description: Detects non-system users performing privileged operation os the SCM database +status: experimental +date: 2019/08/15 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md +logsource: + product: windows + service: security +detection: + selection: + EventID: 4674 + ObjectType: 'SC_MANAGER OBJECT' + ObjectName: 'servicesactive' + PrivilegeList: 'SeTakeOwnershipPrivilege' + SubjectLogonId: "0x3e4" + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml new file mode 100644 index 000000000..d2c5c2b85 --- /dev/null +++ b/rules/windows/builtin/win_syskey_registry_access.yml @@ -0,0 +1,28 @@ +title: T1012 SysKey Registry Keys Access +description: Detects handle requests and access operations to specific registry keys to calculate the SysKey +status: experimental +date: 2019/08/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_access.md +tags: + - attack.discovery + - attack.t1012 +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4656 + - 4663 + ObjectType: 'key' + ObjectName: + - '*lsa\JD' + - '*lsa\GBG' + - '*lsa\Skew1' + - '*lsa\Data' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file From 7c5dc0ca0195bc5dfb77732fe4b6ec63a77453a4 Mon Sep 17 00:00:00 2001 
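Review bot: Same inversion as in `win_scm_database_handle_failure.yml`: `SubjectLogonId: "0x3e4"` in `selection` restricts the rule to the NETWORK SERVICE logon session instead of excluding it, contradicting `description: Detects non-system users performing privileged operation`. Move it to an exclusion: `filter:` / `SubjectLogonId: '0x3e4'` / `condition: selection and not filter`. While here, `operation os the SCM` in the description should read `operation on the SCM`, and a `tags:` block is missing as in the sibling rule.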
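Review bot: Events 4656/4663 for registry keys are only produced when the object-access `Audit Registry` subcategory is enabled and a SACL is set on the keys under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; nothing in the rule says so, while the PowerShell rules later in this series do record such prerequisites under `logsource` (`description: 'Script block logging must be enabled'`). Add `description: 'Registry object access auditing with a SACL on the Lsa\JD, GBG, Skew1 and Data keys must be configured'` under `logsource`. `ObjectType: 'key'` and `ObjectName: '*lsa\JD'` are lowercase while Windows writes `Key` and the real key path; unless the backend compares case-insensitively these will not match, so either use the logged casing or note the assumption. With `falsepositives: Unknown` and `level: critical`, also note that system components such as lsass.exe are expected to read these keys legitimately and will presumably need an exclusion.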
From: zinint Date: Thu, 24 Oct 2019 15:34:13 +0300 Subject: [PATCH 039/269] Update win_data_compressed.yml --- rules/windows/process_creation/win_data_compressed.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed.yml index 92f4269a8..469a946a2 100644 --- a/rules/windows/process_creation/win_data_compressed.yml +++ b/rules/windows/process_creation/win_data_compressed.yml @@ -14,15 +14,7 @@ detection: - '*\rar.exe' CommandLine: - '* a -r *' - selection2: - Image: - - '*\powershell.exe' - CommandLine: - - '*-Recurse | Compress-Archive*' - - '*-Recurse| Compress-Archive*' - - '*-Recurse |Compress-Archive*' - - '*-Recurse|Compress-Archive*' - condition: selection1 or selection2 + condition: selection1 fields: - Image - CommandLine From 3934f6c756b85d12afc66afc5a5fdc8488b7b6f7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 24 Oct 2019 14:34:16 +0200 Subject: [PATCH 040/269] add win_ad_object_writedac_access.yml, sysmon_createremotethread_loadlibrary.yml, sysmon_rdp_registry_modification.yml; modified win_account_backdoor_dcsync_rights.yml --- .../win_account_backdoor_dcsync_rights.yml | 3 ++- .../builtin/win_ad_object_writedac_access.yml | 22 +++++++++++++++++++ .../sysmon_createremotethread_loadlibrary.yml | 19 ++++++++++++++++ .../sysmon_rdp_registry_modification.yml | 21 ++++++++++++++++++ 4 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 rules/windows/builtin/win_ad_object_writedac_access.yml create mode 100644 rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml create mode 100644 rules/windows/sysmon/sysmon_rdp_registry_modification.yml diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml index db9abdd80..9bc99f507 100644 --- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml 
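Review bot: Removing `selection2` drops the process-creation coverage of `powershell.exe ... -Recurse | Compress-Archive`, which was visible in 4688/Sysmon 1 command lines on every host; the script-block rule added later in this series (`powershell_data_compressed.yml`, EventID 4104) only works where script block logging is enabled, so hosts without it lose this detection entirely. If the move is intentional, say so next to the remaining condition, e.g. `# PowerShell Compress-Archive variant moved to rules/windows/powershell/powershell_data_compressed.yml (needs script block logging)`. The enclosing `detection` block and `selection1` start before this hunk.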
+++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml @@ -2,7 +2,7 @@ title: Powerview Add-DomainObjectAcl DCSync AD Extend Right description: backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer status: experimental date: 2019/04/03 -author: Samir Bousseaden +author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community references: - https://twitter.com/menasec1/status/1111556090137903104 - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf @@ -19,6 +19,7 @@ detection: Value: - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' + - '*89e95b76-444d-4c62-991a-0facbeda640c*' condition: selection falsepositives: - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account. diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml new file mode 100644 index 000000000..882e33aa2 --- /dev/null +++ b/rules/windows/builtin/win_ad_object_writedac_access.yml @@ -0,0 +1,22 @@ +title: T1000 AD Object WriteDAC Access +description: Detects WRITE_DAC access to a domain object +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md +logsource: + product: windows + service: security +detection: + selection_one: + EventID: 4662 + ObjectServer: 'DS' + AccessMask: 0x40000 + ObjectType: + - '19195a5b-6da0-11d0-afd3-00c04fd930c9' + - 'domainDNS' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file 
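Review bot: The three GUIDs under `Value` are unlabeled, and the one this commit adds, `89e95b76-444d-4c62-991a-0facbeda640c`, is a different right from the other two: as far as I recall it is DS-Replication-Get-Changes-In-Filtered-Set, which on its own does not allow an account to DCSync password hashes, whereas `1131f6ad`/`1131f6aa` (Get-Changes-All / Get-Changes) do. Labelling each entry with a trailing comment, e.g. `- '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*'  # DS-Replication-Get-Changes`, lets an analyst see which right was granted, and the description should say that a hit on the filtered-set GUID alone is lower confidence. The `selection`/`Value` block begins before this hunk.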
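Review bot: `condition: selection` references a detection that does not exist; the only one defined is `selection_one`, so the rule will be rejected by the converter (or match nothing on a lenient backend). Rename it to `selection:` or change the condition to `condition: selection_one`. `AccessMask: 0x40000` is an unquoted hex literal that YAML parses as the integer 262144, while event 4662 carries the mask as the string `0x40000`; write `AccessMask: '0x40000'`, as the other rules here already quote logon ids. The bare GUID under `ObjectType` is also an exact match, and in my experience 4662 logs the type wrapped as `%{...}`, so `'*19195a5b-6da0-11d0-afd3-00c04fd930c9*'` is safer.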
diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml new file mode 100644 index 000000000..cdee77d86 --- /dev/null +++ b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml @@ -0,0 +1,19 @@ +title: T1055 CreateRemoteThread API and LoadLibrary +description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process +status: experimental +date: 2019/08/11 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 8 + StartModule: '*\kernel32.dll' + StartFunction: 'LoadLibraryA' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml new file mode 100644 index 000000000..1fae0cc66 --- /dev/null +++ b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml 
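Review bot: `StartFunction: 'LoadLibraryA'` covers only the ANSI entry point; `LoadLibraryW`, `LoadLibraryExA` and `LoadLibraryExW` are equally usable as a remote-thread start routine and are what Unicode-built injectors typically call, so the rule misses them. Use a list of the four names, or `StartFunction: 'LoadLibrary*'` if the backend resolves the symbol name the same way. `level: critical` with `falsepositives: Unknown` deserves a note that some legitimate software (accessibility and security tooling that installs hooks) uses the same CreateRemoteThread+LoadLibrary technique, so tuning will be needed before this is alert-grade.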
@@ -0,0 +1,21 @@ +title: T1112 RDP Registry Modification +description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md +logsource: + product: windows + service: sysmon +detection: + selection_one: + EventID: 13 + TargetObject: + - '*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' + - '*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' + Details: 'DWORD (0x00000000)' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file From 317e9d3df992dd70d45937d0727440a77ae8026b Mon Sep 17 00:00:00 2001 From: zinint Date: Thu, 24 Oct 2019 15:43:46 +0300 Subject: [PATCH 041/269] PS Data Compressed attack.t1002 PS Data Compressed attack.t1002 --- .../powershell/powershell_data_compressed.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/powershell/powershell_data_compressed.yml diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml new file mode 100644 index 000000000..6dbf737d1 --- /dev/null +++ b/rules/windows/powershell/powershell_data_compressed.yml 
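Review bot: `condition: selection` does not match the defined detection `selection_one`, so the rule fails to compile; the same slip is in `win_ad_object_writedac_access.yml` from this commit. Rename to `selection:`. Once it compiles, note that `Details: 'DWORD (0x00000000)'` is right for `fDenyTSConnections` (0 = allow RDP), but for `UserAuthentication` a value of 0 disables Network Level Authentication rather than enabling RDP; the description should say both, since turning off NLA is the more interesting of the two. The reference points at a PowerShell remoting playbook, which looks unrelated to RDP registry changes — verify the link.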
@@ -0,0 +1,26 @@ +title: Data Compressed +status: experimental +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +author: Timur Zinniatullin, oscd.community +references: + - https://attack.mitre.org/techniques/T1002/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml +logsource: + product: windows + service: powershell + description: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + keyword: + - '*-Recurse | Compress-Archive*' + - '*-Recurse| Compress-Archive*' + - '*-Recurse |Compress-Archive*' + - '*-Recurse|Compress-Archive*' + condition: selection and keyword +falsepositives: + - highly likely if archive ops are done via PS +level: low +tags: + - attack.exfiltration + - attack.t1002 From 5a98fdbbbd85c40075a67882f44a240d528125f2 Mon Sep 17 00:00:00 2001 From: zinint Date: Thu, 24 Oct 2019 16:33:29 +0300 Subject: [PATCH 042/269] ART t1004 --- .../powershell_winlogon_helper_dll.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/powershell/powershell_winlogon_helper_dll.yaml diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yaml b/rules/windows/powershell/powershell_winlogon_helper_dll.yaml new file mode 100644 index 000000000..83a4e058a --- /dev/null +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yaml 
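Review bot: The four `keyword` entries differ only in the spaces around the pipe and still miss tabs, multiple spaces or a line break before `Compress-Archive`; a single `'*-Recurse*Compress-Archive*'` covers all of them, since `*` matches any run of characters, and shortens the rule to one pattern. A comment should also note the limit: the pattern requires `-Recurse`, so `Compress-Archive -Path` on an explicit file list or `[IO.Compression.ZipFile]::CreateFromDirectory` is not covered, which the description (data compressed before exfiltration) implies it is. `highly likely if archive ops are done via PS` under `falsepositives` reads awkwardly; `Legitimate administrative scripts that archive directories with Compress-Archive` is clearer.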
@@ -0,0 +1,27 @@ +title: Winlogon Helper DLL +status: test +description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. +author: Timur Zinniatullin, oscd.community +references: + - https://attack.mitre.org/techniques/T1004/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml +logsource: + product: windows + service: powershell + description: 'Script block logging must be enabled' +detection: + selection: + EventID: 4104 + keyword1: + - '*Set-ItemProperty*' + keyword2: + - '*New-Item*' + keyword3: + - '*CurrentVersion\Winlogon*' + condition: selection and (keyword1 or keyword2) and keyword3 +falsepositives: + - Unknown +level: medium +tags: + - attack.persistence + - attack.t1004 From aef5fa3c2ba5905e1cbd2655ce957875bb2db063 Mon Sep 17 00:00:00 2001 From: zinint Date: Thu, 24 Oct 2019 16:37:38 +0300 Subject: [PATCH 043/269] Rename powershell_winlogon_helper_dll.yaml to powershell_winlogon_helper_dll.yml --- ...inlogon_helper_dll.yaml => powershell_winlogon_helper_dll.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/{powershell_winlogon_helper_dll.yaml => powershell_winlogon_helper_dll.yml} (100%) diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yaml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml similarity index 100% rename from rules/windows/powershell/powershell_winlogon_helper_dll.yaml rename to rules/windows/powershell/powershell_winlogon_helper_dll.yml 
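Review bot: `keyword3: '*CurrentVersion\Winlogon*'` fires on any `Set-ItemProperty`/`New-Item` touching the Winlogon key, including routine admin writes to `AutoAdminLogon`, `DefaultUserName` or `LegalNoticeText`, none of which loads a helper DLL; the T1004 values are `Shell`, `Userinit` and `Notify`, so consider additionally requiring the value name in the same script block, e.g. `'*Winlogon*Userinit*'` / `'*Winlogon*Notify*'` (`Shell` needs care, as it is a substring of `PowerShell`), and list those admin writes under `falsepositives` instead of `Unknown`. The registry path in `description`, `HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\`, has lost its separators around the optional node; it should read `HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\`. `*New-Item*` also matches `New-ItemProperty`, which is probably intended but worth a one-line comment so nobody "fixes" it.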
From 4fb9821b49817a84e8e5e2b066027725cae291c7 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Thu, 24 Oct 2019 15:48:38 +0200 Subject: [PATCH 044/269] added: win_non_interactive_powershell.yml win_remote_powershell_session.yml win_wmiprvse_spawning_process.yml powershell_alternate_powershell_hosts.yml powershell_remote_powershell_session.yml sysmon_alternate_powershell_hosts_moduleload.yml sysmon_alternate_powershell_hosts_pipe.yml sysmon_non_interactive_powershell_execution.yml sysmon_powershell_execution_moduleload.yml sysmon_powershell_execution_pipe.yml sysmon_remote_powershell_session_network.yml sysmon_remote_powershell_session_process.yml sysmon_wmi_module_load.yml sysmon_wmiprvse_spawning_process.yml --- .../win_non_interactive_powershell.yml | 19 +++++++++++ .../builtin/win_remote_powershell_session.yml | 21 ++++++++++++ .../builtin/win_wmiprvse_spawning_process.yml | 20 ++++++++++++ .../powershell_alternate_powershell_hosts.yml | 21 ++++++++++++ .../powershell_remote_powershell_session.yml | 21 ++++++++++++ ..._alternate_powershell_hosts_moduleload.yml | 21 ++++++++++++ ...sysmon_alternate_powershell_hosts_pipe.yml | 20 ++++++++++++ ...n_non_interactive_powershell_execution.yml | 20 ++++++++++++ ...sysmon_powershell_execution_moduleload.yml | 19 +++++++++++ .../sysmon_powershell_execution_pipe.yml | 18 +++++++++++ ...smon_remote_powershell_session_network.yml | 22 +++++++++++++ ...smon_remote_powershell_session_process.yml | 21 ++++++++++++ .../windows/sysmon/sysmon_wmi_module_load.yml | 32 +++++++++++++++++++ .../sysmon_wmiprvse_spawning_process.yml | 20 ++++++++++++ 14 files changed, 295 insertions(+) create mode 100644 rules/windows/builtin/win_non_interactive_powershell.yml create mode 100644 rules/windows/builtin/win_remote_powershell_session.yml create mode 100644 rules/windows/builtin/win_wmiprvse_spawning_process.yml create mode 100644 rules/windows/powershell/powershell_alternate_powershell_hosts.yml create mode 100644 rules/windows/powershell/powershell_remote_powershell_session.yml create mode 100644 
rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml create mode 100644 rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml create mode 100644 rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml create mode 100644 rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml create mode 100644 rules/windows/sysmon/sysmon_powershell_execution_pipe.yml create mode 100644 rules/windows/sysmon/sysmon_remote_powershell_session_network.yml create mode 100644 rules/windows/sysmon/sysmon_remote_powershell_session_process.yml create mode 100644 rules/windows/sysmon/sysmon_wmi_module_load.yml create mode 100644 rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml diff --git a/rules/windows/builtin/win_non_interactive_powershell.yml b/rules/windows/builtin/win_non_interactive_powershell.yml new file mode 100644 index 000000000..6ba84927d --- /dev/null +++ b/rules/windows/builtin/win_non_interactive_powershell.yml @@ -0,0 +1,19 @@ +title: T1086 Non Interactive PowerShell +description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. +status: experimental +date: 2019/12/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md +logsource: + product: windows + service: security +detection: + selection: + EventID: 4688 + NewProcessName: '*\powershell.exe' + ParentProcessName: '*\explorer.exe' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml new file mode 100644 index 000000000..c763215ef --- /dev/null +++ b/rules/windows/builtin/win_remote_powershell_session.yml 
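Review bot: The selection is inverted relative to the description: it matches `NewProcessName: '*\powershell.exe'` with `ParentProcessName: '*\explorer.exe'` under `condition: selection`, so it fires on exactly the interactive launches from Explorer that the description says are excluded, and never on the non-interactive ones. The Sysmon twin in this same commit, `sysmon_non_interactive_powershell_execution.yml`, has it right; mirror it: `filter:` / `ParentProcessName: '*\explorer.exe'` / `condition: selection and not filter`. `date: 2019/12/10` is later than the commit date (24 Oct 2019), so it looks like a typo. Even once fixed, PowerShell started from cmd.exe or a terminal is still interactive, while scheduled tasks, SCCM and logon scripts spawn it from non-Explorer parents routinely, so `level: critical` with `falsepositives: Unknown` is hard to defend for an alert.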
@@ -0,0 +1,21 @@ +title: T1086 Remote PowerShell Sessions +description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md +logsource: + product: windows + service: security +detection: + selection: + EventID: 5156 + DestPort: + - 5985 + - 5986 + LayerRTID: 44 + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_wmiprvse_spawning_process.yml b/rules/windows/builtin/win_wmiprvse_spawning_process.yml new file mode 100644 index 000000000..37ccaa4d2 --- /dev/null +++ b/rules/windows/builtin/win_wmiprvse_spawning_process.yml @@ -0,0 +1,20 @@ +title: T1047 Wmiprvse Spawning Process +description: Detects wmiprvse spawning processes +status: experimental +date: 2019/08/15 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md +logsource: + product: windows + service: security +detection: + selection: + EventID: 4688 + ParentProcessName: '*WmiPrvSe.exe' + filter: + TargetLogonId: '0x3e7' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml new file mode 100644 index 000000000..b5e43040a --- /dev/null +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml 
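Review bot: Any accepted connection to 5985/5986 matches here, and WinRM is the normal management channel for Windows servers (admin remoting, SCCM, Exchange, configuration management), so `level: critical` with `falsepositives: Unknown` will page on routine administration. Either scope it (workstations only, or a `filter:` on `SourceAddress` for known management hosts) or lower the level and name those sources under `falsepositives`. Event 5156 also requires the Windows Filtering Platform connection auditing subcategory, which is off by default; record that prerequisite under `logsource` with a `description:` line, as the PowerShell rules in this commit do.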
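Review bot: `ParentProcessName: '*WmiPrvSe.exe'` is not anchored to a path separator, so it also matches any binary whose name merely ends in those characters, whereas the other rules in this commit use `'*\name.exe'`; write `ParentProcessName: '*\WmiPrvSe.exe'`. The `filter` on `TargetLogonId: '0x3e7'` is unexplained; a comment such as `# 0x3e7 = SYSTEM logon session, excluded as local/system-originated WMI activity` (if that is the reasoning) makes the intent auditable, and the same note belongs in the Sysmon twin that uses `LogonId`. `falsepositives: Unknown` should at least name SCCM and monitoring agents, which create processes through WMI as a matter of course.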
@@ -0,0 +1,21 @@ +title: T1086 Alternate PowerShell Hosts +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe +status: experimental +date: 2019/08/11 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md +logsource: + product: windows + service: powershell +detection: + selection: + EventID: + - 4103 + - 400 + filter: + HostApplication: 'powershell.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml new file mode 100644 index 000000000..b474f993c --- /dev/null +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -0,0 +1,21 @@ +title: T1086 Remote PowerShell Session +description: Detects remote PowerShell sessions +status: experimental +date: 2019/08/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md +logsource: + product: windows + service: powershell +detection: + selection: + EventID: + - 4103 + - 400 + HostName: 'ServerRemoteHost' + HostApplication: '*wsmprovhost.exe*' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml new file mode 100644 index 000000000..0192877ae --- /dev/null +++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml 
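Review bot: `HostApplication: 'powershell.exe'` in `filter` is an exact match, but in my experience that field carries the host's full command line (e.g. `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile ...`), so the filter never matches and every ordinary PowerShell session is reported as an alternate host at `level: critical`. The sibling rule in this commit, `powershell_remote_powershell_session.yml`, already wildcards the same field (`'*wsmprovhost.exe*'`); do the same here: `HostApplication: '*powershell.exe*'`. Consider `'*powershell_ise.exe*'` as a second filter entry too, since the ISE is a legitimate host that this rule would otherwise flag.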
@@ -0,0 +1,21 @@ +title: T1086 Alternate PowerShell Hosts +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + Description: 'system.management.automation' + ImageLoaded: '*system.management.automation*' + filter: + Image: '*\powershell.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml new file mode 100644 index 000000000..47ffd1649 --- /dev/null +++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml @@ -0,0 +1,20 @@ +title: T1086 Alternate PowerShell Hosts +description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 17 + PipeName: '\PSHost*' + filter: + Image: '*\powershell.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml b/rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml new file mode 100644 index 000000000..75ec63f63 --- /dev/null +++ b/rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml 
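Review bot: The `filter` excludes only `'*\powershell.exe'`, so `powershell_ise.exe` — and `pwsh.exe` where PowerShell Core is deployed, since it loads its own `System.Management.Automation` assembly that the `ImageLoaded` wildcard also matches — will be reported as alternate hosts; add them to the filter list unless flagging them is intended. `Description: 'system.management.automation'` is lowercase while Sysmon records the DLL's version-resource description (`System.Management.Automation` as far as I have seen), so on a case-sensitive backend the rule matches nothing; either drop the `Description` field, since `ImageLoaded` already identifies the DLL, or match the logged casing.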
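Review bot: As in the module-load variant, the `filter` on `'*\powershell.exe'` leaves `powershell_ise.exe` (and `pwsh.exe`, which also creates `\PSHost` pipes) to fire this rule at `level: critical`; add them to the filter list or lower the level and list them under `falsepositives`. EventID 17 only captures the pipe creation, which happens once when the host starts, so a long-lived alternate host is seen once and never again; that is acceptable for an alert but worth stating in the description.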
@@ -0,0 +1,20 @@ +title: T1086 Non Interactive PowerShell Execution +description: Detects execution of PowerShell with not explorer.exe as a parent. +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Image: '*\powershell.exe' + filter: + ParentImage: '*\explorer.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml new file mode 100644 index 000000000..2837ee65b --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml @@ -0,0 +1,19 @@ +title: T1086 PowerShell Execution +description: Detects execution of PowerShell +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + Description: 'system.management.automation' + ImageLoaded: '*system.management.automation*' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml new file mode 100644 index 000000000..91ca4d8fc --- /dev/null +++ b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml 
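Review bot: A non-Explorer parent is not the same thing as non-interactive: PowerShell launched from cmd.exe, a terminal emulator or an RDP shell is still interactive, while scheduled tasks, SCCM client actions and logon scripts spawn `powershell.exe` from `svchost.exe`, `taskeng.exe` or `gpscript.exe` routinely, so `level: critical` with `falsepositives: Unknown` will not hold up as an alert. Either name those parents under `falsepositives` and lower the level, or present it as a hunting query in the description. The same applies to `win_non_interactive_powershell.yml` from this commit once its inverted condition is fixed.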
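Review bot: This matches every load of `System.Management.Automation` with no filter at all, i.e. every PowerShell start on the host, yet carries `level: critical` and `falsepositives: Unknown`; as an alert it will fire continuously on any managed estate. It reads as a baseline/hunting query, so either lower it to `low` and say so in the description, or add the exclusions that would make a hit alert-worthy. The twin `sysmon_powershell_execution_pipe.yml` in the same commit has the same issue.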
@@ -0,0 +1,18 @@ +title: T1086 PowerShell Execution +description: Detects execution of PowerShell +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 17 + PipeName: '\PSHost*' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml new file mode 100644 index 000000000..850323f85 --- /dev/null +++ b/rules/windows/sysmon/sysmon_remote_powershell_session_network.yml @@ -0,0 +1,22 @@ +title: T1086 Remote PowerShell Session +description: Detects remote PowerShell seccions by monitoring network outbount connections to ports 5985 or 5986 from not network service account +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationPort: + - 5985 + - 5986 + filter: + User: 'NT AUTHORITY\NETWORK SERVICE' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml new file mode 100644 index 000000000..2db614c8f --- /dev/null +++ b/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml 
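Review bot: The description says outbound connections, but Sysmon event 3 records both initiated and accepted connections and nothing in `selection` constrains direction, so inbound WinRM on a server matches as well; add `Initiated: 'true'` to `selection` so the rule does what the description says (the Windows-log sibling uses `LayerRTID` for the same purpose). `User: 'NT AUTHORITY\NETWORK SERVICE'` in `filter` only removes the WinRM service's own traffic; with no source-process constraint this still fires on every admin `Enter-PSSession` at `level: critical`, so list administrative remoting under `falsepositives`. `seccions` and `outbount` in the description are typos.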
@@ -0,0 +1,21 @@ +title: T1086 Remote PowerShell Session +description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn) +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md +logsource: + product: windows + service: sysmon +detection: + selection_one: + EventID: 1 + Image: '*\wsmprovhost.exe' + selection_two: + EventID: 1 + ParentImage: '*\wsmprovhost.exe' + condition: selection_one or selection_two +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml new file mode 100644 index 000000000..82368ec0a --- /dev/null +++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml @@ -0,0 +1,32 @@ +title: T1047 WMI Modules Loaded +description: Detects non wmiprvse loading WMI modules +status: experimental +date: 2019/08/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 7 + ImageLoaded: + - '*wmiclnt.dll' + - '*WmiApRpl.dll' + - '*wmiprov.dll' + - '*wmiutils.dll' + - '*wbemcomn.dll' + - '*wbemprox.dll' + - '*WMINet_Utils.dll' + - '*wbemsvc.dll' + - '*fastprox.dll' + filter: + Image: + - '*WmiPrvSe.exe' + - '*WmiAPsrv.exe' + - '*svchost.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml b/rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml new file mode 100644 index 000000000..ed05c5424 
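Review bot: wsmprovhost.exe hosts every PowerShell Remoting session, including authorised admin use of Enter-PSSession/Invoke-Command, so `level: critical` with `falsepositives: Unknown` will be noisy in any estate managed over WinRM; lower the level or list 'Legitimate administration via PowerShell Remoting' under `falsepositives`. As a point of style, `selection_one` and `selection_two` repeat `EventID: 1` and differ only in `Image` versus `ParentImage`; a single `EventID: 1` selection combined with a `1 of` over two image selections reads more simply. The description has typos ('seccions', 'sessionn').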
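Review bot: The `filter` patterns `'*WmiPrvSe.exe'`, `'*WmiAPsrv.exe'` and `'*svchost.exe'` carry no path separator, so a binary named e.g. `evilsvchost.exe` anywhere on disk is silently excluded from a `level: critical` rule; anchor them as `'*\WmiPrvSe.exe'`, `'*\WmiAPsrv.exe'`, `'*\svchost.exe'` (ideally with the System32/SysWOW64 path) and apply the same `\` prefix to the `ImageLoaded` entries. The listed DLLs (wbemcomn.dll, fastprox.dll, wbemprox.dll) are loaded by ordinary WMI clients such as wmic.exe, mmc.exe and PowerShell too, so expect high volume until those hosts are filtered or the level is reduced.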
--- /dev/null +++ b/rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml @@ -0,0 +1,20 @@ +title: T1047 Wmiprvse Spawning Process +description: Detects wmiprvse spawning processes +status: experimental +date: 2019/08/15 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + ParentImage: '*WmiPrvSe.exe' + filter: + LogonId: '0x3e7' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file From a7a753862cc0af9614fd9c483ecf5a8f37daba08 Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Fri, 25 Oct 2019 12:06:32 +1100 Subject: [PATCH 045/269] Update win_susp_net_execution.yml Added: 1. Additional tags for techniques as defined by Atomic Blue. 2. Detection for OriginalFileName as net.exe can easily be renamed. Part of oscd.community effort. --- .../process_creation/win_susp_net_execution.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index 8f3ef0a65..cb43538f2 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
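Review bot: `ParentImage: '*WmiPrvSe.exe'` is not anchored on a path separator; `'*\WmiPrvSe.exe'` is the safer pattern, and matching the full System32/SysWOW64 path would also distinguish a copied WmiPrvSe.exe used as a decoy parent. The `LogonId: '0x3e7'` filter drops everything WmiPrvSe spawns in the SYSTEM logon session, which is a reasonable noise trade-off but also hides local SYSTEM-context WMI execution — worth stating in the description. Sysmon renders LogonId as a hex string; confirm the letter case your backend stores so the literal actually matches.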
@@ -3,11 +3,17 @@ status: experimental description: Detects execution of Net.exe, whether suspicious or benign. references: - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ -author: Michael Haag, Mark Woan (improvements) + - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html + - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html +author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) tags: - attack.s0039 + - attack.t1027 + - attack.t1049 + - attack.t1135 - attack.lateral_movement - attack.discovery + - attack.defense.evasion logsource: category: process_creation product: windows @@ -16,6 +22,11 @@ detection: Image: - '*\net.exe' - '*\net1.exe' + filename: + OriginalFileName: + - 'net.exe' + - 'net1.exe' + cmdline: CommandLine: - '* group*' - '* localgroup*' @@ -25,7 +36,7 @@ detection: - '* accounts*' - '* use*' - '* stop *' - condition: selection + condition: selection or filename and cmdline fields: - CommandLine - ParentCommandLine From 5678357f4ee9b88c59f4b6c6c576a5cb9e1853cf Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Fri, 25 Oct 2019 12:20:47 +1100 Subject: [PATCH 046/269] Update win_susp_net_execution.yml Added tag for: References: https://attack.mitre.org/techniques/T1077/ https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html --- rules/windows/process_creation/win_susp_net_execution.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index cb43538f2..ad5fcd6bc 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
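Review bot: `- attack.defense.evasion` uses a dot where the Sigma tactic tags use an underscore (`attack.defense_evasion`, as the other rules in this series spell it), so the new tag will not map to the tactic; change it to `- attack.defense_evasion`. The other additions in this hunk (references, technique tags, author credit) look fine.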
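Review bot: `condition: selection or filename and cmdline` parses as `selection or (filename and cmdline)` because `and` binds tighter than `or`, and since this patch moves `CommandLine` out of `selection` into the new `cmdline` selection, any `net.exe`/`net1.exe` execution now matches regardless of its arguments — a regression from the original Image-plus-CommandLine rule. The intended logic is `condition: (selection or filename) and cmdline`. `OriginalFileName` is only populated by sources that expose it (Sysmon 10+, some EDRs), so on plain 4688 data the `filename` branch silently never matches; a one-line comment noting that would help deployers.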
@@ -5,11 +5,13 @@ references: - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html + - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) tags: - attack.s0039 - attack.t1027 - attack.t1049 + - attack.t1077 - attack.t1135 - attack.lateral_movement - attack.discovery From 5eb484a06207defeadb9572f089b85a87594767e Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Fri, 25 Oct 2019 04:30:55 +0200 Subject: [PATCH 047/269] add tieto dns exfiltration rules --- rules/network/net_dns_c2_detection.yml | 5 +-- rules/network/net_high_dns_bytes_out.yml | 29 +++++++++++++++++ rules/network/net_high_dns_requests_rate.yml | 29 +++++++++++++++++ .../net_high_null_records_requests_rate.yml | 18 +++++++++++ .../net_high_txt_records_requests_rate.yml | 18 +++++++++++ .../powershell_dnscat_execution.yml | 19 ++++++++++++ .../win_dns_exfiltration_tools_execution.yml | 20 ++++++++++++ ...ltration_and_tunneling_tools_execution.yml | 22 +++++++++++++ .../win_tap_installer_execution.yml | 18 +++++++++++ .../sysmon/win_tap_driver_installation.yml | 31 +++++++++++++++++++ 10 files changed, 207 insertions(+), 2 deletions(-) create mode 100644 rules/network/net_high_dns_bytes_out.yml create mode 100644 rules/network/net_high_dns_requests_rate.yml create mode 100644 rules/network/net_high_null_records_requests_rate.yml create mode 100644 rules/network/net_high_txt_records_requests_rate.yml create mode 100644 rules/windows/powershell/powershell_dnscat_execution.yml create mode 100644 rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml create mode 100644 rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml create mode 100644 rules/windows/process_creation/win_tap_installer_execution.yml create mode 100644 rules/windows/sysmon/win_tap_driver_installation.yml diff --git a/rules/network/net_dns_c2_detection.yml b/rules/network/net_dns_c2_detection.yml index 90a889dc2..fd47f29df 100644 --- a/rules/network/net_dns_c2_detection.yml +++ b/rules/network/net_dns_c2_detection.yml @@ -7,7 +7,7 @@ references: author: Patrick Bareiss date: 2019/04/07 logsource: - product: dns + category: dns detection: selection: parent_domain: '*' @@ -16,4 +16,5 @@ falsepositives: - Valid software, which uses dns for transferring data level: high tags: - - attack.t1043 + - attack.t1048 + - attack.exfiltration 
diff --git a/rules/network/net_high_dns_bytes_out.yml b/rules/network/net_high_dns_bytes_out.yml new file mode 100644 index 000000000..b435c5359 --- /dev/null +++ b/rules/network/net_high_dns_bytes_out.yml @@ -0,0 +1,29 @@ +--- +action: global +title: High DNS bytes out +description: High DNS queries bytes amount from host per short period of time +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +falsepositives: + - Legitimate high DNS bytes out rate to domain name which should be added to whitelist +level: medium +--- +logsource: + category: dns +detection: + selection: + query: '*' + timeframe: 1m + condition: selection | sum(question_length) by src_ip > 300000 +--- +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection | sum(message_size) by src_ip > 300000 diff --git a/rules/network/net_high_dns_requests_rate.yml b/rules/network/net_high_dns_requests_rate.yml new file mode 100644 index 000000000..3eb99ede7 --- /dev/null +++ b/rules/network/net_high_dns_requests_rate.yml @@ -0,0 +1,29 @@ +--- +action: global +title: High DNS requests rate +description: High DNS requests amount from host per short period of time +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +falsepositives: + - Legitimate high DNS requests rate to domain name which should be added to whitelist +level: medium +--- +logsource: + category: dns +detection: + selection: + query: '*' + timeframe: 1m + condition: selection | count() by src_ip > 1000 +--- +logsource: + category: firewall +detection: + selection: + dst_port: 53 + timeframe: 1m + condition: selection | count() by src_ip > 1000 diff --git a/rules/network/net_high_null_records_requests_rate.yml b/rules/network/net_high_null_records_requests_rate.yml new file mode 100644 index 000000000..3a42156a0 --- /dev/null 
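Review bot: An internal recursive resolver or forwarder will exceed `sum(message_size) by src_ip > 300000` in almost every minute on the `firewall` document, because all client lookups leave it towards port 53, so the rule needs a filter for the resolver addresses or a note that the `src_ip` grouping is meant for the resolver's own query log; the `dns` document has the same issue if it is collected on the resolver. `question_length` and `message_size` are not fields defined by the Sigma `dns`/`firewall` categories — presumably they rely on a backend field mapping; say so in the description so the rule is not deployed unmapped. The 300000-byte threshold is environment-specific and should be marked as tunable.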
+++ b/rules/network/net_high_null_records_requests_rate.yml @@ -0,0 +1,18 @@ +title: High NULL records requests rate +description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + selection: + record_type: "NULL" + timeframe: 1m + condition: selection | count() by src_ip > 50 +falsepositives: + - Legitimate high DNS NULL requests rate to domain name which should be added to whitelist +level: medium diff --git a/rules/network/net_high_txt_records_requests_rate.yml b/rules/network/net_high_txt_records_requests_rate.yml new file mode 100644 index 000000000..58f19c5ef --- /dev/null +++ b/rules/network/net_high_txt_records_requests_rate.yml @@ -0,0 +1,18 @@ +title: High TXT records requests rate +description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + selection: + record_type: "TXT" + timeframe: 1m + condition: selection | count() by src_ip > 50 +falsepositives: + - Legitimate high DNS TXT requests rate to domain name which should be added to whitelist +level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml new file mode 100644 index 000000000..e8f698eaf --- /dev/null +++ b/rules/windows/powershell/powershell_dnscat_execution.yml 
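Review bot: Mail servers and anti-spam gateways resolve TXT records for SPF/DKIM/DMARC on every inbound message, so `record_type: "TXT"` with `count() by src_ip > 50` per minute will fire continuously for those hosts; add 'Mail servers (SPF/DKIM/DMARC lookups)' and 'Internal resolvers' to `falsepositives` and point deployers at a whitelist filter. Quoting `"TXT"` and `"NULL"` is correct and worth keeping — an unquoted `NULL` would parse as YAML null and the selection would silently turn into 'field is null'.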
@@ -0,0 +1,19 @@ +title: Dnscat execution +description: Dnscat exfiltration tool execution +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + product: windows + service: powershell +detection: + selection: + EventID: 4104 + ScriptBlockText: "*Start-Dnscat2*" + condition: selection +falsepositives: + - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely) +level: medium diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml new file mode 100644 index 000000000..6f072e792 --- /dev/null +++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml @@ -0,0 +1,20 @@ +title: DNS exfiltration tools execution +description: Well-known DNS Exfiltration tools execution +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: process_creation + product: windows +detection: + selection: + NewProcessName: + - "*\\iodine.exe" + - "*\\dnscat2*" + condition: selection +falsepositives: + - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely) +level: medium diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml new file mode 100644 index 000000000..0cd906be8 --- /dev/null +++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml 
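Review bot: `ScriptBlockText: "*Start-Dnscat2*"` only matches the documented entry function, while the module is commonly loaded by dot-sourcing or `Import-Module` and the function name is trivial to change in a copy; broadening to `ScriptBlockText: - "*Start-Dnscat2*" - "*dnscat2*"` catches the module file and class names as well. The description should state that EventID 4104 requires Script Block Logging to be enabled, otherwise the rule silently never fires. For a known exfiltration framework `level: medium` seems low; `high` is more consistent with the `falsepositives` text calling legitimate use unlikely.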
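Review bot: `NewProcessName` is the raw Security 4688 field name, whereas the `process_creation` category in this repository is written against the generic `Image` field (see the reg.exe/netsh/sc rules later in this series) which the backend config maps to `NewProcessName` or Sysmon's `Image`; using the raw name here means the rule will not match Sysmon data. Change the selection to `Image: - '*\iodine.exe' - '*\dnscat2*'`. The double-quoted `"*\\iodine.exe"` form is correct YAML but single quotes with a single backslash are the convention in the sibling rules.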
@@ -0,0 +1,22 @@ +title: Exfiltration and tunneling tools execution +description: Execution of well known tools for data exfiltration and tunneling +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1020 +logsource: + category: process_creation + product: windows +detection: + selection: + NewProcessName: + - "*\\plink.exe" + - "*\\socat.exe" + - "*\\stunnel.exe" + - "*\\httptunnel.exe" + condition: selection +falsepositives: + - Legitimate Administrator using tool for exfiltration for other needs +level: medium diff --git a/rules/windows/process_creation/win_tap_installer_execution.yml b/rules/windows/process_creation/win_tap_installer_execution.yml new file mode 100644 index 000000000..b9c0395f1 --- /dev/null +++ b/rules/windows/process_creation/win_tap_installer_execution.yml @@ -0,0 +1,18 @@ +title: Tap installer execution +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: "*\\tapinstall.exe" + condition: selection +falsepositives: + - Legitimate OpenVPN TAP insntallation +level: medium diff --git a/rules/windows/sysmon/win_tap_driver_installation.yml b/rules/windows/sysmon/win_tap_driver_installation.yml new file mode 100644 index 000000000..3d09ad4fb --- /dev/null +++ b/rules/windows/sysmon/win_tap_driver_installation.yml 
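Review bot: Matching only on the image name (`*\plink.exe`, `*\socat.exe`, ...) is defeated by renaming the binary, which is exactly what the net.exe commit earlier in this series addresses with an `OriginalFileName` selection; add the same here where the source provides that field (Sysmon 10+), and use `Image` rather than the raw `NewProcessName` so the rule also works on Sysmon data. The `attack.t1020` tag (Automated Exfiltration) does not obviously fit plink/socat/stunnel, which are tunnelling tools — presumably T1048 or T1043 was intended; verify against the ATT&CK mapping used by the other DNS rules in this commit.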
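Review bot: `CommandLine: "*\\tapinstall.exe"` has only a leading wildcard, so it matches solely when the command line ends in `tapinstall.exe` — a real installation such as `tapinstall.exe install OemVista.inf tap0901` carries arguments and will not match. Use `Image: '*\tapinstall.exe'` (this is a `process_creation` rule, so the image field is available) or at least `CommandLine: '*\tapinstall.exe*'`. The `falsepositives` entry has a typo ('insntallation').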
@@ -0,0 +1,31 @@ +--- +action: global +title: Tap driver installation +description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques +status: experimental +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1048 +falsepositives: + - Legitimate OpenVPN TAP insntallation +level: medium +detection: + selection: + ImagePath: "*tap0901*" + condition: selection +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 From dcaacd07bf0e9b3966842a50958869169ffff975 Mon Sep 17 00:00:00 2001 From: stvetro <57000749+stvetro@users.noreply.github.com> Date: Fri, 25 Oct 2019 15:38:47 +0400 Subject: [PATCH 048/269] 4 rules to cover ART --- .../win_susp_direct_run_key_modification.yml | 27 ++++++++++++++++++ .../win_susp_netsh_dll_persistence.yml | 27 ++++++++++++++++++ .../win_susp_service_path_modification.yml | 28 +++++++++++++++++++ .../sysmon/sysmon_runkey_from_powershell.yml | 27 ++++++++++++++++++ 4 files changed, 109 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_direct_run_key_modification.yml create mode 100644 rules/windows/process_creation/win_susp_netsh_dll_persistence.yml create mode 100644 rules/windows/process_creation/win_susp_service_path_modification.yml create mode 100644 rules/windows/sysmon/sysmon_runkey_from_powershell.yml diff --git a/rules/windows/process_creation/win_susp_direct_run_key_modification.yml b/rules/windows/process_creation/win_susp_direct_run_key_modification.yml new file mode 100644 index 000000000..e6b707a29 --- /dev/null +++ b/rules/windows/process_creation/win_susp_direct_run_key_modification.yml 
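Review bot: `ImagePath: "*tap0901*"` is placed in the global section, but Sysmon EventID 6 (driver loaded) reports the driver path in `ImageLoaded`, not `ImagePath` — only the System log's 7045 service-installed event uses `ImagePath` — so the Sysmon document of this rule will never match. Move the field into each document: keep `ImagePath: '*tap0901*'` beside `EventID: 7045` and use `ImageLoaded: '*tap0901*'` beside `EventID: 6`, with `condition: selection` in both. The `falsepositives` entry repeats the 'insntallation' typo.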
@@ -0,0 +1,27 @@ +title: Direct Run key modification +description: Detects direct Run key modification for persistence using reg.exe. +status: test +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml +tags: + - attack.persistence + - attack.t1060 +date: 2019/10/25 +modified: 2019/10/25 +author: Victor Sergeev, oscd.community +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\reg.exe' + CommandLine: + - '*add*Microsoft\Windows\CurrentVersion\Run*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Admin scripts +level: high diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml new file mode 100644 index 000000000..46e1f21f3 --- /dev/null +++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml @@ -0,0 +1,27 @@ +title: Suspicious netsh Dll persistence +description: Detects pesitence via netsh helper +status: test +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml +tags: + - attack.persistence + - attack.t1060 +date: 2019/10/25 +modified: 2019/10/25 +author: Victor Sergeev, oscd.community +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\netsh.exe' + CommandLine: + - '*add*helper*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unkown +level: high diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml new file mode 100644 index 000000000..93ae0e96a --- /dev/null +++ b/rules/windows/process_creation/win_susp_service_path_modification.yml 
@@ -0,0 +1,28 @@ +title: Suspicious service path modification +description: Detects service path modification to powershell/cmd +status: test +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml +tags: + - attack.persistence + - attack.t1031 +date: 2019/10/21 +modified: 2019/10/21 +author: Victor Sergeev, oscd.community +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\sc.exe' + CommandLine: + - '*config*binpath*powershell*' + - '*config*binpath*cmd*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/sysmon/sysmon_runkey_from_powershell.yml b/rules/windows/sysmon/sysmon_runkey_from_powershell.yml new file mode 100644 index 000000000..3cda627fc --- /dev/null +++ b/rules/windows/sysmon/sysmon_runkey_from_powershell.yml @@ -0,0 +1,27 @@ +title: Autorun key modification from powershell/cmd +description: Detects possible persistence from powershell/cmd scripts +status: test +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml +tags: + - attack.persistence + - attack.t1060 +date: 2019/10/21 +modified: 2019/10/21 +author: Victor Sergeev, oscd.community +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 13 + Image: + - '*\powershell.exe' + - '*\cmd.exe' + TargetObject: + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' + - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' + condition: selection +falsepositives: + - Admin scripts +level: medium From 6e94e798be6b34319e7a9142cb303648d73e4bc5 Mon Sep 17 00:00:00 2001 From: zinint Date: Fri, 25 Oct 2019 16:12:51 +0300 Subject: [PATCH 049/269] t1010 --- .../win_app_windows_descovery.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/win_app_windows_descovery.yml 
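Review bot: `Image: - '*\cmd.exe'` on Sysmon EventID 13 will not match in practice, because cmd.exe has no built-in registry writer — a batch script sets Run keys by spawning reg.exe, and Sysmon attributes the value write to that child; either replace the entry with `'*\reg.exe'` (which overlaps the reg.exe process-creation rule in this commit) or drop it and keep the rule PowerShell-specific. While here, add `'*\pwsh.exe'` next to `powershell.exe`. `TargetObject: '...\Run\\*'` is fine: in single quotes the value is `Run\\*`, which Sigma reads as a literal backslash followed by a wildcard.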
diff --git a/rules/windows/process_creation/win_app_windows_descovery.yml b/rules/windows/process_creation/win_app_windows_descovery.yml new file mode 100644 index 000000000..6ef25ce14 --- /dev/null +++ b/rules/windows/process_creation/win_app_windows_descovery.yml @@ -0,0 +1,31 @@ +title: Application Window Discovery +status: experimental +description: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script - https://attack.mitre.org/techniques/T1155/ +author: Timur Zinniatullin, oscd.community +references: + - https://attack.mitre.org/techniques/T1010/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.yaml +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: + - '*\csc.exe' + CommandLine: + - '*-out:*.cs*' + condition: selection1 +fields: + - Image + - CommandLine + - User + - LogonGuid + - Hashes + - ParentProcessGuid + - ParentCommandLine +falsepositives: + - Unknown +level: low +tags: + - attack.exfiltration + - attack.t1010 From 334301c18580d625b96810c2b858c5aeff6f10fa Mon Sep 17 00:00:00 2001 
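Review bot: The tags put T1010 under `attack.exfiltration`, but Application Window Discovery is a Discovery technique; change to `- attack.discovery`. More fundamentally, `csc.exe` with `-out:*.cs*` detects the Atomic Red Team harness compiling its C# sample rather than the technique itself, and will also match any developer or build-agent compile on the host; the description should say so plainly, and `level: low` is appropriate. The description also pastes the T1155 AppleScript text verbatim, which is unrelated to this Windows rule and should be cut to the T1010 sentence.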
From: Mikhail Larin Date: Fri, 25 Oct 2019 17:57:56 +0300 Subject: [PATCH 050/269] OSCD event rules from Jet CSIRT team --- rules/generic/generic_brute_force.yml | 26 ++++++++++++++ .../lnx_auditd_auditing_config_change.yml | 34 ++++++++++++++++++ .../lnx_auditd_logging_config_change.yml | 33 +++++++++++++++++ .../unsupported/sysmon_process_reimaging.yml | 35 +++++++++++++++++++ .../sysmon_narrator_feedback_persistance.yml | 26 ++++++++++++++ .../sysmon_regsvr32_network_activity.yml | 34 ++++++++++++++++++ 6 files changed, 188 insertions(+) create mode 100644 rules/generic/generic_brute_force.yml create mode 100644 rules/linux/auditd/lnx_auditd_auditing_config_change.yml create mode 100644 rules/linux/auditd/lnx_auditd_logging_config_change.yml create mode 100644 rules/unsupported/sysmon_process_reimaging.yml create mode 100644 rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml create mode 100644 rules/windows/sysmon/sysmon_regsvr32_network_activity.yml diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml new file mode 100644 index 000000000..b540449da --- /dev/null +++ b/rules/generic/generic_brute_force.yml @@ -0,0 +1,26 @@ +title: Brute Force +description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity +references: + - https://attack.mitre.org/techniques/T1110/ +tags: + - attack.t1110 +author: Aleksandr Akhremchik, oscd.community +date: 2019/10/25 +status: experimental +logsource: + category: authentication +detection: + selection: + action: failure + timeframe: 600s + condition: selection | count(category) by dst_ip > 30 +fields: + - src_ip + - dst_ip + - user +falsepositives: + - Inventarization + - Penetration testing + - Vulnerability scanner + - Legitimate application +level: medium 
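Review bot: The description promises 'from one source to one destination', but `count(category) by dst_ip > 30` groups only by `dst_ip`, so 30 failures from 30 different clients to one server also fire — either group by `src_ip` to match the description or reword it as 'to one destination'. `count(category)` is also suspect: in Sigma, `count(field)` is a distinct count of that field's values in at least some backends, and `category` is a near-constant logsource value, so the aggregate may never exceed 30; use `count() by dst_ip`. Sigma 1.x aggregation accepts a single `by` field, so the source-plus-destination variant needs a backend-specific correlation. Typo: 'Inventarization'.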
diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml new file mode 100644 index 000000000..2e0594bd8 --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml @@ -0,0 +1,34 @@ +title: Auditing configuration changes on linux host +description: Detect changes if auditd configuration files + # Example config for this one (place it at the top of audit.rules) + # -w /etc/audit/ -p wa -k etc_modify_auditconfig + # -w /etc/libaudit.conf -p wa -k etc_modify_libauditconfig + # -w /etc/audisp/ -p wa -k etc_modify_audispconfig +references: + - https://github.com/Neo23x0/auditd/blob/master/audit.rules + - https://attack.mitre.org/techniques/T1054/ + - self experience +tags: + - attack.defense_evasion + - attack.t1054 +author: Mikhail Larin, oscd community +status: experimental +date: 2019/10/25 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + key: + - 'etc_modify_auditconfig' + - 'etc_modify_libauditconfig' + - 'etc_modify_audispconfig' + condition: selection +fields: + - exe + - comm + - key +falsepositives: + - Legitimate administrative activity +level: high diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml new file mode 100644 index 000000000..bcc071bcb --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml 
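Review bot: The watches cover edits to the on-disk configuration, but an attacker with root can disable auditing at run time with `auditctl -e 0` or `auditctl -D` without touching `/etc/audit/`; the referenced Neo23x0 rule set (not visible here — confirm) includes an execution watch on auditctl, so consider adding `-w /sbin/auditctl -p x -k audittools` and a matching key in `selection`. Since the watch list is delivered only as a comment, say explicitly in the description that the rule depends on those `-w` entries being present, otherwise `key` never matches and the rule is silently dead. Author field reads 'oscd community' where sibling rules use 'oscd.community'.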
@@ -0,0 +1,33 @@ +title: Logging configuration changes on linux host +description: Detect changes of syslog daemons configuration files + # Example config for this one (place it at the top of audit.rules) + # -w /etc/syslog.conf -p wa -k etc_modify_syslogconfig + # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig + # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig +references: + - https://attack.mitre.org/techniques/T1054/ + - self experience +tags: + - attack.defense_evasion + - attack.t1054 +author: Mikhail Larin, oscd community +status: experimental +date: 2019/10/25 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'SYSCALL' + key: + - 'etc_modify_syslogconfig' + - 'etc_modify_rsyslogconfig' + - 'etc_modify_syslogngconfig' + condition: selection +fields: + - exe + - comm + - key +falsepositives: + - Legitimate administrative activity +level: high diff --git a/rules/unsupported/sysmon_process_reimaging.yml b/rules/unsupported/sysmon_process_reimaging.yml new file mode 100644 index 000000000..16a422199 --- /dev/null +++ b/rules/unsupported/sysmon_process_reimaging.yml 
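Review bot: Watching only `/etc/rsyslog.conf` and `/etc/syslog-ng/syslog-ng.conf` misses the drop-in directories those daemons include by default (`/etc/rsyslog.d/`, `/etc/syslog-ng/conf.d/`), so a single new file there can redirect or discard logs without triggering this rule; add `-w /etc/rsyslog.d/ -p wa -k etc_modify_rsyslogconfig` and the equivalent for syslog-ng to the commented rule set. As with the auditd rule, state in the description that the `key` values are only emitted when those watches are installed.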
@@ -0,0 +1,35 @@ +title: Defense evasion via process reimaging +description: Detects process reimaging defense evasion technique, where +# ImageFileName != OriginalFileName +# ProcessGuid = ParentProcessGuid +# Image = TargetFileName +# Image = ^.+\\$ +references: + - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/ +tags: + - attack.defense_evasion +author: Alexey Balandin, oscd community +status: experimental +date: 2019/10/25 +logsource: + product: windows + service: sysmon +detection: + condition: all of them + # Create Process Sysmon Event + selection1: + EventID: 1 + # Create File Sysmon Event + selection2: + EventID: 11 +fields: + - Image + - OriginalFileName + - ProcessGuid + - ParentProcessGuid + - TargetFileName +new_fields: + - ImageFileName +falsepositives: + - unknown +level: high diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml new file mode 100644 index 000000000..de139f461 --- /dev/null +++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml @@ -0,0 +1,26 @@ +title: Narrator's Feedback-Hub Persistence +description: Detects abusing Windows 10 Narrator's Feedback-Hub +references: + - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html +tags: + - attack.persistence +author: Dmitriy Lifanov, oscd community +status: experimental +date: 2019/10/25 +logsource: + product: windows + service: sysmon +detection: + condition: 1 of them + # Registry Object Delete + selection1: + EventID: 12 + EventType: DeleteValue + TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' + # Registry Object Value Set + selection2: + EventID: 13 + TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' +falsepositives: + - unknown +level: high 
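Review bot: The placement under `rules/unsupported/` correctly signals that `condition: all of them` over an EventID 1 and an EventID 11 selection cannot match a single event, so nothing to re-raise there; one detail worth fixing now is the field name `TargetFileName` in `fields` and the pseudo-logic comment — Sysmon's FileCreate event spells it `TargetFilename`, and a future correlation backend will be keyed on the exact name. The `Image = ^.+\\$` line in the description is presumably a regex fragment; say what it is meant to express (a trailing backslash?) so the intent survives.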
diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml new file mode 100644 index 000000000..c987a1b2f --- /dev/null +++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml @@ -0,0 +1,34 @@ +title: Regsvr32 network activity +description: Detects network connections and DNS queries initiated by Regsvr32.exe +references: + - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ + - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md +tags: + - attack.execution + - attack.defense_evasion + - attack.t1117 +author: Dmitriy Lifanov, oscd community +status: experimental +date: 2019/10/25 +logsource: + product: windows + service: sysmon +detection: + condition: 1 of them + selection1: + EventID: 3 + Image: '*\System32\regsvr32.exe' + selection2: + EventID: 22 + Image: '*\System32\regsvr32.exe' +# The 32-bit version of Regsvr32.exe on a 64-bit Windows version + selection3: + EventID: 3 + Image: '*\SysWoW64\regsvr32.exe' + selection4: + EventID: 22 + Image: '*\SysWoW64\regsvr32.exe' +falsepositives: + - unknown +level: high From 7aa804fe9076f912d71da453aa14f973b07d0385 Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Fri, 25 Oct 2019 18:01:36 +0300 Subject: [PATCH 051/269] added new rules Packet capture Windows command prompt, ODBCCONF execution dll, Windows Registry Persistence - COM key linking --- .../win_netsh_packet_capture.yml | 20 ++++++++++++++++ .../win_odbcconf_execution.yml | 23 +++++++++++++++++++ ...ysmon_registry_persistence_key_linking.yml | 21 +++++++++++++++++ 3 files changed, 64 insertions(+) create mode 100644 rules/windows/process_creation/win_netsh_packet_capture.yml create mode 100644 rules/windows/process_creation/win_odbcconf_execution.yml create mode 100644 rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml 
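Review bot: Four selections that differ only in EventID and the System32/SysWoW64 path can be one, which is easier to maintain: `selection: EventID: - 3 - 22` with `Image: - '*\System32\regsvr32.exe' - '*\SysWoW64\regsvr32.exe'` and `condition: selection`. The path-anchored patterns deliberately exclude a copied regsvr32.exe; that is fine for a LOLBin rule but deserves a sentence in the description. The stray `#` comment at column 0 inside `detection:` is valid YAML but indent it with the selection it explains.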
diff --git a/rules/windows/process_creation/win_netsh_packet_capture.yml b/rules/windows/process_creation/win_netsh_packet_capture.yml new file mode 100644 index 000000000..204a35f2b --- /dev/null +++ b/rules/windows/process_creation/win_netsh_packet_capture.yml @@ -0,0 +1,20 @@ +title: Packet capture Windows command prompt +status: experimental +description: Detects packet capture via netsh trace functionality +references: + - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ +author: Kutepov Anton, oscd.community +date: 2019/10/24 +tags: + - attack.network_sniffing + - attack.t1040 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: netsh* trace* start* + condition: selection +falsepositives: + - Legitimate administration +level: medium diff --git a/rules/windows/process_creation/win_odbcconf_execution.yml b/rules/windows/process_creation/win_odbcconf_execution.yml new file mode 100644 index 000000000..b2abd8078 --- /dev/null +++ b/rules/windows/process_creation/win_odbcconf_execution.yml @@ -0,0 +1,23 @@ +title: ODBCCONF execution dll +status: experimental +author: Kirill Kiryanov, oscd.community +description: Detect possible execution by odbcconf +date: 2019/10/23 +references: + - https://twitter.com/Hexacorn/status/1187143326673330176 +fields: + - CommandLine + - Details +falsepositives: Unknown +level: high +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage: '*\odbcconf.exe' + CommandLine: '*\rundll32*' + selection1: + Image: '*\rundll32.exe' + CommandLine: '*exe' + condition: selection and selection1 diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml new file mode 100644 index 000000000..e665ccec6 --- /dev/null 
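Review bot: `CommandLine: netsh* trace* start*` has no leading wildcard, so it only matches when the command line starts with `netsh`; an invocation by full path (`C:\Windows\System32\netsh.exe trace start ...`) or a quoted executable is missed. Prefer `Image: '*\netsh.exe'` together with `CommandLine: '*trace*start*'`. The value should also be quoted (`'*netsh* trace* start*'`) — a plain scalar that begins with `*` would be read as a YAML alias, so the pattern only works today because it happens to start with a letter.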
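Review bot: `falsepositives: Unknown` is a scalar where the Sigma schema (and every sibling rule) uses a list, which the repository's schema test will reject; write `falsepositives: - Unknown`. The rule also has no `tags:` block — the odbcconf rule added later in this series tags `attack.defense_evasion` / `attack.t1218`, and the same mapping fits here. `Details` in `fields` is a registry-event field, not a process-creation one; `ParentCommandLine` is the useful one for this rundll32-from-odbcconf chain.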
+++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml
@@ -0,0 +1,21 @@
+title: Windows Registry Persistence - COM key linking
+status: experimental
+description: Detects COM object hijacking via TreatAs subkey
+references:
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Kutepov Anton, oscd.community
+date: 2019/10/23
+tags:
+ - attack.persistence
+ - attack.t1122
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 12
+ TargetObject: 'HKU\*_Classes\CLSID\*\TreatAs'
+ condition: selection
+falsepositives:
+ - Maybe some system utilities in rare cases use linking keys for backward compability
+level: medium
From 8c2b7e9f851b1c2aefec33938558f4a0db5cbcde Mon Sep 17 00:00:00 2001 From: alexpetrov12 Date: Fri, 25 Oct 2019 18:30:40 +0300 Subject: [PATCH 052/269] fix
---
 rules/windows/process_creation/win_netsh_packet_capture.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_netsh_packet_capture.yml b/rules/windows/process_creation/win_netsh_packet_capture.yml
index 204a35f2b..7592b97cd 100644
--- a/rules/windows/process_creation/win_netsh_packet_capture.yml
+++ b/rules/windows/process_creation/win_netsh_packet_capture.yml
@@ -1,12 +1,12 @@
-title: Packet capture Windows command prompt
+title: Capture a Network Trace with netsh
 status: experimental
-description: Detects packet capture via netsh trace functionality
+description: Detects capture a network trace via netsh trace functionality
 references:
 - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
 author: Kutepov Anton, oscd.community
 date: 2019/10/24
 tags:
- - attack.network_sniffing
+ - attack.discovery
 - attack.t1040
 logsource:
 category: process_creation
 product: windows
From aa9a22e662a1b6fdccbe64311f8dfa46e231740e Mon Sep 17 00:00:00 2001
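Review bot: selection matches only `EventID: 12` (key create/delete) on `HKU\*_Classes\CLSID\*\TreatAs`; the hijack is armed when the TreatAs key's default value is set to the attacker's CLSID, which Sysmon logs as EventID 13 (value set), so an attacker who rewrites an existing TreatAs value is missed. Consider `EventID: [12, 13]` and a comment saying why both are needed. The machine-wide variant under `HKLM\SOFTWARE\Classes\CLSID\*\TreatAs` is not covered either; it needs admin rights, so it is a lower-priority gap, but the description should state that the rule is per-user hive only.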
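Review bot: The new `description: Detects capture a network trace via netsh trace functionality` is ungrammatical; `description: Detects the start of a network trace capture via the netsh trace functionality` reads cleanly. T1040 (Network Sniffing) is mapped to both Credential Access and Discovery in ATT&CK, so swapping to `attack.discovery` alone drops half of the mapping; keep `- attack.credential_access` alongside it.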
From: root Date: Fri, 25 Oct 2019 19:02:17 +0200 Subject: [PATCH 053/269] add win_susp_odbcconf.yml
---
 .../process_creation/win_susp_odbcconf.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_odbcconf.yml
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml new file mode 100644
index 000000000..a1765b851
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
@@ -0,0 +1,22 @@
+title: Odbcconf.exe efensive counter measures evasion via odbcconf.exe
+description: Defence evasion via odbcconf.exe loading DLL specified in target .RSP file
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml
+author: Beyu Denis, oscd.community
+date: 2019/10/25
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\odbcconf.exe'
+ CommandLine: '* -f *.rsp'
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
\ No newline at end of file
From 611c19382602a75f86eacbde6f75df2b2eb1e75f Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 07:45:53 +0200 Subject: [PATCH 054/269] modifed win_susp_odbcconf.yml
---
 rules/windows/process_creation/win_susp_odbcconf.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml
index a1765b851..49a206ca2 100644
--- a/rules/windows/process_creation/win_susp_odbcconf.yml
+++ b/rules/windows/process_creation/win_susp_odbcconf.yml
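Review bot: `CommandLine: '* -f *.rsp'` only covers the dash form of the switch; odbcconf, like most Windows command-line tools, also accepts `/f` (the LOLBAS entry shows `odbcconf -f file.rsp`, but the slash form works as far as I can tell), and the response file is not required to carry a `.rsp` extension. Add a second pattern `'* /f *'` and consider dropping the extension requirement, accepting the extra medium-level noise. The title `Odbcconf.exe efensive counter measures evasion via odbcconf.exe` has a typo and names the binary twice; `Odbcconf.exe defense evasion via response file` says the same thing.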
@@ -13,9 +13,9 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image: '*\odbcconf.exe'
- CommandLine: '* -f *.rsp'
+ selection:
+ Image: '*\odbcconf.exe'
+ CommandLine: '* -f *.rsp'
 condition: selection
 level: medium
 falsepositives:
From fc7f8ecea3cf278911b657a9ccbd19c569a71c43 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 07:48:38 +0200 Subject: [PATCH 055/269] add win_susp_msoffice.yml
---
 .../process_creation/win_susp_msoffice.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_msoffice.yml
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml new file mode 100644
index 000000000..cba66eb42
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -0,0 +1,27 @@
+title: Malicious payload download via Office binaries
+status: experimental
+description: Downloads payload from remote server
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml
+ - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
+ - Reegun J (OCBC Bank)
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+ - attack.T1105
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\powerpnt.exe'
+ - '*\winword.exe'
+ CommandLine: '* "http*'
+ condition: selection
+level: medium
+falsepositives:
+ - Unknown
+
From bea2daac4535939aaca95899d639af478c05bf6c Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 07:55:44 +0200 Subject: [PATCH 056/269] modifed win_susp_msoffice.yml
---
 rules/windows/process_creation/win_susp_msoffice.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
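Review bot: The tags map this rule to `attack.persistence`, but fetching a payload with an Office binary is T1105, a Command and Control technique, so `- attack.command_and_control` with `- attack.t1105` is the right pair (`attack.T1105` with an uppercase T also fails the repository's tag check). `- Reegun J (OCBC Bank)` is a credit, not a reference; move it to `author` or the description and keep `references` to URLs. `description: Downloads payload from remote server` describes the attack rather than the detection; `Detects Office binaries launched with an http URL on the command line, which can be abused to download a payload` is what the reader of an alert needs.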
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index cba66eb42..5dd0581f0 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -19,7 +19,8 @@ detection:
 Image:
 - '*\powerpnt.exe'
 - '*\winword.exe'
- CommandLine: '* "http*'
+ - '*\excel.exe'
+ CommandLine: '* http*'
 condition: selection
 level: medium
 falsepositives:
From 01c4c7cdbd09dc599bae514e8ed428a77b34540f Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 08:11:09 +0200 Subject: [PATCH 057/269] modifed win_susp_msoffice.yml
---
 rules/windows/process_creation/win_susp_msoffice.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index 5dd0581f0..2e5388f09 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -22,7 +22,6 @@ detection:
 - '*\excel.exe'
 CommandLine: '* http*'
 condition: selection
-level: medium
 falsepositives:
 - Unknown
From 5bb5938e861d2484bdab7b87dcec4a4a4c0e5202 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 08:16:08 +0200 Subject: [PATCH 058/269] add win_susp_bginfo.yml
---
 .../process_creation/win_susp_bginfo.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_bginfo.yml
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml new file mode 100644
index 000000000..8fb1b0591
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
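Review bot: Loosening the match from `'* "http*'` to `'* http*'` and adding excel.exe means every Office process handed an http(s) URL now fires, including documents opened from SharePoint or OneDrive links, which is routine in most environments; the falsepositives entry should read `- Office documents opened from SharePoint, OneDrive or other http(s) locations` rather than `Unknown`, and `level: medium` may be optimistic for that volume. If the intent is the LOLBAS payload-download case, requiring the URL to end in a non-Office file type or excluding the tenant's collaboration hosts would cut the noise without losing the technique.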
@@ -0,0 +1,23 @@
+title: BYPASSING APPLICATION WHITELISTING WITH BGINFO
+status: experimental
+description: Execute VBscript code that is referenced within the *.bgi file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
+ - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+ - attack.T1218
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\bginfo.exe'
+ CommandLine: '* /popup /nolicprompt'
+ condition: selection
+falsepositives:
+ - Unknown
+
From 844d55c78127c4fc2ac1eb217dcfecb4b9faee06 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 08:18:37 +0200 Subject: [PATCH 059/269] add win_susp_bginfo.yml
---
 rules/windows/process_creation/win_susp_bginfo.yml | 1 - rules/windows/process_creation/win_susp_msoffice.yml | 1 - 2 files changed, 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml
index 8fb1b0591..e18d5955d 100644
--- a/rules/windows/process_creation/win_susp_bginfo.yml
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
@@ -8,7 +8,6 @@ author: Beyu Denis
 date: 2019/10/26
 tags:
 - attack.persistence
- - attack.T1218
 level: medium
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml
index 2e5388f09..50be710ab 100644
--- a/rules/windows/process_creation/win_susp_msoffice.yml
+++ b/rules/windows/process_creation/win_susp_msoffice.yml
@@ -9,7 +9,6 @@ author: Beyu Denis
 date: 2019/10/26
 tags:
 - attack.persistence
- - attack.T1105
 level: medium
 logsource:
 category: process_creation
From ee21888e67a8dbbebbf81941b893e93f0c995ea5 Mon Sep 17 00:00:00 2001
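Review bot: `CommandLine: '* /popup /nolicprompt'` is an endswith match on that exact switch order, so `bginfo.exe evil.bgi /nolicprompt /popup` or any trailing argument evades it; match the two switches independently, e.g. two selections `'*/popup*'` and `'*/nolicprompt*'` joined with `and` (or `CommandLine|contains|all` if the repo's Sigma version supports it). The tag should be `- attack.defense_evasion` with `- attack.t1218` in lowercase; the referenced technique is a whitelisting bypass, not persistence. `description: Execute VBscript code that is referenced within the *.bgi file.` describes the attack; say what is detected, e.g. `Detects bginfo.exe started with the /popup /nolicprompt switches used to run script embedded in a .bgi file`, and the all-caps title should be normal case like the sibling rules.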
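Review bot: Deleting `- attack.T1218` to satisfy the CI tag check throws away the technique mapping; the check fails on the uppercase T, so the fix is to replace the removed line with `- attack.t1218` rather than drop it. Left as is, the rule carries only `attack.persistence`, which is not the tactic of the technique the rule detects.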
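Review bot: Deleting `- attack.T1105` leaves the msoffice rule with only a tactic tag, and `attack.persistence` does not fit a payload download; replace the removed line with `- attack.t1105` (lowercase passes the tag check) and change the tactic to `- attack.command_and_control`, which is where T1105 sits in ATT&CK.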
From: root Date: Sat, 26 Oct 2019 19:49:45 +0200 Subject: [PATCH 060/269] add win_susp_cdb.yml
---
 .../windows/process_creation/win_susp_cdb.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_cdb.yml
diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml new file mode 100644
index 000000000..c6a41d841
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_cdb.yml
@@ -0,0 +1,21 @@
+title: Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner
+status: experimental
+description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml
+ - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\cdb.exe'
+ CommandLine: '* -cf *.wds -o *'
+ condition: selection
+falsepositives:
+ - Unknown
From 0616c2c39db4258ed4d8a6e654b8e93333f0343b Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 19:58:45 +0200 Subject: [PATCH 061/269] add win_susp_dnx.yml
---
 .../windows/process_creation/win_susp_dnx.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_dnx.yml
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml new file mode 100644
index 000000000..6f02f170d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dnx.yml
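Review bot: `CommandLine: '* -cf *.wds -o *'` hard-codes the `.wds` extension from the LOLBAS example; cdb's `-cf` accepts any script file, so `cdb -cf run.txt -o ...` evades the rule for free. Match on `'* -cf *'` instead (and consider `'* -c *'` for inline commands if the noise is acceptable). `description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe.` is an attack recipe rather than a detection description; `Detects cdb.exe executing a script file, which can be abused as a shellcode runner to bypass application whitelisting` fits the rule. The `attack.persistence` tag is wrong for this technique; `- attack.defense_evasion` and `- attack.execution` match the whitelisting bypass the references describe.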
@@ -0,0 +1,21 @@
+title: Bypassing Application Whitelisting by using dnx.exe
+status: experimental
+description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
+ - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\dnx.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+
From aaf63d2238137a30eeef6fc7199def6f66da4e96 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 20:02:25 +0200 Subject: [PATCH 062/269] add win_susp_dxcap.yml
---
 .../process_creation/win_susp_dxcap.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_dxcap.yml
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml new file mode 100644
index 000000000..3fb6272ad
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -0,0 +1,22 @@
+title: Bypassing Application Whitelisting by using dxcap.exe
+status: experimental
+description: Local execution of a process as a subprocess of Dxcap.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
+ - https://twitter.com/harr0ey/status/992008180904419328
+author: Beyu Denis
+date: 2019/10/26
+tags:
+ - attack.persistence
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\dxcap.exe'
+ CommandLine: '* -c *'
+ condition: selection
+falsepositives:
+ - Unknown
+
From cbe0d73ce87fa89da6be90d9cd9801787bed8cbf Mon Sep 17 00:00:00 2001
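Review bot: The first reference points at `OtherMSBinaries/Csi.yml`, which is the csi.exe LOLBAS entry, not dnx; the matching entry is presumably `OtherMSBinaries/Dnx.yml`. With only `Image: '*\dnx.exe'` the rule fires on every dnx.exe execution, which on a developer machine still using the legacy DNX tooling is constant; say so in falsepositives instead of `Unknown`, or scope it with a parent-process or path condition. The `attack.persistence` tag does not fit an application-whitelisting bypass; `- attack.defense_evasion` is the tactic of the referenced technique.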
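Review bot: `CommandLine: '* -c *'` is dxcap's normal capture invocation (`dxcap -c <program>`), so on machines with the Windows SDK or Visual Studio graphics tools installed the rule cannot tell abuse from legitimate use; falsepositives should say `- Developers using the DirectX graphics diagnostics tools` rather than `Unknown`, and the description should state that the rule is intended for hosts where dxcap has no business running. The `attack.persistence` tag is wrong for a whitelisting bypass; `- attack.defense_evasion` is what the LOLBAS entry describes.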
From: root Date: Sat, 26 Oct 2019 20:06:02 +0200 Subject: [PATCH 063/269] add win_susp_dxcap.yml
---
 rules/windows/process_creation/win_susp_dxcap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index 3fb6272ad..afd02da5c 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -1,6 +1,6 @@
 title: Bypassing Application Whitelisting by using dxcap.exe
 status: experimental
-description: Local execution of a process as a subprocess of Dxcap.exe
+description: Local execution of a process as a subprocess of Dxcap.exe
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml
 - https://twitter.com/harr0ey/status/992008180904419328
From 1dca0456ee452221ba3ddd0257e2ba7daf5f8382 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 20:09:25 +0200 Subject: [PATCH 064/269] modified win_susp_dxcap.yml
---
 rules/windows/process_creation/win_susp_dxcap.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index afd02da5c..e1642f824 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -18,5 +18,4 @@ detection:
 CommandLine: '* -c *'
 condition: selection
 falsepositives:
- - Unknown
-
+ - Unknown
\ No newline at end of file
From 3528afeef7aa7173a82c1ebd922c8ffc59313075 Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 20:13:53 +0200 Subject: [PATCH 065/269] modified win_susp_dnx.yml
---
 rules/windows/process_creation/win_susp_dnx.yml | 2 +- rules/windows/process_creation/win_susp_dxcap.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
index 6f02f170d..dffabcf1e 100644
--- a/rules/windows/process_creation/win_susp_dnx.yml
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -1,6 +1,6 @@
 title: Bypassing Application Whitelisting by using dnx.exe
 status: experimental
-description: Execute C# code located in the consoleapp folder via 'Program.cs' and 'Project.json' (Note - Requires dependencies)
+description: Execute C# code located in the consoleapp folder
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
 - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index e1642f824..0664f5314 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
 selection:
 Image: '*\dxcap.exe'
- CommandLine: '* -c *'
+ CommandLine: '* -c *.exe'
 condition: selection
 falsepositives:
 - Unknown
\ No newline at end of file
From 3b70f2edd6b2884ad2f2647b0d11a6ce2af4ad4d Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 20:16:40 +0200 Subject: [PATCH 066/269] modified win_susp_dnx.yml
---
 rules/windows/process_creation/win_susp_dnx.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
index dffabcf1e..2bb23da99 100644
--- a/rules/windows/process_creation/win_susp_dnx.yml
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -18,4 +18,3 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-
From 9bf0150100585df3b67d9f54ae99be469bf6b8cf Mon Sep 17 00:00:00 2001
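Review bot: Narrowing to `CommandLine: '* -c *.exe'` turns the match into an endswith on `.exe`, so `dxcap -c C:\tmp\payload.exe arg` or a target written without the extension (`dxcap -c calc`) no longer matches, and that tail is fully under the attacker's control. `'* -c *.exe*'` keeps the extension as a hint without requiring it to be the last token; alternatively keep `'* -c *'` and carry the developer-tool noise in falsepositives, which is the honest trade-off for a medium-level rule.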
From: root Date: Sat, 26 Oct 2019 20:20:21 +0200 Subject: [PATCH 067/269] modified win_susp_dnx.yml
---
 rules/windows/process_creation/win_susp_dnx.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml
index 2bb23da99..fabdc0bc2 100644
--- a/rules/windows/process_creation/win_susp_dnx.yml
+++ b/rules/windows/process_creation/win_susp_dnx.yml
@@ -1,13 +1,12 @@
 title: Bypassing Application Whitelisting by using dnx.exe
 status: experimental
-description: Execute C# code located in the consoleapp folder
+description: Execute C# code located in the consoleapp folder
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
 - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
 author: Beyu Denis
 date: 2019/10/26
-tags:
- - attack.persistence
+tags: attack.persistence
 level: medium
 logsource:
 category: process_creation
From 717e40e8ed27c7a1597b37d2242ce38e93bd1b9c Mon Sep 17 00:00:00 2001 From: root Date: Sat, 26 Oct 2019 20:27:32 +0200 Subject: [PATCH 068/269] modified win_susp_dxcap.yml
---
 rules/windows/process_creation/win_susp_dxcap.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml
index 0664f5314..41092e92a 100644
--- a/rules/windows/process_creation/win_susp_dxcap.yml
+++ b/rules/windows/process_creation/win_susp_dxcap.yml
@@ -6,8 +6,7 @@ references:
 - https://twitter.com/harr0ey/status/992008180904419328
 author: Beyu Denis
 date: 2019/10/26
-tags:
- - attack.persistence
+tags: attack.persistence
 level: medium
 logsource:
 category: process_creation
From ca819d87070f291a9072fa409ec3be6e2fda72a5 Mon Sep 17 00:00:00 2001
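Review bot: `tags: attack.persistence` changes the field from a sequence to a plain scalar; the Sigma schema and every other rule in the tree expect a list, so this will fail validation or be mis-handled by the converter. Restore the list form, `tags:` followed by `  - attack.persistence`, and while touching it fix the tactic: the referenced technique is a whitelisting bypass, i.e. `- attack.defense_evasion`.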
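Review bot: `tags: attack.persistence` in the dxcap rule is a scalar where the Sigma schema wants a sequence, so the rule will not validate alongside its siblings. Restore `tags:` followed by `  - attack.persistence`, or better `  - attack.defense_evasion`, which is the tactic of the whitelisting bypass the LOLBAS reference describes.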
From: 4A616D6573 Date: Sun, 27 Oct 2019 14:06:52 +1100 Subject: [PATCH 069/269] Update win_susp_net_execution.yml Updated tags to pass Travis CI checks.
---
 rules/windows/process_creation/win_susp_net_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index ad5fcd6bc..dfa3e7307 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -15,7 +15,7 @@ tags:
 - attack.t1135
 - attack.lateral_movement
 - attack.discovery
- - attack.defense.evasion
+ - attack.defense_evasion
 logsource:
 category: process_creation
 product: windows
From 1f6aec8060f540b8f33ea1df5f1ecefb58dcb939 Mon Sep 17 00:00:00 2001 From: Mikhail Larin Date: Sun, 27 Oct 2019 15:33:38 +0300 Subject: [PATCH 070/269] removed unsupported rule from oscd branch
---
 .../unsupported/sysmon_process_reimaging.yml | 35 ------------------- 1 file changed, 35 deletions(-) delete mode 100644 rules/unsupported/sysmon_process_reimaging.yml
diff --git a/rules/unsupported/sysmon_process_reimaging.yml b/rules/unsupported/sysmon_process_reimaging.yml deleted file mode 100644
index 16a422199..000000000
--- a/rules/unsupported/sysmon_process_reimaging.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Defense evasion via process reimaging
-description: Detects process reimaging defense evasion technique, where
-# ImageFileName != OriginalFileName
-# ProcessGuid = ParentProcessGuid
-# Image = TargetFileName
-# Image = ^.+\\$
-references:
- - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
-tags:
- - attack.defense_evasion
-author: Alexey Balandin, oscd community
-status: experimental
-date: 2019/10/25
-logsource:
- product: windows
- service: sysmon
-detection:
- condition: all of them
- # Create Process Sysmon Event
- selection1:
- EventID: 1
- # Create File Sysmon Event
- selection2:
- EventID: 11
-fields:
- - Image
- - OriginalFileName
- - ProcessGuid
- - ParentProcessGuid
- - TargetFileName
-new_fields:
- - ImageFileName
-falsepositives:
- - unknown
-level: high
From fde949174d13b9137ef03301d42eded2106e42ea Mon Sep 17 00:00:00 2001
From: Teimur Kheirkhabarov Date: Sun, 27 Oct 2019 20:54:07 +0300 Subject: [PATCH 071/269] OSCD Task 1 - Privilege Escalation
---
 ...tstrike_getsystem_service_installation.yml | 33 +++++++++++++++++++ ...r_cobaltstrike_getsystem_service_start.yml | 29 ++++++++++++++++ ...ivilege_escalation_using_rotten_potato.yml | 31 +++++++++++++++++ ..._change_sevice_image_path_by_non_admin.yml | 27 +++++++++++++++ .../process_creation/win_whoami_as_system.yml | 24 ++++++++++++++ ..._service_registry_permissions_weakness.yml | 30 +++++++++++++++++ 6 files changed, 174 insertions(+) create mode 100644 rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml create mode 100644 rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml create mode 100644 rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml create mode 100644 rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml create mode 100644 rules/windows/process_creation/win_whoami_as_system.yml create mode 100644 rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644
index 000000000..3daad5999
--- /dev/null
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -0,0 +1,33 @@
+title: Meterpreter or Cobalt Strike getsystem service installation
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+ - attack.privilege_escalation
+ - attack.t1134
+logsource:
+ product: windows
+ service: system
+detection:
+ service_installation_event:
+ EventID:
+ - 7045
+ - 4697
+ cmd_or_comspec:
+ ServiceFileName:
+ - '*cmd*'
+ - '*COMSPEC*'
+ getsystem_technique_1:
+ ServiceFileName: '*/c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ getsystem_technique_2:
+ ServiceFileName: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+ condition: service_installation_event and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+fields:
+ - ServiceFileName
+falsepositives:
+ - Penetration Test
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml new file mode 100644
index 000000000..5baa1fc05
--- /dev/null
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
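Review bot: `logsource: service: system` combined with `EventID: 4697` in service_installation_event cannot match: 4697 is written to the Security log, while the System log carries 7045, and the two events name the service binary differently (7045 uses `ImagePath`, 4697 uses `ServiceFileName`, as far as the Windows event schemas go), so with `ServiceFileName` as the only field the 7045 branch never fires either. Split this into two rules, or two selections keyed on the right field for each event, with the 4697 variant under `service: security`. The `'*cmd*'` wildcard in cmd_or_comspec also matches any service path that merely contains `cmd`; because it is ANDed with the `/c echo * > \\.\pipe\*` pattern it is harmless, but it adds nothing and could be dropped to simplify the condition.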
@@ -0,0 +1,29 @@
+title: Meterpreter or Cobalt Strike getsystem service start
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+ - attack.privilege_escalation
+ - attack.t1134
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ service_start:
+ ParentImage: '*\services.exe'
+ cmd_or_comspec:
+ CommandLine:
+ - '*cmd*'
+ - '*COMSPEC*'
+ getsystem_technique_1:
+ CommandLine: '*/c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ getsystem_technique_2:
+ CommandLine: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+ condition: service_start and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+falsepositives:
+ - Penetration Test
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml new file mode 100644
index 000000000..822ad0596
--- /dev/null
+++ b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml
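Review bot: Unlike the other rules in this commit, this one has no `status:` field; add `status: experimental` so it is handled consistently by the tooling. The cmd_or_comspec selection with `'*cmd*'` is nearly redundant once it is ANDed with the `'*/c echo * > \\.\pipe\*'` pattern, which already implies a cmd-style `/c` invocation; dropping it would shorten the condition to `service_start and (getsystem_technique_1 or getsystem_technique_2)` without a measurable loss. The `\\.\pipe\*` wildcard is the right call since both frameworks randomise the pipe name; a companion Sysmon pipe-creation rule (EventID 17/18) on the same parent would additionally survive command-line obfuscation, which is worth mentioning in the description.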
@@ -0,0 +1,31 @@
+title: Possible Rotten Potato detection - privilege escalation fro Service accounts to SYSTEM
+description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
+tags:
+ - attack.privilege_escalation
+ - attack.t11134
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentUser:
+ - 'NT AUTHORITY\NETWORK SERVICE'
+ - 'NT AUTHORITY\LOCAL SERVICE'
+ User: 'NT AUTHORITY\SYSTEM'
+ rundllexception:
+ Image: '*\rundll32.exe'
+ CommandLine: '*DavSetCookie*'
+ condition: selection and not rundllexception
+falsepositives:
+ - Unknown
+ - Penetration Test
+level: high
+enrichment:
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml new file mode 100644
index 000000000..6d84e3798
--- /dev/null
+++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
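Review bot: `- attack.t11134` has an extra digit; the technique id is `attack.t1134` (Access Token Manipulation), as the two getsystem rules in the same commit use, and the malformed tag will fail the repository's tag check. `ParentUser` is not a native Sysmon or 4688 field; the `enrichment` block acknowledges this, but the description should state that the rule only produces results after EN_0001/EN_0002 enrichment so that a backend without it does not silently deploy a rule that can never fire. The title has a typo, `privilege escalation fro Service accounts` should be `from Service accounts`.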
@@ -0,0 +1,27 @@
+title: Possible privilege escalation via weak service permissions
+description: Detection of sc utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://pentestlab.blog/2017/03/30/weak-service-permissions/
+tags:
+ - attack.privilege_escalation
+ - attack.t11134
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ scbynonadmin:
+ Image: '*\sc.exe'
+ IntegrityLevel: 'Medium'
+ binpath:
+ CommandLine: '*config*binPath*'
+ failurecommand:
+ CommandLine: '*failure*command*'
+ condition: scbynonadmin and (binpath or failurecommand)
+falsepositives:
+ - Unknown
+ - Penetration Test
+level: high
diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
new file mode 100644
index 000000000..7ded24ef3
--- /dev/null
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
@@ -0,0 +1,24 @@
+
+title: Run whoami as SYSTEM
+status: experimental
+description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+author: Teymur Kheirkhabarov
+date: 2019/10/23
+tags:
+ - attack.discovery
+ - attack.privilege_escalation
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ User: 'NT AUTHORITY\SYSTEM'
+ Image: '*\whoami.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+ - Penetration Test
+level: high
\ No newline at end of file
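Review bot: `attack.t11134` is not a valid ATT&CK technique id (one digit too many; `attack.t1134` is Access Token Manipulation), and the same typo is in the rotten-potato rule above, so tag-driven tooling will silently drop both from coverage maps. `IntegrityLevel: 'Medium'` is only present on Sysmon event 1, not on Security 4688, so this `process_creation` rule effectively requires a Sysmon-backed source — a one-line note in the description would save a deployment surprise. The filename spells `sevice`; renaming to `service` now is cheaper than later.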
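Review bot: The whoami rule starts with an empty first line (the lone `+` after the hunk header) and ends without a trailing newline, both of which yamllint flags and neither of which the other rules in this series have; drop the blank line and add the final newline. `User: 'NT AUTHORITY\SYSTEM'` is the English-locale account name, so the rule does not fire where the well-known account name is localized — worth a note in the description. Scripts and agents that run as scheduled tasks under SYSTEM can legitimately call `whoami`, so `falsepositives` could name that case instead of `Unknown` to guide triage.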
diff --git a/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
new file mode 100644
index 000000000..e62f91440
--- /dev/null
+++ b/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml
@@ -0,0 +1,30 @@
+title: Possible privilege escalation via service registry permissions weakness
+description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
+tags:
+ - attack.privilege_escalation
+ - attack.t1058
+status: experimental
+author: Teymur Kheirkhabarov
+date: 2019/10/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ EventID: 13
+ IntegrityLevel: 'Medium'
+ TargetObject":
+ - '*\services\*\ImagePath'
+ - '*\services\*\FailureCommand'
+ - '*\services\*\Parameters\ServiceDll'
+ condition: selection
+falsepositives:
+ - Unknown
+ - Penetration Test
+level: high
+enrichment:
+ - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
+ - EN_0003_enrich_other_sysmon_events_with_event_id_1_data # http://bit.ly/2ojW7fw
From 93b867024c11dec69d48b8e0051f57016eb826d3 Mon Sep 17 00:00:00 2001
From: zinint
Date: Sun, 27 Oct 2019 23:13:03 +0300
Subject: [PATCH 072/269] T1012
---
 .../process_creation/win_query_registry.yml | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 rules/windows/process_creation/win_query_registry.yml
diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml
new file mode 100644
index 000000000..9f5678cdf
--- /dev/null
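Review bot: The `logsource` says `category: process_creation`, but the selection requires `EventID: 13`, a Sysmon registry value-set event; `process_creation` is mapped by backends to Sysmon event 1 or Security 4688, so this condition can never be satisfied on the declared source. The file lives under `rules/windows/sysmon/` and needs `logsource: product: windows, service: sysmon` (with the `EventID: 13` selection kept); the same mismatch survives the later `Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness` commit, which only corrects the key. `TargetObject":` carries a stray double quote, so the key parsed is `TargetObject"` and the selection matches a field that does not exist. `IntegrityLevel` is not part of event 13 and is apparently supplied by the `EN_0003` enrichment, which deserves a comment at the field. The `'*\services\*\ImagePath'` patterns also end a path component with `\*`, which the Sigma specification reads as an escaped literal asterisk; `'*\services\\*\ImagePath'` expresses backslash-then-wildcard.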
+++ b/rules/windows/process_creation/win_query_registry.yml
@@ -0,0 +1,39 @@
+title: Query Registry
+status: experimental
+description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1012/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '*reg query*currentVersion\windows*'
+ - '*reg query*currentVersion\runServicesOnce*'
+ - '*reg query*currentVersion\runServices*'
+ - '*reg query*winlogon\*'
+ - '*reg query*currentVersion\shellServiceObjectDelayLoad*'
+ - '*reg query*currentVersion\runOnce*'
+ - '*reg query*currentVersion\runOnceEx*'
+ - '*reg query*currentVersion\run*'
+ - '*reg query*currentVersion\policies\explorer\run*'
+ - '*reg query*currentcontrolset\services*'
+ - '*reg save hklm\security*'
+ - '*reg save hklm\system*'
+ - '*reg save hklm\sam*'
+ condition: selection
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.discovery
+ - attack.t1012
From 55eaae1ceabba78983dfeb14ce5ca271266d16e7 Mon Sep 17 00:00:00 2001
From: zinint
Date: Sun, 27 Oct 2019 23:15:10 +0300
Subject: [PATCH 073/269] Rename win_app_windows_descovery.yml to win_app_windows_discovery.yml
---
 ...in_app_windows_descovery.yml => win_app_windows_discovery.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{win_app_windows_descovery.yml => win_app_windows_discovery.yml} (100%)
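Review bot: Several `CommandLine` entries overlap: `'*reg query*currentVersion\run*'` already matches everything that `runOnce*`, `runOnceEx*`, `runServices*` and `runServicesOnce*` would, so those four lines are redundant and can be dropped, or kept with a comment if per-key readability is the goal. `'*reg query*winlogon\*'` ends in `\*`, which the Sigma specification treats as an escaped literal asterisk rather than a wildcard; `'*reg query*winlogon\\*'` expresses backslash-then-wildcard. The three `reg save hklm\...` entries describe hive export (credential access, T1003) rather than discovery, so they sit oddly under `attack.t1012` at `level: low`; a separate rule, or at least the additional tag, would classify them correctly. The description is the generic ATT&CK technique text and does not say what this rule actually matches (reg.exe queries of autostart and service keys).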
diff --git a/rules/windows/process_creation/win_app_windows_descovery.yml b/rules/windows/process_creation/win_app_windows_discovery.yml
similarity index 100%
rename from rules/windows/process_creation/win_app_windows_descovery.yml
rename to rules/windows/process_creation/win_app_windows_discovery.yml
From 87c83261334a9b1d98a856bba2b0598ae68e5344 Mon Sep 17 00:00:00 2001
From: zinint
Date: Sun, 27 Oct 2019 23:49:07 +0300
Subject: [PATCH 074/269] T1033
---
 .../win_system_owner_user_discovery.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/win_system_owner_user_discovery.yml
diff --git a/rules/windows/process_creation/win_system_owner_user_discovery.yml b/rules/windows/process_creation/win_system_owner_user_discovery.yml
new file mode 100644
index 000000000..9936bb6de
--- /dev/null
+++ b/rules/windows/process_creation/win_system_owner_user_discovery.yml
@@ -0,0 +1,30 @@
+title: System Owner/User Discovery
+status: experimental
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1033/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '*cmd.exe*/c*whoami*'
+ - '*wmic*useraccount*get*'
+ - '*quser*'
+ - '*qwinsta*'
+ condition: selection
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
From 68b454127423c7ef12bcac93664ece09eb37bb50 Mon Sep 17 00:00:00 2001
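Review bot: `'*quser*'` and `'*qwinsta*'` are bare substring matches on the whole command line, so any path or argument containing those characters (a constructed example: `C:\tools\quser_report.ps1`) fires the rule; anchoring on the image (`Image: ['*\quser.exe', '*\qwinsta.exe']`) or a leading separator in the pattern would tighten it. `'*cmd.exe*/c*whoami*'` only catches `whoami` launched through `cmd /c`, so a direct `whoami.exe` start or a PowerShell invocation is missed — if that narrowing is deliberate it should be stated in the description, which is currently the generic ATT&CK technique text rather than what this rule matches. The rename hunk above it is trivial and needs no review.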
From: zinint
Date: Sun, 27 Oct 2019 23:59:16 +0300
Subject: [PATCH 075/269] t1033
---
 .../auditd/lnx_auditd_user_discovery.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_user_discovery.yml
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
new file mode 100644
index 000000000..82917b13f
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -0,0 +1,27 @@
+title: System Owner/User Discovery
+status: experimental
+description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1033/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ a0: 'users'
+ selection2:
+ type: 'EXECVE'
+ a0: 'u'
+ selection2:
+ type: 'EXECVE'
+ a0: 'who'
+ condition: 1 of them
+falsepositives:
+ - Admin activity
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
From d1cf80d9b6f2cc113a55f195cfb1e784557e0e9f Mon Sep 17 00:00:00 2001
From: zinint
Date: Mon, 28 Oct 2019 00:00:06 +0300
Subject: [PATCH 076/269] Update lnx_auditd_user_discovery.yml
---
 rules/linux/auditd/lnx_auditd_user_discovery.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 82917b13f..0fcfd9314 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -15,7 +15,7 @@ detection:
 selection2:
 type: 'EXECVE'
 a0: 'u'
- selection2:
+ selection3:
 type: 'EXECVE'
 a0: 'who'
 condition: 1 of them
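Review bot: `selection2` is defined twice under `detection`; YAML loaders keep the last duplicate silently, so the `a0: 'u'` selector is discarded and `1 of them` only ever sees `users` and `who` (the next commit renames the second block to `selection3`). `a0` in an auditd EXECVE record is argv[0] as invoked, so a command started by full path (`/usr/bin/who`) does not equal `'who'`; adding the path form (`- '*/who'`) next to each bare name, or matching the `comm`/`exe` fields of the accompanying SYSCALL record, closes that gap. The list also lacks `id` and `w`, which the referenced Atomic Red Team test for T1033 exercises — worth confirming the intended coverage.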
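Review bot: After the rename, `selection2` still matches `a0: 'u'`, which is not a standard user-discovery binary, and a one-letter argv[0] has a real chance of coincidental hits; it looks like a truncated `users`/`w`/`id`, so either confirm what `u` stands for or drop the block. A short comment on `condition: 1 of them` explaining that each selection stands for one enumeration tool would help readers, since the generic description does not say so. The enclosing `detection:` mapping begins outside the hunk.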
From 3125b3923913d205121205c386c9638e45764523 Mon Sep 17 00:00:00 2001
From: Teimur Kheirkhabarov
Date: Mon, 28 Oct 2019 07:56:15 +0300
Subject: [PATCH 077/269] Change incorrect MITRE Tags for some rules
---
 .../win_possible_privilege_escalation_using_rotten_potato.yml | 2 +-
 .../win_using_sc_to_change_sevice_image_path_by_non_admin.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml
index 822ad0596..501afbbd2 100644
--- a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml
+++ b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml
@@ -5,7 +5,7 @@ references:
 - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
 tags:
 - attack.privilege_escalation
- - attack.t11134
+ - attack.t1134
 status: experimental
 author: Teymur Kheirkhabarov
 date: 2019/10/26
diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
index 6d84e3798..ea5421dc2 100644
--- a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
@@ -5,7 +5,7 @@ references:
 - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 tags:
 - attack.privilege_escalation
- - attack.t11134
+ - attack.t1134
 status: experimental
 author: Teymur Kheirkhabarov
 date: 2019/10/26
From 32b0a3987eabedb0b4d352d54031a04be332a7ab Mon Sep 17 00:00:00 2001
From: Teimur Kheirkhabarov
Date: Mon, 28 Oct 2019 08:43:58 +0300
Subject: [PATCH 078/269] Several mistakes were fixed
---
 ...reter_or_cobaltstrike_getsystem_service_installation.yml | 6 ++++--
 ..._meterpreter_or_cobaltstrike_getsystem_service_start.yml | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 3daad5999..beb90d7c3 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -21,10 +21,12 @@ detection:
 - '*cmd*'
 - '*COMSPEC*'
 getsystem_technique_1:
- ServiceFileName: '*/c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ ServiceFileName: '*cmd* /c echo * > \\.\pipe\*' #cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a cmd /c echo 559891bb017 > \\.\pipe\5e120a
+ getsystem_cobaltstrike_technique_1:
+ ServiceFileName: '%COMSPEC% /c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
 getsystem_technique_2:
 ServiceFileName: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- condition: service_installation_event and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+ condition: service_installation_event and (getsystem_technique_1 or getsystem_cobaltstrike_technique_1 or getsystem_technique_2)
 fields:
 - ServiceFileName
 falsepositives:
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 5baa1fc05..2da2b5b03 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
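Review bot: The new `condition` no longer references `cmd_or_comspec`, whose `'*cmd*'`/`'*COMSPEC*'` values are the context lines at the top of the hunk, so that selection is now dead and will puzzle the next reader — remove it or fold it back into the condition. The same orphaned selection is left in the process_creation twin, `win_meterpreter_or_cobaltstrike_getsystem_service_start.yml`, changed in this commit. The inline comment on `getsystem_technique_1` now squeezes two example service commands onto one line; splitting them into two `#` comments, one per form, reads better. The new `'%COMSPEC% /c echo * > \\.\pipe\*'` pattern has no leading wildcard and so only matches when the field starts with `%COMSPEC%` — apparently intended, but a comment stating that would stop someone "fixing" it. The enclosing `detection:` mapping begins outside the hunk.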
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -19,10 +19,12 @@ detection:
 - '*cmd*'
 - '*COMSPEC*'
 getsystem_technique_1:
- CommandLine: '*/c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+ CommandLine: '*cmd* /c echo * > \\.\pipe\*' #cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a cmd /c echo 559891bb017 > \\.\pipe\5e120a
+ getsystem_cobaltstrike_technique_1:
+ CommandLine: '%COMSPEC% /c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
 getsystem_technique_2:
 CommandLine: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- condition: service_start and ((cmd_or_comspec and getsystem_technique_1) or getsystem_technique_2)
+ condition: service_start and (getsystem_technique_1 or getsystem_cobaltstrike_technique_1 or getsystem_technique_2)
 falsepositives:
 - Penetration Test
 - Unknown
From 2fb40acfe666f071f1810cea0c20c8fc7e387149 Mon Sep 17 00:00:00 2001
From: Teimur Kheirkhabarov
Date: Mon, 28 Oct 2019 09:30:26 +0300
Subject: [PATCH 079/269] Fix mistake in possible_privilege_escalation_via_service_registry_permissions_weakness
---
 rules/windows/.DS_Store | Bin 0 -> 12292 bytes
 ...a_service_registry_permissions_weakness.yml} | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 rules/windows/.DS_Store
 rename rules/windows/sysmon/{win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml => sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml} (97%)
diff --git a/rules/windows/.DS_Store b/rules/windows/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..d5eabf0e2a561fb81b17bf797d44d4d54c5ee69a GIT binary patch literal 12292 zcmeHN3v?7$8UFtzkC`x#NeGZ#vSi7U5JG??gpdG%&4WjH6eIx>USS`Tu(Fv6yPE`> z(vw!J_DI#*s+D?Lm7}($R;#UTPi;L%Y_0g#^dMk;9eX$)wboZ#^;rGyy|bI$*@d8| zM|)sr&&<7Z|NGDEz4P7w|Negl0I+o^Pzz8A021x2R22Z54B(ndCkY#qvpr>-LM=%9 z4BDx#0vO;24I=dGP3fI!c)QJjjs6gOep$4uFbLtK=jW$$4ZIMAAhqkhk;tGgWcaA> zS>IqN7>U-@oI~4`tn8dzNy?M*rseJLJYzi@jFDDjNDoB#bvlJWl4MElRqdmr^>q!^uG;#h zgc8bo}O%^lxcHHcGbTiz0r!*Q}*$&jlY0 z(bz+L2J}#5xJ``T_OaObe-azNEKjv}Y}&k~S5=21+72z`jRuFcc5hUR^s4z0nurd+ zp>Gds!!+pKej_wApp&G)?+y8fsI%4*3Uvl=)FRzc?P!$M_C$s1Sx z{G`T$C>QM>4n~5$khXIq7>FL~@kacb z9ti6FduSr{Xs|CBpMy*#GXt3!xE^P~w2G3&-(QbYkr{Jl1~M~XnE_@WT(q;&W0qs0 ziCJ&1IGzvm6s8S0x>;N~KUmGsHllPVFw%ol1{cj)_vJ0}6FO z^Ui2SD9G50cdDWdL#$S7^Nl_o}VduqhU<D~ctyihI3FSa`z-9x_Mk)dGpnCg}!-s+s|Q1%5Vn%imw zD8kYL>f@5kC1rCRj=fCM7S`w(Fcm5mIFzmkMRuy!?6{~}QMwLO^s7c>p;}X`ICh4- zJ}smMWO1M64T@v;un7Ou&1U1uRf?nAZww4jco!+aYO{H*$Kg1@?!3htiEbOzboy5> zn741If7QceEr9_0PmZ4(v`0s+gC*P58(p*23|uO=HfI$w1d!GNl0!$4@dGQ+>Bds z7ooWa_uxL%un!Lrq8Xlta2Su`EqE)w8*d|2e~3_h7v7B@#ryG-_-Q;v=zavhfREyr z@G*P_zeX58!%_Y{Jcqx)-&=6KH5u3V%GKa{xHGJW485QFvh|TesoG<-53m$pN67G- zDL!IRHZRF5|HU_|S^8eH>A<8J3HoDJ0H2LnfuE~tlIs)8tDvZ0CatjIndBKtdes>| zum5m=m?bbNiD!gcLql5JQY1LHLQB6LTHwG$Q`fOUO8ON|H1KO}2y2?Yw?7;VZ0qZb zXwmM3dQXbK?AgcDk5O%)L+>-vrVvwfx_i9guvhQbT957Lu4kLxYDA;P0PC5Y%;fj( z9Q67rx9DE`DhCRaxgtl;I+*$7WoM8}S{u1H1T2+bi_rHs5Jp&nz%Nm82&-Ii)EU zl;*NCmOKwvO6sP}?|)Bk;uumfmCMX1Qj~apR|{KHzcKU7jW#!mCYLFmBN2y*^BLZ% z%q?~?lbqxdME|+P^Cc8o{0N!E1bEj)|k z_#*xcFX5~BPkd7hB@XX&l*S70N$5-I2Ew;OZ!FUA<Ve}H!qZ&|pwZpG@BI2aHqCg;yt2|#l|fMOmZ=q`3g`GtR#ibVn<-hclq6F)t!J`j z^-8Il%?Ug^ZEPZ5lEo=LJ8fP=(j3m@8EaA6lyyAbP=Q#>TZ&>v%zs4)W`sNkr{WAk z?mS$8i*W@R)D~>#gnSzr)=o04I|;W3(MzQKFvqSz^kssS-;VDm{N6$My@&97FDK`p zQ#;+1dXY}RQ__77V>F7%mhAmV@sArCE?F_K^-}0t2nFhit>XAqT zExoTEvWc89$rMiH#GFqt3lcg&^sd8zz>N$jQeatlA;3YGS% 
z34Xv^7RyT~_yJd~lj{@s0dHC%Hzn}{-nd#`W8nw9xy9a=jvw&RmD)F0_<>1HIUS0V z0G`>fLp7{{^{|INXVHm=o**i~xacXO1CPSf@H~8zava}=AHaFaa$JHx!k>r~{1x7$ zs8GT@GOWz3mZ6)n9F3IaScR*}xQf{D1~RSta6b`(gA^MYLHKm! zwUK|9__Y>RIc3wOGwG70veR_w>~vYZOi2jt(%ETa6G??jXQ$0;NGcK${93K$bSoh08HGee(_`>c@DMyj@z7bq-it&>nKOTbaF>PCDK;wRB-Du&l#{5UIH?+!lVfkf zm4v`{%1>;rR)cbGw@;>V0_1g1ruL9y{X0 zso1l)?_A0;ctx%nTgU$_WpkzBgda S=A|?KKjZ(!$IjP*|Nl4pg;b9K literal 0 HcmV?d00001 diff --git a/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml similarity index 97% rename from rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml rename to rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml index e62f91440..67d72f56c 100644 --- a/rules/windows/sysmon/win_possible_privilege_escalation_via_service_registry_permissions_weakness.yml +++ b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml @@ -16,7 +16,7 @@ detection: selection: EventID: 13 IntegrityLevel: 'Medium' - TargetObject": + TargetObject: - '*\services\*\ImagePath' - '*\services\*\FailureCommand' - '*\services\*\Parameters\ServiceDll' From 59c625028223ef814dbd37f55c66c23ad125e93b Mon Sep 17 00:00:00 2001 From: Teimur Kheirkhabarov Date: Mon, 28 Oct 2019 09:38:17 +0300 Subject: [PATCH 080/269] Delete rules/windows/.DS_Store --- rules/windows/.DS_Store | Bin 12292 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 rules/windows/.DS_Store 
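Review bot: The one-character fix to `TargetObject:` is correct, but the same commit adds `rules/windows/.DS_Store`, a macOS Finder artefact recorded in the diffstat as a 12292-byte binary that the very next commit has to delete again; adding `.DS_Store` to the repository's `.gitignore` would stop it recurring. The rename to a `sysmon_` prefix is reasonable, though a note in the commit message on the naming convention being adopted would help other contributors follow it. The enclosing `detection:` mapping begins outside the hunk.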
diff --git a/rules/windows/.DS_Store b/rules/windows/.DS_Store deleted file mode 100644 index d5eabf0e2a561fb81b17bf797d44d4d54c5ee69a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12292 zcmeHN3v?7$8UFtzkC`x#NeGZ#vSi7U5JG??gpdG%&4WjH6eIx>USS`Tu(Fv6yPE`> z(vw!J_DI#*s+D?Lm7}($R;#UTPi;L%Y_0g#^dMk;9eX$)wboZ#^;rGyy|bI$*@d8| zM|)sr&&<7Z|NGDEz4P7w|Negl0I+o^Pzz8A021x2R22Z54B(ndCkY#qvpr>-LM=%9 z4BDx#0vO;24I=dGP3fI!c)QJjjs6gOep$4uFbLtK=jW$$4ZIMAAhqkhk;tGgWcaA> zS>IqN7>U-@oI~4`tn8dzNy?M*rseJLJYzi@jFDDjNDoB#bvlJWl4MElRqdmr^>q!^uG;#h zgc8bo}O%^lxcHHcGbTiz0r!*Q}*$&jlY0 z(bz+L2J}#5xJ``T_OaObe-azNEKjv}Y}&k~S5=21+72z`jRuFcc5hUR^s4z0nurd+ zp>Gds!!+pKej_wApp&G)?+y8fsI%4*3Uvl=)FRzc?P!$M_C$s1Sx z{G`T$C>QM>4n~5$khXIq7>FL~@kacb z9ti6FduSr{Xs|CBpMy*#GXt3!xE^P~w2G3&-(QbYkr{Jl1~M~XnE_@WT(q;&W0qs0 ziCJ&1IGzvm6s8S0x>;N~KUmGsHllPVFw%ol1{cj)_vJ0}6FO z^Ui2SD9G50cdDWdL#$S7^Nl_o}VduqhU<D~ctyihI3FSa`z-9x_Mk)dGpnCg}!-s+s|Q1%5Vn%imw zD8kYL>f@5kC1rCRj=fCM7S`w(Fcm5mIFzmkMRuy!?6{~}QMwLO^s7c>p;}X`ICh4- zJ}smMWO1M64T@v;un7Ou&1U1uRf?nAZww4jco!+aYO{H*$Kg1@?!3htiEbOzboy5> zn741If7QceEr9_0PmZ4(v`0s+gC*P58(p*23|uO=HfI$w1d!GNl0!$4@dGQ+>Bds z7ooWa_uxL%un!Lrq8Xlta2Su`EqE)w8*d|2e~3_h7v7B@#ryG-_-Q;v=zavhfREyr z@G*P_zeX58!%_Y{Jcqx)-&=6KH5u3V%GKa{xHGJW485QFvh|TesoG<-53m$pN67G- zDL!IRHZRF5|HU_|S^8eH>A<8J3HoDJ0H2LnfuE~tlIs)8tDvZ0CatjIndBKtdes>| zum5m=m?bbNiD!gcLql5JQY1LHLQB6LTHwG$Q`fOUO8ON|H1KO}2y2?Yw?7;VZ0qZb zXwmM3dQXbK?AgcDk5O%)L+>-vrVvwfx_i9guvhQbT957Lu4kLxYDA;P0PC5Y%;fj( z9Q67rx9DE`DhCRaxgtl;I+*$7WoM8}S{u1H1T2+bi_rHs5Jp&nz%Nm82&-Ii)EU zl;*NCmOKwvO6sP}?|)Bk;uumfmCMX1Qj~apR|{KHzcKU7jW#!mCYLFmBN2y*^BLZ% z%q?~?lbqxdME|+P^Cc8o{0N!E1bEj)|k z_#*xcFX5~BPkd7hB@XX&l*S70N$5-I2Ew;OZ!FUA<Ve}H!qZ&|pwZpG@BI2aHqCg;yt2|#l|fMOmZ=q`3g`GtR#ibVn<-hclq6F)t!J`j z^-8Il%?Ug^ZEPZ5lEo=LJ8fP=(j3m@8EaA6lyyAbP=Q#>TZ&>v%zs4)W`sNkr{WAk z?mS$8i*W@R)D~>#gnSzr)=o04I|;W3(MzQKFvqSz^kssS-;VDm{N6$My@&97FDK`p zQ#;+1dXY}RQ__77V>F7%mhAmV@sArCE?F_K^-}0t2nFhit>XAqT zExoTEvWc89$rMiH#GFqt3lcg&^sd8zz>N$jQeatlA;3YGS% 
z34Xv^7RyT~_yJd~lj{@s0dHC%Hzn}{-nd#`W8nw9xy9a=jvw&RmD)F0_<>1HIUS0V z0G`>fLp7{{^{|INXVHm=o**i~xacXO1CPSf@H~8zava}=AHaFaa$JHx!k>r~{1x7$ zs8GT@GOWz3mZ6)n9F3IaScR*}xQf{D1~RSta6b`(gA^MYLHKm! zwUK|9__Y>RIc3wOGwG70veR_w>~vYZOi2jt(%ETa6G??jXQ$0;NGcK${93K$bSoh08HGee(_`>c@DMyj@z7bq-it&>nKOTbaF>PCDK;wRB-Du&l#{5UIH?+!lVfkf zm4v`{%1>;rR)cbGw@;>V0_1g1ruL9y{X0 zso1l)?_A0;ctx%nTgU$_WpkzBgda S=A|?KKjZ(!$IjP*|Nl4pg;b9K From becfca6b41aa8900b444395120b9fd8a40ab952e Mon Sep 17 00:00:00 2001 
From: RRRabbit
Date: Mon, 28 Oct 2019 11:59:49 +0100
Subject: [PATCH 081/269] Added Atomic Blue Detections Repo
---
 .../auditd/lnx_auditd_ld_so_preload_mod.yml | 21 ++++++++++++
 .../process_creation/win_bootconf_mod.yml | 26 +++++++++++++++
 .../windows/process_creation/win_cmd_rar.yml | 21 ++++++++++++
 .../process_creation/win_eventlog_cleared.yml | 21 ++++++++++++
 .../win_fsutil_usn_delete.yml | 24 ++++++++++++++
 rules/windows/process_creation/win_hh_chm.yml | 22 +++++++++++++
 .../process_creation/win_indirect_cmd.yml | 20 ++++++++++++
 .../process_creation/win_interactive_at.yml | 21 ++++++++++++
 .../process_creation/win_lsass_dump.yml | 28 ++++++++++++++++
 .../process_creation/win_mshta_javascript.yml | 22 +++++++++++++
 .../windows/process_creation/win_net_enum.yml | 23 +++++++++++++
 .../process_creation/win_net_user_add.yml | 21 ++++++++++++
 .../win_powershell_audio_capture.yml | 19 +++++++++++
 .../win_powershell_bitsjob.yaml | 21 ++++++++++++
 .../process_creation/win_reg_sam_dumping.yml | 32 +++++++++++++++++++
 .../win_remote_time_discovery.yml | 24 ++++++++++++++
 .../win_soundrec_audio_capture.yml | 21 ++++++++++++
 .../process_creation/win_trust_discovery.yml | 21 ++++++++++++
 .../process_creation/win_uac_cmstp.yml | 24 ++++++++++++++
 .../process_creation/win_uac_fodhelper.yml | 19 +++++++++++
 .../process_creation/win_uac_wsreset.yml | 22 +++++++++++++
 21 files changed, 473 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
 create mode 100644 rules/windows/process_creation/win_bootconf_mod.yml
 create mode 100644 rules/windows/process_creation/win_cmd_rar.yml
 create mode 100644 rules/windows/process_creation/win_eventlog_cleared.yml
 create mode 100644 rules/windows/process_creation/win_fsutil_usn_delete.yml
 create mode 100644 rules/windows/process_creation/win_hh_chm.yml
 create mode 100644 rules/windows/process_creation/win_indirect_cmd.yml
 create mode 100644 rules/windows/process_creation/win_interactive_at.yml
 create mode
100644 rules/windows/process_creation/win_lsass_dump.yml
 create mode 100644 rules/windows/process_creation/win_mshta_javascript.yml
 create mode 100644 rules/windows/process_creation/win_net_enum.yml
 create mode 100644 rules/windows/process_creation/win_net_user_add.yml
 create mode 100644 rules/windows/process_creation/win_powershell_audio_capture.yml
 create mode 100644 rules/windows/process_creation/win_powershell_bitsjob.yaml
 create mode 100644 rules/windows/process_creation/win_reg_sam_dumping.yml
 create mode 100644 rules/windows/process_creation/win_remote_time_discovery.yml
 create mode 100644 rules/windows/process_creation/win_soundrec_audio_capture.yml
 create mode 100644 rules/windows/process_creation/win_trust_discovery.yml
 create mode 100644 rules/windows/process_creation/win_uac_cmstp.yml
 create mode 100644 rules/windows/process_creation/win_uac_fodhelper.yml
 create mode 100644 rules/windows/process_creation/win_uac_wsreset.yml
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
new file mode 100644
index 000000000..97643378a
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -0,0 +1,21 @@
+title: Modification of ld.so.preload
+description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
+date: 2019/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/etc/ld.so.preload'
+ condition: selection
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml
new file mode 100644
index 000000000..c6834ebe3
--- /dev/null
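Review bot: `condition: selection` appears twice under `detection`; loaders keep the last duplicate silently, so it is harmless today but trips stricter YAML linters and hides future mistakes — delete one. The selection fires on any auditd `PATH` record naming `/etc/ld.so.preload`, which exists only if an audit watch covers that file and, depending on the watch's permissions, includes plain reads as well as the writes the title promises; document the required rule in a comment (`# requires an auditd watch such as -w /etc/ld.so.preload -p wa -k <key>`) and consider selecting on that `key` too so read-only access does not match. `orignally` in `author` is a typo (`originally`) repeated in every Atomic Blue rule in this commit; a find-and-replace before merge would be cheap.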
+++ b/rules/windows/process_creation/win_bootconf_mod.yml
@@ -0,0 +1,26 @@
+title: Modification of Boot Configuration
+description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.impact
+ - attack.t1490
+detection:
+ selection1:
+ Image:
+ - '*bcdedit.exe'
+ selection2:
+ CommandLine:
+ - '* set*'
+ selection3:
+ CommandLine:
+ - '* bootstatuspolicy *ignoreallfailures*'
+ - '* recoveryenabled* no*'
+ condition: selection1 and selection2 and selection3
+falsepositives:
+ - unlike
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_cmd_rar.yml b/rules/windows/process_creation/win_cmd_rar.yml
new file mode 100644
index 000000000..098378a27
--- /dev/null
+++ b/rules/windows/process_creation/win_cmd_rar.yml
@@ -0,0 +1,21 @@
+title: Command-Line Creation of a RAR file
+description: Detect compression of data into a RAR file using the rar.exe utility.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.exfiltration
+ - attack.t1002
+detection:
+ selection:
+ Image:
+ - '*rar.exe'
+ CommandLine:
+ - '* a *'
+ condition: selection
+falsepositives:
+ - legit creation of a rar file using cmd
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_eventlog_cleared.yml b/rules/windows/process_creation/win_eventlog_cleared.yml
new file mode 100644
index 000000000..3806ec5fd
--- /dev/null
+++ b/rules/windows/process_creation/win_eventlog_cleared.yml
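Review bot: `selection2`'s `'* set*'` requires a space immediately before `set`, but bcdedit takes its verb as a switch (`bcdedit /set {default} recoveryenabled No`), so the form the rule is written for does not match; `'*/set*'` (keeping `'* set*'` alongside if a space-separated form is also expected) fixes it. `falsepositives: - unlike` reads as a typo for `unlikely`, and the same value appears in the hh_chm, interactive_at and lsass_dump rules in this commit. Placing `logsource` after `level` is valid but differs from every other rule in the repository, which puts it before `detection`; a consistent order makes the series easier to review. Also `used as by malware` in the description has a stray `as`.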
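Review bot: `Image: '*rar.exe'` has no path separator, so it also matches `WinRAR.exe` and `UnRAR.exe` (case-insensitive suffix match), i.e. the GUI archiver and the extractor, not only the command-line `rar.exe` the description names; `'*\rar.exe'` expresses the intent and halves the noise. With `' a '` as the only discriminator and the stated false positive being ordinary archive creation, `level: high` is strong for this signal; `medium` would sit better, or tighten the selection (for example by requiring a non-user-profile output path) before keeping `high`.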
@@ -0,0 +1,21 @@
+title: Clearing Windows Event Logs with wevtutil
+description: Identifies attempts to clear Windows event logs with the command wevtutil.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+detection:
+ selection:
+ Image:
+ - '*wevtutil.exe'
+ CommandLine:
+ - '* cl *'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_fsutil_usn_delete.yml b/rules/windows/process_creation/win_fsutil_usn_delete.yml
new file mode 100644
index 000000000..bd955931b
--- /dev/null
+++ b/rules/windows/process_creation/win_fsutil_usn_delete.yml
@@ -0,0 +1,24 @@
+title: Delete Volume USN Journal with fsutil
+description: Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+detection:
+ selection1:
+ Image:
+ - '*fsutil.exe'
+ CommandLine:
+ - '*usn*'
+ selection2:
+ CommandLine:
+ - '* deletejournal*'
+ condition: selection1 and selection2
+falsepositives:
+ - unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
new file mode 100644
index 000000000..50e3988d3
--- /dev/null
+++ b/rules/windows/process_creation/win_hh_chm.yml
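Review bot: `'* cl *'` only covers the short verb; wevtutil also accepts the long form `clear-log` (`wevtutil clear-log Security`), which this rule misses entirely — add `'* clear-log *'` as a second `CommandLine` entry. `falsepositives: - unknown` could name the routine case (administrators clearing logs during maintenance or lab rebuilds) so an analyst knows what benign looks like, and since event-log clearing also produces Security 1102 / System 104, a `references` entry pointing at a companion rule on those events would strengthen coverage. `Image: '*wevtutil.exe'` would be tighter as `'*\wevtutil.exe'`, matching the convention used elsewhere in this commit's net_enum rule.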
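Review bot: `selection1`'s `'*usn*'` adds nothing once `selection2` requires `deletejournal` (the full `fsutil usn deletejournal` form contains both), so the bare substring can be dropped and the rule reduced to `Image` plus `'* deletejournal*'`; if the split is kept for readability, a comment should say so. `Image: '*fsutil.exe'` would be tighter as `'*\fsutil.exe'`, matching the `'*\net.exe'` style used in the net_enum rule of the same commit.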
@@ -0,0 +1,22 @@
+title: HH.exe execution
+description: Identifies usage of hh.exe executing recently modified .chm files.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin)
+date: 2019/10/24
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1223
+detection:
+ selection:
+ Image:
+ - '*hh.exe'
+ CommandLine:
+ - '* .chm*'
+ condition: selection
+falsepositives:
+ - unlike
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml
new file mode 100644
index 000000000..316a276ea
--- /dev/null
+++ b/rules/windows/process_creation/win_indirect_cmd.yml
@@ -0,0 +1,20 @@
+title: Indirect Command Execution
+description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+detection:
+ selection:
+ ParentImage:
+ - '*pcalua.exe'
+ - '*forfiles.exe'
+ condition: selection | count(CommandLine) > 10
+falsepositives:
+ - legit usage of scripts
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
new file mode 100644
index 000000000..3333f2ef0
--- /dev/null
+++ b/rules/windows/process_creation/win_interactive_at.yml
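Review bot: The description promises detection of hh.exe opening "recently modified" .chm files, but a process-creation event carries no file-age information and the selection only checks an image ending in `hh.exe` plus a `' .chm'` substring, so the description overstates what the rule does; reword it to `Identifies usage of hh.exe executing .chm files` or add a note that the recency check from the original anal<br>ytic could not be ported. `Image: '*hh.exe'` also matches any image whose name ends in `hh.exe`; `'*\hh.exe'` is tighter. `unlike` in `falsepositives` should read `unlikely`.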
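Review bot: `condition: selection | count(CommandLine) > 10` turns a per-event detection into an aggregation with no `by` grouping and no `timeframe`, so the count runs over the whole query window and a single child process of `pcalua.exe` or `forfiles.exe` — the behaviour the description says is detected — never triggers it. If the intent is to catch one indirect execution, `condition: selection` is enough; if a volume threshold is wanted, add `timeframe:` and group with `| count(CommandLine) by ParentImage > 10` (or by host), and say in the description that it is a burst rule. `ParentImage` patterns without a backslash (`'*pcalua.exe'`) are loose; `'*\pcalua.exe'` and `'*\forfiles.exe'` follow the convention used in the net_enum rule of this commit.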
@@ -0,0 +1,21 @@
+title: Interactive AT Job
+description: Detect an interactive AT job, which may be used as a form of privilege escalation.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.privilege_escalation
+ - attack.t1053
+detection:
+ selection:
+ Image:
+ - '*at.exe'
+ CommandLine:
+ - '* interactive*'
+ condition: selection
+falsepositives:
+ - unlike (at.exe deprecated as of Windows 8)
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
new file mode 100644
index 000000000..c0f7f9e74
--- /dev/null
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -0,0 +1,28 @@
+title: LSASS Memory Dumping
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
+date: 2019/10/24
+tags:
+ - attack.credential_access
+ - attack.t1003
+detection:
+ selection1:
+ CommandLine:
+ - '* lsass*.dmp*'
+ selection2:
+ Image:
+ - '*werfault.exe'
+ selection3:
+ Image:
+ - '*procdump*.exe'
+ selection4:
+ CommandLine:
+ - '* lsass*'
+ condition: selection1 and not selection2 or selection3 and selection4
+falsepositives:
+ - unlike
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
new file mode 100644
index 000000000..678efff6c
--- /dev/null
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
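Review bot: `Image: '*at.exe'` has no path separator and therefore matches every executable whose name ends in `at.exe` (Adobe's `Acrobat.exe` is one real example), so the `' interactive'` substring is doing all the work; `'*\at.exe'` is the precise form. `'* interactive*'` will also match `/interactive` only when preceded by a space, which is the normal `at ... /interactive` layout, but a comment giving the expected shape (`# at <time> /interactive <cmd>`) would make that visible. The `falsepositives` note that at.exe is deprecated is useful; `unlike` should read `unlikely`.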
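Review bot: `condition: selection1 and not selection2 or selection3 and selection4` relies on `and` binding tighter than `or`; the intended grouping is presumably `(selection1 and not selection2) or (selection3 and selection4)` and should be written with the parentheses so neither a reader nor a backend with different precedence can misread it. The description is two sentences stitched from two original analytics and repeats "which contains sensitive credentials"; it should say that the rule covers a dump file named after lsass from any process except WerFault, plus any procdump invocation naming lsass, and that dumps written under another name by other tools are out of scope. `Image: '*werfault.exe'` / `'*procdump*.exe'` would be tighter with a leading backslash, and `unlike` should read `unlikely`.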
@@ -0,0 +1,22 @@
+title: Mshta Network Connections
+description: Identifies suspicious mshta.exe commands.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+date: 2019/10/24
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1170
+detection:
+ selection:
+ Image:
+ - '*mshta.exe'
+ CommandLine:
+ - '* javascript*'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
new file mode 100644
index 000000000..947b48121
--- /dev/null
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -0,0 +1,23 @@
+title: Windows Network Enumeration
+status: stable
+description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
+author: Endgame, JHasenbusch (ported for oscd.community)
+date: 2018/11/30
+tags:
+ - attack.discovery
+ - attack.t1018
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\net.exe'
+ CommandLine: '* view*'
+ filter:
+ CommandLine: '*\\\\*'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: low
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
new file mode 100644
index 000000000..477b35903
--- /dev/null
+++ b/rules/windows/process_creation/win_net_user_add.yml
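Review bot: The title `Mshta Network Connections` does not describe the selection, which is a process-creation match on `mshta.exe` with `javascript` in the command line and says nothing about network activity; `Mshta JavaScript Execution` (with a description naming the `javascript:` protocol form) would match the file name `win_mshta_javascript.yml`. `'* javascript*'` requires a space before `javascript`, but when the argument is quoted the preceding character is `"`, so `'*javascript:*'` is likely the more reliable form — worth checking against real telemetry before changing. `Image: '*mshta.exe'` would be tighter as `'*\mshta.exe'`.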
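Review bot: `Image: '*\net.exe'` excludes `net1.exe`, the helper that net.exe hands most subcommands to and that can be run directly with the same arguments; listing both (`Image: ['*\net.exe', '*\net1.exe']`) gives parity with the `net[1].exe` wording used in the sibling `win_net_user_add.yml`. The `filter` on `'*\\\\*'` deliberately drops `net view \\host` forms so that only the network-wide listing remains, but without a comment it reads like an exclusion bug — `# exclude targeted "net view \\host"; keep only unscoped enumeration` would settle it. `status: stable` on a freshly ported rule with `falsepositives: unknown` is bold; `experimental` matches the rest of this commit.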
@@ -0,0 +1,21 @@ +title: Net.exe User Account Creation +status: experimental +description: Identifies creation of local users via the net[1].exe command. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html +author: Endgame, JHasenbusch (adapted to sigma for oscd.community) +date: 2018/30/11 +tags: + - attack.persistance + - attack.credential_access + - attack.1136 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*\net*.exe * user */ad*' + condition: selection +falsepositives: + - Legit user creation +level: low diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml new file mode 100644 index 000000000..4865300e1 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml @@ -0,0 +1,19 @@ +title: Audio Capture via PowerShell +description: Detect attacker collecting audio via PowerShell Cmdlet. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.collection + - attack.t1123 +detection: + selection: + CommandLine: + - '* WindowsAudioDevice-Powershell-Cmdlet *' + condition: selection +falsepositives: + - legit audio capture +level: medium +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yaml new file mode 100644 index 000000000..2eb6db523 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_bitsjob.yaml 
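Review bot: `date: 2018/30/11` is not a valid date (month 30) — the repository's format is YYYY/MM/DD, so this should be `date: 2018/11/30`, matching the sibling net_enum rule. Two tags are also malformed: `attack.persistance` should be `attack.persistence` and `attack.1136` is missing the technique prefix, `attack.t1136`; both break ATT&CK mapping in tooling that keys on these tags. The description's `net[1].exe` is consistent with the `'*\net*.exe * user */ad*'` pattern, which is good.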
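Review bot: The single pattern `'* WindowsAudioDevice-Powershell-Cmdlet *'` requires a space on both sides, so a command line that ends with the cmdlet name, or one where it is quoted, will not match. Unless the surrounding spaces are deliberately there to avoid a known false positive, I'd relax it to `'*WindowsAudioDevice-Powershell-Cmdlet*'`. The rule also has no `references` entry; a link to the cmdlet's origin would help triage.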
@@ -0,0 +1,21 @@ +title: Suspicious Bitsadmin Job via PowerShell +status: experimental +description: Detect download of BITS jobs via PowerShell. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html +author: Endgame, JHasenbusch (ported to sigma for oscd.community) +date: 2018/30/11 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1197 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*powershell.exe *Start-BitsTransfer*' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_reg_sam_dumping.yml b/rules/windows/process_creation/win_reg_sam_dumping.yml new file mode 100644 index 000000000..6e01cb270 --- /dev/null +++ b/rules/windows/process_creation/win_reg_sam_dumping.yml @@ -0,0 +1,32 @@ +title: SAM Dumping via Reg.exe +status: experimental +description: Identifies usage of reg.exe to export registry hives which contain the SAM and LSA secrets. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html +author: Endgame, JHasenbusch (ported to sigma for oscd.community) +date: 2018/30/11 +tags: + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: '*\reg.exe' + CommandLine: + - '* save *' + - '* export *' + selection2: + CommandLine: + - '*hklm*' + - '*hkey_local_machine*' + selection3: + CommandLine: + - '*\\sam *' + - '*\\security *' + - '*\\system *' + condition: selection1 and selection2 and selection3 +falsepositives: + - Unknown +level: low diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml new file mode 100644 index 000000000..20813ab4b --- /dev/null +++ b/rules/windows/process_creation/win_remote_time_discovery.yml 
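Review bot: The file is named win_powershell_bitsjob.yaml while every other rule in this commit uses the .yml extension, which matters for tooling that globs `*.yml`; rename it to win_powershell_bitsjob.yml. `date: 2018/30/11` is an invalid date and should be `2018/11/30`. The single pattern `'*powershell.exe *Start-BitsTransfer*'` only fires when the command line literally contains `powershell.exe`; a `powershell -c Start-BitsTransfer ...` launch (no extension) would be missed, so I'd split it into `Image: '*\powershell.exe'` and `CommandLine: '*Start-BitsTransfer*'`.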
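Review bot: `date: 2018/30/11` is an invalid date here too and should read `2018/11/30`. The `selection3` patterns `'*\\sam *'`, `'*\\security *'`, `'*\\system *'` each require a trailing space, so `reg save hklm\sam` followed directly by a newline or a quote would not match; since `reg save` always needs an output path this is probably acceptable, but it deserves a comment. Given that exporting `hklm\sam` has very few legitimate uses and the falsepositives entry is `Unknown`, `level: low` looks conservative — I'd consider `medium`, though that is a tuning call.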
@@ -0,0 +1,24 @@ +title: Command-Line Creation of a RAR file +description: Identifies use of various commands to query a remote system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.discovery + - attack.t1124 +detection: + selection1: + Image: + - '*net.exe' + CommandLine: + - '* time *' + selection2: + CommandLine: + - '*\\\*' + condition: selection1 and selection2 +falsepositives: + - legit admin usage +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml new file mode 100644 index 000000000..dd8798cd1 --- /dev/null +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml @@ -0,0 +1,21 @@ +title: Audio Capture via SoundRecorder +description: Detect attacker collecting audio via SoundRecorder application. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.collection + - attack.t1123 +detection: + selection: + Image: + - "*\SoundRecorder.exe" + CommandLine: + - "* /FILE *" + condition: selection +falsepositives: + - legit audio capture +level: medium +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml new file mode 100644 index 000000000..2929f545d --- /dev/null +++ b/rules/windows/process_creation/win_trust_discovery.yml 
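Review bot: The title `Command-Line Creation of a RAR file` does not match this rule, whose description and detection are about `net time` remote time discovery; it looks copied from another rule and should be something like `Remote System Time Discovery via net.exe`. The pattern `'*\\\*'` in `selection2` is also inconsistent with win_net_enum.yml, which uses `'*\\\\*'` for a UNC prefix: inside single quotes the value is the literal `*\\\*`, and with Sigma's backslash escaping that reads as an escaped backslash followed by an escaped `*`, i.e. a literal `\*` rather than `\\host`. I'd change it to `CommandLine: '*\\\\*'` to match the sibling rule. With `legit admin usage` listed as a false positive, `level: high` may be too strong for `net time \\host`.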
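Review bot: `"*\SoundRecorder.exe"` is double-quoted, and in a YAML double-quoted scalar `\S` is not a valid escape, so most parsers will reject the file outright. The sibling rules use single quotes for backslash paths; switch to `- '*\SoundRecorder.exe'` (or `"*\\SoundRecorder.exe"`). The `"* /FILE *"` pattern with a trailing space will miss a command line that ends right after `/FILE`, but since `/FILE` takes a path argument that is likely fine.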
@@ -0,0 +1,21 @@ +title: Domain Trust Discovery via Nltest.exe +description: Identifies execution of nltest.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.discovery + - attack.t1482 +detection: + selection: + Image: + - '*nltest.exe' + CommandLine: + - '* domain_trusts*' + condition: selection +falsepositives: + - unlike +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml new file mode 100644 index 000000000..915b9b2e9 --- /dev/null +++ b/rules/windows/process_creation/win_uac_cmstp.yml @@ -0,0 +1,24 @@ +title: Bypass UAC via CMSTP +description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1191 + - attack.t1088 +detection: + selection: + Image: + - "*\\cmstp.exe" + CommandLine: + - "* /s *" + - "* /au *" + condition: selection +falsepositives: + - unlikely +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml new file mode 100644 index 000000000..d811ca637 --- /dev/null +++ b/rules/windows/process_creation/win_uac_fodhelper.yml 
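Review bot: `'* domain_trusts*'` requires a space directly before `domain_trusts`, but nltest takes the switch as `/domain_trusts` (the command line is `nltest /domain_trusts`), so the pattern will not match the documented usage. Drop the leading space, e.g. `CommandLine: '*/domain_trusts*'`. `'*nltest.exe'` should be anchored as `'*\nltest.exe'` like the other rules, and `unlike` under falsepositives reads as a typo for `unlikely`.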
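Review bot: The description says the rule detects child processes of auto-elevated cmstp.exe, but the detection matches the cmstp.exe process itself (`Image: "*\\cmstp.exe"` with `/s` or `/au` on the command line); to detect children the selection would need `ParentImage`, as win_uac_fodhelper.yml does. Either reword the description to say it flags cmstp.exe launched with `/s` or `/au`, or change `Image` to `ParentImage` and drop the CommandLine list. The two CommandLine values are OR-ed, and `/s` is the standard silent-install switch for legitimate connection-manager profiles, so matching on `/s` alone is likely noisier than the `unlikely` false-positive note suggests; if the targeted technique always carries both switches, requiring them together would be tighter, otherwise the `/s`-only case should be called out under falsepositives.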
@@ -0,0 +1,19 @@ +title: Bypass UAC via Fodhelper.exe +description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.privilege_escalation + - attack.t1088 +detection: + selection: + ParentImage: + - "*\fodhelper.exe" + condition: selection +falsepositives: + - unlikely +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml new file mode 100644 index 000000000..a4314c5ce --- /dev/null +++ b/rules/windows/process_creation/win_uac_wsreset.yml @@ -0,0 +1,22 @@ +title: Bypass UAC via WSReset.exe +description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.privilege_escalation + - attack.t1088 +detection: + selection: + ParentImage: + - '*wsreset.exe' + filter: + Image: + - '*conhost.exe' + condition: selection and not filter +falsepositives: + - unknown +level: high +logsource: + category: process_creation + product: windows From 3376cf4dd800fd69864d772a8694379f6699a02b Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 01:40:06 +0300 Subject: [PATCH 082/269] fix some typos and remove redundand references --- rules/generic/generic_brute_force.yml | 2 +- rules/linux/auditd/lnx_auditd_auditing_config_change.yml | 3 +-- rules/linux/auditd/lnx_auditd_logging_config_change.yml | 3 +-- rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml | 2 +- rules/windows/sysmon/sysmon_regsvr32_network_activity.yml | 2 +- 5 files changed, 5 insertions(+), 7 deletions(-) 
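Review bot: `"*\fodhelper.exe"` is double-quoted, and in a YAML double-quoted scalar `\f` is the form-feed escape, so the value the parser produces is `*<FF>odhelper.exe` and the rule will never match. Use single quotes, `- '*\fodhelper.exe'`, or escape the backslash as `"*\\fodhelper.exe"` as win_uac_cmstp.yml does. I'd expect legitimate fodhelper launches to spawn few or no children, but that is worth verifying before shipping at `level: high` without a filter like the one in win_uac_wsreset.yml.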
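Review bot: `ParentImage: '*wsreset.exe'` is not anchored on a path separator and will also match any parent whose image name merely ends in `wsreset.exe`; write it as `'*\wsreset.exe'` (and the filter as `'*\conhost.exe'`) for consistency with the other rules in this batch. The conhost.exe exclusion presumably covers the console host a normal wsreset run spawns, but since a spoofed image name passes the filter, a comment explaining why only conhost is excluded would help future tuning.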
diff --git a/rules/generic/generic_brute_force.yml b/rules/generic/generic_brute_force.yml index b540449da..5e42646de 100644 --- a/rules/generic/generic_brute_force.yml +++ b/rules/generic/generic_brute_force.yml @@ -1,7 +1,7 @@ title: Brute Force description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity references: - - https://attack.mitre.org/techniques/T1110/ + - None tags: - attack.t1110 author: Aleksandr Akhremchik, oscd.community diff --git a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml index 2e0594bd8..cd02b1595 100644 --- a/rules/linux/auditd/lnx_auditd_auditing_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_auditing_config_change.yml @@ -6,12 +6,11 @@ description: Detect changes if auditd configuration files # -w /etc/audisp/ -p wa -k etc_modify_audispconfig references: - https://github.com/Neo23x0/auditd/blob/master/audit.rules - - https://attack.mitre.org/techniques/T1054/ - self experience tags: - attack.defense_evasion - attack.t1054 -author: Mikhail Larin, oscd community +author: Mikhail Larin, oscd.community status: experimental date: 2019/10/25 logsource: diff --git a/rules/linux/auditd/lnx_auditd_logging_config_change.yml b/rules/linux/auditd/lnx_auditd_logging_config_change.yml index bcc071bcb..c9977f619 100644 --- a/rules/linux/auditd/lnx_auditd_logging_config_change.yml +++ b/rules/linux/auditd/lnx_auditd_logging_config_change.yml @@ -5,12 +5,11 @@ description: Detect changes of syslog daemons configuration files # -w /etc/rsyslog.conf -p wa -k etc_modify_rsyslogconfig # -w /etc/syslog-ng/syslog-ng.conf -p wa -k etc_modify_syslogngconfig references: - - https://attack.mitre.org/techniques/T1054/ - self experience tags: - attack.defense_evasion - attack.t1054 -author: Mikhail Larin, oscd community +author: Mikhail Larin, oscd.community status: experimental date: 2019/10/25 logsource: 
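Review bot: Replacing the MITRE link with `- None` leaves `references` as a list containing the string `None` — YAML does not treat `None` as null, so consumers will see a bogus reference entry. If the rule has no references, remove the `references` key entirely (the other rules in this commit that lost their MITRE link keep at least one real entry), or leave an empty list `references: []`. The `attack.t1110` tag already carries the technique mapping, so nothing is lost.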
diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml index de139f461..ff59f881d 100644 --- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml +++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml @@ -4,7 +4,7 @@ references: - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html tags: - attack.persistence -author: Dmitriy Lifanov, oscd community +author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25 logsource: diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml index c987a1b2f..dd9f0b7b6 100644 --- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml @@ -8,7 +8,7 @@ tags: - attack.execution - attack.defense_evasion - attack.t1117 -author: Dmitriy Lifanov, oscd community +author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25 logsource: From 4251d9f490cb566cfe37781fc61d1d8066f1fcd4 Mon Sep 17 00:00:00 2001 
From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 03:44:22 +0300 Subject: [PATCH 083/269] ilyas ochkov contribution --- rules/network/net_possible_dns_rebinding.yml | 22 +++++++++ ...picious_reverse_connect_via_http_proxy.yml | 18 +++++++ ..._renamed_user_account_with_dollar_sign.yml | 33 +++++++++++++ .../windows/builtin/win_possible_dc_sync.yml | 24 ++++++++++ ...n_register_new_logon_process_by_rubeus.yml | 23 +++++++++ ...uspicious_outbound_kerberos_connection.yml | 27 +++++++++++ ...ileged_service_lsaregisterlogonprocess.yml | 23 +++++++++ .../powershell_clear_powershell_history.yml | 23 +++++++++ ...y_events_logging_adding_reg_key_minint.yml | 38 +++++++++++++++ ..._dll_added_to_appcertdlls_registry_key.yml | 48 +++++++++++++++++++ ...dll_added_to_appinit_dlls_registry_key.yml | 47 ++++++++++++++++++ .../sysmon/sysmon_possible_dns_rebinding.yml | 42 ++++++++++++++++ ...uspicious_outbound_kerberos_connection.yml | 28 +++++++++++ 13 files changed, 396 insertions(+) create mode 100644 rules/network/net_possible_dns_rebinding.yml create mode 100644 rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml create mode 100644 rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml create mode 100644 rules/windows/builtin/win_possible_dc_sync.yml create mode 100644 rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml create mode 100644 rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml create mode 100644 rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml create mode 100644 rules/windows/powershell/powershell_clear_powershell_history.yml create mode 100644 rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml create mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml create mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml create mode 100644 
rules/windows/sysmon/sysmon_possible_dns_rebinding.yml create mode 100644 rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml diff --git a/rules/network/net_possible_dns_rebinding.yml b/rules/network/net_possible_dns_rebinding.yml new file mode 100644 index 000000000..cc8f2a234 --- /dev/null +++ b/rules/network/net_possible_dns_rebinding.yml @@ -0,0 +1,22 @@ +title: Possible DNS Rebinding +status: experimental +description: 'Detects DNS-answer with TTL <10.' +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: dns +detection: + selection: + answer: '*' + filter1: + ttl: '>0' + filter2: + ttl: '<10' + timeframe: 30s + condition: selection and filter1 and filter2 | count(answer) by src_ip > 3 +level: medium diff --git a/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml new file mode 100644 index 000000000..68a629cda --- /dev/null +++ b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml @@ -0,0 +1,18 @@ +title: Suspicious reverse connect via HTTP proxy +status: experimental +description: Detects auth on proxy-server by machine account (aka SYSTEM) +author: Ilyas Ochkov, oscd.community +references: + - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html +tags: + - attack.command_and_control + - attack.t1043 +logsource: + category: proxy +detection: + selection: + username|re: '\S+\$$' + condition: selection +falsepositives: + - Update OS or other softs which start by SYSTEM + - User account with $ in attribute "SamAccountName" diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml new file mode 100644 index 000000000..420b71027 
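Review bot: `ttl: '>0'` and `ttl: '<10'` are plain string values; Sigma's matching has no comparison operator in this form, so backends will look for the literal strings `>0` and `<10` and the rule can never match. As far as I can tell the repository at this point has no numeric-range modifier, so the TTL check has to be expressed differently (for example enumerating `ttl: ['1','2','3','4','5','6','7','8','9']`, or moving the threshold into a backend-specific mapping) and the limitation documented in the rule. The description `Detects DNS-answer with TTL <10` should also mention the `count(answer) by src_ip > 3` within 30s aggregation, which is what actually drives the alert. `attack.t1043` (Commonly Used Port) is a loose fit for rebinding; I'd re-check the mapping.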
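Review bot: This rule has no `date` and no `level` field, while every other rule in the commit carries both; add `date: 2019/10/25` (or the actual authoring date) and a `level` so it is not silently treated as unknown severity by tooling. The regex `'\S+\$$'` matches any username ending in `$`, which is what the description wants, but it depends on the proxy log presenting the Windows account name without a suffix; a comment stating the expected `username` format (`DOMAIN\HOST$` vs `host$@domain`) would help the deployer. The falsepositives note `softs` reads as `software`.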
--- /dev/null +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -0,0 +1,33 @@ +title: New (or renamed) user account with '$' in attribute 'SamAccountName'. +status: experimental +description: Detects possible bypass EDR and SIEM via abnormal user account name. +tags: + - attack.defense_evasion + - attack.t1036 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - UserName + - SubjectAccountName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: security +detection: + create_user: + EventID: 4720 + UserName: '*$*' #SamAccountName +--- +logsource: + product: windows + service: security +detection: + rename_user: + EventID: 4781 + UserName: '*$*' #NewTargetUserName diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml new file mode 100644 index 000000000..73b44994d --- /dev/null +++ b/rules/windows/builtin/win_possible_dc_sync.yml @@ -0,0 +1,24 @@ +title: Possible DC Sync +description: Detects DC sync via create new SPN +status: experimental +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +references: + - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml + - https://twitter.com/gentilkiwi/status/1003236624925413376 + - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 + - https://jsecurity101.com/2019/Syncing-into-the-Shadows/ +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4742 + ServicePrincipalNames: '*GC/*' + condition: selection +falsepositives: + - Unkown +level: high diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml new file mode 100644 index 000000000..dd1635351 --- /dev/null 
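Review bot: Both sub-selections use a field named `UserName` that is not a native field of the referenced events: 4720 carries the new account in `TargetUserName` (and the SAM name in `SamAccountName`), and 4781 carries `OldTargetUserName`/`NewTargetUserName`; the inline comments `#SamAccountName` and `#NewTargetUserName` suggest the author knows this, so I'd use those native names directly instead of relying on a field mapping that is not in the repository. `Unkown` under falsepositives is a typo for `Unknown`. The trailing period in the title is unusual for this repository's titles, though cosmetic.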
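Review bot: The title and description say DCSync, but what the rule detects — a `GC/` service principal name being added to a computer account (event 4742) — is the artifact of the DCShadow technique described in the referenced gentilkiwi tweet/gist and the "Syncing into the Shadows" post, not of DCSync, which is a replication request detectable via 4662 as in the referenced win_dcsync.yml. I'd retitle it `Possible DCShadow`, reword the description accordingly, and tag it `attack.t1207` (Rogue Domain Controller) rather than, or in addition to, `attack.t1003`. `Unkown` is a typo for `Unknown`.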
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -0,0 +1,23 @@ +title: Register new logon process by Rubeus +description: Detects potential use of Rubeus via registered new trusted logon process +status: experimental +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1208 +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +date: 2019/10/24 +logsource: + product: windows + service: security + definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end +detection: + selection: + - EventID: 4611 + LogonProcessName: 'User32LogonProcesss' + condition: selection +falsepositives: + - Unkown +level: high diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..10d08ce14 --- /dev/null +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -0,0 +1,27 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: security +detection: + selection: + EventID: 5156 + DestinationPort: 88 + filter: + Image: + - '*\lsass.exe' + - '*\opera.exe' + - '*\chrome.exe' + - '*\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high \ No newline at end of file 
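Review bot: `selection` is written as a YAML list (`- EventID: 4611` followed by `LogonProcessName: 'User32LogonProcesss'`); with indentation collapsed in this view I cannot tell whether `LogonProcessName` sits inside the same list item or becomes a second map, in which case the selection is an OR and every 4611 event would fire. There is no reason for a list here — write the selection as a plain map, `selection:` / `EventID: 4611` / `LogonProcessName: 'User32LogonProcesss'`, as the other rules in this batch do. The `definition:` text has a typo, `Ubnormal` → `Abnormal`, and the triple-`s` explanation is worth keeping since it is the whole signal.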
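Review bot: Event 5156 does not expose `Image` or `DestinationPort`: its native fields are `Application` (a `\device\harddiskvolumeN\...` path) and `DestPort`, so as written the selection and the filter depend on a field mapping that is not in the repository, and the `'*\lsass.exe'` patterns would need to tolerate the device-path form. I'd use the native names, e.g. `DestPort: 88` in the selection and `Application: '*\lsass.exe'` in the filter, and note the device-path format in a comment. The reference URL `https://github.com/GhostPack/Rubeus8` looks like a stray character was appended to `Rubeus`. The file also lacks a trailing newline.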
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml new file mode 100644 index 000000000..0a7a760b8 --- /dev/null +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -0,0 +1,23 @@ +title: User couldn't call a privileged service 'LsaRegisterLogonProcess' +description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. +status: experimental +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1208 +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +date: 2019/10/24 +logsource: + product: windows + service: security +detection: + selection: + - EventID: 4673 + Service: 'LsaRegisterLogonProcess()' + Keywords: '0x8010000000000000' #failure + condition: selection +falsepositives: + - Unkown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml new file mode 100644 index 000000000..6f5eeed2c --- /dev/null +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
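Review bot: As in the Rubeus logon-process rule, `selection` is written as a list (`- EventID: 4673` then `Service:` and `Keywords:`); if the collapsed indentation hides the two later keys as separate list items, the selection becomes an OR and matches every 4673 event, so I'd rewrite it as a plain map with the three keys. `Keywords: '0x8010000000000000'` pins the Audit Failure flag as a hex string, which only works where the SIEM keeps the raw keyword value; some pipelines expose it as `Audit Failure` instead, so the `#failure` comment should say which representation is expected. `Unkown` is a typo for `Unknown`, and the file lacks a trailing newline.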
@@ -0,0 +1,23 @@ +title: Clear PowerShell History +status: experimental +description: Detects keywords that could indicate clearing PowerShell history +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a +tags: + - attack.defense_evasion + - attack.t1146 +logsource: + product: windows + service: powershell +detection: + keywords: + - 'del (Get-PSReadlineOption).HistorySavePath' + - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing' + - 'Remove-Item (Get-PSReadlineOption).HistorySavePath' + - 'rm (Get-PSReadlineOption).HistorySavePath' + condition: keywords +falsepositives: + - some PS-scripts +level: medium diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml new file mode 100644 index 000000000..0e3e926c2 --- /dev/null +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -0,0 +1,38 @@ +title: Disable security events logging adding reg key MiniNt +status: experimental +description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. +references: + - https://twitter.com/0gtweet/status/1182516740955226112 +tags: + - attack.defense_evasion + - attack.t1089 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: high +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SYSTEM\*\Control\MiniNt' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SYSTEM\*\Control\MiniNt' 
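Review bot: The keyword `'Set-PSReadlineOption –HistorySaveStyle SaveNothing'` contains an en dash (U+2013) before `HistorySaveStyle` rather than an ASCII hyphen, so it will never match a real PowerShell command line, which uses `-HistorySaveStyle`. Replace it with `'Set-PSReadlineOption -HistorySaveStyle SaveNothing'`. The other three keywords also require the exact `(Get-PSReadlineOption).HistorySavePath` spelling and spacing; `Remove-Item -Path ...`, `ri`, or a variable holding the path are easy evasions, so a looser keyword such as `'*HistorySavePath*'` paired with a removal verb may be worth considering.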
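Review bot: Sysmon event 12 covers both key creation and key deletion, so `key_create` as written also fires when the `MiniNt` key is removed (e.g. an admin cleaning up); add `EventType: CreateKey` to that selection if only creation is meant. The description's `Windows Event Log service will stopped write events` should read `will stop writing events`. `Unkown` is a typo for `Unknown`.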
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml new file mode 100644 index 000000000..ae970f27a --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -0,0 +1,48 @@ +title: New DLL added to AppCertDlls registry key +status: experimental +description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. +references: + - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html +tags: + - attack.persistence + - attack.t1182 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' +--- +logsource: + product: windows + service: sysmon +detection: + value_set: + EventID: 13 + TargetObject: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml new file mode 100644 index 000000000..403ceeadc --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
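Review bot: The `value_set` selection (Sysmon event 13) uses the same `'*\SYSTEM\*\Control\Session Manager\AppCertDlls'` pattern as the key events, but for a SetValue event `TargetObject` is the full value path, `...\AppCertDlls\<valuename>`, so a pattern that ends at `AppCertDlls` will not match and the interesting case — a DLL path being written under the key — is missed. Use `'*\Control\Session Manager\AppCertDlls\*'` for event 13. As with the MiniNt rule, event 12 also reports key deletions, so `key_create` should filter on `EventType: CreateKey` if deletions are not wanted. `Unkown` is a typo for `Unknown`.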
@@ -0,0 +1,47 @@ +title: New DLL added to AppInit_DLLs registry key +status: experimental +description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll +references: + - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html +tags: + - attack.persistence + - attack.t1103 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' +--- +logsource: + product: windows + service: sysmon +detection: + value_set: + EventID: 13 + TargetObject: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml new file mode 100644 index 000000000..015acde37 --- /dev/null +++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml 
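Review bot: `AppInit_DLLs` is a registry value under `...\Windows`, not a key (the description itself says "the AppInit_DLLs value"), so the `key_create` (event 12) and `key_rename` (event 14) selections targeting `'*\SOFTWARE\*\Windows\AppInit_Dlls'` describe events that cannot occur; only the `value_set` (event 13) selection is meaningful here. I'd drop the two dead selections, or if they are meant to catch a key being renamed into place, say so in a comment. The `*` after `SOFTWARE\` is what covers both `Microsoft\Windows NT\CurrentVersion` and the `Wow6432Node` path, which is worth stating for the next reader. `Unkown` is a typo for `Unknown`.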
@@ -0,0 +1,42 @@ +title: Possible DNS Rebinding +status: experimental +description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: windows + service: sysmon +detection: + dns_answer: + EventID: 22 + QueryName: '*' + QueryStatus: '0' + filter_int_ip: + QueryResults: + - '(::ffff:)?10.*' + - '(::ffff:)?192.168.*' + - '(::ffff:)?172.16.*' + - '(::ffff:)?172.17.*' + - '(::ffff:)?172.18.*' + - '(::ffff:)?172.19.*' + - '(::ffff:)?172.20.*' + - '(::ffff:)?172.21.*' + - '(::ffff:)?172.22.*' + - '(::ffff:)?172.23.*' + - '(::ffff:)?172.24.*' + - '(::ffff:)?172.25.*' + - '(::ffff:)?172.26.*' + - '(::ffff:)?172.27.*' + - '(::ffff:)?172.28.*' + - '(::ffff:)?172.29.*' + - '(::ffff:)?172.30.*' + - '(::ffff:)?172.31.*' + - '(::ffff:)?127.*' + timeframe: 30s + condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 +level: medium diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..c644fda97 --- /dev/null +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml 
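Review bot: The `filter_int_ip` patterns such as `'(::ffff:)?10.*'` are written as regular expressions but the field has no `|re` modifier, so Sigma treats them as plain strings where only `*` and `?` are wildcards — they will match a literal `(::ffff:)` followed by any single character, never a real `10.x.x.x` result. Use `QueryResults|re:` with proper anchoring (and `\.` for dots), or plain wildcard forms such as `'*10.*'`. The condition `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)` is evaluated per event and is contradictory for a single event, so it can never be true; the intent (one name resolving to both internal and external addresses within 30s) needs an aggregation over two distinct matches, which this condition grammar cannot express. The list also omits link-local `169.254.*`.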
@@ -0,0 +1,28 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationPort: 88 + Initiated: 'true' + filter: + Image: + - '*\lsass.exe' + - '*\opera.exe' + - '*\chrome.exe' + - '*\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high From fd606cb3760c3003bc963465679617847c8e6e86 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 03:59:07 +0300 Subject: [PATCH 084/269] spaces fix --- .../win_new_or_renamed_user_account_with_dollar_sign.yml | 2 +- rules/windows/builtin/win_possible_dc_sync.yml | 2 +- .../builtin/win_register_new_logon_process_by_rubeus.yml | 2 +- .../builtin/win_suspicious_outbound_kerberos_connection.yml | 2 +- ..._couldnt_call_privileged_service_lsaregisterlogonprocess.yml | 2 +- ...on_disable_security_events_logging_adding_reg_key_minint.yml | 2 +- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 2 +- .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 2 +- .../sysmon/sysmon_suspicious_outbound_kerberos_connection.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 420b71027..4f55fd485 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml 
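Review bot: The filter excludes `opera.exe`, `chrome.exe` and `firefox.exe` by image name, yet browsers that authenticate via SSPI hand the Kerberos exchange to lsass.exe, which is already excluded; if that holds in the deployment, the browser entries only widen the hole for a payload named like a browser, so I'd confirm with telemetry before keeping them and document the reasoning in a comment. `Initiated: 'true'` is the string form Sysmon emits, which is fine, but worth a comment so nobody "fixes" it to a boolean. The reference URL `https://github.com/GhostPack/Rubeus8` looks like a stray character was appended to `Rubeus`.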
@@ -5,7 +5,7 @@ tags: - attack.defense_evasion - attack.t1036 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml index 73b44994d..b73091fd4 100644 --- a/rules/windows/builtin/win_possible_dc_sync.yml +++ b/rules/windows/builtin/win_possible_dc_sync.yml @@ -2,7 +2,7 @@ title: Possible DC Sync description: Detects DC sync via create new SPN status: experimental author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 references: - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml - https://twitter.com/gentilkiwi/status/1003236624925413376 diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml index dd1635351..7be412525 100644 --- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -7,7 +7,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: product: windows diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index 10d08ce14..4167b05c3 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml 
@@ -4,7 +4,7 @@ description: Detects suspicious outbound network activity via kerberos default p references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community -date: 2019/10/24 +date: 2019/10/24 tags: - attack.lateral_movement - attack.t1208 diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 0a7a760b8..90a55c0f1 100644 --- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -7,7 +7,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 0e3e926c2..12afd3d55 100644 --- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -7,7 +7,7 @@ tags: - attack.defense_evasion - attack.t1089 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index ae970f27a..1deb58c74 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
@@ -8,7 +8,7 @@ tags:
 - attack.persistence
 - attack.t1182
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
+date: 2019/10/25
 detection:
 condition: 1 of them
 fields:
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 403ceeadc..77304269a 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -7,7 +7,7 @@ tags:
 - attack.persistence
 - attack.t1103
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/25
+date: 2019/10/25
 detection:
 condition: 1 of them
 fields:
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
index c644fda97..2bc9e19f9 100644
--- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -4,7 +4,7 @@ description: Detects suspicious outbound network activity via kerberos default p
 references:
 - https://github.com/GhostPack/Rubeus8
 author: Ilyas Ochkov, oscd.community
-date: 2019/10/24
+date: 2019/10/24
 tags:
 - attack.lateral_movement
 - attack.t1208

From c243c4e210bf2ac81110502831492b2aa415325b Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 20:58:52 +0300
Subject: [PATCH 085/269] T1035

---
 .../win_service_execution.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/process_creation/win_service_execution.yml

diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
new file mode 100644
index 000000000..0b3c3d356
--- /dev/null
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -0,0 +1,34 @@
+title: Service Execution
+status: experimental
+description: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1035/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\sc.exe'
+ CommandLine:
+ - '*create*binPath=*'
+ - '*start*'
+ - '*delete*'
+ condition: selection
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Admin activity
+level: low
+tags:
+ - attack.execution
+ - attack.t1035

From cd20e4a3fc6b8a2cc187c49f84de341a485be5c1 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:22:41 +0100
Subject: [PATCH 086/269] fix: bound keywords to field in WMI persistence rule

See #501.
---
 rules/windows/other/win_wmi_persistence.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml
index 58bf3033d..f978565a5 100644
--- a/rules/windows/other/win_wmi_persistence.yml
+++ b/rules/windows/other/win_wmi_persistence.yml
@@ -16,9 +16,10 @@ detection:
 selection:
 EventID: 5861
 keywords:
- - 'ActiveScriptEventConsumer'
- - 'CommandLineEventConsumer'
- - 'CommandLineTemplate'
+ Message:
+ - '*ActiveScriptEventConsumer*'
+ - '*CommandLineEventConsumer*'
+ - '*CommandLineTemplate*'
 # - 'Binding EventFilter' # too many false positive with HP Health Driver
 selection2:
 EventID: 5859
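Review bot: `'*start*'` and `'*delete*'` under `CommandLine` match every `sc.exe start` / `sc.exe delete` run (and any unrelated substring such as a path containing `start`), so this rule fires on routine service administration while only `'*create*binPath=*'` is tied to the technique the description and the T1035 reference describe. Consider keeping `create*binPath=` as the scored selection and either dropping the two broad patterns or moving them into their own selection with a comment, and name `sc start` / `sc delete` by administrators explicitly under `falsepositives` instead of the generic `Admin activity`. The rule also lacks the `date:` field that the other rules in this series carry, e.g. `date: 2019/10/29` to match the commit date.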
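Review bot: The commented-out line `# - 'Binding EventFilter' # too many false positive with HP Health Driver` now sits inside the new `Message:` list but still has the old bare-keyword form; if someone re-enables it, it becomes an exact match on the whole `Message` field rather than the substring search its neighbours now perform. Update the comment to the new form now, `# - '*Binding EventFilter*'`, so re-enabling it later does the expected thing.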
From f31750e567b9ae1773867fa61248916b7d2b2332 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:43:04 +0100
Subject: [PATCH 087/269] fix: bound keywords to field in PS cred prompt rule

---
 rules/windows/powershell/powershell_prompt_credentials.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index 6203a5d23..ea97c4a5c 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -17,7 +17,8 @@ detection:
 selection:
 EventID: 4104
 keyword:
- - 'PromptForCredential'
+ Message:
+ - '*PromptForCredential*'
 condition: all of them
 falsepositives:
 - Unknown

From aafab2e936a55d4bf12a1fbe65892695d0a8ea08 Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:53:18 +0100
Subject: [PATCH 088/269] fix: bound keywords to field in multiple PS rules

Rules changed:
- rules/windows/powershell/powershell_malicious_commandlets.yml
- rules/windows/powershell/powershell_malicious_keywords.yml
- rules/windows/powershell/powershell_suspicious_download.yml
- rules/windows/powershell/powershell_suspicious_invocation_specific.yml
---
 .../powershell_malicious_commandlets.yml | 189 +++++++++---------
 .../powershell_malicious_keywords.yml | 41 ++--
 .../powershell_suspicious_download.yml | 5 +-
 ...ershell_suspicious_invocation_specific.yml | 13 +-
 4 files changed, 126 insertions(+), 122 deletions(-)

diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index fcc15429f..c01420607 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
@@ -14,100 +14,101 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - Invoke-DllInjection
- - Invoke-Shellcode
- - Invoke-WmiCommand
- - Get-GPPPassword
- - Get-Keystrokes
- - Get-TimedScreenshot
- - Get-VaultCredential
- - Invoke-CredentialInjection
- - Invoke-Mimikatz
- - Invoke-NinjaCopy
- - Invoke-TokenManipulation
- - Out-Minidump
- - VolumeShadowCopyTools
- - Invoke-ReflectivePEInjection
- - Invoke-UserHunter
- - Find-GPOLocation
- - Invoke-ACLScanner
- - Invoke-DowngradeAccount
- - Get-ServiceUnquoted
- - Get-ServiceFilePermission
- - Get-ServicePermission
- - Invoke-ServiceAbuse
- - Install-ServiceBinary
- - Get-RegAutoLogon
- - Get-VulnAutoRun
- - Get-VulnSchTask
- - Get-UnattendedInstallFile
- - Get-ApplicationHost
- - Get-RegAlwaysInstallElevated
- - Get-Unconstrained
- - Add-RegBackdoor
- - Add-ScrnSaveBackdoor
- - Gupt-Backdoor
- - Invoke-ADSBackdoor
- - Enabled-DuplicateToken
- - Invoke-PsUaCme
- - Remove-Update
- - Check-VM
- - Get-LSASecret
- - Get-PassHashes
- - Show-TargetScreen
- - Port-Scan
- - Invoke-PoshRatHttp
- - Invoke-PowerShellTCP
- - Invoke-PowerShellWMI
- - Add-Exfiltration
- - Add-Persistence
- - Do-Exfiltration
- - Start-CaptureServer
- - Get-ChromeDump
- - Get-ClipboardContents
- - Get-FoxDump
- - Get-IndexedItem
- - Get-Screenshot
- - Invoke-Inveigh
- - Invoke-NetRipper
- - Invoke-EgressCheck
- - Invoke-PostExfil
- - Invoke-PSInject
- - Invoke-RunAs
- - MailRaider
- - New-HoneyHash
- - Set-MacAttribute
- - Invoke-DCSync
- - Invoke-PowerDump
- - Exploit-Jboss
- - Invoke-ThunderStruck
- - Invoke-VoiceTroll
- - Set-Wallpaper
- - Invoke-InveighRelay
- - Invoke-PsExec
- - Invoke-SSHCommand
- - Get-SecurityPackages
- - Install-SSP
- - Invoke-BackdoorLNK
- - PowerBreach
- - Get-SiteListPassword
- - Get-System
- - Invoke-BypassUAC
- - Invoke-Tater
- - Invoke-WScriptBypassUAC
- - PowerUp
- - PowerView
- - Get-RickAstley
- - Find-Fruit
- - HTTP-Login
- - Find-TrustedDocuments
- - Invoke-Paranoia
- - Invoke-WinEnum
- - Invoke-ARPScan
- - Invoke-PortScan
- - Invoke-ReverseDNSLookup
- - Invoke-SMBScanner
- - Invoke-Mimikittenz
+ Message:
+ - "*Invoke-DllInjection*"
+ - "*Invoke-Shellcode*"
+ - "*Invoke-WmiCommand*"
+ - "*Get-GPPPassword*"
+ - "*Get-Keystrokes*"
+ - "*Get-TimedScreenshot*"
+ - "*Get-VaultCredential*"
+ - "*Invoke-CredentialInjection*"
+ - "*Invoke-Mimikatz*"
+ - "*Invoke-NinjaCopy*"
+ - "*Invoke-TokenManipulation*"
+ - "*Out-Minidump*"
+ - "*VolumeShadowCopyTools*"
+ - "*Invoke-ReflectivePEInjection*"
+ - "*Invoke-UserHunter*"
+ - "*Find-GPOLocation*"
+ - "*Invoke-ACLScanner*"
+ - "*Invoke-DowngradeAccount*"
+ - "*Get-ServiceUnquoted*"
+ - "*Get-ServiceFilePermission*"
+ - "*Get-ServicePermission*"
+ - "*Invoke-ServiceAbuse*"
+ - "*Install-ServiceBinary*"
+ - "*Get-RegAutoLogon*"
+ - "*Get-VulnAutoRun*"
+ - "*Get-VulnSchTask*"
+ - "*Get-UnattendedInstallFile*"
+ - "*Get-ApplicationHost*"
+ - "*Get-RegAlwaysInstallElevated*"
+ - "*Get-Unconstrained*"
+ - "*Add-RegBackdoor*"
+ - "*Add-ScrnSaveBackdoor*"
+ - "*Gupt-Backdoor*"
+ - "*Invoke-ADSBackdoor*"
+ - "*Enabled-DuplicateToken*"
+ - "*Invoke-PsUaCme*"
+ - "*Remove-Update*"
+ - "*Check-VM*"
+ - "*Get-LSASecret*"
+ - "*Get-PassHashes*"
+ - "*Show-TargetScreen*"
+ - "*Port-Scan*"
+ - "*Invoke-PoshRatHttp*"
+ - "*Invoke-PowerShellTCP*"
+ - "*Invoke-PowerShellWMI*"
+ - "*Add-Exfiltration*"
+ - "*Add-Persistence*"
+ - "*Do-Exfiltration*"
+ - "*Start-CaptureServer*"
+ - "*Get-ChromeDump*"
+ - "*Get-ClipboardContents*"
+ - "*Get-FoxDump*"
+ - "*Get-IndexedItem*"
+ - "*Get-Screenshot*"
+ - "*Invoke-Inveigh*"
+ - "*Invoke-NetRipper*"
+ - "*Invoke-EgressCheck*"
+ - "*Invoke-PostExfil*"
+ - "*Invoke-PSInject*"
+ - "*Invoke-RunAs*"
+ - "*MailRaider*"
+ - "*New-HoneyHash*"
+ - "*Set-MacAttribute*"
+ - "*Invoke-DCSync*"
+ - "*Invoke-PowerDump*"
+ - "*Exploit-Jboss*"
+ - "*Invoke-ThunderStruck*"
+ - "*Invoke-VoiceTroll*"
+ - "*Set-Wallpaper*"
+ - "*Invoke-InveighRelay*"
+ - "*Invoke-PsExec*"
+ - "*Invoke-SSHCommand*"
+ - "*Get-SecurityPackages*"
+ - "*Install-SSP*"
+ - "*Invoke-BackdoorLNK*"
+ - "*PowerBreach*"
+ - "*Get-SiteListPassword*"
+ - "*Get-System*"
+ - "*Invoke-BypassUAC*"
+ - "*Invoke-Tater*"
+ - "*Invoke-WScriptBypassUAC*"
+ - "*PowerUp*"
+ - "*PowerView*"
+ - "*Get-RickAstley*"
+ - "*Find-Fruit*"
+ - "*HTTP-Login*"
+ - "*Find-TrustedDocuments*"
+ - "*Invoke-Paranoia*"
+ - "*Invoke-WinEnum*"
+ - "*Invoke-ARPScan*"
+ - "*Invoke-PortScan*"
+ - "*Invoke-ReverseDNSLookup*"
+ - "*Invoke-SMBScanner*"
+ - "*Invoke-Mimikittenz*"
 false_positives:
 - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 condition: keywords and not false_positives
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index d2ec581e6..d553efe23 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
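Review bot: `false_positives` is still a bare keyword list (`- Get-SystemDriveInfo`) while `keywords` is now bound to `Message` with `*…*` wildcards, so the two operands of `condition: keywords and not false_positives` are evaluated differently; bind the exclusion the same way, `false_positives:` / `  Message:` / `    - '*Get-SystemDriveInfo*'`. This is not cosmetic: `"*Get-System*"` now substring-matches `Get-SystemDriveInfo` (the reason the exclusion exists), and an unbound exclusion may not cancel it on a backend that maps bare keywords to a different field or a full-text index. Short entries such as `"*PowerUp*"`, `"*PowerView*"`, `"*Check-VM*"`, `"*Remove-Update*"` and `"*Get-System*"` became broad substring matches with the wildcards and deserve an entry under `falsepositives` for benign cmdlets that share those prefixes.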
@@ -14,26 +14,27 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - AdjustTokenPrivileges
- - IMAGE_NT_OPTIONAL_HDR64_MAGIC
- - Microsoft.Win32.UnsafeNativeMethods
- - ReadProcessMemory.Invoke
- - SE_PRIVILEGE_ENABLED
- - LSA_UNICODE_STRING
- - MiniDumpWriteDump
- - PAGE_EXECUTE_READ
- - SECURITY_DELEGATION
- - TOKEN_ADJUST_PRIVILEGES
- - TOKEN_ALL_ACCESS
- - TOKEN_ASSIGN_PRIMARY
- - TOKEN_DUPLICATE
- - TOKEN_ELEVATION
- - TOKEN_IMPERSONATE
- - TOKEN_INFORMATION_CLASS
- - TOKEN_PRIVILEGES
- - TOKEN_QUERY
- - Metasploit
- - Mimikatz
+ Message:
+ - "*AdjustTokenPrivileges*"
+ - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
+ - "*Microsoft.Win32.UnsafeNativeMethods*"
+ - "*ReadProcessMemory.Invoke*"
+ - "*SE_PRIVILEGE_ENABLED*"
+ - "*LSA_UNICODE_STRING*"
+ - "*MiniDumpWriteDump*"
+ - "*PAGE_EXECUTE_READ*"
+ - "*SECURITY_DELEGATION*"
+ - "*TOKEN_ADJUST_PRIVILEGES*"
+ - "*TOKEN_ALL_ACCESS*"
+ - "*TOKEN_ASSIGN_PRIMARY*"
+ - "*TOKEN_DUPLICATE*"
+ - "*TOKEN_ELEVATION*"
+ - "*TOKEN_IMPERSONATE*"
+ - "*TOKEN_INFORMATION_CLASS*"
+ - "*TOKEN_PRIVILEGES*"
+ - "*TOKEN_QUERY*"
+ - "*Metasploit*"
+ - "*Mimikatz*"
 condition: keywords
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_suspicious_download.yml b/rules/windows/powershell/powershell_suspicious_download.yml
index ad8ff90b6..a56980438 100644
--- a/rules/windows/powershell/powershell_suspicious_download.yml
+++ b/rules/windows/powershell/powershell_suspicious_download.yml
@@ -10,8 +10,9 @@ logsource:
 service: powershell
 detection:
 keywords:
- - 'System.Net.WebClient).DownloadString('
- - 'system.net.webclient).downloadfile('
+ Message:
+ - '*System.Net.WebClient).DownloadString(*'
+ - '*system.net.webclient).downloadfile(*'
 condition: keywords
 falsepositives:
 - PowerShell scripts that download content from the Internet
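Review bot: The two new `Message` patterns in powershell_suspicious_download.yml use inconsistent casing, `System.Net.WebClient).DownloadString(` versus `system.net.webclient).downloadfile(`. The Sigma specification treats plain string matching as case-insensitive, but backend support for that varies, so on a case-sensitive backend the lowercase `downloadfile(` entry silently misses the usual `DownloadFile(` spelling. Normalise both entries to the same casing (`'*System.Net.WebClient).DownloadFile(*'`) and, if case-insensitivity is relied upon, say so in a comment, e.g. `# relies on case-insensitive matching in the backend`.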
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 84ddfe55c..5e7aae6c3 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
@@ -10,12 +10,13 @@ logsource:
 service: powershell
 detection:
 keywords:
- - ' -nop -w hidden -c * [Convert]::FromBase64String'
- - ' -w hidden -noni -nop -c "iex(New-Object'
- - ' -w hidden -ep bypass -Enc'
- - 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- - 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- - 'iex(New-Object Net.WebClient).Download'
+ Message:
+ - '* -nop -w hidden -c * [Convert]::FromBase64String*'
+ - '* -w hidden -noni -nop -c "iex(New-Object*'
+ - '* -w hidden -ep bypass -Enc*'
+ - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
+ - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
+ - '*iex(New-Object Net.WebClient).Download*'
 condition: keywords
 falsepositives:
 - Penetration tests

From ab5556ae8caaef4e446cbd01324c0525cbb2b38f Mon Sep 17 00:00:00 2001
From: Karneades
Date: Tue, 29 Oct 2019 19:59:43 +0100
Subject: [PATCH 089/269] fix: change keyword and bound it to a field

---
 rules/windows/powershell/powershell_suspicious_keywords.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index 42acef2ad..bbfbe5a2c 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
@@ -14,7 +14,8 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- - System.Reflection.Assembly.Load
+ Message:
+ - "*[System.Reflection.Assembly]::Load*"
 condition: keywords
 falsepositives:
 - Penetration tests

From 47f7d648a3aa17c4d3a4c2eee68458f191718dde Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 22:33:03 +0300
Subject: [PATCH 090/269] T1036

---
 .../auditd/lnx_auditd_masquerading_crond.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_masquerading_crond.yml

diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
new file mode 100644
index 000000000..a603be64b
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -0,0 +1,24 @@
+title: Masquerading as Linux crond process
+status: experimental
+description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1036/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'execve'
+ a0: 'cp'
+ a1: '-i'
+ a2: '/bin/sh'
+ a3: '*/crond'
+ condition: selection
+falsepositives:
+ - Admin activity
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1036

From c5599399b50872a6da52e02fa318ffa4a26e2232 Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 22:48:00 +0300
Subject: [PATCH 091/269] Update lnx_auditd_masquerading_crond.yml

---
 rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 2 --
 1 file changed, 2 deletions(-)
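Review bot: The replacement pattern `"*[System.Reflection.Assembly]::Load*"` is narrower than the keyword it replaces: it requires the fully qualified namespace, so the equally common `[Reflection.Assembly]::Load` form no longer matches and coverage drops with this commit. Either add a second entry, `- "*[Reflection.Assembly]::Load*"`, or match the shared suffix with `- "*Reflection.Assembly]::Load*"`. Whether `[` needs escaping inside a wildcard value depends on the backend's wildcard-to-regex conversion, so a comment naming the backend this was validated against would help the next maintainer.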
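Review bot: The selection pins all four positional arguments (`a0: 'cp'`, `a1: '-i'`, `a2: '/bin/sh'`, `a3: '*/crond'`), which transcribes the single Atomic Red Team test command rather than the technique in the description; the `-i` at `a1` means a copy without that flag shifts every later argument by one and is not matched, and `/bin/sh` is the only source path considered. Add a second selection for the flag-less form (`a0: 'cp'`, `a1: '/bin/sh'`, `a2: '*/crond'`) combined with `1 of them`, and put a comment next to the ART reference saying the exact arguments come from the atomic test so they are not read as observed tradecraft. `type: 'execve'` is lowercase while auditd writes `type=EXECVE` and the first rule in this series uses `type: 'SYSCALL'`; the same lowercase form is used in the later lnx_data_compressed.yml and lnx_network_sniffing.yml additions, so confirm the backend matches case-insensitively or use the uppercase record type in all three.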
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index a603be64b..ef5ba8cb3 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,8 +16,6 @@ detection:
 a2: '/bin/sh'
 a3: '*/crond'
 condition: selection
-falsepositives:
- - Admin activity
 level: low
 tags:
 - attack.defense_evasion

From 950796f71f0ff1a984b7c3bed1a2cb05ec41b9df Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 22:48:39 +0300
Subject: [PATCH 092/269] Update lnx_auditd_masquerading_crond.yml

---
 rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index ef5ba8cb3..6849ee989 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,7 +16,7 @@ detection:
 a2: '/bin/sh'
 a3: '*/crond'
 condition: selection
-level: low
+level: medium
 tags:
 - attack.defense_evasion
 - attack.t1036

From 4eb7965662a3eaf1a319c42c35f5cfd5b55ec214 Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 22:54:42 +0300
Subject: [PATCH 093/269] T1002

---
 rules/linux/auditd/win_data_compressed.yml | 31 ++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/linux/auditd/win_data_compressed.yml

diff --git a/rules/linux/auditd/win_data_compressed.yml b/rules/linux/auditd/win_data_compressed.yml
new file mode 100644
index 000000000..469a946a2
--- /dev/null
+++ b/rules/linux/auditd/win_data_compressed.yml
@@ -0,0 +1,31 @@
+title: Data Compressed
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1002/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image:
+ - '*\rar.exe'
+ CommandLine:
+ - '* a -r *'
+ condition: selection1
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - highly likely if default archivator in the monitored environment is rar, and even if not
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1002

From 583980f8ec16eb7e9010c1dbbf1d8e37727d612a Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 22:56:30 +0300
Subject: [PATCH 094/269] Delete win_data_compressed.yml

---
 rules/linux/auditd/win_data_compressed.yml | 31 ----------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 rules/linux/auditd/win_data_compressed.yml

diff --git a/rules/linux/auditd/win_data_compressed.yml b/rules/linux/auditd/win_data_compressed.yml
deleted file mode 100644
index 469a946a2..000000000
--- a/rules/linux/auditd/win_data_compressed.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Data Compressed
-status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
-author: Timur Zinniatullin, oscd.community
-references:
- - https://attack.mitre.org/techniques/T1002/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Image:
- - '*\rar.exe'
- CommandLine:
- - '* a -r *'
- condition: selection1
-fields:
- - Image
- - CommandLine
- - User
- - LogonGuid
- - Hashes
- - ParentProcessGuid
- - ParentCommandLine
-falsepositives:
- - highly likely if default archivator in the monitored environment is rar, and even if not
-level: low
-tags:
- - attack.exfiltration
- - attack.t1002

From 4a560e93751b56f76f5370b8b6d63742549ebc7d Mon Sep 17 00:00:00 2001
From: zinint
Date: Tue, 29 Oct 2019 22:56:45 +0300
Subject: [PATCH 095/269] T1002

---
 rules/linux/auditd/lnx_data_compressed.yml | 29 ++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_data_compressed.yml

diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
new file mode 100644
index 000000000..59e775e0c
--- /dev/null
+++ b/rules/linux/auditd/lnx_data_compressed.yml
@@ -0,0 +1,29 @@
+title: Data Compressed
+status: experimental
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1002/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'execve'
+ a0: 'zip'
+ selection2:
+ type: 'execve'
+ a0: 'gzip'
+ a1: '-f'
+ selection3:
+ type: 'execve'
+ a0: 'tar'
+ a1: '-cvzf'
+ condition: 1 of them
+falsepositives:
+ - highly likely
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1002

From b6403793c1579fcd9288183fb38cd9e939e7b8c9 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 29 Oct 2019 22:06:23 +0100
Subject: [PATCH 096/269] Fixed escaping in rule

---
 rules/windows/process_creation/win_susp_msiexec_web_install.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
index 6611b8e11..c1d8167bf 100644
--- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml
+++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 CommandLine:
- - '* msiexec*:\/\/*'
+ - '* msiexec*://*'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment

From 2eeccf48e0fd7e7d6585d11d915803b5049c7a13 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 29 Oct 2019 22:45:05 +0100
Subject: [PATCH 097/269] Removed line breaks in Elastalert YAML output

Fixes #453
---
 tools/sigma/backends/elasticsearch.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
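Review bot: `selection1` matches on `a0: 'zip'` alone, so every `zip` invocation on the host fires, while `selection2` and `selection3` only match the exact flag strings `-f` and `-cvzf` at position `a1`; `tar -czf`, `tar czvf` or `tar -c -z -f` do not match. That combination of one over-broad and two over-narrow selections is what `falsepositives: - highly likely` admits to; if the rule is meant as a starting point, say so in a comment next to the ART reference and loosen the tar flag with a wildcard such as `a1: '*c*z*f*'`. `level: low` is appropriate, but a sentence in `description` noting that the arguments are taken from the atomic test would stop the exact values being read as observed attacker behaviour.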
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index c61421a3f..db94d23bb 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -888,7 +888,7 @@ class ElastalertBackend(MultiRuleOutputMixin):
 def finalize(self):
 result = ""
 for rulename, rule in self.elastalert_alerts.items():
- result += yaml.dump(rule, default_flow_style=False)
+ result += yaml.dump(rule, default_flow_style=False, width=10000)
 result += '\n'
 return result

From 219f00e3fbd967b862eb01ab0669598e81194686 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 29 Oct 2019 23:04:28 +0100
Subject: [PATCH 098/269] Added command line parameter

Implements #418
---
 rules/windows/process_creation/win_susp_squirrel_lolbin.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index 1e4ddc89d..478dc155d 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -3,6 +3,7 @@ status: experimental
 description: Detects Possible Squirrel Packages Manager as Lolbin
 references:
 - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
+ - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
 tags:
 - attack.execution
 author: Karneades / Markus Neis
@@ -49,7 +50,8 @@ detection:
 - '*\update.exe'
 # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
 CommandLine:
 - '*--processStart*.exe*'
+ - '*--processStartAndWait*.exe*'
 - '*–createShortcut*.exe*'
 condition: selection
-
\ No newline at end of file
+

From 3ac28f3eedfabbafcf5ef6d47c725cf694bf37be Mon Sep 17 00:00:00 2001
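Review bot: `width=10000` caps the line width rather than disabling folding, so a rule whose query string exceeds 10000 characters is still broken across lines by the emitter and the symptom from #453 returns for that case. PyYAML accepts `width=float("inf")` to turn folding off entirely, which states the intent directly: `result += yaml.dump(rule, default_flow_style=False, width=float("inf"))`. If the finite cap is deliberate, a comment above the call such as `# long query strings must not be folded across lines (see #453)` records why the default is unsuitable.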
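Review bot: The new pattern `'*--processStartAndWait*.exe*'` is already covered by the existing `'*--processStart*.exe*'` directly above it, because the `*` after `processStart` also matches `AndWait`; the addition is harmless but suggests the wildcard semantics were overlooked, so either drop it or add a comment saying it is listed for readability. The neighbouring context line `'*–createShortcut*.exe*'` appears to use a single en dash (U+2013) instead of two ASCII hyphens, which would never match a real `--createShortcut` command line; it is worth correcting to `- '*--createShortcut*.exe*'` while this file is being touched.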
From: Florian Roth
Date: Wed, 30 Oct 2019 15:15:57 +0100
Subject: [PATCH 099/269] rule: DTRACK process creation

---
 .../process_creation/win_malware_dtrack.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/process_creation/win_malware_dtrack.yml

diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
new file mode 100644
index 000000000..3b532a1d2
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -0,0 +1,21 @@
+title: DTRACK Process Creation
+status: experimental
+description: Detects specific process parameters as seen in DTRACK infections
+author: Florian Roth
+date: 2019/10/30
+references:
+ - https://securelist.com/my-name-is-dtrack/93338/
+ - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: '* echo EEEE > *'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: critical

From 7e3d8ccaf3958e84c7ee4f8abcc6a79b2cbbb588 Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 19:05:50 +0300
Subject: [PATCH 100/269] T1040

---
 rules/linux/auditd/lnx_network_sniffing.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_network_sniffing.yml

diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
new file mode 100644
index 000000000..373926e6b
--- /dev/null
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -0,0 +1,29 @@
+title: Network Sniffing
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1040/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'execve'
+ a0: 'tcpdump'
+ a1: '-c'
+ a3: '-nnni' # you don't need "n" three times, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
+ selection2:
+ type: 'execve'
+ a0: 'tshark'
+ a1: '-c'
+ a3: '-i'
+ condition: 1 of them
+falsepositives:
+ - Admin activity
+level: low
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040

From cc4a8df5e3dabda2f23a656870facc8f24c83e71 Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 19:06:53 +0300
Subject: [PATCH 101/269] Update lnx_network_sniffing.yml

---
 rules/linux/auditd/lnx_network_sniffing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index 373926e6b..ff2a3772c 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
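Review bot: Both selections require `a1: '-c'` at a fixed position, which is the packet-count limit from the Atomic Red Team test rather than part of the technique; a capture started as `tcpdump -i <iface>` or `tshark -i <iface>` with no `-c` is not matched, and the interface flag in `a3` is only checked behind that `-c <n>` pair. The follow-up commits in this series (the "Update lnx_network_sniffing.yml" hunks that rewrite `a3` and the one adding `-nni`) only widen the `a3` values and keep the `-c` requirement. Add selections for the flag-less form (`a0: 'tcpdump'`, `a1: '-i'` and the same for `tshark`) or document the positional assumption in a comment next to the ART reference so the gap is a known one.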
@@ -13,7 +13,7 @@ detection:
 type: 'execve'
 a0: 'tcpdump'
 a1: '-c'
- a3: '-nnni' # you don't need "n" three times, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
+ a3: '-?n?i' # you don't need "n" three times, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
 selection2:
 type: 'execve'
 a0: 'tshark'

From b5b40f28613d16ed5d92fff4394fb9e52b98a2df Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 19:07:05 +0300
Subject: [PATCH 102/269] Update lnx_network_sniffing.yml

---
 rules/linux/auditd/lnx_network_sniffing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index ff2a3772c..adc3fcfb3 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -13,7 +13,7 @@ detection:
 type: 'execve'
 a0: 'tcpdump'
 a1: '-c'
- a3: '-?n?i' # you don't need "n" three times, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
+ a3: '-?n?i' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
 selection2:
 type: 'execve'
 a0: 'tshark'

From e0c5479f0a6077e455745a79a8594075a166ef3d Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 19:10:48 +0300
Subject: [PATCH 103/269] Update lnx_network_sniffing.yml

---
 rules/linux/auditd/lnx_network_sniffing.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index adc3fcfb3..be23fa30b 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -13,7 +13,9 @@ detection:
 type: 'execve'
 a0: 'tcpdump'
 a1: '-c'
- a3: '-?n?i' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
+ a3:
+ - '-ni'
+ - '-nnni' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
 selection2:
 type: 'execve'
 a0: 'tshark'

From 3d106d8e7f28835026aab8fe1ed0928005bc151d Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 19:11:51 +0300
Subject: [PATCH 104/269] Update lnx_network_sniffing.yml

---
 rules/linux/auditd/lnx_network_sniffing.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index be23fa30b..c364cac91 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -16,6 +16,7 @@ detection:
 a3:
 - '-ni'
 - '-nnni' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯
+ - '-i'
 selection2:
 type: 'execve'
 a0: 'tshark'

From d6617716086bc3d9c031dd287080ea5244dbe931 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 30 Oct 2019 18:22:25 +0100
Subject: [PATCH 105/269] rule: another DTRACK reference

---
 rules/windows/process_creation/win_malware_dtrack.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
index 3b532a1d2..75e4e3ed3 100644
--- a/rules/windows/process_creation/win_malware_dtrack.yml
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -6,6 +6,7 @@ date: 2019/10/30
 references:
 - https://securelist.com/my-name-is-dtrack/93338/
 - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
+ - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
 logsource:
 category: process_creation
 product: windows
From 4741b6a4d649c6b12d5addc67ad8f582a111a729 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 30 Oct 2019 18:22:40 +0100
Subject: [PATCH 106/269] rule: Mustang Panda dropper
---
 .../process_creation/win_apt_mustangpanda.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/win_apt_mustangpanda.yml
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml
new file mode 100644
index 000000000..34a58ba53
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_mustangpanda.yml
@@ -0,0 +1,30 @@
+title: Mustang Panda Dropper
+status: experimental
+description: Detects specific process parameters as used by Mustang Panda droppers
+author: Florian Roth
+date: 2019/10/30
+references:
+ - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
+ - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
+ - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '*Temp\wtask.exe /create*'
+ - '*%windir:~-3,1%%PUBLIC:~-9,1%*'
+ - '*/E:vbscript * C:\Users\*.txt" /F'
+ - '*/tn "Security Script *'
+ - '*%windir:~-1,1%*'
+ selection2:
+ Image:
+ - '*Temp\winwsh.exe'
+ condition: 1 of them
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unlikely
+level: high
From fd09c00b3548436fc86a782d36b76770168b44e2 Mon Sep 17 00:00:00 2001
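Review bot: The new Mustang Panda rule carries no `tags:` block, so unlike its siblings in this series it has no ATT&CK mapping; the `wtask.exe /create` and `/tn "Security Script` patterns are scheduled-task creation (`wtask.exe` in `Temp` is presumably a renamed `schtasks.exe`), so `tags: [attack.execution, attack.persistence, attack.t1053]` fits. Separately, `'*%windir:~-1,1%*'` matches any command line using the cmd substring-expansion trick to spell a single character, which is generic batch obfuscation seen well beyond this actor; with `condition: 1 of them` and `level: high` that one line can fire on unrelated obfuscated scripts. Either require it together with another selection or replace `falsepositives: Unlikely` with a note that environment-variable substring obfuscation in other droppers will match.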
From: zinint Date: Wed, 30 Oct 2019 20:59:07 +0300 Subject: [PATCH 107/269] Update lnx_network_sniffing.yml --- rules/linux/auditd/lnx_network_sniffing.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml index c364cac91..31879c528 100644 --- a/rules/linux/auditd/lnx_network_sniffing.yml +++ b/rules/linux/auditd/lnx_network_sniffing.yml @@ -15,7 +15,8 @@ detection: a1: '-c' a3: - '-ni' - - '-nnni' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" ¯\_(ツ)_/¯ + - '-nni' + - '-nnni' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" - '-i' selection2: type: 'execve' From 11e7bdc7270e7cae1be6f464bd8f8087f93f5d97 Mon Sep 17 00:00:00 2001 From: zinint Date: Wed, 30 Oct 2019 22:59:46 +0300 Subject: [PATCH 108/269] Update lnx_network_sniffing.yml --- rules/linux/auditd/lnx_network_sniffing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml index 31879c528..70cae6654 100644 --- a/rules/linux/auditd/lnx_network_sniffing.yml +++ b/rules/linux/auditd/lnx_network_sniffing.yml @@ -23,7 +23,7 @@ detection: a0: 'tshark' a1: '-c' a3: '-i' - condition: 1 of them + condition: selection1 or selection2 falsepositives: - Admin activity level: low From b3b203e5b19046ef916c55f88082a4ae0c34f8a0 Mon Sep 17 00:00:00 2001 From: zinint Date: Wed, 30 Oct 2019 23:15:19 +0300 Subject: [PATCH 109/269] t1040 --- .../process_creation/win_network_sniffing.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/win_network_sniffing.yml 
diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml
new file mode 100644
index 000000000..f4a3a2d22
--- /dev/null
+++ b/rules/windows/process_creation/win_network_sniffing.yml
@@ -0,0 +1,32 @@
+title: Network Sniffing
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1040/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '*tshark*-i*'
+ - '*windump*'
+ condition: selection
+falsepositives:
+ - Admin activity
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
+
\ No newline at end of file
From 12ef86fcbed2fb0cf63f9ac8627706f9a36e8b52 Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 23:18:37 +0300
Subject: [PATCH 110/269] t1040
---
 .../powershell_network_sniffing.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_network_sniffing.yml
diff --git a/rules/windows/powershell/powershell_network_sniffing.yml b/rules/windows/powershell/powershell_network_sniffing.yml
new file mode 100644
index 000000000..75fa436a0
--- /dev/null
+++ b/rules/windows/powershell/powershell_network_sniffing.yml
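Review bot: `'*windump*'` is a bare substring match on the whole command line, so any process whose arguments merely mention the string (a path, a URL, an installer) fires, and the rule has no `date:` field while every other rule in this series sets one. Tie the patterns to the executable instead, `Image|endswith: ['\tshark.exe', '\windump.exe']`, keeping `CommandLine|contains: '-i'` for the tshark case, and add `date: 2019/10/30` to match the commit. The last added line is whitespace only with no trailing newline, which the repo's YAML linting will flag.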
@@ -0,0 +1,27 @@
+title: Network Sniffing
+status: experimental
+description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1040/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+logsource:
+ product: windows
+ service: powershell
+ description: 'Script block logging must be enabled'
+detection:
+ selection:
+ EventID: 4104
+ keyword1:
+ - '*tshark*-i*'
+ keyword2:
+ - '*windump*'
+ condition: selection and (keyword1 or keyword2)
+falsepositives:
+ - Admin activity
+level: low
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1040
+
\ No newline at end of file
From 60bf34e220e5e84e7c3bc704824a2765dedc511d Mon Sep 17 00:00:00 2001
From: zinint
Date: Wed, 30 Oct 2019 23:30:56 +0300
Subject: [PATCH 111/269] T1042
---
 .../win_change_default_file_association.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/win_change_default_file_association.yml
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
new file mode 100644
index 000000000..e7cd16d34
--- /dev/null
+++ b/rules/windows/process_creation/win_change_default_file_association.yml
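Review bot: `keyword1` and `keyword2` are unbound keyword lists, so each backend decides which fields a free-text search covers; a later commit in this same series binds the builtin rules' keywords to a field for exactly that reason. For event 4104 the script text lives in `ScriptBlockText`, so bind them: `keyword1: ScriptBlockText: '*tshark*-i*'` and `keyword2: ScriptBlockText: '*windump*'` (or fold both into `selection` as a `ScriptBlockText` list and use `condition: selection`). `'*windump*'` on its own also matches any script that merely mentions the name, which `falsepositives` should say.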
@@ -0,0 +1,29 @@
+title: Change Default File Association
+status: experimental
+description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
+author: Timur Zinniatullin, oscd.community
+references:
+ - https://attack.mitre.org/techniques/T1042/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '*cmd.exe*/c*assoc*'
+ condition: selection
+falsepositives:
+ - Admin activity
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+level: low
+tags:
+ - attack.persistence
+ - attack.t1042
From 3107c0c2680d73ff294852434a52e3d12b8ea101 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 31 Oct 2019 09:32:18 +0100
Subject: [PATCH 112/269] rule: Formbook rule improved
---
 .../windows/process_creation/win_malware_formbook.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml
index 2ae667dc4..99cd1e664 100644
--- a/rules/windows/process_creation/win_malware_formbook.yml
+++ b/rules/windows/process_creation/win_malware_formbook.yml
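Review bot: `'*cmd.exe*/c*assoc*'` matches the substring `assoc` anywhere after `/c`, so `cmd.exe /c echo association` or a bare `assoc` query (which only lists mappings and changes nothing) both fire, while `ftype`, the other half of redirecting a handler, is not covered at all. Tighten the write case to `- '*cmd.exe*/c*assoc *=*'` and add `- '*cmd.exe*/c*ftype *=*'`; if the read-only query is meant to be caught as reconnaissance, say so in the description and keep it in a separate, lower-level selection. `falsepositives` should also mention installers and logon scripts that register file types, which is the common benign source of these command lines.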
@@ -3,10 +3,12 @@ status: experimental description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. author: Florian Roth date: 2019/09/30 +modified: 2019/10/31 references: - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/ - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/ + - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ logsource: category: process_creation product: windows @@ -15,10 +17,13 @@ detection: # Parent command line should not contain a space value # This avoids false positives not caused by process injection # e.g. wscript.exe /B sysmon-install.vbs - ParentCommandLine: 'C:\Windows\System32\\*.exe' + ParentCommandLine: + - 'C:\Windows\System32\\*.exe' + - 'C:\Windows\SysWOW64\\*.exe' CommandLine: - - '*\cmd.exe /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' - - '*\cmd.exe /c del "C:\Users\\*\Desktop\\*.exe' + - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' + - '* /c del "C:\Users\\*\Desktop\\*.exe' + - '* /C type nul > "C:\Users\\*\Desktop\\*.exe' condition: selection fields: - CommandLine From 68fd20cb665d0165211a2d0208107cccf1b16682 Mon Sep 17 00:00:00 2001 
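Review bot: The comment above `ParentCommandLine` says parents whose command line contains a space are excluded to avoid false positives, but `'C:\Windows\System32\\*.exe'` (and the new `SysWOW64` twin) is a wildcard that matches spaces too, e.g. `C:\Windows\System32\cmd.exe /c foo.exe`, so the stated guard is not enforced; widening the child patterns from `*\cmd.exe /c del` to `* /c del` leans on that guard even harder. Express the intent with the regex modifier the Elasticsearch backend in this series already imports: `ParentCommandLine|re: '^C:\\Windows\\(System32|SysWOW64)\\[^ ]+\.exe$'`. The new `/C type nul >` pattern is a different behaviour (truncating the dropper rather than deleting it) and deserves a sentence in the description, which sits in the first hunk of this commit.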
From: Karneades Date: Sat, 2 Nov 2019 11:25:29 +0100 Subject: [PATCH 113/269] fix: bound windows event log rules to message field Fixed rules - rules/windows/builtin/win_susp_msmpeng_crash.yml - rules/windows/builtin/win_alert_active_directory_user_control.yml - rules/windows/builtin/win_av_relevant_match.yml - rules/windows/builtin/win_mal_creddumper.yml - rules/windows/builtin/win_susp_sam_dump.yml - rules/windows/builtin/win_alert_mimikatz_keywords.yml - rules/windows/builtin/win_alert_enable_weak_encryption.yml --- ...in_alert_active_directory_user_control.yml | 3 +- .../win_alert_enable_weak_encryption.yml | 10 ++-- .../builtin/win_alert_mimikatz_keywords.yml | 1 + .../windows/builtin/win_av_relevant_match.yml | 46 ++++++++++--------- rules/windows/builtin/win_mal_creddumper.yml | 7 +-- .../builtin/win_susp_msmpeng_crash.yml | 5 +- rules/windows/builtin/win_susp_sam_dump.yml | 3 +- 7 files changed, 42 insertions(+), 33 deletions(-) diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index cb39ccfb1..e8f4a9028 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml @@ -14,7 +14,8 @@ detection: selection: EventID: 4704 keywords: - - 'SeEnableDelegationPrivilege' + Message: + - '*SeEnableDelegationPrivilege*' condition: all of them falsepositives: - Unknown diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index b09d69b7a..7d2974ba3 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml 
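Review bot: Binding the keyword to `Message: '*SeEnableDelegationPrivilege*'` turns a backend free-text search into a field match, so the rule now depends on the field-mapping config actually mapping `Message`; shippers differ here (winlogbeat, for instance, carries the rendered text as `message`, and pipelines that split the event into separate fields may have no consolidated text at all), and on such a backend the rule converts cleanly and silently matches nothing. Add a one-line comment above `keywords:` stating the dependency, e.g. `# requires the backend config to map 'Message' to the rendered event text`, and confirm the shipped configs define that mapping. The same caveat applies to every file in this commit; the other hunks are reviewed separately.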
@@ -15,11 +15,13 @@ detection: selection: EventID: 4738 keywords: - - 'DES' - - 'Preauth' - - 'Encrypted' + Message: + - '*DES*' + - '*Preauth*' + - '*Encrypted*' filters: - - 'Enabled' + Message: + - '*Enabled*' condition: selection and keywords and filters falsepositives: - Unknown diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 5ba0670cb..e0d4033be 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -14,6 +14,7 @@ logsource: product: windows detection: keywords: + Message: - "* mimikatz *" - "* mimilib *" - "* <3 eo.oe *" diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index b30270453..6187109d3 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml @@ -6,29 +6,31 @@ logsource: service: application detection: keywords: - - HTool - - Hacktool - - ASP/Backdoor - - JSP/Backdoor - - PHP/Backdoor - - Backdoor.ASP - - Backdoor.JSP - - Backdoor.PHP - - Webshell - - Portscan - - Mimikatz - - WinCred - - PlugX - - Korplug - - Pwdump - - Chopper - - WmiExec - - Xscan - - Clearlog - - ASPXSpy + Message: + - "*HTool*" + - "*Hacktool*" + - "*ASP/Backdoor*" + - "*JSP/Backdoor*" + - "*PHP/Backdoor*" + - "*Backdoor.ASP*" + - "*Backdoor.JSP*" + - "*Backdoor.PHP*" + - "*Webshell*" + - "*Portscan*" + - "*Mimikatz*" + - "*WinCred*" + - "*PlugX*" + - "*Korplug*" + - "*Pwdump*" + - "*Chopper*" + - "*WmiExec*" + - "*Xscan*" + - "*Clearlog*" + - "*ASPXSpy*" filters: - - Keygen - - Crack + Message: + - "*Keygen*" + - "*Crack*" condition: keywords and not 1 of filters falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 1b748ef41..01039d732 100644 
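Review bot: `keywords` and `filters` are independent substring tests over the whole 4738 message, so a single event where, say, a `DES` flag is recorded as `- Disabled` next to some unrelated attribute change recorded as `- Enabled` still satisfies `keywords and filters` and fires, and case-insensitive `'*DES*'` also matches other text in the event. If the message uses the usual `'<flag>' - Enabled` rendering (confirm against a live 4738 sample), pair each flag with its state in one pattern, e.g. `'*DES Encryption Types*- Enabled*'` and `'*Preauth*- Enabled*'`, and drop the separate `filters` selection. Note that `filters` here is a positive requirement rather than an exclusion, which the name invites a reader to misread; `condition` is in this hunk.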
--- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -15,9 +15,10 @@ detection: EventID: - 7045 keywords: - - 'WCE SERVICE' - - 'WCESERVICE' - - 'DumpSvc' + Message: + - '*WCE SERVICE*' + - '*WCESERVICE*' + - '*DumpSvc*' quarkspwdump: EventID: 16 HiveName: '*\AppData\Local\Temp\SAM*.dmp' diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index c935fface..9f725c6d4 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -21,8 +21,9 @@ detection: Source: 'Windows Error Reporting' EventID: 1001 keywords: - - 'MsMpEng.exe' - - 'mpengine.dll' + Message: + - '*MsMpEng.exe*' + - '*mpengine.dll*' condition: 1 of selection* and all of keywords falsepositives: - MsMpEng.exe can crash when C:\ is full diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml index 0f71f622b..b8ed30dbe 100644 --- a/rules/windows/builtin/win_susp_sam_dump.yml +++ b/rules/windows/builtin/win_susp_sam_dump.yml @@ -13,7 +13,8 @@ detection: selection: EventID: 16 keywords: - - '*\AppData\Local\Temp\SAM-*.dmp *' + Message: + - '*\AppData\Local\Temp\SAM-*.dmp *' condition: all of them falsepositives: - Penetration testing From 0117dac1db97a0049eac059d60951826fa520fdb Mon Sep 17 00:00:00 2001 From: Karneades Date: Sat, 2 Nov 2019 11:43:04 +0100 Subject: [PATCH 114/269] fix: bound sysmon logon script rule to field Fixed rule: - rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml --- ...smon_logon_scripts_userinitmprlogonscript.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml index f4fdf4183..2453d5214 100644 --- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml 
+++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml @@ -18,17 +18,23 @@ detection: exec_exclusion: Image: '*\explorer.exe' CommandLine: '*\netlogon.bat' - create_selection: + create_selection_cli: EventID: - 1 + create_selection_reg: + EventID: - 11 - 12 - 13 - 14 - create_keywords: - - UserInitMprLogonScript - condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords) + create_keywords_reg: + TargetObject: + - '*UserInitMprLogonScript*' + create_keywords_cli: + CommandLine: + - '*UserInitMprLogonScript*' + condition: (exec_selection and not exec_exclusion) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli) falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming -level: high \ No newline at end of file +level: high From c9eb921f68cb9b16649a92d16e4a275c6077da22 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 2 Nov 2019 22:54:35 +0100 Subject: [PATCH 115/269] ConditionAND/OR constructor now allows arbeitrary number of operands --- tools/sigma/parser/condition.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 626b6093e..db40575d3 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -202,11 +202,11 @@ class ConditionAND(ConditionBase): """AND Condition""" op = COND_AND - def __init__(self, sigma=None, op=None, val1=None, val2=None): - if sigma == None and op == None and val1 == None and val2 == None: # no parameters given - initialize empty + def __init__(self, sigma=None, op=None, *args): + if sigma == None and op == None and len(args) == 0: # no parameters given - initialize empty self.items = list() else: # called by parser, use given values - self.items = [ val1, val2 ] + self.items = args class ConditionOR(ConditionAND): """OR Condition""" 
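Review bot: `create_selection_reg` lists EventID 11 next to 12–14, but Sysmon event 11 is FileCreate and carries `TargetFilename`, not `TargetObject`, so the `create_selection_reg and create_keywords_reg` branch can never match an event 11 and the file-write case the old unbound keyword caught is lost. Either drop `11` from the list or give it its own pair, `create_selection_file: EventID: 11` with `create_keywords_file: TargetFilename: '*UserInitMprLogonScript*'`, and add that pair to `condition`. `exec_selection`, referenced by the condition, is defined above the hunk.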
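Review bot: `self.items = args` stores a tuple, while the empty-constructor branch two lines up stores a `list()`, so the two code paths now hand out different types for the same attribute; any caller that appends to or assigns into `items` (the empty path suggests it is built up incrementally) will fail only for parser-built nodes. Use `self.items = list(args)` to keep the invariant. Also `sigma == None and op == None` should be `is None` per PEP 8, and a docstring line noting that operands are now variadic (`ConditionAND(sigma, op, *operands)`) would save the next reader a trip to the parser.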
From 8af2b705942475d1fd1c4b313655dc9e14b8a274 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 2 Nov 2019 22:55:04 +0100 Subject: [PATCH 116/269] Restrict search not bound to fields to keyword fields --- tools/sigma/backends/elasticsearch.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index db94d23bb..1a7be9a3d 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -22,6 +22,7 @@ import sys import sigma import yaml from sigma.parser.modifiers.type import SigmaRegularExpressionModifier +from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression from .base import BaseBackend, SingleTextQueryBackend from .mixins import RulenameCommentMixin, MultiRuleOutputMixin from .exceptions import NotSupportedError 
@@ -109,6 +110,29 @@ class ElasticsearchQuerystringBackend(ElasticsearchWildcardHandlingMixin, Single if expression: return "(%s%s)" % (self.notToken, expression) + def generateSubexpressionNode(self, node): + """Check for search not bound to a field and restrict search to keyword fields""" + nodetype = type(node.items) + if nodetype in { ConditionAND, ConditionOR } and type(node.items.items) == list and { type(item) for item in node.items.items }.issubset({str, int}): + newitems = list() + for item in node.items: + newitem = item + if type(item) == str: + if not item.startswith("*"): + newitem = "*" + newitem + if not item.endswith("*"): + newitem += "*" + newitems.append(newitem) + else: + newitems.append(item) + newnode = NodeSubexpression(nodetype(None, None, *newitems)) + self.matchKeyword = True + result = "\\*.keyword:" + super().generateSubexpressionNode(newnode) + self.matchKeyword = False # one of the reasons why the converter needs some major overhaul + return result + else: + return super().generateSubexpressionNode(node) + class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend): """ElasticSearch DSL backend""" identifier = 'es-dsl' From 4f19ef57084ee6656cf2e3d9f953e7b7a3693e2d Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 2 Nov 2019 22:56:01 +0100 Subject: [PATCH 117/269] Graylog backend now derived from es-qs Technically, Graylog is ES. Fixes and improvements for ES didn't propagate to Graylog, now they do. --- tools/sigma/backends/graylog.py | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/tools/sigma/backends/graylog.py b/tools/sigma/backends/graylog.py index 6a875e04c..615cca1b1 100644 --- a/tools/sigma/backends/graylog.py +++ b/tools/sigma/backends/graylog.py 
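Review bot: `type(node.items.items) == list` gates the whole keyword-field rewrite, but the `ConditionAND`/`ConditionOR` constructor changed in this same series stores `*args` as a tuple, so for parser-built nodes the test is false and unbound keywords fall through to `super()` unchanged, silently defeating the restriction to `*.keyword`. Test with `isinstance(node.items.items, (list, tuple))` (or fix the constructor to store a list). `self.matchKeyword` is also set and reset around the `super()` call without `try/finally`, so an exception leaves the backend flipped into keyword mode for the next rule; wrap it as `try: result = ...` / `finally: self.matchKeyword = False`. The `ElasticsearchQuerystringBackend` class header is outside the hunk.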
@@ -15,24 +15,13 @@ # along with this program. If not, see . import re -from .base import SingleTextQueryBackend +from .elasticsearch import ElasticsearchQuerystringBackend -class GraylogQuerystringBackend(SingleTextQueryBackend): +class GraylogQuerystringBackend(ElasticsearchQuerystringBackend): """Converts Sigma rule into Graylog query string. Only searches, no aggregations.""" identifier = "graylog" active = True config_required = False reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(? Date: Sun, 3 Nov 2019 23:32:50 +0100 Subject: [PATCH 118/269] Default configurations for backends --- tools/sigma/backends/base.py | 1 + tools/sigma/backends/limacharlie.py | 4 +++- tools/sigma/backends/logpoint.py | 2 ++ tools/sigma/backends/netwitness.py | 2 ++ tools/sigma/backends/powershell.py | 2 ++ tools/sigma/backends/qradar.py | 2 ++ tools/sigma/backends/qualys.py | 2 ++ tools/sigma/backends/sumologic.py | 2 ++ tools/sigmac | 17 +++++++++++------ 9 files changed, 27 insertions(+), 7 deletions(-) diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index fb09b841f..4675b0197 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -89,6 +89,7 @@ class BaseBackend: file_list = None options = tuple() # a list of tuples with following elements: option name, default value, help text, target attribute name (option name if None) config_required = True + default_config = None def __init__(self, sigmaconfig, backend_options=dict()): """ diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 801a21c74..3180e2a83 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py 
@@ -155,6 +155,8 @@ class LimaCharlieBackend(BaseBackend): """Converts Sigma rule into LimaCharlie D&R rules. Contributed by LimaCharlie. https://limacharlie.io""" identifier = "limacharlie" active = True + config_required = False + default_config = ["limacharlie"] def generate(self, sigmaparser): # Take the log source information and figure out which set of mappings to use. @@ -409,4 +411,4 @@ class LimaCharlieBackend(BaseBackend): return ("starts with", val[:-1]) elif val.startswith("*"): return ("ends with", val[1:]) - return ("is", val) \ No newline at end of file + return ("is", val) diff --git a/tools/sigma/backends/logpoint.py b/tools/sigma/backends/logpoint.py index 230b5139e..6b8edd58a 100644 --- a/tools/sigma/backends/logpoint.py +++ b/tools/sigma/backends/logpoint.py @@ -22,6 +22,8 @@ class LogPointBackend(SingleTextQueryBackend): """Converts Sigma rule into LogPoint query""" identifier = "logpoint" active = True + config_required = False + default_config = ["sysmon", "logpoint-windows"] # \ -> \\ # \* -> \* diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py index fbbd5ed22..25aed08d0 100644 --- a/tools/sigma/backends/netwitness.py +++ b/tools/sigma/backends/netwitness.py @@ -24,6 +24,8 @@ from .mixins import MultiRuleOutputMixin class NetWitnessBackend(SingleTextQueryBackend): """Converts Sigma rule into NetWitness saved search. Contributed by @tuckner""" identifier = "netwitness" + config_required = False + default_config = ["sysmon", "netwitness"] active = True reEscape = re.compile('(")') reClear = None diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py index a6fbb1d74..a4de4f9d6 100644 --- a/tools/sigma/backends/powershell.py +++ b/tools/sigma/backends/powershell.py 
@@ -23,6 +23,8 @@ class PowerShellBackend(SingleTextQueryBackend): """Converts Sigma rule into PowerShell event log cmdlets.""" identifier = "powershell" active = True + config_required = False + default_config = ["sysmon", "powershell"] options = ( ("csv", False, "Return the results in CSV format instead of Powershell objects", None), ) diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py index 996faf6dd..455a368f0 100644 --- a/tools/sigma/backends/qradar.py +++ b/tools/sigma/backends/qradar.py @@ -27,6 +27,8 @@ class QRadarBackend(SingleTextQueryBackend): """Converts Sigma rule into Qradar saved search. Contributed by SOC Prime. https://socprime.com""" identifier = "qradar" active = True + config_required = False + default_config = ["sysmon", "qradar"] reEscape = re.compile('(")') reClear = None andToken = " and " diff --git a/tools/sigma/backends/qualys.py b/tools/sigma/backends/qualys.py index fbe0ff4e7..668cf6db8 100644 --- a/tools/sigma/backends/qualys.py +++ b/tools/sigma/backends/qualys.py @@ -22,6 +22,8 @@ class QualysBackend(SingleTextQueryBackend): """Converts Sigma rule into Qualys saved search. Contributed by SOC Prime. https://socprime.com""" identifier = "qualys" active = True + config_required = False + default_config = ["sysmon", "qualys"] andToken = " and " orToken = " or " notToken = "not " diff --git a/tools/sigma/backends/sumologic.py b/tools/sigma/backends/sumologic.py index db63d5163..0613c7fbf 100644 --- a/tools/sigma/backends/sumologic.py +++ b/tools/sigma/backends/sumologic.py @@ -32,6 +32,8 @@ class SumoLogicBackend(SingleTextQueryBackend): """Converts Sigma rule into SumoLogic query""" identifier = "sumologic" active = True + config_required = False + default_config = ["sysmon", "sumologic"] index_field = "_index" reClear = None diff --git a/tools/sigmac b/tools/sigmac index d3d90d875..468757f16 100755 --- a/tools/sigmac +++ b/tools/sigmac 
@@ -168,6 +168,16 @@ if cmdargs.filter: sys.exit(ERR_RULE_FILTER_PARSING) sigmaconfigs = SigmaConfigurationChain() +backend_class = backends.getBackend(cmdargs.target) +if cmdargs.config is None: + if backend_class.config_required and not cmdargs.shoot_yourself_in_the_foot: + print("The backend you want to use usually requires a configuration to generate valid results. Please provide one with --config/-c.", file=sys.stderr) + print("Available choices for this backend (get complete list with --lists/-l):") + list_configurations(cmdargs.target) + sys.exit(ERR_CONFIG_REQUIRED) + if backend_class.default_config is not None: + cmdargs.config = backend_class.default_config + if cmdargs.config: order = 0 for conf_name in cmdargs.config: @@ -198,12 +208,7 @@ if cmdargs.config: exit(ERR_CONFIG_PARSING) backend_options = BackendOptions(cmdargs.backend_option, cmdargs.backend_config) -backend = backends.getBackend(cmdargs.target)(sigmaconfigs, backend_options) -if backend.config_required and cmdargs.config is None and not cmdargs.shoot_yourself_in_the_foot: - print("The backend you want to use usually requires a configuration to generate valid results. Please provide one with --config/-c.", file=sys.stderr) - print("Available choices for this backend (get complete list with --lists/-l):") - list_configurations(cmdargs.target) - sys.exit(ERR_CONFIG_REQUIRED) +backend = backend_class(sigmaconfigs, backend_options) filename = cmdargs.output if filename: From 8a35a51211d7cf1fdd71c891665b79acbc0e8274 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:08:17 +0300 Subject: [PATCH 119/269] Update lnx_auditd_web_rce.yml --- rules/linux/auditd/lnx_auditd_web_rce.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml index 2f4baa176..d7c6463cd 100644 --- a/rules/linux/auditd/lnx_auditd_web_rce.yml +++ b/rules/linux/auditd/lnx_auditd_web_rce.yml 
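Review bot: When `--config` is omitted the default configurations are applied silently, so `sigmac -t qradar rule.yml` now emits output shaped by the `sysmon` and `qradar` mappings with no indication on stdout or stderr, which makes results hard to reproduce or debug once a default changes. Print the choice before assigning it, e.g. `print("No configuration given, using backend default: %s" % ", ".join(backend_class.default_config), file=sys.stderr)`. Note also that on a `config_required` backend that also defines a default, `--shoot-yourself-in-the-foot` no longer yields a config-less run because the default is applied anyway; if that precedence is intended, say so in the flag's help text, otherwise guard the assignment with the flag.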
@@ -1,16 +1,18 @@ -title: Webshell/RCE command execute detect +title: Webshell Remote Command Execution status: experimental -description: Posible command execute detect on web application/web shell +description: Detects posible command execution by web application/web shell # You need to add to the config auditd.conf: # -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www # -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www # change 33 to id you webserver user. default: www-data:x:33:33 tags: - attack.persistence + - attack.t1100 references: - personal experience -author: Ilyas Ochkov and Beyu Denis , oscd.community +author: Ilyas Ochkov, Beyu Denis, oscd.community date: 2019/10/12 +modified: 2019/11/04 logsource: product: linux service: auditd @@ -24,5 +26,3 @@ falsepositives: - Admin activity - Crazy web applications level: critical - - From 5786688f971242d653a499a9655a9f5e6ca3277a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 4 Nov 2019 16:10:10 +0100 Subject: [PATCH 120/269] rule: Firewall disabled via Netsh --- .../win_susp_firewall_disable.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_firewall_disable.yml diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml new file mode 100644 index 000000000..e1d7b1ba0 --- /dev/null +++ b/rules/windows/process_creation/win_susp_firewall_disable.yml 
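Review bot: The audit rule documented in the comment, `-F euid=33`, filters on the effective uid at syscall exit, so an execve of a setuid binary by the web server user (`sudo`, `su`, `ping`) presumably leaves with `euid=0` and escapes the key, which is exactly the escalation step a webshell takes after landing; add a parallel rule keyed on the real uid, `-a always,exit -F arch=b64 -S execve -F uid=33 -k detect_execve_www`, and say why in the comment. The description still reads `posible`, and since every execve by the web user matches, including ordinary CGI or `exec()` calls from legitimate PHP applications, `falsepositives` should name that class explicitly rather than `Crazy web applications` given `level: critical`. `falsepositives` and `level` are in the second hunk of this commit.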
@@ -0,0 +1,22 @@
+title: Firewall Disabled via Netsh
+description: Detects netsh commands that turns off the Windows firewall
+references:
+ - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
+ - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
+date: 2019/11/01
+status: experimental
+author: Fatih Sirin
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - netsh firewall set opmode mode=disable
+ - netsh advfirewall set * state off
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: medium
From a800093aaf3714c2fb2a633bcb3ae2fa875d03f7 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 4 Nov 2019 18:14:44 +0300
Subject: [PATCH 121/269] Update win_susp_bginfo.yml
---
 rules/windows/process_creation/win_susp_bginfo.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml
index e18d5955d..80e6d4a9a 100644
--- a/rules/windows/process_creation/win_susp_bginfo.yml
+++ b/rules/windows/process_creation/win_susp_bginfo.yml
@@ -1,13 +1,16 @@
-title: BYPASSING APPLICATION WHITELISTING WITH BGINFO
+title: Application whitelisting bypass via bginfo
 status: experimental
 description: Execute VBscript code that is referenced within the *.bgi file.
 references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Bginfo.yml
 - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
-author: Beyu Denis
+author: Beyu Denis, oscd.community
 date: 2019/10/26
+modified: 2019/11/04
 tags:
- - attack.persistence
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218
 level: medium
 logsource:
 category: process_creation
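Review bot: Both `CommandLine` patterns are anchored at the start (no leading `*`), so a full-path invocation `C:\Windows\System32\netsh.exe firewall set opmode mode=disable`, a quoted `"netsh"`, or `netsh.exe advfirewall set allprofiles state off` are all missed. Wildcard both ends or use `CommandLine|contains|all` groups: `- '*netsh*firewall*set*opmode*mode=disable*'` and `- '*netsh*advfirewall*set*state*off*'`. Also add the technique under `tags:` (`attack.t1089`, Disabling Security Tools in the ATT&CK version this series maps to) so the rule lines up with its siblings, and quote the second value so the unquoted `*` in a plain scalar does not trip a reader or a stricter linter.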
@@ -15,8 +18,9 @@ logsource: detection: selection: Image: '*\bginfo.exe' - CommandLine: '* /popup /nolicprompt' + CommandLine|contains|all: + - '/popup' + - '/nolicprompt' condition: selection falsepositives: - Unknown - From 43c20d203d1bfffdc22fbe3f1cfd209aa619a14a Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:16:39 +0300 Subject: [PATCH 122/269] Update and rename win_susp_capture_screenshots.yml to win_susp_psr_capture_screenshots.yml --- ...e_screenshots.yml => win_susp_psr_capture_screenshots.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/process_creation/{win_susp_capture_screenshots.yml => win_susp_psr_capture_screenshots.yml} (88%) diff --git a/rules/windows/process_creation/win_susp_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml similarity index 88% rename from rules/windows/process_creation/win_susp_capture_screenshots.yml rename to rules/windows/process_creation/win_susp_psr_capture_screenshots.yml index 061e174a5..31779b045 100644 --- a/rules/windows/process_creation/win_susp_capture_screenshots.yml +++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml @@ -6,6 +6,7 @@ references: - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf author: Beyu Denis, oscd.community date: 2019/10/12 +modified: 2019/11/04 tags: - attack.persistence - attack.t1218 @@ -16,8 +17,7 @@ logsource: detection: selection: Image: '*\Psr.exe' - CommandLine: '*/start*' + CommandLine|contains: '/start' condition: selection falsepositives: - Unknown - From 989d75033a85dc5f7b8892ce73cd6c83294b62bf Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:25:30 +0300 Subject: [PATCH 123/269] Update win_susp_cdb.yml --- rules/windows/process_creation/win_susp_cdb.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
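Review bot: With `contains|all` on `/popup` and `/nolicprompt` the rule now matches regardless of argument order, which is an improvement, but `/nolicprompt` is the switch ordinary BGInfo logon-script deployments commonly pass to suppress the EULA dialog, so the discriminating token here is `/popup`. `falsepositives: Unknown` therefore undersells the situation; suggest `- BGInfo deployment scripts that use /popup` so an analyst knows what to check. The referenced oddvar.moe post, as I recall, also shows the `.bgi` being pulled from a remote WebDAV share; if the team wants a higher-confidence sibling, a second rule keyed on a UNC path together with `.bgi` would separate "remote config" from "local config".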
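Review bot: The tags left as context in the psr hunk, `attack.persistence` and `attack.t1218`, do not describe what `psr.exe /start` does — it records the screen, which is collection; `attack.collection` and `attack.t1113` (Screen Capture) are the matching tactic and technique. `contains '/start'` is reasonable, because the Steps Recorder GUI starts a recording from its own button and `/start` only appears on the command line in scripted use; the stealthy form typically also passes `/gui 0` to hide the recorder window, so documenting `/gui 0` as the stronger indicator (or adding a second `contains` on it for a high-confidence variant) would help triage. `falsepositives: Unknown` could mention helpdesk automation that drives Steps Recorder from scripts.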
diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml index c6a41d841..27c32c907 100644 --- a/rules/windows/process_creation/win_susp_cdb.yml +++ b/rules/windows/process_creation/win_susp_cdb.yml @@ -1,13 +1,16 @@ -title: Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner +title: Possible Application Whitelisting Bypass via WinDbg/CDB as a shellcode runner status: experimental description: Launch 64-bit shellcode from the x64_calc.wds file using cdb.exe. references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Cdb.yml - http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html -author: Beyu Denis +author: Beyu Denis, oscd.community date: 2019/10/26 +modified: 2019/11/04 tags: - - attack.persistence + - attack.defense_evasion + - attack.execution + - attack.t1218 level: medium logsource: category: process_creation @@ -15,7 +18,7 @@ logsource: detection: selection: Image: '*\cdb.exe' - CommandLine: '* -cf *.wds -o *' + CommandLine|contains: '-cf' condition: selection falsepositives: - - Unknown + - Legitimate use of debugging tools From dc23e566a0712e6d8a790706b3ee64ef53c3c4e3 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:30:04 +0300 Subject: [PATCH 124/269] Update win_susp_devtoolslauncher_execution.yml --- .../win_susp_devtoolslauncher_execution.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml b/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml index 658a65949..9ef34bfaa 100644 --- a/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml +++ b/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml 
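Review bot: `CommandLine|contains: '-cf'` is an unanchored substring, so the new rule also trips on a cdb run whose only `-cf` sits inside a path or dump name (`C:\builds-cfg\app.dmp`), while the thing that made the old pattern meaningful — a script handed to `-cf` (or `-cfr`) — is no longer what is being tested. `CommandLine|contains: [' -cf ', ' -cfr ']` keeps the bounding spaces and still drops the `.wds` assumption, which was right to drop since cdb reads a script file of any name. The description is the LOLBAS PoC text (`Launch 64-bit shellcode from the x64_calc.wds file`) rather than what the rule detects; `Detects cdb.exe started with a script file (-cf/-cfr), which can be abused to run arbitrary shellcode` would tell an analyst what fired.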
@@ -6,8 +6,10 @@ references: - https://twitter.com/_felamos/status/1179811992841797632 author: Beyu Denis, oscd.community (rule), @_felamos (idea) date: 2019/10/12 +modified: 2019/11/04 tags: - - attack.persistence + - attack.defense_evasion + - attack.execution - attack.t1218 level: critical logsource: @@ -16,8 +18,7 @@ logsource: detection: selection: Image: '*\devtoolslauncher.exe' - CommandLine: '*LaunchForDeploy*' + CommandLine|contains: 'LaunchForDeploy' condition: selection falsepositives: - - Unknown - + - Legitimate use of devtoolslauncher.exe by legitimate user From a9fdfee5c2ba80a82261ed611c3b33fb3fb792b7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:34:25 +0300 Subject: [PATCH 125/269] Update win_susp_dnx.yml --- .../windows/process_creation/win_susp_dnx.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml index fabdc0bc2..517b21271 100644 --- a/rules/windows/process_creation/win_susp_dnx.yml +++ b/rules/windows/process_creation/win_susp_dnx.yml @@ -1,19 +1,23 @@ -title: Bypassing Application Whitelisting by using dnx.exe +title: Application Whitelisting bypass via dnx.exe status: experimental description: Execute C# code located in the consoleapp folder references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ -author: Beyu Denis +author: Beyu Denis, oscd.community date: 2019/10/26 -tags: attack.persistence +modified: 2019/11/04 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 level: medium logsource: category: process_creation product: windows detection: - selection: - Image: '*\dnx.exe' - condition: selection + selection: + Image: '*\dnx.exe' + condition: selection falsepositives: - - Unknown + - Legitimate use of dnx.exe by legitimate user 
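Review bot: `level: critical` (context at the top of the first devtoolslauncher hunk) sits oddly next to the new `falsepositives` entry, which now concedes legitimate use of `devtoolslauncher.exe`, and next to the sibling LOLBIN rules in this series (bginfo, cdb, dnx, dxcap, odbcconf) that are all `medium`; `high` would be consistent with a single `contains 'LaunchForDeploy'` match. The falsepositive text itself is tautological (`by legitimate user`); name the case instead, e.g. `- Developer tooling that invokes devtoolslauncher.exe for app deployment`. That wording is an inference from the binary's name and the `LaunchForDeploy` verb, so confirm it against the LOLBAS entry before writing it in.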
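Review bot: The LOLBAS reference in the dnx hunk points at `OtherMSBinaries/Csi.yml`, yet the rule is about `dnx.exe`; that looks like a copy-over from the csi rule and should point at the Dnx entry (`OtherMSBinaries/Dnx.yml`), which is what the description (`Execute C# code located in the consoleapp folder`) is paraphrasing. With `Image: '*\dnx.exe'` as the sole criterion every dnx invocation alerts; dnx only shipped with the pre-1.0 .NET Core / ASP.NET 5 tooling, so that is probably acceptable today, but the falsepositives line should say `- Legacy DNX (ASP.NET 5) build or CI hosts` rather than the tautological `by legitimate user`.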
From 56b7402e629c02d65daa6bb27ac0fd94dd530b8a Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:38:37 +0300 Subject: [PATCH 126/269] Update win_susp_dxcap.yml --- .../process_creation/win_susp_dxcap.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml index 41092e92a..4e69e9db0 100644 --- a/rules/windows/process_creation/win_susp_dxcap.yml +++ b/rules/windows/process_creation/win_susp_dxcap.yml @@ -1,12 +1,16 @@ -title: Bypassing Application Whitelisting by using dxcap.exe +title: Application Whitelisting bypass via dxcap.exe status: experimental -description: Local execution of a process as a subprocess of Dxcap.exe +description: Detects execution of of Dxcap.exe references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dxcap.yml - https://twitter.com/harr0ey/status/992008180904419328 -author: Beyu Denis +author: Beyu Denis, oscd.community date: 2019/10/26 -tags: attack.persistence +modified: 2019/11/04 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218 level: medium logsource: category: process_creation @@ -14,7 +18,9 @@ logsource: detection: selection: Image: '*\dxcap.exe' - CommandLine: '* -c *.exe' + CommandLine|contains|all: + - '-c' + - '.exe' condition: selection falsepositives: - - Unknown \ No newline at end of file + - Legitimate execution of dxcap.exe by legitimate user From a66539c77134222e3f139f2999dd47228378532d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:42:26 +0300 Subject: [PATCH 127/269] Update win_susp_msoffice.yml --- .../process_creation/win_susp_msoffice.yml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml index 50be710ab..f742afd08 100644 
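Review bot: The new description reads `Detects execution of of Dxcap.exe` (doubled "of") and it now says less than the detection checks — the selection requires both `-c` and `.exe`, i.e. dxcap launching another executable, which is the LOLBAS technique; suggest `description: Detects dxcap.exe launching another executable via -c, a known application-whitelisting bypass`. `'-c'` as a bare substring also matches any other switch or path fragment beginning with `-c`; `' -c '` with bounding spaces keeps the intent of the old `'* -c *.exe'` pattern. `'.exe'` is a weak companion (the launched file need not carry that extension), so decide whether that false negative is acceptable and say so in a comment.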
--- a/rules/windows/process_creation/win_susp_msoffice.yml +++ b/rules/windows/process_creation/win_susp_msoffice.yml @@ -1,26 +1,28 @@ -title: Malicious payload download via Office binaries +title: Malicious payload download via Office binaries status: experimental description: Downloads payload from remote server references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Powerpnt.yml - https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 - Reegun J (OCBC Bank) -author: Beyu Denis +author: Beyu Denis, oscd.community date: 2019/10/26 +modified: 2019/11/04 tags: - - attack.persistence + - attack.command_and_control + - attack.lateral_movement + - attack.t1105 level: medium logsource: category: process_creation product: windows detection: - selection: - Image: - - '*\powerpnt.exe' - - '*\winword.exe' - - '*\excel.exe' - CommandLine: '* http*' - condition: selection + selection: + Image: + - '*\powerpnt.exe' + - '*\winword.exe' + - '*\excel.exe' + CommandLine|contains: 'http' + condition: selection falsepositives: - Unknown - From df07291e534cd6739a713f66bd3c98db1b17a249 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:43:03 +0300 Subject: [PATCH 128/269] Update win_susp_cdb.yml --- rules/windows/process_creation/win_susp_cdb.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml index 27c32c907..1e779a0c4 100644 --- a/rules/windows/process_creation/win_susp_cdb.yml +++ b/rules/windows/process_creation/win_susp_cdb.yml @@ -16,9 +16,9 @@ logsource: category: process_creation product: windows detection: - selection: - Image: '*\cdb.exe' - CommandLine|contains: '-cf' - condition: selection + selection: + Image: '*\cdb.exe' + CommandLine|contains: '-cf' + condition: selection falsepositives: - Legitimate use of debugging tools 
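Review bot: `CommandLine|contains: 'http'` fires every time Word, Excel or PowerPoint is started with a URL argument, and that is typically how documents stored on SharePoint/OneDrive/Teams are opened from a browser or Explorer (`winword.exe "https://tenant.sharepoint.com/…/doc.docx"`), so in an Office 365 estate this will be constant noise; `falsepositives: Unknown` should state that, and `level: medium` may belong at `low` until tuned. If the aim is the payload-download trick in the reference, an exclusion for the organisation's own hosts is the practical fix: `filter: CommandLine|contains: '.sharepoint.com'` with `condition: selection and not filter` (adjust the host list to the tenant). Also `- Reegun J (OCBC Bank)` under `references` is an attribution rather than a reference; the openwith rule in this series puts the idea credit in `author` as `(idea)`, which would be the consistent place.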
From bd0ebf0604edc27327a0d86587ac7a0f1b451cf4 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:43:42 +0300 Subject: [PATCH 129/269] Update win_susp_dxcap.yml --- rules/windows/process_creation/win_susp_dxcap.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml index 4e69e9db0..e66089a2f 100644 --- a/rules/windows/process_creation/win_susp_dxcap.yml +++ b/rules/windows/process_creation/win_susp_dxcap.yml @@ -16,11 +16,11 @@ logsource: category: process_creation product: windows detection: - selection: - Image: '*\dxcap.exe' - CommandLine|contains|all: - - '-c' - - '.exe' - condition: selection + selection: + Image: '*\dxcap.exe' + CommandLine|contains|all: + - '-c' + - '.exe' + condition: selection falsepositives: - Legitimate execution of dxcap.exe by legitimate user From c18fa0940d0bc58504d49af37f6e733bdaf0d99f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 18:44:07 +0300 Subject: [PATCH 130/269] Update win_susp_msoffice.yml --- rules/windows/process_creation/win_susp_msoffice.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml index f742afd08..28c150441 100644 --- a/rules/windows/process_creation/win_susp_msoffice.yml +++ b/rules/windows/process_creation/win_susp_msoffice.yml @@ -10,7 +10,6 @@ date: 2019/10/26 modified: 2019/11/04 tags: - attack.command_and_control - - attack.lateral_movement - attack.t1105 level: medium logsource: From e6a39f1061dcea3c426bfe741274843984500f6d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 19:01:30 +0300 Subject: [PATCH 131/269] Update win_susp_odbcconf.yml --- .../process_creation/win_susp_odbcconf.yml | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml index 49a206ca2..e6e7d74fb 100644 --- a/rules/windows/process_creation/win_susp_odbcconf.yml +++ b/rules/windows/process_creation/win_susp_odbcconf.yml @@ -1,10 +1,11 @@ -title: Odbcconf.exe efensive counter measures evasion via odbcconf.exe -description: Defence evasion via odbcconf.exe loading DLL specified in target .RSP file +title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe +description: Defence evasion via odbcconf.exe loading DLL specified in target .RSP file status: experimental references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml -author: Beyu Denis, oscd.community +author: Beyu Denis, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 +modified: 2019/11/04 tags: - attack.defense_evasion - attack.execution @@ -13,10 +14,17 @@ logsource: category: process_creation product: windows detection: - selection: + selection_1: Image: '*\odbcconf.exe' - CommandLine: '* -f *.rsp' - condition: selection + selection_2: + CommandLine|contains|all: + - '-f' + - '.rsp' + selection_3: + CommandLine|contains|all: + - 'regsvr' + - '.dll' + condition: selection_1 and ( selection_2 or selection_3 ) level: medium falsepositives: - - Unknown \ No newline at end of file + - Legitimate use of odbcconf.exe by legitimate user From 9371e533c31708d6f5ff4361b00b65eef800fafd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 19:05:23 +0300 Subject: [PATCH 132/269] Update win_susp_openwith_execution.yml --- .../win_susp_openwith_execution.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_susp_openwith_execution.yml b/rules/windows/process_creation/win_susp_openwith_execution.yml index ea6a21cc8..dc9b66563 100644 --- a/rules/windows/process_creation/win_susp_openwith_execution.yml 
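Review bot: `selection_2` only looks for `'-f'`, but odbcconf appears to take its switches with either prefix — Microsoft documents them as `/F`, `/A` etc., while the LOLBAS example in the reference uses `-f file.rsp` — so `odbcconf /f payload.rsp` slips past; make `selection_2` a list of `- CommandLine|contains: ' -f '` and `- CommandLine|contains: ' /f '` (the bounding spaces also stop `-f` matching inside `-file` or a path segment). `.rsp` is a convention, not a requirement (the response file can carry any name), so keeping it in an `all` clause buys mostly false negatives; if it stays, say so in a comment. `selection_3`'s `regsvr` + `.dll` pair is fine, since the `{REGSVR …}` action is what loads the DLL.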
+++ b/rules/windows/process_creation/win_susp_openwith_execution.yml @@ -4,10 +4,12 @@ description: The OpenWith.exe executes other binary references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Openwith.yml - https://twitter.com/harr0ey/status/991670870384021504 -author: Beyu Denis, oscd.community (rule), harr0ey (idea) +author: 'Beyu Denis, oscd.community (rule), @harr0ey (idea)' date: 2019/10/12 +modified: 2019/11/04 tags: - - attack.persistence + - attack.defense_evasion + - attack.execution - attack.t1218 level: critical logsource: @@ -15,9 +17,8 @@ logsource: product: windows detection: selection: - Image: '*OpenWith.exe' - CommandLine: '*/c*' + Image: '*\OpenWith.exe' + CommandLine|contains: '/c' condition: selection falsepositives: - - Unknown - + - Legitimate use of OpenWith.exe by legitimate user From 19396fd274af44faba0a52a93d477133834a2e62 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 19:23:52 +0300 Subject: [PATCH 133/269] Update sysmon_webshell_creation_detect.yml --- .../sysmon_webshell_creation_detect.yml | 46 +++++++++++-------- 1 file changed, 27 insertions(+), 19 deletions(-) diff --git a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml index 72c24271d..1af4f31f8 100644 --- a/rules/windows/sysmon/sysmon_webshell_creation_detect.yml +++ b/rules/windows/sysmon/sysmon_webshell_creation_detect.yml @@ -5,6 +5,7 @@ references: - PT ESC rule and personal experience author: Beyu Denis, oscd.community date: 2019/10/22 +modified: 2019/11/04 tags: - attack.persistence - attack.t1100 
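Review bot: `CommandLine|contains: '/c'` is a two-character substring, so on the new side any OpenWith.exe command line carrying a forward-slash path, a URL or another `/c…` switch matches, and it does so at `level: critical`. The sibling LOLBIN rules in this series (bginfo, cdb, dnx, dxcap, odbcconf) are `medium`, and the new falsepositives entry concedes legitimate use, so `critical` reads as inconsistent; suggest `CommandLine|contains: ' /c '` and `level: high`. The `Image` fix to `'*\OpenWith.exe'` is right — the old `'*OpenWith.exe'` also matched any binary whose name merely ends in `OpenWith.exe`.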
@@ -13,24 +14,31 @@ logsource: product: windows service: sysmon detection: - selection: - # Sysmon: File Creation (ID 11) + selection_1: EventID: 11 - #.NET webshells - TargetFilename: - - '*\inetpub\wwwroot\*.asp' - - '*\inetpub\wwwroot\*.aspx' - - '*\inetpub\wwwroot\*.ashx' - #php webshells - - '*\inetpub\wwwroot\*.ph*' - - '*\www\*.ph*' - - '*\htdocs\*.ph*' - - '*\html\*.ph*' - #apache tomcap webshell - - '*\*.jsp*' - #cgi-bin perl webshell - - '*\cgi-bin\*.pl' - condition: selection + selection_2: + TargetFilename|contains: '\inetpub\wwwroot\' + selection_3: + TargetFilename|contains: + - '.asp' + - '.ashx' + - '.ph' + selection_4: + TargetFilename|contains: + - '\www\' + - '\htdocs\' + - '\html\' + selection_5: + TargetFilename|contains: '.ph' + selection_6: + - TargetFilename|contains|all: + - '\' + - '.jsp' + - TargetFilename|contains|all: + - '\cgi-bin\' + - '.pl' + condition: selection_1 and ( selection_2 and selection_3 ) or + selection_1 and ( selection_4 and selection_5 ) or + selection_1 and selection_6 falsepositives: - - Unknown - - Admin activity + - Legitimate administrator or developer creating legitimate executable files in a web application folder From 95412e5f3060a90c6f127d5ed8934b0fb23bf792 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:35:11 +0300 Subject: [PATCH 134/269] Rename win_susp_bginfo.yml to process_creation_susp_bginfo.yml --- .../{win_susp_bginfo.yml => process_creation_susp_bginfo.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_bginfo.yml => process_creation_susp_bginfo.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/process_creation_susp_bginfo.yml similarity index 100% rename from rules/windows/process_creation/win_susp_bginfo.yml rename to rules/windows/process_creation/process_creation_susp_bginfo.yml From 49bc6ada251043fde64cb764cf220dcbd4fcf90c Mon Sep 17 00:00:00 2001 
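Review bot: In `selection_6` the `'\'` element of the `.jsp` clause is a no-op — every Windows path contains a backslash — so that branch fires on a file created anywhere on disk whose name contains `.jsp`, the same reach as the old `'*\*.jsp*'`, but the new form reads as if it were scoped; the removed `#apache tomcap webshell` comment was the only hint that system-wide was intentional, so put that back as a comment. The `condition` repeats `selection_1` three times and relies on `and` binding tighter than `or`; that is correct Sigma, but factoring it makes the intent obvious. `.asp` and `.ph` are substrings as well (they take `.aspx`, `.phtml`, `.phar`, presumably on purpose), which deserves a one-line comment so nobody "fixes" it later.
```yaml
    selection_6:
      # system-wide on purpose: Java/Tomcat webapps live outside the IIS/Apache roots
      TargetFilename|contains: '.jsp'
    selection_7:
      TargetFilename|contains|all:
        - '\cgi-bin\'
        - '.pl'
    condition: selection_1 and ( (selection_2 and selection_3) or (selection_4 and selection_5) or selection_6 or selection_7 )
```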
From: yugoslavskiy Date: Mon, 4 Nov 2019 20:35:28 +0300 Subject: [PATCH 135/269] Rename win_susp_cdb.yml to process_creation_susp_cdb.yml --- .../{win_susp_cdb.yml => process_creation_susp_cdb.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_cdb.yml => process_creation_susp_cdb.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/process_creation_susp_cdb.yml similarity index 100% rename from rules/windows/process_creation/win_susp_cdb.yml rename to rules/windows/process_creation/process_creation_susp_cdb.yml From d18314b6b2d1c271fa445bd4203e403c99a090f4 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:35:43 +0300 Subject: [PATCH 136/269] Rename win_susp_devtoolslauncher_execution.yml to process_creation_susp_devtoolslauncher_execution.yml --- ...n.yml => process_creation_susp_devtoolslauncher_execution.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_devtoolslauncher_execution.yml => process_creation_susp_devtoolslauncher_execution.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml b/rules/windows/process_creation/process_creation_susp_devtoolslauncher_execution.yml similarity index 100% rename from rules/windows/process_creation/win_susp_devtoolslauncher_execution.yml rename to rules/windows/process_creation/process_creation_susp_devtoolslauncher_execution.yml From 66eba43a8d1821c35aed544ff7fbac552195128f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:35:53 +0300 Subject: [PATCH 137/269] Rename win_susp_dnx.yml to process_creation_susp_dnx.yml --- .../{win_susp_dnx.yml => process_creation_susp_dnx.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_dnx.yml => process_creation_susp_dnx.yml} (100%) 
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/process_creation_susp_dnx.yml similarity index 100% rename from rules/windows/process_creation/win_susp_dnx.yml rename to rules/windows/process_creation/process_creation_susp_dnx.yml From 9c19d1b58c3f752c58dd92f83e18abe31e5fe996 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:36:07 +0300 Subject: [PATCH 138/269] Rename win_susp_dxcap.yml to process_creation_susp_dxcap.yml --- .../{win_susp_dxcap.yml => process_creation_susp_dxcap.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_dxcap.yml => process_creation_susp_dxcap.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/process_creation_susp_dxcap.yml similarity index 100% rename from rules/windows/process_creation/win_susp_dxcap.yml rename to rules/windows/process_creation/process_creation_susp_dxcap.yml From de098ff5b72747c4260de346bcf73c02887d911e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:36:21 +0300 Subject: [PATCH 139/269] Rename win_susp_msoffice.yml to process_creation_susp_msoffice.yml --- .../{win_susp_msoffice.yml => process_creation_susp_msoffice.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_msoffice.yml => process_creation_susp_msoffice.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/process_creation_susp_msoffice.yml similarity index 100% rename from rules/windows/process_creation/win_susp_msoffice.yml rename to rules/windows/process_creation/process_creation_susp_msoffice.yml From 8d0923de2de7bb162f0e35649f8c1f2dabd62c6f Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 4 Nov 2019 20:36:46 +0300 Subject: [PATCH 140/269] Rename win_susp_odbcconf.yml to process_creation_susp_odbcconf.yml --- .../{win_susp_odbcconf.yml => process_creation_susp_odbcconf.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_odbcconf.yml => process_creation_susp_odbcconf.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/process_creation_susp_odbcconf.yml similarity index 100% rename from rules/windows/process_creation/win_susp_odbcconf.yml rename to rules/windows/process_creation/process_creation_susp_odbcconf.yml From 85cd989b6ff033d49b0782178486302c5183f1ff Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:36:58 +0300 Subject: [PATCH 141/269] Rename win_susp_openwith_execution.yml to process_creation_susp_openwith_execution.yml --- ...execution.yml => process_creation_susp_openwith_execution.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_openwith_execution.yml => process_creation_susp_openwith_execution.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_openwith_execution.yml b/rules/windows/process_creation/process_creation_susp_openwith_execution.yml similarity index 100% rename from rules/windows/process_creation/win_susp_openwith_execution.yml rename to rules/windows/process_creation/process_creation_susp_openwith_execution.yml From 999126446b693686c6a6c388d56aa326f8395688 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 4 Nov 2019 20:37:16 +0300 Subject: [PATCH 142/269] Rename win_susp_psr_capture_screenshots.yml to process_creation_susp_psr_capture_screenshots.yml --- ...hots.yml => process_creation_susp_psr_capture_screenshots.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{win_susp_psr_capture_screenshots.yml => process_creation_susp_psr_capture_screenshots.yml} (100%) diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml similarity index 100% rename from rules/windows/process_creation/win_susp_psr_capture_screenshots.yml rename to rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml From 54e9be9cd062547389a7283913c79ece4bd56a4a Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 20:38:24 +0300 Subject: [PATCH 143/269] Rename process_creation_susp_devtoolslauncher_execution.yml to process_creation_susp_devtoolslauncher.yml --- ...r_execution.yml => process_creation_susp_devtoolslauncher.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{process_creation_susp_devtoolslauncher_execution.yml => process_creation_susp_devtoolslauncher.yml} (100%) diff --git a/rules/windows/process_creation/process_creation_susp_devtoolslauncher_execution.yml b/rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_devtoolslauncher_execution.yml rename to rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml From 3f1c94837bf2ee0f3507bd1652431e92423846ff Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 4 Nov 2019 20:38:44 +0300 Subject: [PATCH 144/269] Rename process_creation_susp_openwith_execution.yml to process_creation_susp_openwith.yml --- ..._openwith_execution.yml => process_creation_susp_openwith.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{process_creation_susp_openwith_execution.yml => process_creation_susp_openwith.yml} (100%) diff --git a/rules/windows/process_creation/process_creation_susp_openwith_execution.yml b/rules/windows/process_creation/process_creation_susp_openwith.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_openwith_execution.yml rename to rules/windows/process_creation/process_creation_susp_openwith.yml From bb71f958105a343796ebfdc87bdbae0f8c3506b0 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 21:58:42 +0300 Subject: [PATCH 145/269] Update lnx_auditd_masquerading_crond.yml --- rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index 6849ee989..3306a3ac6 100644 --- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml @@ -3,7 +3,6 @@ status: experimental description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. author: Timur Zinniatullin, oscd.community references: - - https://attack.mitre.org/techniques/T1036/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml logsource: product: linux From 0d5489bbb0d1c231656c99981d9985aaf1333c54 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 4 Nov 2019 22:07:30 +0300 Subject: [PATCH 146/269] Update lnx_auditd_user_discovery.yml --- .../linux/auditd/lnx_auditd_user_discovery.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml index 0fcfd9314..78be55043 100644 --- a/rules/linux/auditd/lnx_auditd_user_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml @@ -1,24 +1,20 @@ -title: System Owner/User Discovery +title: System Owner or User Discovery status: experimental description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. author: Timur Zinniatullin, oscd.community references: - - https://attack.mitre.org/techniques/T1033/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml logsource: product: linux service: auditd detection: - selection1: + selection: type: 'EXECVE' - a0: 'users' - selection2: - type: 'EXECVE' - a0: 'u' - selection3: - type: 'EXECVE' - a0: 'who' - condition: 1 of them + a0: + - 'users' + - 'w' + - 'who' + condition: selection falsepositives: - Admin activity level: low From 8b2216e94eba5dd52ff83a2f49bd52b32a80697f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 22:14:10 +0300 Subject: [PATCH 147/269] Update lnx_auditd_masquerading_crond.yml --- rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index 3306a3ac6..8e0e6012e 100644 --- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml 
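Review bot: `a0` in an auditd EXECVE record is argv[0] exactly as the caller supplied it, so `who` matches `who` but not `/usr/bin/who` or `./who`, and scripted recon that uses absolute paths is missed while the companion SYSCALL record's `exe` field would still show `/usr/bin/who`. At `level: low` that is tolerable, but make it explicit: `description: … Matches only bare command names in argv[0]; absolute-path invocations are not covered.` The `u` → `w` correction is the substantive fix here and lines up with the referenced atomic test (`users`, `w`, `who`); `whoami` and `id` are the obvious additions if the extra noise is acceptable.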
@@ -2,6 +2,7 @@ title: Masquerading as Linux crond process status: experimental description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. author: Timur Zinniatullin, oscd.community +date: 2019/10/21 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.yaml logsource: From 75f2b8536fa90c61f233779afe90f23f258eafb2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 22:14:30 +0300 Subject: [PATCH 148/269] Update lnx_auditd_user_discovery.yml --- rules/linux/auditd/lnx_auditd_user_discovery.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml index 78be55043..8ccef1273 100644 --- a/rules/linux/auditd/lnx_auditd_user_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml @@ -2,6 +2,7 @@ title: System Owner or User Discovery status: experimental description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. author: Timur Zinniatullin, oscd.community +date: 2019/10/21 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml logsource: From cbf01aa51eeaae8d1df87ef0d9349be3f1864c17 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 4 Nov 2019 22:46:55 +0300 Subject: [PATCH 149/269] Update and rename win_change_default_file_association.yml to process_creation_change_default_file_association.yml --- ...process_creation_change_default_file_association.yml} | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) rename rules/windows/process_creation/{win_change_default_file_association.yml => process_creation_change_default_file_association.yml} (86%) diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/process_creation_change_default_file_association.yml similarity index 86% rename from rules/windows/process_creation/win_change_default_file_association.yml rename to rules/windows/process_creation/process_creation_change_default_file_association.yml index e7cd16d34..315ff7035 100644 --- a/rules/windows/process_creation/win_change_default_file_association.yml +++ b/rules/windows/process_creation/process_creation_change_default_file_association.yml 
@@ -2,16 +2,19 @@ title: Change Default File Association
 status: experimental
 description: When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
 author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
- - https://attack.mitre.org/techniques/T1042/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine:
- - '*cmd.exe*/c*assoc*'
+ CommandLine|contains|all:
+ - 'cmd'
+ - '/c'
+ - 'assoc'
 condition: selection
 falsepositives:
 - Admin activity
From f880fa82b54ad4b47c9e825397bba0105c73f9db Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 4 Nov 2019 22:48:13 +0300
Subject: [PATCH 150/269] Rename process_creation_change_default_file_association.yml to win_change_default_file_association.yml
---
 ...le_association.yml => win_change_default_file_association.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{process_creation_change_default_file_association.yml => win_change_default_file_association.yml} (100%)
diff --git a/rules/windows/process_creation/process_creation_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml
similarity index 100%
rename from rules/windows/process_creation/process_creation_change_default_file_association.yml
rename to rules/windows/process_creation/win_change_default_file_association.yml
From cb167e73b1fb12feb6daeb16cb7b22301c9486a5 Mon Sep 17 00:00:00 2001
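Review bot: The new `CommandLine|contains|all` in `selection` matches `'cmd'`, `'/c'` and `'assoc'` as unordered substrings, so any `cmd /c` command line whose arguments merely contain "assoc" (a path segment such as `\associations\`, or words like "associate") now fires, whereas the removed `'*cmd.exe*/c*assoc*'` at least anchored on `cmd.exe` appearing first. Pinning the process instead of a substring keeps the precision: add `Image: '*\cmd.exe'` to the selection and reduce the list to `'/c'` and `' assoc '` (with its surrounding spaces, so the utility name must stand alone). The `'cmd'` entry can then go, since the Image field already establishes it.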
From: yugoslavskiy Date: Mon, 4 Nov 2019 22:49:28 +0300 Subject: [PATCH 151/269] fix filenames --- .../{process_creation_susp_bginfo.yml => win_susp_bginfo.yml} | 0 .../{process_creation_susp_cdb.yml => win_susp_cdb.yml} | 0 ...on_susp_devtoolslauncher.yml => win_susp_devtoolslauncher.yml} | 0 .../{process_creation_susp_dnx.yml => win_susp_dnx.yml} | 0 .../{process_creation_susp_dxcap.yml => win_susp_dxcap.yml} | 0 .../{process_creation_susp_msoffice.yml => win_susp_msoffice.yml} | 0 .../{process_creation_susp_odbcconf.yml => win_susp_odbcconf.yml} | 0 .../{process_creation_susp_openwith.yml => win_susp_openwith.yml} | 0 ...pture_screenshots.yml => win_susp_psr_capture_screenshots.yml} | 0 9 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{process_creation_susp_bginfo.yml => win_susp_bginfo.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_cdb.yml => win_susp_cdb.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_devtoolslauncher.yml => win_susp_devtoolslauncher.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_dnx.yml => win_susp_dnx.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_dxcap.yml => win_susp_dxcap.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_msoffice.yml => win_susp_msoffice.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_odbcconf.yml => win_susp_odbcconf.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_openwith.yml => win_susp_openwith.yml} (100%) rename rules/windows/process_creation/{process_creation_susp_psr_capture_screenshots.yml => win_susp_psr_capture_screenshots.yml} (100%) 
diff --git a/rules/windows/process_creation/process_creation_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_bginfo.yml rename to rules/windows/process_creation/win_susp_bginfo.yml diff --git a/rules/windows/process_creation/process_creation_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_cdb.yml rename to rules/windows/process_creation/win_susp_cdb.yml diff --git a/rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_devtoolslauncher.yml rename to rules/windows/process_creation/win_susp_devtoolslauncher.yml diff --git a/rules/windows/process_creation/process_creation_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_dnx.yml rename to rules/windows/process_creation/win_susp_dnx.yml diff --git a/rules/windows/process_creation/process_creation_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_dxcap.yml rename to rules/windows/process_creation/win_susp_dxcap.yml diff --git a/rules/windows/process_creation/process_creation_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_msoffice.yml rename to rules/windows/process_creation/win_susp_msoffice.yml 
diff --git a/rules/windows/process_creation/process_creation_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_odbcconf.yml rename to rules/windows/process_creation/win_susp_odbcconf.yml diff --git a/rules/windows/process_creation/process_creation_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_openwith.yml rename to rules/windows/process_creation/win_susp_openwith.yml diff --git a/rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml similarity index 100% rename from rules/windows/process_creation/process_creation_susp_psr_capture_screenshots.yml rename to rules/windows/process_creation/win_susp_psr_capture_screenshots.yml From e38116fce280bc6f6941b3bfab1a94e2e146aaac Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 4 Nov 2019 22:55:32 +0300 Subject: [PATCH 152/269] Update and rename win_data_compressed.yml to win_data_compressed_with_rar.yml --- ...sed.yml => win_data_compressed_with_rar.yml} | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) rename rules/windows/process_creation/{win_data_compressed.yml => win_data_compressed_with_rar.yml} (68%) diff --git a/rules/windows/process_creation/win_data_compressed.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml similarity index 68% rename from rules/windows/process_creation/win_data_compressed.yml rename to rules/windows/process_creation/win_data_compressed_with_rar.yml index 469a946a2..de3ce76ac 100644 --- a/rules/windows/process_creation/win_data_compressed.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml 
@@ -2,19 +2,20 @@ title: Data Compressed
 status: experimental
 description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
 author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
- - https://attack.mitre.org/techniques/T1002/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Image:
- - '*\rar.exe'
- CommandLine:
- - '* a -r *'
- condition: selection1
+ selection:
+ Image: '*\rar.exe'
+ CommandLine|contains|all:
+ - ' a '
+ - '-r'
+ condition: selection
 fields:
 - Image
 - CommandLine
@@ -24,7 +25,7 @@ fields:
 - ParentProcessGuid
 - ParentCommandLine
 falsepositives:
- - highly likely if default archivator in the monitored environment is rar, and even if not
+ - highly likely if rar is default archiver in the monitored environment
 level: low
 tags:
 - attack.exfiltration
From b565398bc5a3b53a0178ffa8be77a5a8cfe363e9 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 4 Nov 2019 23:02:03 +0300
Subject: [PATCH 153/269] Update win_network_sniffing.yml
---
 .../windows/process_creation/win_network_sniffing.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml
index f4a3a2d22..31e03d534 100644
--- a/rules/windows/process_creation/win_network_sniffing.yml
+++ b/rules/windows/process_creation/win_network_sniffing.yml
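Review bot: `'-r'` in the new `CommandLine|contains|all` is a bare substring, so besides the recurse switch it matches `-rr`, `-ri`, `-rv` and any archive or path name containing "-r", while the removed `'* a -r *'` required the exact switch; the surrounding ` a ` entry shows the author knew to pad the other token. If the broader match is intended, say so with a comment above the list such as `# any -r* switch family is accepted on purpose`; otherwise `' -r '` keeps the original precision. Separately, `Image: '*\rar.exe'` only covers the console binary — if WinRAR's GUI executable accepts the same `a -r` syntax in your environment, it may be worth a second Image pattern, but that is an extension rather than a defect of this change.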
@@ -2,17 +2,18 @@ title: Network Sniffing
 status: experimental
 description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
- - https://attack.mitre.org/techniques/T1040/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine:
- - '*tshark*-i*'
- - '*windump*'
+ - Image: '*\tshark.exe'
+ CommandLine|contains: '-i'
+ - Image: '*\windump.exe'
 condition: selection
 falsepositives:
 - Admin activity
@@ -29,4 +30,3 @@ tags:
 - attack.credential_access
 - attack.discovery
 - attack.t1040
-
\ No newline at end of file
From e81f4f0ea6a6cdf6fa17f1f0a62a4fe0b1701b19 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 4 Nov 2019 23:42:47 +0300
Subject: [PATCH 154/269] Update sysmon_xsl_script_processing.yml
---
 .../windows/sysmon/sysmon_xsl_script_processing.yml | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
index 283f6626f..c849ab071 100644
--- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml
+++ b/rules/windows/sysmon/sysmon_xsl_script_processing.yml
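Review bot: The tshark branch of the new `selection` still requires `CommandLine|contains: '-i'`, but per its man page tshark started without `-i` captures on the first non-loopback interface, so a bare `tshark` or `tshark -w out.pcap` invocation is not caught while the windump branch needs no argument at all. If `-i` was kept to avoid flagging offline reads (`tshark -r file.pcap`), that is a filter on `-r`, not a requirement for `-i`; otherwise drop the CommandLine constraint so the two branches are symmetric. Whichever is chosen, a comment on that item such as `# live capture only; tshark defaults to an interface when -i is omitted` records the trade-off for the next maintainer.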
@@ -2,21 +2,19 @@ title: XSL Script Processing
 status: experimental
 description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
 author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
- - https://attack.mitre.org/techniques/T1220/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
 logsource:
 category: process_creation
 product: windows
 detection:
 selection1:
- ParentImage:
- - '*\wmic.exe'
- ParentCommandLine:
- - '*/format*' # wmic process list /FORMAT /?
+ ParentImage: '*\wmic.exe'
+ ParentCommandLine|contains: '/format' # wmic process list /FORMAT /?
 selection2:
- Image:
- - '*\msxsl.exe*'
+ Image: '*\msxsl.exe'
 condition:
 selection1 or selection2
 falsepositives:
From 2679baddcd9aecac0864367e3cbf51f30962aa8f Mon Sep 17 00:00:00 2001
From: zinint
Date: Mon, 4 Nov 2019 23:46:43 +0300
Subject: [PATCH 155/269] Delete powershell_network_sniffing.yml
---
 .../powershell_network_sniffing.yml | 27 -------------------
 1 file changed, 27 deletions(-)
 delete mode 100644 rules/windows/powershell/powershell_network_sniffing.yml
diff --git a/rules/windows/powershell/powershell_network_sniffing.yml b/rules/windows/powershell/powershell_network_sniffing.yml
deleted file mode 100644
index 75fa436a0..000000000
--- a/rules/windows/powershell/powershell_network_sniffing.yml
+++ /dev/null
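Review bot: The rule stays under `rules/windows/sysmon/` while its logsource is the generic `category: process_creation` / `product: windows`, and the rewritten `selection1` matches on `ParentImage`/`ParentCommandLine` — the process spawned by `wmic … /format` — whereas the copy recreated as win_xsl_script_processing.yml in patches 157 and 160 of this series matches `Image: '*\wmic.exe'` with `CommandLine|contains: '/format'`, i.e. the wmic process itself. Those are different events, and nothing in either file records which one is intended. A comment on `selection1`, e.g. `# child of wmic /format:<stylesheet>; the wmic process itself is matched by the process_creation rule`, would keep the two from drifting; patch 156 deletes this file, so the comment belongs in the surviving copy.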
@@ -1,27 +0,0 @@ -title: Network Sniffing -status: experimental -description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. -author: Timur Zinniatullin, oscd.community -references: - - https://attack.mitre.org/techniques/T1040/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml -logsource: - product: windows - service: powershell - description: 'Script block logging must be enabled' -detection: - selection: - EventID: 4104 - keyword1: - - '*tshark*-i*' - keyword2: - - '*windump*' - condition: selection and (keyword1 or keyword2) -falsepositives: - - Admin activity -level: low -tags: - - attack.credential_access - - attack.discovery - - attack.t1040 - \ No newline at end of file From cd43354c04b8b905435f71bc80d5ce4a85f5481c Mon Sep 17 00:00:00 2001 From: zinint Date: Mon, 4 Nov 2019 23:47:23 +0300 Subject: [PATCH 156/269] Delete sysmon_xsl_script_processing.yml --- .../sysmon/sysmon_xsl_script_processing.yml | 26 ------------------- 1 file changed, 26 deletions(-) delete mode 100644 rules/windows/sysmon/sysmon_xsl_script_processing.yml diff --git a/rules/windows/sysmon/sysmon_xsl_script_processing.yml b/rules/windows/sysmon/sysmon_xsl_script_processing.yml deleted file mode 100644 index c849ab071..000000000 --- a/rules/windows/sysmon/sysmon_xsl_script_processing.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: XSL Script Processing -status: experimental -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses -author: Timur Zinniatullin, oscd.community -date: 2019/10/21 -modified: 2019/11/04 -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml -logsource: - category: process_creation - product: windows -detection: - selection1: - ParentImage: '*\wmic.exe' - ParentCommandLine|contains: '/format' # wmic process list /FORMAT /? - selection2: - Image: '*\msxsl.exe' - condition: - selection1 or selection2 -falsepositives: - - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment - - msxsl.exe is not installed by default so unlikely. -level: medium -tags: - - attack.execution - - attack.t1220 From fd6875485b3694dadea1242a88334eabfcafbf0d Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 5 Nov 2019 00:00:14 +0300 Subject: [PATCH 157/269] Add files via upload --- .../win_xsl_script_processing.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/win_xsl_script_processing.yml diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml new file mode 100644 index 000000000..1a051520f --- /dev/null +++ b/rules/windows/process_creation/win_xsl_script_processing.yml 
@@ -0,0 +1,28 @@ +title: XSL Script Processing +status: experimental +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses +author: Timur Zinniatullin, oscd.community +references: + - https://attack.mitre.org/techniques/T1220/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: + - '*\wmic.exe' + CommandLine: + - '*/format*' # wmic process list /FORMAT /? + selection2: + Image: + - '*\msxsl.exe*' + condition: + selection1 or selection2 +falsepositives: + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment + - msxsl.exe is not installed by default so unlikely. +level: medium +tags: + - attack.execution + - attack.t1220 \ No newline at end of file From a3ec56da071509830627656c6232fb8bb95b21ad Mon Sep 17 00:00:00 2001 From: zinint Date: Tue, 5 Nov 2019 00:02:19 +0300 Subject: [PATCH 158/269] Update win_xsl_script_processing.yml --- rules/windows/process_creation/win_xsl_script_processing.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index 1a051520f..cf0e4bd8d 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml @@ -25,4 +25,5 @@ falsepositives: level: medium tags: - attack.execution - - attack.t1220 \ No newline at end of file + - attack.t1220 + From cd1cd48619f4fe5099dd5e225242f49b0aec9e53 Mon Sep 17 00:00:00 2001 
From: zinint Date: Tue, 5 Nov 2019 01:18:26 +0300 Subject: [PATCH 159/269] Delete win_app_windows_discovery.yml --- .../win_app_windows_discovery.yml | 31 ------------------- 1 file changed, 31 deletions(-) delete mode 100644 rules/windows/process_creation/win_app_windows_discovery.yml diff --git a/rules/windows/process_creation/win_app_windows_discovery.yml b/rules/windows/process_creation/win_app_windows_discovery.yml deleted file mode 100644 index 6ef25ce14..000000000 --- a/rules/windows/process_creation/win_app_windows_discovery.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: Application Window Discovery -status: experimental -description: Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger. In Mac, this can be done natively with a small AppleScript script - https://attack.mitre.org/techniques/T1155/ -author: Timur Zinniatullin, oscd.community -references: - - https://attack.mitre.org/techniques/T1010/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.yaml -logsource: - category: process_creation - product: windows -detection: - selection1: - Image: - - '*\csc.exe' - CommandLine: - - '*-out:*.cs*' - condition: selection1 -fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentCommandLine -falsepositives: - - Unknown -level: low -tags: - - attack.exfiltration - - attack.t1010 From ce55f80fb61f720bd795700aeccb8931c3cce324 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 01:31:55 +0300 Subject: [PATCH 160/269] Update win_xsl_script_processing.yml --- .../win_xsl_script_processing.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index cf0e4bd8d..1c9b6eb6d 100644 
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
@@ -2,23 +2,20 @@ title: XSL Script Processing
 status: experimental
 description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses
 author: Timur Zinniatullin, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
- - https://attack.mitre.org/techniques/T1220/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Image:
- - '*\wmic.exe'
- CommandLine:
- - '*/format*' # wmic process list /FORMAT /?
- selection2:
- Image:
- - '*\msxsl.exe*'
+ selection:
+ - Image: '*\wmic.exe'
+ CommandLine|contains: '/format' # wmic process list /FORMAT /?
+ - Image: '*\msxsl.exe'
 condition:
- selection1 or selection2
+ selection
 falsepositives:
 - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment
 - msxsl.exe is not installed by default so unlikely.
@@ -26,4 +23,3 @@ level: medium
 tags:
 - attack.execution
 - attack.t1220
-
From 9831897b6bf69f25b5f260a47bb0dacaa365d4ef Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 5 Nov 2019 01:32:29 +0300
Subject: [PATCH 161/269] Update win_xsl_script_processing.yml
---
 rules/windows/process_creation/win_xsl_script_processing.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml
index 1c9b6eb6d..c7738c87f 100644
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
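Review bot: `Image: '*\wmic.exe'` with `CommandLine|contains: '/format'` matches the wmic invocation itself, while the sysmon copy of this rule as refined in patch 154 (and deleted in 156) matched the spawned child through `ParentImage`/`ParentCommandLine|contains: '/format'`; the two fire on different events and this series keeps only this form without recording why. A comment on the first list item, e.g. `# matches the wmic process; the child it spawns for the stylesheet is not covered by this selection`, would stop the next edit from flipping it back. Note also that `'/format'` is satisfied by ordinary output formatting such as `wmic … /format:list` or `/format:csv`, which the `falsepositives` entry only covers in general terms — naming that case there would help triage.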
@@ -14,8 +14,7 @@ detection: - Image: '*\wmic.exe' CommandLine|contains: '/format' # wmic process list /FORMAT /? - Image: '*\msxsl.exe' - condition: - selection + condition: selection falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment - msxsl.exe is not installed by default so unlikely. From b755d4fb6818dac5807ca582adbd67fe7e4f4649 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 02:31:20 +0300 Subject: [PATCH 162/269] Update and rename win_system_owner_user_discovery.yml to win_local_system_owner_account_discovery.yml --- ...n_local_system_owner_account_discovery.yml | 60 +++++++++++++++++++ .../win_system_owner_user_discovery.yml | 30 ---------- 2 files changed, 60 insertions(+), 30 deletions(-) create mode 100644 rules/windows/process_creation/win_local_system_owner_account_discovery.yml delete mode 100644 rules/windows/process_creation/win_system_owner_user_discovery.yml diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml new file mode 100644 index 000000000..654f1edba --- /dev/null +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml 
@@ -0,0 +1,60 @@
+title: Local accounts discovery
+status: experimental
+description: Local accounts, System Owner/User discovery using operating systems utilities
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ - Image: '*\whoami.exe'
+ - Image: '*\wmic.exe'
+ CommandLine|contains|all:
+ - 'useraccount'
+ - 'get'
+ - Image:
+ - '*\quser.exe'
+ - '*\qwinsta.exe'
+ - Image: '*\cmdkey.exe'
+ CommandLine|contains: '/list'
+ - Image: '*\cmd.exe'
+ CommandLine|contains|all:
+ - '/c'
+ - 'dir'
+ - '\Users\'
+ selection_2:
+ Image:
+ - '*\net.exe'
+ - '*\net1.exe'
+ CommandLine|contains: 'user'
+ filter:
+ CommandLine|contains:
+ - '/domain' # local account discovery only
+ - '/add' # discovery only
+ - '/delete' # discovery only
+ - '/active' # discovery only
+ - '/expires' # discovery only
+ - '/passwordreq' # discovery only
+ - '/scriptpath' # discovery only
+ - '/times' # discovery only
+ - '/workstations' # discovery only
+ condition: selection_1 or ( selection_2 and not filter )
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - Legitimate administrator or user enumerates local users for legitimate reason
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1087
diff --git a/rules/windows/process_creation/win_system_owner_user_discovery.yml b/rules/windows/process_creation/win_system_owner_user_discovery.yml
deleted file mode 100644
index 9936bb6de..000000000
--- a/rules/windows/process_creation/win_system_owner_user_discovery.yml
+++ /dev/null
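Review bot: `CommandLine|contains: 'user'` in `selection_2` also matches `net use \\host\share /user:DOMAIN\name` (drive mapping with explicit credentials, routine in logon scripts) and `net localgroup users`, and neither is excluded by `filter`, so the `/user:` form will likely dominate the hits in most environments. `CommandLine|contains: ' user'` (leading space) drops the `/user:` case while still matching `net user`, `net1 user` and `net user <name>`; `localgroup users` would remain, which is arguably in scope for the T1087 tag. The comment `'/domain' # local account discovery only` reads as if `/domain` were itself local-only — `# exclude domain queries; this rule covers local accounts` says what the filter does. The remaining `# discovery only` comments would be clearer as a single comment above the list stating that account-modification switches are filtered out.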
@@ -1,30 +0,0 @@ -title: System Owner/User Discovery -status: experimental -description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. -author: Timur Zinniatullin, oscd.community -references: - - https://attack.mitre.org/techniques/T1033/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine: - - '*cmd.exe*/c*whoami*' - - '*wmic*useraccount*get*' - - '*quser*' - - '*qwinsta*' - condition: selection -fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentCommandLine -level: low -tags: - - attack.discovery - - attack.t1033 From c147863eb367f75fa4b083427008280161913a45 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 02:38:36 +0300 Subject: [PATCH 163/269] Update powershell_data_compressed.yml --- .../powershell/powershell_data_compressed.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index 6dbf737d1..567014d9c 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -2,8 +2,9 @@ title: Data Compressed status: experimental description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml logsource: product: windows 
@@ -12,12 +13,13 @@ logsource:
 detection:
 selection:
 EventID: 4104
- keyword:
- - '*-Recurse | Compress-Archive*'
- - '*-Recurse| Compress-Archive*'
- - '*-Recurse |Compress-Archive*'
- - '*-Recurse|Compress-Archive*'
- condition: selection and keyword
+ keyword_1:
+ - '*-Recurse*'
+ keyword_2:
+ - '*|*'
+ keyword_3:
+ - '*Compress-Archive*'
+ condition: selection and all of keyword_*
 falsepositives:
 - highly likely if archive ops are done via PS
 level: low
From 66bfbd0af998df93d2e67d224ec03c106cc46508 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 5 Nov 2019 02:55:41 +0300
Subject: [PATCH 164/269] Update and rename win_service_execution.yml to win_custom_service_execution.yml
---
 ...n.yml => win_custom_service_execution.yml} | 31 ++++++++++++-------
 1 file changed, 19 insertions(+), 12 deletions(-)
 rename rules/windows/process_creation/{win_service_execution.yml => win_custom_service_execution.yml} (54%)
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_custom_service_execution.yml
similarity index 54%
rename from rules/windows/process_creation/win_service_execution.yml
rename to rules/windows/process_creation/win_custom_service_execution.yml
index 0b3c3d356..aa5f25ce8 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_custom_service_execution.yml
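Review bot: `keyword_2: '*|*'` adds almost no selectivity — nearly every script block logged as event 4104 contains a pipe — and because the three keywords are now matched independently, the rule no longer requires the pipe to sit between `-Recurse` and `Compress-Archive`; any script block containing both words anywhere fires. If that loosening is intended (the four removed spacing variants were brittle), drop `keyword_2` and write `condition: selection and keyword_1 and keyword_3`; if the ordering matters, a single pattern `'*-Recurse*|*Compress-Archive*'` keeps it while still tolerating whitespace. Either way a comment above `keyword_1` stating the intended match would help the next reader.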
@@ -1,22 +1,29 @@
-title: Service Execution
+title: Custom Service Execution
 status: experimental
 description: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
-author: Timur Zinniatullin, oscd.community
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
 references:
- - https://attack.mitre.org/techniques/T1035/
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image:
- - '*\sc.exe'
- CommandLine:
- - '*create*binPath=*'
- - '*start*'
- - '*delete*'
- condition: selection
+ selection_1:
+ Image: '*\sc.exe'
+ selection_2:
+ Image:
+ - '*\net.exe'
+ - '*\net1.exe'
+ selection_3:
+ CommandLine|contains|all:
+ - 'create'
+ - 'binpath'
+ selection_4:
+ CommandLine|contains: 'start'
+ condition: selection_1 and ( selection_3 or selection_4 ) or
+ ( selection_2 and selection_4 )
 fields:
 - Image
 - CommandLine
@@ -27,7 +34,7 @@ fields:
 - ParentImage
 - ParentCommandLine
 falsepositives:
- - Admin activity
+ - Legitimate administrator or user creates and executes a service for legitimate reason
 level: low
 tags:
 - attack.execution
From 3d5f5e2fe729a9b52bf235b8a407f9e7f11e7cc7 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 5 Nov 2019 02:56:50 +0300
Subject: [PATCH 165/269] Update win_custom_service_execution.yml
---
 rules/windows/process_creation/win_custom_service_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
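Review bot: `selection_4: CommandLine|contains: 'start'` is a bare substring, so `sc config <svc> start= auto` (a modification, not an execution) and a bare `net start` (service enumeration, common in logon scripts) both satisfy it, and through `selection_2` every such `net start` listing fires this rule. `' start '` with both spaces keeps `sc start <svc>` and `net start <svc>` while dropping the `start=` and bare-listing forms; if the config case is wanted on purpose, say so in a comment on `selection_4`. The two-line `condition` relies on Sigma's `and`-before-`or` precedence, which reads as intended here, but its continuation line must be indented deeper than the `condition` key for YAML to fold it into one scalar — `condition: >-` followed by the two indented lines makes that explicit and survives reformatting.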
diff --git a/rules/windows/process_creation/win_custom_service_execution.yml b/rules/windows/process_creation/win_custom_service_execution.yml index aa5f25ce8..ff9b9e25e 100644 --- a/rules/windows/process_creation/win_custom_service_execution.yml +++ b/rules/windows/process_creation/win_custom_service_execution.yml @@ -34,7 +34,7 @@ fields: - ParentImage - ParentCommandLine falsepositives: - - Legitimate administrator or user creates and executes a service for legitimate reason + - Legitimate administrator or user creates and/or (only) executes a service for legitimate reason level: low tags: - attack.execution From 27e63abcc4aef1581d184194e7a257202b4424ba Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 02:57:15 +0300 Subject: [PATCH 166/269] Update and rename win_custom_service_execution.yml to win_service_execution.yml --- ...n_custom_service_execution.yml => win_service_execution.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{win_custom_service_execution.yml => win_service_execution.yml} (95%) diff --git a/rules/windows/process_creation/win_custom_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml similarity index 95% rename from rules/windows/process_creation/win_custom_service_execution.yml rename to rules/windows/process_creation/win_service_execution.yml index ff9b9e25e..2c409f12e 100644 --- a/rules/windows/process_creation/win_custom_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml 
@@ -1,4 +1,4 @@ -title: Custom Service Execution +title: Service Execution status: experimental description: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community From 9d9de64387e18b18c2977ede426cc45b73856775 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 03:00:33 +0300 Subject: [PATCH 167/269] Update win_query_registry.yml --- .../process_creation/win_query_registry.yml | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml index 9f5678cdf..507fb8a67 100644 --- a/rules/windows/process_creation/win_query_registry.yml +++ b/rules/windows/process_creation/win_query_registry.yml 
@@ -2,28 +2,27 @@ title: Query Registry status: experimental description: Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1012/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml logsource: category: process_creation product: windows detection: selection: - CommandLine: - - '*reg query*currentVersion\windows*' - - '*reg query*currentVersion\runServicesOnce*' - - '*reg query*currentVersion\runServices*' - - '*reg query*winlogon\*' - - '*reg query*currentVersion\shellServiceObjectDelayLoad*' - - '*reg query*currentVersion\runOnce*' - - '*reg query*currentVersion\runOnceEx*' - - '*reg query*currentVersion\run*' - - '*reg query*currentVersion\policies\explorer\run*' - - '*reg query*currentcontrolset\services*' - - '*reg save hklm\security*' - - '*reg save hklm\system*' - - '*reg save hklm\sam*' + Image: '*\reg.exe' + CommandLine|contains: + - 'currentVersion\windows' + - 'currentVersion\runServicesOnce' + - 'currentVersion\runServices' + - 'winlogon\' + - 'currentVersion\shellServiceObjectDelayLoad' + - 'currentVersion\runOnce' + - 'currentVersion\runOnceEx' + - 'currentVersion\run' + - 'currentVersion\policies\explorer\run' + - 'currentcontrolset\services' condition: selection fields: - Image From 37674b944ffca278ff2a3a3fb2edba320c519e16 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 03:04:46 +0300 Subject: [PATCH 168/269] Update win_query_registry.yml --- rules/windows/process_creation/win_query_registry.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml index 507fb8a67..193fa70eb 100644 --- a/rules/windows/process_creation/win_query_registry.yml 
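Review bot: Four entries in the new `CommandLine|contains` list are redundant: Sigma `contains` is a case-insensitive substring test, and `'currentVersion\run'` is a substring of `'currentVersion\runOnce'`, `'currentVersion\runOnceEx'`, `'currentVersion\runServices'` and `'currentVersion\runServicesOnce'`, so those four lines can never add a match and can be dropped. The rewrite also silently removes the three `reg save hklm\security|system|sam` patterns, which detect hive dumping rather than registry discovery; if that split is intentional, a one-line comment on the selection, `# hive dumps via reg save are out of scope here (credential access, not discovery)`, will stop them from being re-added. Binding the selection to `Image: '*\reg.exe'` is a reasonable precision gain, but it is a narrowing of what the old command-line-only patterns matched and is worth a sentence in the commit message.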
+++ b/rules/windows/process_creation/win_query_registry.yml @@ -36,3 +36,4 @@ level: low tags: - attack.discovery - attack.t1012 + - attack.t1007 From 479aafe466c520f2e24241b3aab86e49947ac7e0 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 04:26:19 +0300 Subject: [PATCH 169/269] Update win_service_execution.yml --- .../win_service_execution.yml | 33 +++++-------------- 1 file changed, 9 insertions(+), 24 deletions(-) diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index 2c409f12e..cf8fcfe3c 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml @@ -1,6 +1,6 @@ title: Service Execution -status: experimental -description: Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation. +status: experimental +description: Detects manual service execution (start) via system utilities author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2019/11/04 
@@ -10,31 +10,16 @@ logsource: category: process_creation product: windows detection: - selection_1: - Image: '*\sc.exe' - selection_2: - Image: + selection: + - Image: '*\sc.exe' + CommandLine|contains: 'start' + - Image: - '*\net.exe' - '*\net1.exe' - selection_3: - CommandLine|contains|all: - - 'create' - - 'binpath' - selection_4: - CommandLine|contains: 'start' - condition: selection_1 and ( selection_3 or selection_4 ) or - ( selection_2 and selection_4 ) -fields: - - Image - - CommandLine - - User - - LogonGuid - - Hashes - - ParentProcessGuid - - ParentImage - - ParentCommandLine + CommandLine|re: '.*start.*[a-zA-Z0-9]' # search for a service name after 'net start', avoiding intersection with "service discovery" technique detection rules + condition: selection falsepositives: - - Legitimate administrator or user creates and/or (only) executes a service for legitimate reason + - Legitimate administrator or user executes a service for legitimate reason level: low tags: - attack.execution From ac95d840b4005c403a8297c4299fb503703d7479 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 04:33:07 +0300 Subject: [PATCH 170/269] Update powershell_winlogon_helper_dll.yml --- .../powershell/powershell_winlogon_helper_dll.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 83a4e058a..b9b8c03e4 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml 
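Review bot: The two branches of the new `selection` test for "start" inconsistently: the `sc.exe` branch uses `CommandLine|contains: 'start'`, a case-insensitive substring that also fires on `sc config <svc> start= disabled` and similar non-execution commands, while the `net.exe` branch uses `CommandLine|re: '.*start.*[a-zA-Z0-9]'`, which is case-sensitive (`net START svc` is missed) and whose leading and trailing `.*` add nothing to an unanchored search. One form for both, requiring the verb to be its own token followed by a name, e.g. `CommandLine|re: '(?i)\bstart\s+[a-zA-Z0-9]'`, removes both problems, provided the target backends honour inline flags; otherwise spell the case folding out. The commit also drops the whole `fields` list without mentioning it; if the output-field hint is no longer wanted, say so in the message, since several backends consume it.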
@@ -1,9 +1,10 @@ title: Winlogon Helper DLL -status: test +status: experimental description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1004/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml logsource: product: windows @@ -14,11 +15,10 @@ detection: EventID: 4104 keyword1: - '*Set-ItemProperty*' - keyword2: - '*New-Item*' - keyword3: + keyword2: - '*CurrentVersion\Winlogon*' - condition: selection and (keyword1 or keyword2) and keyword3 + condition: selection and ( keyword1 and keyword2 ) falsepositives: - Unknown level: medium From 70fdd9c7d7d5acb7fd100b36735425e345683d8d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 04:38:27 +0300 Subject: [PATCH 171/269] Update lnx_data_compressed.yml --- rules/linux/auditd/lnx_data_compressed.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index 59e775e0c..00bd269b0 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml 
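Review bot: Removing the `*New-Item*` keyword in the second hunk (`@@ -14,11 +15,10 @@`) leaves `keyword1` with only `*Set-ItemProperty*`, so a new value created under `CurrentVersion\Winlogon\` with `New-ItemProperty` (rather than an existing one overwritten) no longer matches. If the removal was meant to drop noise from `New-Item` on unrelated paths, keeping the property-level cmdlet in the list, `- '*New-ItemProperty*'`, preserves that coverage. The new `condition: selection and ( keyword1 and keyword2 )` no longer needs its inner parentheses, and the MITRE reference removed in the first hunk is the only link to the technique description, so consider leaving it.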
@@ -2,8 +2,9 @@ title: Data Compressed status: experimental description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml logsource: product: linux @@ -19,10 +20,10 @@ detection: selection3: type: 'execve' a0: 'tar' - a1: '-cvzf' + a1|contains: '-c' condition: 1 of them falsepositives: - - highly likely + - Legitimate use of archiving tools by legitimate user level: low tags: - attack.exfiltration From 534f5fc0e1835cd8ce9a521fc1a0ff4082e01aee Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 04:40:40 +0300 Subject: [PATCH 172/269] Update lnx_network_sniffing.yml --- rules/linux/auditd/lnx_network_sniffing.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml index 70cae6654..4049f170c 100644 --- a/rules/linux/auditd/lnx_network_sniffing.yml +++ b/rules/linux/auditd/lnx_network_sniffing.yml @@ -2,8 +2,9 @@ title: Network Sniffing status: experimental description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1040/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml logsource: product: linux 
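Review bot: In selection3 (`@@ -19,10 +20,10 @@`), `a1|contains: '-c'` is a case-insensitive substring test, so it also fires on `tar -C <dir> ...` (change directory) and on long options such as `--exclude-caches`, while still missing the common dash-less form `tar czf archive.tgz dir`, because `czf` does not contain `-c`. A regex on the first argument that accepts both spellings of the create flag, `a1|re: '^-?[a-zA-Z]*c'`, matches `-cvzf`, `-czf` and `czf` and, being case-sensitive, not `-C`. The auditd `a1` field is positional, so `tar --create` and `tar -v -c ...` remain out of scope either way; a comment on the selection stating that limitation would help the next editor.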
@@ -13,11 +14,7 @@ detection: type: 'execve' a0: 'tcpdump' a1: '-c' - a3: - - '-ni' - - '-nni' - - '-nnni' # you don't need "n" three times here, but ART's test is like this, they say "we don't know why, but we've seen people do that just for emphasis" - - '-i' + a3|contains: '-i' selection2: type: 'execve' a0: 'tshark' @@ -25,7 +22,7 @@ detection: a3: '-i' condition: selection1 or selection2 falsepositives: - - Admin activity + - Legitimate administrator or user uses network sniffing tool for legitimate reason level: low tags: - attack.credential_access From cc7aebe9b6e90e124cfa242ec8196dbf2bb5d466 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 04:42:53 +0300 Subject: [PATCH 173/269] Update win_service_execution.yml --- rules/windows/process_creation/win_service_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index cf8fcfe3c..830e15fac 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml @@ -17,7 +17,7 @@ detection: - '*\net.exe' - '*\net1.exe' CommandLine|re: '.*start.*[a-zA-Z0-9]' # search for a service name after 'net start', avoiding intersection with "service discovery" technique detection rules - condition: selection + condition: selection falsepositives: - Legitimate administrator or user executes a service for legitimate reason level: low From c60563e546aaf4fbdd09a16988dfd45e81ca882a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 5 Nov 2019 11:24:52 +0100 Subject: [PATCH 174/269] rule: add modified rule date --- rules/windows/process_creation/win_proc_wrong_parent.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml index 8ed0e5a5c..5dbea3bae 100644 
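Review bot: `a3|contains: '-i'` is broader than the list it replaces: it also matches any long option containing that substring (for example `--immediate-mode`), and selection1 stays tied to `a1: '-c'` on the context line above, so `tcpdump -i eth0 -w capture.pcap` without a packet count still does not match. If the intent is "an interface was named in the third argument", `a3|re: '^-n*i'` keeps the original `-i`/`-ni`/`-nni` semantics, tolerates the attached form `-ieth0`, and avoids the substring over-match. A comment on selection1 noting the positional dependency on `-c` would make the coverage boundary explicit.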
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml +++ b/rules/windows/process_creation/win_proc_wrong_parent.yml @@ -8,6 +8,7 @@ references: - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf - https://attack.mitre.org/techniques/T1036/ date: 2019/02/23 +modified: 2019/08/20 tags: - attack.defense_evasion - attack.t1036 From e52f29dda997cdb3fa084555c0cdcaeee6a73a5d Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Wed, 30 Oct 2019 15:23:56 -0500 Subject: [PATCH 175/269] Fix matches operator field set to value instead of re. --- tools/sigma/backends/limacharlie.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 3180e2a83..db68f8829 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -292,11 +292,15 @@ class LimaCharlieBackend(BaseBackend): mappedFiltered = [] for k in filtered: op, newVal = self._valuePatternToLcOp(k) - mappedFiltered.append({ + newOp = { "op": op, "path": self._fieldMappingInEffect["keywords"], - "value": newVal, - }) + } + if op == "matches": + newOp["re"] = newVal + else: + newOp["value"] = newVal + mappedFiltered.append(newOp) filtered = mappedFiltered if 1 == len(filtered): return filtered[0] From 102ab3081b19df53ba72d7bfc1336cf738ca8ae6 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Wed, 30 Oct 2019 21:25:14 -0500 Subject: [PATCH 176/269] Fix the convertion from simple wildcard strings to a full regular expression so that it is always correct. The previous solution just mostly-worked. --- tools/sigma/backends/limacharlie.py | 121 ++++++++++++++++++++++------ 1 file changed, 95 insertions(+), 26 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index db68f8829..53290df21 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py 
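Review bot: The `if op == "matches": newOp["re"] = newVal / else: newOp["value"] = newVal` block added in `generateORNode` here (`@@ -292,11 +292,15 @@`) is copied verbatim into both branches of `generateMapItemNode` in the next hunk (`@@ -344,22 +344,30 @@`), giving three places that must agree on which key carries a pattern. A small helper on the class removes the duplication; the call here becomes `mappedFiltered.append(self._buildOp(op, self._fieldMappingInEffect["keywords"], newVal))` and the two later sites pass `caseSensitive=False`. The enclosing `generateORNode` starts before this hunk.
```python
    def _buildOp(self, op, path, newVal, caseSensitive=None):
        # "matches" carries its pattern under "re"; every other LC operator
        # takes the literal under "value".
        newOp = {"op": op, "path": path}
        newOp["re" if op == "matches" else "value"] = newVal
        if caseSensitive is not None:
            newOp["case sensitive"] = caseSensitive
        return newOp
```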
@@ -344,22 +344,30 @@ class LimaCharlieBackend(BaseBackend): if isinstance(value, (int, str)): op, newVal = self._valuePatternToLcOp(value) - return { + newOp = { "op": op, "path": fieldname, - "value": newVal, "case sensitive": False, } + if op == "matches": + newOp["re"] = newVal + else: + newOp["value"] = newVal + return newOp elif isinstance(value, list): subOps = [] for v in value: op, newVal = self._valuePatternToLcOp(v) - subOps.append({ + newOp = { "op": op, "path": fieldname, - "value": newVal, "case sensitive": False, - }) + } + if op == "matches": + newOp["re"] = newVal + else: + newOp["value"] = newVal + subOps.append(newOp) if 1 == len(subOps): return subOps[0] return { 
@@ -395,24 +403,85 @@ class LimaCharlieBackend(BaseBackend): if not isinstance(val, str): return ("is", str(val) if self._isAllStringValues else val) - # The following logic is taken from the WDATP backend to translate - # the basic wildcard format into proper regular expression. - if "*" in val[1:-1]: - # Contains a wildcard within, must be translated. - # TODO: getting a W605 from the \g escape, this may be broken. - val = re.sub('([".^$]|\\\\(?![*?]))', '\\\\\g<1>', val) - val = re.sub('\\*', '.*', val) - val = re.sub('\\?', '.', val) - return ("matches", val) - # value possibly only starts and/or ends with *, use prefix/postfix match - # TODO: this is actually not correct since the string could end with - # a \* expression which would mean it's NOT a wildcard. We'll gloss over - # it for now to get something out but it should eventually be fixed - # so that it's accurate in all corner cases. - if val.endswith("*") and val.startswith("*"): - return ("contains", val[1:-1]) - elif val.endswith("*"): - return ("starts with", val[:-1]) - elif val.startswith("*"): - return ("ends with", val[1:]) - return ("is", val) + + # Is there any wildcard in this string? If not, we can short circuit. + if "*" not in val and "?" not in val: + return ("is", val) + + # Now we do a small optimization for the shortcut operators + # available in LC. + isStartsWithWildcard = False + isEndsWithWildcard = False + tmpVal = val + if tmpVal.startswith("*"): + isStartsWithWildcard = True + tmpVal = tmpVal[1:] + if tmpVal.endswith("*") and not tmpVal.endswith("\\*"): + isEndsWithWildcard = True + tmpVal = tmpVal[:-1] + + # Check to see if there are any other wildcards. If there are + # we cannot use our shortcuts. + if "*" not in tmpVal and "?" 
not in tmpVal: + if isStartsWithWildcard and isEndsWithWildcard: + return ("contains", tmpVal) + + if isStartsWithWildcard: + return ("ends with", tmpVal) + + if isEndsWithWildcard: + return ("starts with", tmpVal) + + # This is messy, but it is accurate in generating a RE based on + # the simplified wildcard system, while also supporting the + # escaping of those wildcards. + segments = [] + tmpVal = val + while True: + nEscapes = 0 + for i in range(len(tmpVal)): + # We keep a running count of backslash escape + # characters we see so that if we meet a wildcard + # we can tell whether the wildcard is escaped + # (with odd number of escapes) or if it's just a + # backslash literal before a wildcard (even number). + if "\\" == tmpVal[i]: + nEscapes += 1 + continue + + if "*" == tmpVal[i]: + if 0 == nEscapes: + segments.append(re.escape(tmpVal[:i])) + segments.append(".*") + elif nEscapes % 2 == 0: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i]) + segments.append(".*") + else: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i + 1]) + tmpVal = tmpVal[i + 1:] + break + + if "?" == tmpVal[i]: + if 0 == nEscapes: + segments.append(re.escape(tmpVal[:i])) + segments.append(".") + elif nEscapes % 2 == 0: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i]) + segments.append(".") + else: + segments.append(re.escape(tmpVal[:i - nEscapes])) + segments.append(tmpVal[i - nEscapes:i + 1]) + tmpVal = tmpVal[i + 1:] + break + + nEscapes = 0 + else: + segments.append(re.escape(tmpVal)) + break + + val = ''.join(segments) + + return ("matches", val) \ No newline at end of file From 9aedb8f76410e71e64f73e6fef7e114acf637f43 Mon Sep 17 00:00:00 2001 
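Review bot: The regular expression assembled at the end of `_valuePatternToLcOp` is never anchored, so a Sigma value such as `foo*bar` (no leading or trailing `*`, i.e. a whole-value match in Sigma) comes out as `foo.*bar`; if LC's `matches` performs a search rather than a full match, that pattern also fires on `xfoo-bar-baz`. Wrapping the join, `val = "^" + "".join(segments) + "$"`, restores Sigma semantics in every case, since a leading or trailing wildcard simply becomes `^.*` / `.*$`. The no-wildcard tail is emitted by `re.escape(tmpVal)` in the `for`/`else`, which escapes a run of backslashes, while the even-run branch above copies the run through raw — a comment should state which Sigma escape convention the output follows. The `while True` around a `for … else … break` is hard to follow; one `re.finditer(r'(\\*)([*?])', val)` loop that checks the parity of `m.group(1)` expresses the same logic in about ten lines.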
From: Maxime Lamothe-Brassard Date: Wed, 30 Oct 2019 21:34:29 -0500 Subject: [PATCH 177/269] Adding another exception case to get more "contains" shortcuts instead of REs. --- tools/sigma/backends/limacharlie.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 53290df21..54c8ff7d5 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -416,7 +416,7 @@ class LimaCharlieBackend(BaseBackend): if tmpVal.startswith("*"): isStartsWithWildcard = True tmpVal = tmpVal[1:] - if tmpVal.endswith("*") and not tmpVal.endswith("\\*"): + if tmpVal.endswith("*") and not (tmpVal.endswith("\\*") and not tmpVal.endswith("\\\\*")): isEndsWithWildcard = True tmpVal = tmpVal[:-1] From 0b9a3f3a086bf4c356a4b2704b331fc5ab8fd5ab Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Thu, 31 Oct 2019 11:15:07 -0500 Subject: [PATCH 178/269] Refactor to better support keyword fields. --- tools/sigma/backends/limacharlie.py | 82 ++++++++++++++++++----------- 1 file changed, 50 insertions(+), 32 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 54c8ff7d5..df98ad334 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -42,7 +42,7 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'preConditions', 'fieldMappings', 'isAllStringValues', - 'isKeywordsSupported', + 'keywordField', ]) _allFieldMappings = { "windows/process_creation/": SigmaLCConfig( @@ -71,7 +71,7 @@ _allFieldMappings = { "Command": "event/COMMAND_LINE", }, isAllStringValues = False, - isKeywordsSupported = False + keywordField = "event/COMMAND_LINE" ), "windows//": SigmaLCConfig( topLevelParams = { 
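Review bot: The new condition in `@@ -416,7 +416,7 @@` only inspects the last two backslashes, so a value ending in `\\\*` (three backslashes: an escaped backslash followed by an escaped star) is still classified as a trailing wildcard. The regex path further down this function already decides by backslash-run parity; the same rule here is `if re.search(r'(?<!\\)(?:\\\\)*\*$', tmpVal):` (a `*` preceded by an even number of backslashes), which replaces the growing chain of `endswith` checks. `re` is already imported for `re.escape`; the enclosing function starts before the hunk.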
@@ -81,7 +81,7 @@ _allFieldMappings = { preConditions = None, fieldMappings = _windowsEventLogFieldName, isAllStringValues = True, - isKeywordsSupported = False + keywordField = None ), "windows_defender//": SigmaLCConfig( topLevelParams = { @@ -91,7 +91,7 @@ _allFieldMappings = { preConditions = None, fieldMappings = _windowsEventLogFieldName, isAllStringValues = True, - isKeywordsSupported = False + keywordField = None ), "dns//": SigmaLCConfig( topLevelParams = { @@ -102,7 +102,7 @@ _allFieldMappings = { "query": "event/DOMAIN_NAME", }, isAllStringValues = False, - isKeywordsSupported = False + keywordField = None ), "linux//": SigmaLCConfig( topLevelParams = { @@ -115,12 +115,12 @@ _allFieldMappings = { "op": "is linux", }, fieldMappings = { - "keywords": "event/COMMAND_LINE", "exe": "event/FILE_PATH", "type": None, }, isAllStringValues = False, - isKeywordsSupported = True), + keywordField = 'event/COMMAND_LINE' + ), "unix//": SigmaLCConfig( topLevelParams = { "events": [ @@ -132,12 +132,12 @@ _allFieldMappings = { "op": "is linux", }, fieldMappings = { - "keywords": "event/COMMAND_LINE", "exe": "event/FILE_PATH", "type": None, }, isAllStringValues = False, - isKeywordsSupported = True), + keywordField = 'event/COMMAND_LINE' + ), "netflow//": SigmaLCConfig( topLevelParams = { "event": "NETWORK_CONNECTIONS", @@ -148,7 +148,8 @@ _allFieldMappings = { "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT", }, isAllStringValues = False, - isKeywordsSupported = True) + keywordField = None + ), } class LimaCharlieBackend(BaseBackend): 
@@ -183,7 +184,7 @@ class LimaCharlieBackend(BaseBackend): # See if we have a definition for the source combination. mappingKey = "%s/%s/%s" % (product, category, service) - topFilter, preCond, mappings, isAllStringValues, isKeywordsSupported = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None])) + topFilter, preCond, mappings, isAllStringValues, keywordField = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None])) if mappings is None: raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service)) @@ -197,7 +198,7 @@ class LimaCharlieBackend(BaseBackend): self._isAllStringValues = isAllStringValues # Are we supporting keywords full text search? - self._isKeywordsSupported = isKeywordsSupported + self._keywordField = keywordField # Call the original generation code. detectComponent = super().generate(sigmaparser) @@ -256,6 +257,7 @@ class LimaCharlieBackend(BaseBackend): # and only convert to string (yaml) once the # whole thing is assembled. result = self.generateNode(parsed.parsedSearch) + if self._preCondition is not None: result = { "op": "and", @@ -271,6 +273,10 @@ class LimaCharlieBackend(BaseBackend): filtered = [ g for g in generated if g is not None ] if not filtered: return None + + # Map any possible keywords. + filtered = self._mapKeywordVals(filtered) + if 1 == len(filtered): return filtered[0] return { 
@@ -283,25 +289,10 @@ class LimaCharlieBackend(BaseBackend): filtered = [g for g in generated if g is not None] if not filtered: return None - if isinstance(filtered[0], str): - if not self._isKeywordsSupported: - raise NotImplementedError("Full-text keyboard searches not supported.") - # This seems to be indicative only of "keywords" which are mostly - # representative of full-text searches. We don't suport that but - # in some data sources we can alias them to an actual field. - mappedFiltered = [] - for k in filtered: - op, newVal = self._valuePatternToLcOp(k) - newOp = { - "op": op, - "path": self._fieldMappingInEffect["keywords"], - } - if op == "matches": - newOp["re"] = newVal - else: - newOp["value"] = newVal - mappedFiltered.append(newOp) - filtered = mappedFiltered + + # Map any possible keywords. + filtered = self._mapKeywordVals(filtered) + if 1 == len(filtered): return filtered[0] return { @@ -484,4 +475,31 @@ class LimaCharlieBackend(BaseBackend): val = ''.join(segments) - return ("matches", val) \ No newline at end of file + return ("matches", val) + + def _mapKeywordVals(self, values): + mapped = [] + + for val in values: + if not isinstance(val, str): + mapped.append(val) + continue + + if self._keywordField is None: + raise NotImplementedError("Full-text keyboard searches not supported.") + + # This seems to be indicative only of "keywords" which are mostly + # representative of full-text searches. We don't suport that but + # in some data sources we can alias them to an actual field. + op, newVal = self._valuePatternToLcOp(val) + newOp = { + "op": op, + "path": self._keywordField, + } + if op == "matches": + newOp["re"] = newVal + else: + newOp["value"] = newVal + mapped.append(newOp) + + return mapped \ No newline at end of file From 6f2f1d2bd725abf8b6b754fd9c9a3a8c11b42ae6 Mon Sep 17 00:00:00 2001 
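Review bot: The error text moved into `_mapKeywordVals` (`@@ -484,4 +475,31 @@`), `"Full-text keyboard searches not supported."`, should read `keyword`; the typo travelled with the line from `generateORNode`, and the comment below it has "suport". The file also still ends without a trailing newline (`\ No newline at end of file` on both the old and new side), which most linters and `git diff` flag on every subsequent edit. The unpack default in `@@ -183,7 +184,7 @@`, `tuple([None, None, None, None, None])`, is easier to keep in step with the namedtuple as `(None,) * len(SigmaLCConfig._fields)`.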
From: Maxime Lamothe-Brassard Date: Thu, 31 Oct 2019 13:40:41 -0500 Subject: [PATCH 179/269] Add ability to map fields and values based on callbacks. --- tools/sigma/backends/limacharlie.py | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index df98ad334..2ad9a8aa4 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -35,8 +35,9 @@ def _windowsEventLogFieldName(fieldName): # - top-level parameters # - pre-condition is a D&R rule node filtering relevant events. # - field mappings is a dict with a mapping or a callable to convert the field name. +# Individual mapping values can also be callabled(fieldname, value) returning a new fieldname and value. # - isAllStringValues is a bool indicating whether all values should be converted to string. -# - isKeywordsSupported is a bool indicating if full-text keyword searches are supported. +# - keywordField is the field name to alias for keywords if supported or None if not. SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'topLevelParams', 'preConditions', @@ -63,7 +64,7 @@ _allFieldMappings = { "User": "event/USER_NAME", # This field is redundant in LC, it seems to always be used with Image # so we will ignore it. - "OriginalFileName": None, + "OriginalFileName": lambda fn, fv: ("event/FILE_PATH", "*" + fv), # Custom field names coming from somewhere unknown. "NewProcessName": "event/FILE_PATH", "ProcessCommandLine": "event/COMMAND_LINE", 
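Review bot: The comment kept directly above the new `"OriginalFileName": lambda fn, fv: ("event/FILE_PATH", "*" + fv)` line in `@@ -63,7 +64,7 @@` still says the field is redundant and "we will ignore it", which is no longer true; update it to describe the aliasing. The alias also changes what a rule means: `OriginalFileName` is the name embedded in the PE version resource and rules use it precisely to match a binary whose on-disk name differs, whereas a suffix match on `event/FILE_PATH` only sees the on-disk name, so such a rule will not fire for the case it was written for. A comment such as `# lossy: matches the on-disk name, not the PE-embedded one` keeps that limitation visible to anyone reading converted rules. The lambda additionally assumes `fv` is a `str`; the call sites that hand it other types are raised at the next hunk.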
@@ -318,14 +319,22 @@ class LimaCharlieBackend(BaseBackend): def generateMapItemNode(self, node): fieldname, value = node + fieldNameAndValCallback = None + # The mapping can be a dictionary of mapping or a callable # to get the correct value. if callable(self._fieldMappingInEffect): fieldname = self._fieldMappingInEffect(fieldname) else: try: - fieldname = self._fieldMappingInEffect[fieldname] + # The mapping can also be a callable that will + # return a mapped key AND value. + if callable(self._fieldMappingInEffect[fieldname]): + fieldNameAndValCallback = self._fieldMappingInEffect[fieldname] + else: + fieldname = self._fieldMappingInEffect[fieldname] except: + raise raise NotImplementedError("Field name %s not supported by backend." % (fieldname,)) # If fieldname returned is None, it's a special case where we @@ -334,6 +343,8 @@ class LimaCharlieBackend(BaseBackend): return None if isinstance(value, (int, str)): + if fieldNameAndValCallback is not None: + fieldname, value = fieldNameAndValCallback(fieldname, value) op, newVal = self._valuePatternToLcOp(value) newOp = { "op": op, @@ -348,6 +359,8 @@ class LimaCharlieBackend(BaseBackend): elif isinstance(value, list): subOps = [] for v in value: + if fieldNameAndValCallback is not None: + fieldname, v = fieldNameAndValCallback(fieldname, v) op, newVal = self._valuePatternToLcOp(v) newOp = { "op": op, @@ -367,6 +380,8 @@ class LimaCharlieBackend(BaseBackend): } elif isinstance(value, SigmaTypeModifier): if isinstance(value, SigmaRegularExpressionModifier): + if fieldNameAndValCallback is not None: + fieldname, value = fieldNameAndValCallback(fieldname, value) return { "op": "matches", "path": fieldname, @@ -375,6 +390,8 @@ class LimaCharlieBackend(BaseBackend): else: raise TypeError("Backend does not support TypeModifier: %s" % (str(type(value)))) elif value is None: + if fieldNameAndValCallback is not None: + fieldname, value = fieldNameAndValCallback(fieldname, value) return { "op": "exists", "not": True, 
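Review bot: In the `elif value is None:` branch (`@@ -375,6 +390,8 @@`) the new call `fieldname, value = fieldNameAndValCallback(fieldname, value)` hands `None` to the callback, and in the `SigmaRegularExpressionModifier` branch (`@@ -367,6 +380,8 @@`) it hands a modifier object; the only callback defined in this commit, the `"OriginalFileName"` lambda, computes `"*" + fv`, so an `OriginalFileName: null` or `OriginalFileName|re:` rule raises `TypeError` instead of a clear `NotImplementedError`. Either guard those two call sites with `if fieldNameAndValCallback is not None and isinstance(value, str):` or document in the mapping-table comment that value callbacks must accept `None` and modifier objects. Separately, the `except:` around the mapping lookup in `@@ -318` is bare; `except KeyError:` keeps an unrelated failure (an unhashable `fieldname`, a bug inside a callable mapping) from being reported as "Field name not supported". The stray `raise` before the `NotImplementedError`, which makes that line unreachable, is removed in PATCH 180 below; `generateMapItemNode` continues outside these hunks.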
@@ -478,6 +495,11 @@ class LimaCharlieBackend(BaseBackend): return ("matches", val) def _mapKeywordVals(self, values): + # This function ensures that the list of values passed + # are proper D&R operations, if they are strings it indicates + # they were requested as keyword matches. We only support + # keyword matches when specific in the config where we just + # map them to the most common field in LC that makes sense. mapped = [] for val in values: From 0c6b9e532be1c46a3f72f6c20f7570a2587ba180 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Thu, 31 Oct 2019 13:45:38 -0500 Subject: [PATCH 180/269] Remove debugging statement --- tools/sigma/backends/limacharlie.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 2ad9a8aa4..74037cc6c 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -334,7 +334,6 @@ class LimaCharlieBackend(BaseBackend): else: fieldname = self._fieldMappingInEffect[fieldname] except: - raise raise NotImplementedError("Field name %s not supported by backend." % (fieldname,)) # If fieldname returned is None, it's a special case where we From c2e621cf08007da716701c60f8b4d52ad8a047ae Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Thu, 31 Oct 2019 15:29:31 -0500 Subject: [PATCH 181/269] Fixing another edge case with string escape. --- tools/sigma/backends/limacharlie.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 74037cc6c..884d502f4 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py 
@@ -425,7 +425,13 @@ class LimaCharlieBackend(BaseBackend): tmpVal = tmpVal[1:] if tmpVal.endswith("*") and not (tmpVal.endswith("\\*") and not tmpVal.endswith("\\\\*")): isEndsWithWildcard = True - tmpVal = tmpVal[:-1] + if tmpVal.endswith("\\\\*"): + # An extra \ had to be there so it didn't escapte the + # *, but since we plan on removing the *, we can also + # remove one \. + tmpVal = tmpVal[:-2] + else: + tmpVal = tmpVal[:-1] # Check to see if there are any other wildcards. If there are # we cannot use our shortcuts. From b7018bcd4ad0cb1e1b4dc5b2ff8e4750f4c4c9b8 Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Fri, 1 Nov 2019 11:47:53 -0500 Subject: [PATCH 182/269] Adding a post-mapper mechanism to fix some common issues in Sigma rules to LC. --- tools/sigma/backends/limacharlie.py | 77 ++++++++++++++++++++++++----- 1 file changed, 64 insertions(+), 13 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 884d502f4..65956d957 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py 
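Review bot: The new `\\\\*` branch is the only place where a Sigma escape sequence is collapsed (`tmpVal[:-2]` drops the `*` and one backslash), while the `contains`/`starts with`/`ends with` shortcuts a few lines below still return the remaining value with its `\\` pairs untouched, so escape handling now depends on where in the string the backslashes sit. If LC's shortcut operators compare literally, the whole shortcut value needs its Sigma escapes resolved (`\\` to `\`), not just the trailing one; if they do not, this branch should not collapse it either — a comment naming the convention in force would settle it. Also fix the comment typo `escapte` to `escape`. The enclosing function starts and ends outside the hunk.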
@@ -28,6 +28,23 @@ def _windowsEventLogFieldName(fieldName): return 'Event/System/EventID' return 'Event/EventData/%s' % (fieldName,) +def _mapProcessCreationOperations(node): + # Here we fix some common pitfalls found in rules + # in a consistent fashion (already process to D&R rule). + + # First fixup is looking for a specific path prefix + # based on a specific drive letter. There are many cases + # where the driver letter can change or where the early + # boot process refers to it as "\Device\HarddiskVolume1\". + if ("starts with" == node["op"] and + "event/FILE_PATH" == node["path"] and + node["value"].lower().startswith("c:\\")): + node["op"] = "matches" + node["re"] = "^(?:(?:.:)|(?:\\\\Device\\\\HarddiskVolume.))\\\\%s" % (re.escape(node["value"][3:]),) + del(node["value"]) + + return node + # We support many different log sources so we keep different mapping depending # on the log source and category. # The mapping key is product/category/service. @@ -38,12 +55,14 @@ def _windowsEventLogFieldName(fieldName): # Individual mapping values can also be callabled(fieldname, value) returning a new fieldname and value. # - isAllStringValues is a bool indicating whether all values should be converted to string. # - keywordField is the field name to alias for keywords if supported or None if not. +# - postOpMapper is a callback that can modify an operation once it has been generated. SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'topLevelParams', 'preConditions', 'fieldMappings', 'isAllStringValues', 'keywordField', + 'postOpMapper', ]) _allFieldMappings = { "windows/process_creation/": SigmaLCConfig( @@ -72,7 +91,8 @@ _allFieldMappings = { "Command": "event/COMMAND_LINE", }, isAllStringValues = False, - keywordField = "event/COMMAND_LINE" + keywordField = "event/COMMAND_LINE", + postOpMapper = _mapProcessCreationOperations ), "windows//": SigmaLCConfig( topLevelParams = { 
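Review bot: The drive-prefix rewrite in `_mapProcessCreationOperations` uses `HarddiskVolume.`, a single character, so a path reported as `\Device\HarddiskVolume10\...` (any two-digit volume) does not match; use `node["re"] = "^(?:(?:.:)|(?:\\\\Device\\\\HarddiskVolume[0-9]+))\\\\%s" % (re.escape(node["value"][3:]),)`. The function reads `node["op"]` unconditionally, which is fine for the leaf dicts built in `generateMapItemNode`, but later hunks in this patch also pass composite and/or nodes through the mapper, so `node.get("op")` makes that intent explicit. The leaf presumably still carries the `"case sensitive": False` key set in `generateMapItemNode`; the comment should say whether LC applies that flag to `matches`, because the `.lower()` check accepts `C:\` in any case while the emitted regex is otherwise case-sensitive for the rest of the path.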
@@ -82,7 +102,8 @@ _allFieldMappings = { preConditions = None, fieldMappings = _windowsEventLogFieldName, isAllStringValues = True, - keywordField = None + keywordField = None, + postOpMapper = None ), "windows_defender//": SigmaLCConfig( topLevelParams = { @@ -92,7 +113,8 @@ _allFieldMappings = { preConditions = None, fieldMappings = _windowsEventLogFieldName, isAllStringValues = True, - keywordField = None + keywordField = None, + postOpMapper = None ), "dns//": SigmaLCConfig( topLevelParams = { @@ -103,7 +125,8 @@ _allFieldMappings = { "query": "event/DOMAIN_NAME", }, isAllStringValues = False, - keywordField = None + keywordField = None, + postOpMapper = None ), "linux//": SigmaLCConfig( topLevelParams = { @@ -120,7 +143,8 @@ _allFieldMappings = { "type": None, }, isAllStringValues = False, - keywordField = 'event/COMMAND_LINE' + keywordField = 'event/COMMAND_LINE', + postOpMapper = None ), "unix//": SigmaLCConfig( topLevelParams = { @@ -137,7 +161,8 @@ _allFieldMappings = { "type": None, }, isAllStringValues = False, - keywordField = 'event/COMMAND_LINE' + keywordField = 'event/COMMAND_LINE', + postOpMapper = None ), "netflow//": SigmaLCConfig( topLevelParams = { @@ -149,7 +174,8 @@ _allFieldMappings = { "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT", }, isAllStringValues = False, - keywordField = None + keywordField = None, + postOpMapper = None ), } @@ -185,7 +211,7 @@ class LimaCharlieBackend(BaseBackend): # See if we have a definition for the source combination. mappingKey = "%s/%s/%s" % (product, category, service) - topFilter, preCond, mappings, isAllStringValues, keywordField = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None])) + topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None, None])) if mappings is None: raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service)) 
@@ -201,6 +227,9 @@ class LimaCharlieBackend(BaseBackend): # Are we supporting keywords full text search? self._keywordField = keywordField + # Call to fixup all operations after the fact. + self._postOpMapper = postOpMapper + # Call the original generation code. detectComponent = super().generate(sigmaparser) @@ -267,6 +296,8 @@ class LimaCharlieBackend(BaseBackend): result, ] } + if self._postOpMapper is not None: + result = self._postOpMapper(result) return yaml.safe_dump(result) def generateANDNode(self, node): @@ -279,11 +310,16 @@ class LimaCharlieBackend(BaseBackend): filtered = self._mapKeywordVals(filtered) if 1 == len(filtered): + if self._postOpMapper is not None: + filtered[0] = self._postOpMapper(filtered[0]) return filtered[0] - return { + result = { "op": "and", "rules": filtered, } + if self._postOpMapper is not None: + result = self._postOpMapper(result) + return result def generateORNode(self, node): generated = [self.generateNode(val) for val in node] @@ -295,11 +331,16 @@ class LimaCharlieBackend(BaseBackend): filtered = self._mapKeywordVals(filtered) if 1 == len(filtered): + if self._postOpMapper is not None: + filtered[0] = self._postOpMapper(filtered[0]) return filtered[0] - return { + result = { "op": "or", "rules": filtered, } + if self._postOpMapper is not None: + result = self._postOpMapper(result) + return result def generateNOTNode(self, node): generated = self.generateNode(node.item) @@ -307,7 +348,7 @@ class LimaCharlieBackend(BaseBackend): return None if not isinstance(generated, dict): raise NotImplementedError("Not operator not available on non-dict nodes.") - generated['not'] = True + generated["not"] = not generated.get("not", False) return generated def generateSubexpressionNode(self, node): @@ -354,6 +395,8 @@ class LimaCharlieBackend(BaseBackend): newOp["re"] = newVal else: newOp["value"] = newVal + if self._postOpMapper is not None: + newOp = self._postOpMapper(newOp) return newOp elif isinstance(value, list): subOps = [] 
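Review bot: `_postOpMapper` is invoked more than once on the same node: `generateMapItemNode` maps each `newOp` as it is built (hunk +395 here, and the list branch at +413 and the `matches`/`exists` branches at +426 on the next line), then `generateANDNode`/`generateORNode` map `filtered[0]` again when only one rule survives, and the outermost result is mapped once more in the hunk at +296. This is only correct because `_mapProcessCreationOperations` is idempotent (after the first pass `op` is `matches`, so the `starts with` check no longer fires); a future mapper that rewrites `matches` operations would be applied twice. Either drop the `filtered[0]` re-mapping in the AND/OR paths, or state the contract next to the field description, e.g. `# - postOpMapper ... It may be called several times on the same operation and must be idempotent.` The enclosing `generate`, `generateANDNode`, `generateORNode` and `generateMapItemNode` bodies extend outside these hunks.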
@@ -370,6 +413,8 @@ class LimaCharlieBackend(BaseBackend): newOp["re"] = newVal else: newOp["value"] = newVal + if self._postOpMapper is not None: + newOp = self._postOpMapper(newOp) subOps.append(newOp) if 1 == len(subOps): return subOps[0] @@ -381,21 +426,27 @@ class LimaCharlieBackend(BaseBackend): if isinstance(value, SigmaRegularExpressionModifier): if fieldNameAndValCallback is not None: fieldname, value = fieldNameAndValCallback(fieldname, value) - return { + result = { "op": "matches", "path": fieldname, "re": re.compile(value), } + if self._postOpMapper is not None: + result = self._postOpMapper(result) + return result else: raise TypeError("Backend does not support TypeModifier: %s" % (str(type(value)))) elif value is None: if fieldNameAndValCallback is not None: fieldname, value = fieldNameAndValCallback(fieldname, value) - return { + result = { "op": "exists", "not": True, "path": fieldname, } + if self._postOpMapper is not None: + result = self._postOpMapper(result) + return result else: raise TypeError("Backend does not support map values of type " + str(type(value))) From 1b9054c1f3ee9a240a8e6b6b46864ebbe2e304df Mon Sep 17 00:00:00 2001 From: Maxime Lamothe-Brassard Date: Tue, 5 Nov 2019 08:33:21 -0500 Subject: [PATCH 183/269] Adding some comments --- tools/sigma/backends/limacharlie.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index 65956d957..d5682d492 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -30,7 +30,7 @@ def _windowsEventLogFieldName(fieldName): def _mapProcessCreationOperations(node): # Here we fix some common pitfalls found in rules - # in a consistent fashion (already process to D&R rule). + # in a consistent fashion (already processed to D&R rule). # First fixup is looking for a specific path prefix # based on a specific drive letter. There are many cases 
@@ -459,6 +459,7 @@ class LimaCharlieBackend(BaseBackend): # or into altered values to be functionally equivalent using # a few different LC D&R rule operators. + # No point evaluating non-strings. if not isinstance(val, str): return ("is", str(val) if self._isAllStringValues else val) @@ -467,7 +468,9 @@ class LimaCharlieBackend(BaseBackend): return ("is", val) # Now we do a small optimization for the shortcut operators - # available in LC. + # available in LC. We try to see if the wildcards are around + # the main value, but NOT within. If that's the case we can + # use the "starts with", "ends with" or "contains" operators. isStartsWithWildcard = False isEndsWithWildcard = False tmpVal = val @@ -554,11 +557,12 @@ class LimaCharlieBackend(BaseBackend): # This function ensures that the list of values passed # are proper D&R operations, if they are strings it indicates # they were requested as keyword matches. We only support - # keyword matches when specific in the config where we just + # keyword matches when specified in the config. We generally just # map them to the most common field in LC that makes sense. mapped = [] for val in values: + # Non-keywords are just passed through. if not isinstance(val, str): mapped.append(val) continue From ef14ee542d6839da8d7920565293e3427b942c36 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 5 Nov 2019 23:04:13 +0100 Subject: [PATCH 184/269] Added modifiers: startswith and endswith --- tests/test-modifiers.yml | 2 ++ tools/sigma/parser/modifiers/transform.py | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/tests/test-modifiers.yml b/tests/test-modifiers.yml index e856e19d5..8e578234c 100644 --- a/tests/test-modifiers.yml +++ b/tests/test-modifiers.yml @@ -13,4 +13,6 @@ detection: - foo - bar - bla + end|endswith: test + start|startswith: test condition: selection diff --git a/tools/sigma/parser/modifiers/transform.py b/tools/sigma/parser/modifiers/transform.py index 63b36fd8c..c30f92daf 100644 
--- a/tools/sigma/parser/modifiers/transform.py +++ b/tools/sigma/parser/modifiers/transform.py @@ -31,6 +31,26 @@ class SigmaContainsModifier(ListOrStringModifierMixin, SigmaTransformModifier): val += "*" return val +class SigmaStartswithModifier(ListOrStringModifierMixin, SigmaTransformModifier): + """Add *-wildcard before and after all string(s)""" + identifier = "startswith" + active = True + + def apply_str(self, val : str): + if not val.endswith("*"): + val += "*" + return val + +class SigmaEndswithModifier(ListOrStringModifierMixin, SigmaTransformModifier): + """Add *-wildcard before and after all string(s)""" + identifier = "endswith" + active = True + + def apply_str(self, val : str): + if not val.startswith("*"): + val = "*" + val + return val + class SigmaAllValuesModifier(SigmaTransformModifier): """Override default OR-linking behavior for list with AND-linking of all list values""" identifier = "all" From 0d8c64da86aa84a4e1caa3a724e688ad36b92477 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 7 Nov 2019 03:21:09 +0300 Subject: [PATCH 185/269] duplicate rule deleted MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit this rule already present in Sigma repo — [./rules/windows/process_creation/win_susp_comsvcs_procdump.yml](https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_comsvcs_procdump.yml) --- .../process_creation/minidumpwritedump.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/process_creation/minidumpwritedump.yml diff --git a/rules/windows/process_creation/minidumpwritedump.yml b/rules/windows/process_creation/minidumpwritedump.yml deleted file mode 100644 index 2e73e1c01..000000000 --- a/rules/windows/process_creation/minidumpwritedump.yml +++ /dev/null 
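Review bot: Both new classes carry the docstring copied from `SigmaContainsModifier`, `"""Add *-wildcard before and after all string(s)"""`, which describes neither of them: `SigmaStartswithModifier.apply_str` only appends `*` and `SigmaEndswithModifier.apply_str` only prepends it. Suggested `"""Add *-wildcard after all string(s)"""` for `startswith` and `"""Add *-wildcard before all string(s)"""` for `endswith`, since these docstrings are what users will read when looking up the modifier semantics. The annotation spelling `val : str` (space before the colon) presumably mirrors the existing class, but PEP 8 form is `val: str`.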
@@ -1,21 +0,0 @@ -title: MiniDumpWriteDump via COM+ -description: Detect dump memory via minidump -references: - - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ -tags: - - attack.credential_access - - attack.t1003 -status: experimental -author: Aleksey Potapov, oscd.community -date: 2019/10/22 -logsource: - category: process_creation - product: windows -detection: - selection: - Image: '*\rundll32.exe' - CommandLine: '*comsvcs.dll*minidump*' - condition: selection -falsepositives: - - unknown -level: critical \ No newline at end of file From ddf24819edee7e3b026ce1fcaba92fd044d21a90 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 7 Nov 2019 03:33:12 +0300 Subject: [PATCH 186/269] Update silenttrinity_stage_use.yml --- .../silenttrinity_stage_use.yml | 33 +++++++++---------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/rules/windows/process_creation/silenttrinity_stage_use.yml b/rules/windows/process_creation/silenttrinity_stage_use.yml index b66aaef8c..a99a63b32 100644 --- a/rules/windows/process_creation/silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/silenttrinity_stage_use.yml 
@@ -1,31 +1,30 @@ +--- action: global -title: SILENTTRINITY +title: SILENTTRINITY stager execution status: experimental -description: Detect SILENTTRINITY stager use +description: Detects SILENTTRINITY stager use references: - - https://github.com/byt3bl33d3r/SILENTTRINITY + - https://github.com/byt3bl33d3r/SILENTTRINITY author: Aleksey Potapov, oscd.community date: 2019/10/22 +modified: 2019/11/04 tags: - - attack.execution + - attack.execution detection: - condition: selection + selection: + Description|contains: 'st2stager' + condition: selection falsepositives: - - unknown + - unknown level: high --- logsource: - category: process_creation - product: windows - service: sysmon -detection: - selection: - Description: '*st2stager*' + category: process_creation + product: windows --- logsource: - product: windows - service: sysmon + product: windows + service: sysmon detection: - selection: - EventID: 7 - Description: '*st2stager*' + selection: + EventID: 7 From 404a6d9915f6d67b68cc785488e309f887978b54 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 7 Nov 2019 03:37:41 +0300 Subject: [PATCH 187/269] Update win_netsh_packet_capture.yml --- .../process_creation/win_netsh_packet_capture.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_netsh_packet_capture.yml b/rules/windows/process_creation/win_netsh_packet_capture.yml index 7592b97cd..d89c40c4a 100644 --- a/rules/windows/process_creation/win_netsh_packet_capture.yml +++ b/rules/windows/process_creation/win_netsh_packet_capture.yml 
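Review bot: After this rewrite both documents of the collection depend only on the global `Description|contains: 'st2stager'`, and neither `description` nor `falsepositives` says that `Description` is the file-description string from the executable's version information as reported by Sysmon, which is what an analyst tuning the rule needs to know; e.g. `description: Detects SILENTTRINITY stager use via the st2stager file description of the created process or loaded image`. The second document now has `service: sysmon` without a `category`, so it relies on the backend configuration to route plain Sysmon events; I would confirm that its `selection` with `EventID: 7` is deep-merged with the global `selection` rather than replacing it, otherwise the image-load document would match every event 7.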
@@ -1,6 +1,6 @@ -title: Capture a Network Trace with netsh +title: Capture a Network Trace with netsh.exe status: experimental -description: Detects capture a network trace via netsh trace functionality +description: Detects capture a network trace via netsh.exe trace functionality references: - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/ author: Kutepov Anton, oscd.community @@ -13,8 +13,11 @@ logsource: product: windows detection: selection: - CommandLine: netsh* trace* start* + CommandLine|contains|all: + - netsh + - trace + - start condition: selection falsepositives: - - Legitimate administration + - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason level: medium From 82b185db6a0e3568b772c7fceb474d6e0949529d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 7 Nov 2019 04:11:26 +0300 Subject: [PATCH 188/269] Update win_sysmon_driver_unload.yml --- .../win_sysmon_driver_unload.yml | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml index 13c4795a2..422daa3b4 100644 --- a/rules/windows/process_creation/win_sysmon_driver_unload.yml +++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml 
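Review bot: The `CommandLine|contains|all` rewrite loses the ordering the removed wildcard `netsh* trace* start*` imposed, so `netsh`, `trace` and `start` now match in any position, and `netsh` as a bare substring also matches command lines that only mention it in a path or argument of another tool. Because this is a `process_creation` rule, adding `Image|endswith: '\netsh.exe'` next to the existing list anchors the selection on the executable without excluding the intended case. The new falsepositives entry is repetitive; `- Legitimate administrator or user use of netsh.exe trace functionality` says the same thing.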
@@ -1,20 +1,23 @@ title: Sysmon driver unload status: experimental author: Kirill Kiryanov, oscd.community -description: Detect possible shutdown Sysmon +description: Detect possible Sysmon driver unload date: 2019/10/23 -references: - - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon -fields: - - CommandLine - - Details +modified: 2019/11/07 +references: + - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon +logsource: + product: windows + category: process_creation +detection: + selection: + Image|endswith: '\fltmc.exe' + CommandLine|contains|all: + - 'unload' + - 'sys' + condition: selection falsepositives: Unknown level: high -logsource: - product: windows - category: process_creation -detection: - selection: - Image: '*\fltMC.exe' - CommandLine: '*unload*Sys*' - condition: selection +fields: + - CommandLine + - Details From 6083d70975a8e0d4d40ff5b310eca7e4e0d62e96 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 7 Nov 2019 04:23:20 +0300 Subject: [PATCH 189/269] Update sysmon_registry_persistence_key_linking.yml --- .../sysmon/sysmon_registry_persistence_key_linking.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml index e665ccec6..71455dabe 100644 --- a/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml +++ b/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml @@ -5,6 +5,7 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Kutepov Anton, oscd.community date: 2019/10/23 +modified: 2019/11/07 tags: - attack.persistence - attack.t1122 
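Review bot: In the new `CommandLine|contains|all` list the term `'sys'` no longer narrows the match: once ordering is dropped it is satisfied by `System32` whenever the command line carries the full image path, and by any `.sys` argument, so selection effectively becomes "fltmc.exe with `unload`". The removed `'*unload*Sys*'` at least required the token after `unload`; if the aim is the Sysmon filter specifically, a more specific term such as `- 'sysmon'` (which still misses a renamed driver, as the reference describes) or the ordered wildcard preserves the title's intent. `falsepositives: Unknown` is a context line, but it is a plain scalar where the other rules on this page use a list.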
@@ -14,7 +15,9 @@ logsource: detection: selection: EventID: 12 - TargetObject: 'HKU\*_Classes\CLSID\*\TreatAs' + TargetObject|startswith: 'HKU\' + TargetObject|contains: '_Classes\CLSID\' + TargetObject|endswith: '\TreatAs' condition: selection falsepositives: - Maybe some system utilities in rare cases use linking keys for backward compability From 8b7560c2f4946581401e28e8fdfc4ca25c5676e0 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Thu, 7 Nov 2019 23:08:44 +0100 Subject: [PATCH 190/269] Added changelog --- CHANGELOG.md | 89 +++++++++++++++++++++++++++++++++++++++++++++++++ CHANGELOG.md.j2 | 38 +++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 CHANGELOG.md create mode 100644 CHANGELOG.md.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..cf82e1c2f --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,89 @@ +# Release Notes + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) +from version 0.14.0. + +## Unreleased + +Changes from this section will be contained in the next release. + +### Added + +* sigma-similarity tool +* LimaCharlie backend +* Default configurations for some backends that are used if no configuration is passed. +* Value modifiers: + * startswith + * endswith + +### Changed + +* Removal of line breaks in elastalert output +* Searches not bound to fields are restricted to keyword fields in es-qs backend +* Graylog backend now based on es-qs backend + +## 0.13 + +### Added + +* Index mappings for Sumologic +* Malicious cmdlets in wdatp +* QRadar support for keyword searches +* QRadar mapping improvements +* QRadar field selection +* QRadar type regex modifier support +* Elasticsearch keyword field blacklisting with wildcards +* Added dateField configuration parameter in xpack-watcher backend +* Field mappings in configurations +* Field name mapping for conditional fields +* Value modifiers: + * utf16 + * utf16le + * wide + * utf16be + +### Changed + +* Improved --backend-config help text + +### Fixed + +* Backend errors in ala +* Slash escaping within es-dsl wildcard queries +* QRadar backend config +* QRadar field name and value escaping and handling +* Elasticsearch wildcard detection pattern +* Aggregation on keyword field in es-dsl backend + +## 0.12.1 + +### Fixed + +* Missing build dependency + +## 0.12 + +### Added + +* Usage of "Channel" field in ELK Windows configuration +* Fields to mappings +* xpack-watcher actions index and webhook +* Config for Winlogbeat 7.x +* Value modifiers +* Regular expression support + +### Changed + +* Warning/error messages +* Sumologic value cleaning +* Explicit OR for Elasticsearch query strings +* Listing 
of available configurations on missing configuration error + +### Fixed + +* Conditions in es-dsl backend +* Sumologic handling of null values +* Ignore timeframe detection keyword in all/any of conditions diff --git a/CHANGELOG.md.j2 b/CHANGELOG.md.j2 new file mode 100644 index 000000000..8dd07eee2 --- /dev/null +++ b/CHANGELOG.md.j2 @@ -0,0 +1,38 @@ +## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }}) + +### Added + +{% for item in added %} +* {{ item | indent(2) }} +{% endfor %} + +### Changed + +{% for item in changed %} +* {{ item | indent(2) }} +{% endfor %} + +### Deprecated + +{% for item in deprecated %} +* {{ item | indent(2) }} +{% endfor %} + +### Removed + +{% for item in removed %} +* {{ item | indent(2) }} +{% endfor %} + +### Fixed + +{% for item in fixed %} +* {{ item | indent(2) }} +{% endfor %} + +### Security + +{% for item in security %} +* {{ item | indent(2) }} +{% endfor %} + From 3b34ed6150e8d460f9f9bc23180d4279d50c2da2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Fri, 8 Nov 2019 01:34:30 +0300 Subject: [PATCH 191/269] add modifiers --- .../win_data_compressed_with_rar.yml | 2 +- ...n_local_system_owner_account_discovery.yml | 20 +++++++++--------- .../process_creation/win_network_sniffing.yml | 4 ++-- .../win_possible_applocker_bypass.yml | 20 +++++++++--------- .../process_creation/win_query_registry.yml | 2 +- .../win_service_execution.yml | 8 +++---- .../process_creation/win_susp_bginfo.yml | 2 +- .../windows/process_creation/win_susp_cdb.yml | 2 +- .../win_susp_devtoolslauncher.yml | 2 +- .../windows/process_creation/win_susp_dnx.yml | 2 +- .../process_creation/win_susp_dxcap.yml | 2 +- .../process_creation/win_susp_msoffice.yml | 8 +++---- .../process_creation/win_susp_odbcconf.yml | 21 +++++++++---------- .../process_creation/win_susp_openwith.yml | 2 +- .../win_susp_psr_capture_screenshots.yml | 2 +- .../win_xsl_script_processing.yml | 4 ++-- 16 files changed, 51 insertions(+), 52 deletions(-) 
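Review bot: The heading in the new CHANGELOG.md.j2 puts the minor number first, `## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }})`, so a release 0.14.0 would render as `14.0.0`; it should be `## {{ version.major }}.{{ version.minor }}.{{ version.patch }} ({{ date }})`. Unless the rendering environment enables `trim_blocks`, the newline after each `{% for %}` and `{% endfor %}` line is kept, which puts a blank line between list items; `{%- for item in added %}` / `{%- endfor %}` would avoid that. The `| indent(2)` filter on a single-line item is harmless but only matters for multi-line entries.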
diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml index de3ce76ac..6c04dcd27 100644 --- a/rules/windows/process_creation/win_data_compressed_with_rar.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image: '*\rar.exe' + Image|endswith: '\rar.exe' CommandLine|contains|all: - ' a ' - '-r' diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml index 654f1edba..50c945dd3 100644 --- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml @@ -11,25 +11,25 @@ logsource: product: windows detection: selection_1: - - Image: '*\whoami.exe' - - Image: '*\wmic.exe' + - Image|endswith: '\whoami.exe' + - Image|endswith: '\wmic.exe' CommandLine|contains|all: - 'useraccount' - 'get' - - Image: - - '*\quser.exe' - - '*\qwinsta.exe' - - Image: '*\cmdkey.exe' + - Image|endswith: + - '\quser.exe' + - '\qwinsta.exe' + - Image|endswith: '\cmdkey.exe' CommandLine|contains: '/list' - - Image: '*\cmd.exe' + - Image|endswith: '\cmd.exe' CommandLine|contains|all: - '/c' - 'dir' - '\Users\' selection_2: - Image: - - '*\net.exe' - - '*\net1.exe' + Image|endswith: + - '\net.exe' + - '\net1.exe' CommandLine|contains: 'user' filter: CommandLine|contains: diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml index 31e03d534..fdcb9a287 100644 --- a/rules/windows/process_creation/win_network_sniffing.yml +++ b/rules/windows/process_creation/win_network_sniffing.yml 
@@ -11,9 +11,9 @@ logsource: product: windows detection: selection: - - Image: '*\tshark.exe' + - Image|endswith: '\tshark.exe' CommandLine|contains: '-i' - - Image: '*\windump.exe' + - Image|endswith: '\windump.exe' condition: selection falsepositives: - Admin activity diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 2fbf5924c..0a34fc3a8 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -16,16 +16,16 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\msdt.exe*' - - '*\installutil.exe*' - - '*\regsvcs.exe*' - - '*\regasm.exe*' - # - '*\regsvr32.exe*' # too many FPs, very noisy - - '*\msbuild.exe*' - - '*\ieexec.exe*' - - '*\mshta.exe*' - - '*\csc.exe*' + CommandLine|contains: + - '\msdt.exe' + - '\installutil.exe' + - '\regsvcs.exe' + - '\regasm.exe' + # - '\regsvr32.exe' # too many FPs, very noisy + - '\msbuild.exe' + - '\ieexec.exe' + - '\mshta.exe' + - '\csc.exe' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml index 193fa70eb..64ad9df5f 100644 --- a/rules/windows/process_creation/win_query_registry.yml +++ b/rules/windows/process_creation/win_query_registry.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image: '*\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains: - 'currentVersion\windows' - 'currentVersion\runServicesOnce' diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index 830e15fac..9fc0b971b 100644 --- a/rules/windows/process_creation/win_service_execution.yml 
+++ b/rules/windows/process_creation/win_service_execution.yml @@ -11,11 +11,11 @@ logsource: product: windows detection: selection: - - Image: '*\sc.exe' + - Image|endswith: '\sc.exe' CommandLine|contains: 'start' - - Image: - - '*\net.exe' - - '*\net1.exe' + - Image|endswith: + - '\net.exe' + - '\net1.exe' CommandLine|re: '.*start.*[a-zA-Z0-9]' # search for a service name after 'net start', avoiding intersection with "service discovery" technique detection rules condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_susp_bginfo.yml b/rules/windows/process_creation/win_susp_bginfo.yml index 80e6d4a9a..4038182a4 100644 --- a/rules/windows/process_creation/win_susp_bginfo.yml +++ b/rules/windows/process_creation/win_susp_bginfo.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Image: '*\bginfo.exe' + Image|endswith: '\bginfo.exe' CommandLine|contains|all: - '/popup' - '/nolicprompt' diff --git a/rules/windows/process_creation/win_susp_cdb.yml b/rules/windows/process_creation/win_susp_cdb.yml index 1e779a0c4..34e21dff2 100644 --- a/rules/windows/process_creation/win_susp_cdb.yml +++ b/rules/windows/process_creation/win_susp_cdb.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Image: '*\cdb.exe' + Image|endswith: '\cdb.exe' CommandLine|contains: '-cf' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_susp_devtoolslauncher.yml b/rules/windows/process_creation/win_susp_devtoolslauncher.yml index 9ef34bfaa..da6379dc5 100644 --- a/rules/windows/process_creation/win_susp_devtoolslauncher.yml +++ b/rules/windows/process_creation/win_susp_devtoolslauncher.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Image: '*\devtoolslauncher.exe' + Image|endswith: '\devtoolslauncher.exe' CommandLine|contains: 'LaunchForDeploy' condition: selection falsepositives: 
diff --git a/rules/windows/process_creation/win_susp_dnx.yml b/rules/windows/process_creation/win_susp_dnx.yml index 517b21271..707ef7838 100644 --- a/rules/windows/process_creation/win_susp_dnx.yml +++ b/rules/windows/process_creation/win_susp_dnx.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Image: '*\dnx.exe' + Image|endswith: '\dnx.exe' condition: selection falsepositives: - Legitimate use of dnx.exe by legitimate user diff --git a/rules/windows/process_creation/win_susp_dxcap.yml b/rules/windows/process_creation/win_susp_dxcap.yml index e66089a2f..ce9a91ad4 100644 --- a/rules/windows/process_creation/win_susp_dxcap.yml +++ b/rules/windows/process_creation/win_susp_dxcap.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Image: '*\dxcap.exe' + Image|endswith: '\dxcap.exe' CommandLine|contains|all: - '-c' - '.exe' diff --git a/rules/windows/process_creation/win_susp_msoffice.yml b/rules/windows/process_creation/win_susp_msoffice.yml index 28c150441..b036b25d5 100644 --- a/rules/windows/process_creation/win_susp_msoffice.yml +++ b/rules/windows/process_creation/win_susp_msoffice.yml @@ -17,10 +17,10 @@ logsource: product: windows detection: selection: - Image: - - '*\powerpnt.exe' - - '*\winword.exe' - - '*\excel.exe' + Image|endswith: + - '\powerpnt.exe' + - '\winword.exe' + - '\excel.exe' CommandLine|contains: 'http' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_susp_odbcconf.yml b/rules/windows/process_creation/win_susp_odbcconf.yml index e6e7d74fb..585b63422 100644 --- a/rules/windows/process_creation/win_susp_odbcconf.yml +++ b/rules/windows/process_creation/win_susp_odbcconf.yml 
@@ -1,11 +1,12 @@ title: Possible Application Whitelisting Bypass via dll loaded by odbcconf.exe -description: Defence evasion via odbcconf.exe loading DLL specified in target .RSP file +description: Detects defence evasion attempt via odbcconf.exe execution to load DLL status: experimental references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml -author: Beyu Denis, Daniil Yugoslavskiy, oscd.community + - https://twitter.com/Hexacorn/status/1187143326673330176 +author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 -modified: 2019/11/04 +modified: 2019/11/07 tags: - attack.defense_evasion - attack.execution @@ -15,16 +16,14 @@ logsource: product: windows detection: selection_1: - Image: '*\odbcconf.exe' - selection_2: - CommandLine|contains|all: + Image|endswith: '\odbcconf.exe' + CommandLine|contains: - '-f' - - '.rsp' - selection_3: - CommandLine|contains|all: - 'regsvr' - - '.dll' - condition: selection_1 and ( selection_2 or selection_3 ) + selection_2: + ParentImage|endswith: '\odbcconf.exe' + Image|endswith: '\rundll32.exe' + condition: selection_1 or selection_2 level: medium falsepositives: - Legitimate use of odbcconf.exe by legitimate user diff --git a/rules/windows/process_creation/win_susp_openwith.yml b/rules/windows/process_creation/win_susp_openwith.yml index dc9b66563..5be5cce50 100644 --- a/rules/windows/process_creation/win_susp_openwith.yml +++ b/rules/windows/process_creation/win_susp_openwith.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - Image: '*\OpenWith.exe' + Image|endswith: '\OpenWith.exe' CommandLine|contains: '/c' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml index 31779b045..61ce4d314 100644 --- a/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml 
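Review bot: `selection_1` now fires on `Image|endswith: '\odbcconf.exe'` with either `'-f'` or `'regsvr'` anywhere in the command line; the removed rule paired `-f` with `.rsp`, and `-f <file>.rsp` is also the documented normal way to run odbcconf (the LOLBAS reference), so the first branch effectively alerts on every response-file invocation while `'-f'` as a two-character substring adds little. Either restore `.rsp` as a second `contains|all` term for that branch, or state in `falsepositives` that any response-file use will trigger the rule, e.g. `- Legitimate use of odbcconf.exe with response files (-f) by administrators`. `selection_2` (odbcconf spawning rundll32) is the stronger signal and is what the new reference describes; worth saying so in `description`.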
+++ b/rules/windows/process_creation/win_susp_psr_capture_screenshots.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - Image: '*\Psr.exe' + Image|endswith: '\Psr.exe' CommandLine|contains: '/start' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index c7738c87f..8670b9209 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml @@ -11,9 +11,9 @@ logsource: product: windows detection: selection: - - Image: '*\wmic.exe' + - Image|endswith: '\wmic.exe' CommandLine|contains: '/format' # wmic process list /FORMAT /? - - Image: '*\msxsl.exe' + - Image|endswith: '\msxsl.exe' condition: selection falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment From 4443870577218b1c41d47f7ffa2d30ef5da20585 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Fri, 8 Nov 2019 01:36:03 +0300 Subject: [PATCH 192/269] Delete win_odbcconf_execution.yml merged with rules/windows/process_creation/win_odbcconf_execution.yml --- .../win_odbcconf_execution.yml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/windows/process_creation/win_odbcconf_execution.yml diff --git a/rules/windows/process_creation/win_odbcconf_execution.yml b/rules/windows/process_creation/win_odbcconf_execution.yml deleted file mode 100644 index b2abd8078..000000000 --- a/rules/windows/process_creation/win_odbcconf_execution.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: ODBCCONF execution dll -status: experimental -author: Kirill Kiryanov, oscd.community -description: Detect possible execution by odbcconf -date: 2019/10/23 -references: - - https://twitter.com/Hexacorn/status/1187143326673330176 -fields: - - CommandLine - - Details -falsepositives: Unknown -level: high -logsource: - product: windows - category: process_creation -detection: - selection: - ParentImage: '*\odbcconf.exe' - CommandLine: '*\rundll32*' - selection1: - Image: '*\rundll32.exe' - CommandLine: '*exe' - condition: selection and selection1 From 52d099a6e3c5f36c20ff9393a809ba85d1b54486 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Fri, 8 Nov 2019 01:41:26 +0300 Subject: [PATCH 193/269] improve sysmon_cobaltstrike_process_injection.yml --- .../sysmon/sysmon_cobaltstrike_process_injection.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml index b7ae773ba..75d192cce 100644 --- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml +++ b/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml 
@@ -2,18 +2,24 @@ title: CobaltStrike Process Injection description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons references: - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f + - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ tags: - attack.defense_evasion - attack.t1055 status: experimental -author: Olaf Hartong, Florian Roth +author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community +date: 2018/11/30 +modified: 2019/11/08 logsource: product: windows service: sysmon detection: selection: EventID: 8 - TargetProcessAddress: '*0B80' + TargetProcessAddress|endswith: + - '0B80' + - '0C7C' + - '0C88' condition: selection falsepositives: - unknown From 562e07de38a22d6a111dbd17b6551eac9f45d597 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Fri, 8 Nov 2019 01:42:42 +0300 Subject: [PATCH 194/269] Delete cobalt_execute_assembly.yml merged with existing [sysmon_cobaltstrike_process_injection.yml](https://github.com/Neo23x0/sigma/blob/oscd/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml) --- .../sysmon/cobalt_execute_assembly.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/sysmon/cobalt_execute_assembly.yml diff --git a/rules/windows/sysmon/cobalt_execute_assembly.yml b/rules/windows/sysmon/cobalt_execute_assembly.yml deleted file mode 100644 index 3d1b82b47..000000000 --- a/rules/windows/sysmon/cobalt_execute_assembly.yml +++ /dev/null 
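Review bot: The two added `TargetProcessAddress|endswith` values come from the rule merged in here, whose deleted text (next patch on this page) noted that they apply to specific Cobalt Strike versions; that caveat is lost in this `description`, so readers cannot tell that the three suffixes are version-dependent and will need updating. Suggest `description: Detects a possible remote thread creation with certain characteristics which are typical for Cobalt Strike beacons (thread start address suffixes observed for specific Cobalt Strike versions, see references)`. The new `date: 2018/11/30` cannot be checked from this diff; if it was reconstructed, a short note in the commit message would help.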
@@ -1,24 +0,0 @@
-title: CobaltStrike Execute-Assembly command detect
-description: Cobalt Strike’s in-memory threat emulation and evasion capabilities, adds a means to run .NET executable assemblies without touching disk, and implements the Token Duplication UAC bypass attack. For CobaltStrike version 3.12-3.14
-references:
- - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
-tags:
- - attack.defense_evasion
- - attack.t1055
-status: experimental
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 8
- TargetProcessAddress:
- - '*0B80'
- - '*0C7C'
- - '*0C88'
- condition: selection
-falsepositives:
- - unknown
-level: critical
\ No newline at end of file
From 6d61401b12d77a692696132b93e164b939324293 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Fri, 8 Nov 2019 02:06:20 +0300
Subject: [PATCH 195/269] =?UTF-8?q?Delete=20sysmon=5F=D1=81reds=5Fdump.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
---
 rules/windows/sysmon/sysmon_сreds_dump.yml | 26 ----------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 rules/windows/sysmon/sysmon_сreds_dump.yml
diff --git a/rules/windows/sysmon/sysmon_сreds_dump.yml b/rules/windows/sysmon/sysmon_сreds_dump.yml
deleted file mode 100644
index 42bf392c1..000000000
--- a/rules/windows/sysmon/sysmon_сreds_dump.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Cred access
-description: The following GrantedAccess only privileged levels of memory access to specific processes. This will typically be very low volume, with Sysmon events only being logged in the event of attacker activity. Most characteristic of powershell offensive tools.
-references:
- - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center
-tags:
- - attack.credential_access
- - attack.t1003
-status: experimental
-author: Aleksey Potapov, oscd.community
-date: 2019/10/23
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 10
- TargetImage: 'C:\windows\system32\lsass.exe'
- GrantedAccess:
- - '0x1f0fff'
- - '0x1f1fff'
- - '0x1f2fff'
- - '0x1f3fff'
- condition: selection
-falsepositives:
- - unknown
-level: high
\ No newline at end of file
From 98f32e9098495c2b85930e24234cd69b2cc233d5 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Fri, 8 Nov 2019 02:06:31 +0300
Subject: [PATCH 196/269] =?UTF-8?q?Delete=20sysmon=5Fmimikatz=5F=D1=81reds?= =?UTF-8?q?=5Fdump.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
merged with rules/windows/sysmon/sysmon_cred_dump_lsass_access.yml
---
 .../sysmon/sysmon_mimikatz_сreds_dump.yml | 25 -------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml
diff --git a/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml b/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml
deleted file mode 100644
index 4c2c14611..000000000
--- a/rules/windows/sysmon/sysmon_mimikatz_сreds_dump.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Mimikatz сred access dump
-description: Detects process access to LSASS which is typical for like Mimikatz tools different version
-references:
- - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
-tags:
- - attack.credential_access
- - attack.t1003
-status: experimental
-author: Aleksey Potapov, oscd.community
-date: 2019/10/23
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 10
- TargetImage: 'C:\windows\system32\lsass.exe'
- GrantedAccess:
- - '0x1410'
- - '0x1010'
- - '0x143a'
- condition: selection
-falsepositives:
- - unknown
-level: high
\ No newline at end of file
From 00fc6c62b423e986d09b546c9ad302826949b30d Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Fri, 8 Nov 2019 02:16:01 +0300
Subject: [PATCH 197/269] Delete renamed_binary_description.yml agreed on improvements. will be added later
---
 .../renamed_binary_description.yml | 60 -------------------
 1 file changed, 60 deletions(-)
 delete mode 100644 rules/windows/process_creation/renamed_binary_description.yml
diff --git a/rules/windows/process_creation/renamed_binary_description.yml b/rules/windows/process_creation/renamed_binary_description.yml
deleted file mode 100644
index 9d31a8b66..000000000
--- a/rules/windows/process_creation/renamed_binary_description.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-title: Renamed Binary
-status: experimental
-description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon Description datapoint.
-author: Aleksey Potapov, oscd.community
-date: 2019/10/22
-references:
- - https://attack.mitre.org/techniques/T1036/
-tags:
- - attack.t1036
- - attack.defense_evasion
-logsource:
- category: process_creation
- product: windows
- service: sysmon
-detection:
- selection:
- Description:
- - "active directory editor"
- - "sysinternals process dump utility"
- - "msbuild.exe"
- - ".net core host"
- - "windows command processor"
- - "windows powershell"
- - "execute processes remotely"
- - ".net framework installation utility"
- - "microsoft ® console based script host"
- - "microsoft ® windows based script host"
- - "microsoft (r) html application host"
- - "microsoft(c) register server"
- - "wmi commandline utility"
- - "certutil.exe"
- - "windows host process (rundll32)"
- - "microsoft connection manager profile Installer"
- - "windows ® installer"
- - "7-zip console"
-
- filter:
- Image:
- - '*\adexplorer.exe'
- - '*\procdump.exe'
- - '*\msbuild.exe'
- - '*\dotnet.exe'
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\psexec.exe'
- - '*\installutil.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\mshta.exe'
- - '*\regsvr32.exe'
- - '*\wmic.exe'
- - '*\certutil.exe'
- - '*\rundll32.exe'
- - '*\cmstp.exe'
- - '*\msiexec.exe'
- - '*\7z.exe'
- condition: selection and not filter
-falsepositives:
- - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
-level: medium
\ No newline at end of file
From 5d995ad7043453592883494d3e55848b9a4ce778 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 8 Nov 2019 21:15:13 +0100
Subject: [PATCH 198/269] sigma-similarity: primary rule set for restriction of comparison
---
 tools/sigma-similarity | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/sigma-similarity b/tools/sigma-similarity
index 0253b6000..de5022c3e 100755
--- a/tools/sigma-similarity
+++ b/tools/sigma-similarity
@@ -18,6 +18,7 @@ argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse i
 argparser.add_argument("--verbose", "-v", action="count", help="Be verbose. Use once more for debug output.")
 argparser.add_argument("--top", "-t", type=int, help="Only output the n most similar rule pairs.")
 argparser.add_argument("--min-similarity", "-m", type=int, help="Only output pairs with a similarity above this threshold (percent)")
+argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at leat one primary rule are compared. Primary rules must also be contained in input rule set.")
 argparser.add_argument("inputs", nargs="+", help="Sigma input files")
 args = argparser.parse_args()
@@ -62,6 +63,11 @@ if args.recursive:
 else:
 paths = [ pathlib.Path(pathname) for pathname in args.inputs ]
+primary_paths = None
+if args.primary:
+ with open(args.primary, "r") as f:
+ primary_paths = { pathname.strip() for pathname in f.readlines() }
+
 parsed = {
 str(path): SigmaCollectionParser(path.open().read())
 for path in paths
@@ -75,7 +81,11 @@ converted_flat = (
 for path, nlist in converted.items()
 for i, normalized in zip(range(len(nlist)), nlist)
 )
-converted_pairs = list(itertools.combinations(converted_flat, 2))
+converted_pairs_iter = itertools.combinations(converted_flat, 2)
+if primary_paths:
+ converted_pairs = [ pair for pair in converted_pairs_iter if pair[0][0] in primary_paths or pair[1][0] in paths ]
+else:
+ converted_pairs = list(converted_pairs_iter)
 similarities = [
 (item1[:2], item2[:2], difflib.SequenceMatcher(None, item1[2], item2[2]).ratio())
 for item1, item2 in progressbar.progressbar(converted_pairs)
From 6e2fe09d24afee470a2aa8334302e7d1ac791907 Mon Sep 17 00:00:00 2001
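Review bot: The filter added in the third hunk tests `pair[1][0] in paths`, but `paths` holds `pathlib.Path` objects while `pair[1][0]` is the `str(path)` key built for `parsed`, so that operand is always False and any pair whose only primary rule is the second element is silently dropped; the line should be `converted_pairs = [ pair for pair in converted_pairs_iter if pair[0][0] in primary_paths or pair[1][0] in primary_paths ]`. Because `primary_paths` are raw strings from the file compared against `str(path)`, the spelling has to match exactly (`./rules/x.yml` and `rules/x.yml` would not), so normalising both sides through `str(pathlib.Path(...))` would make the option less fragile, and an empty primary file currently falls back to comparing all pairs without any message. The help text in the first hunk has a typo: `at leat` should read `at least`.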
From: Thomas Patzke
Date: Fri, 8 Nov 2019 22:02:12 +0100
Subject: [PATCH 199/269] Removed invalid tags
---
 rules/windows/process_creation/win_mavinject_proc_inj.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index a3da623be..79ed43cf0 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -8,9 +8,7 @@ references:
 author: Florian Roth
 date: 2018/12/12
 tags:
- - attack.process_injection
 - attack.t1055
- - attack.signed_binary_proxy_execution
 - attack.t1218
 logsource:
 category: process_creation
From 238adf9eeac5c3ca6b098d50691d72202bc9c446 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 8 Nov 2019 22:03:19 +0100
Subject: [PATCH 200/269] Improved rule test * Added ATT&CK technique * Removed invalid tags
---
 tests/test_rules.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 98b7f7510..f481d11aa 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -12,12 +12,12 @@ import yaml import re class TestRules(unittest.TestCase): - MITRE_TECHNIQUES = ["t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", "t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", "t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", 
"t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102", "t1500"] + MITRE_TECHNIQUES = ["t1007", "t1075", "t1189", "t1190", "t1200", "t1091", "t1193", "t1192", "t1194", "t1195", "t1199", "t1078", "t1155", "t1191", "t1059", "t1223", "t1196", "t1173", "t1106", "t1129", "t1203", "t1061", "t1118", "t1152", "t1168", "t1177", "t1170", "t1086", "t1121", "t1117", "t1085", "t1053", "t1064", "t1035", "t1218", "t1216", "t1153", "t1151", "t1072", "t1154", "t1127", "t1204", "t1047", "t1028", "t1220", "t1156", "t1015", "t1098", "t1182", "t1103", "t1138", "t1131", "t1197", "t1067", "t1176", "t1042", "t1109", "t1122", "t1136", "t1038", "t1157", "t1133", "t1044", "t1158", "t1179", "t1062", "t1183", "t1215", "t1159", "t1160", "t1152", "t1161", "t1168", "t1162", "t1037", "t1031", "t1128", "t1050", "t1137", "t1034", "t1150", "t1205", "t1013", "t1163", "t1164", "t1108", "t1060", "t1053", "t1180", "t1101", "t1058", "t1166", "t1023", "t1198", "t1165", "t1019", "t1209", "t1154", "t1078", "t1100", "t1084", "t1004", "t1134", "t1015", "t1182", "t1103", "t1138", "t1088", "t1038", "t1157", "t1068", "t1181", "t1044", "t1179", "t1183", "t1160", "t1050", "t1034", "t1150", "t1013", "t1055", "t1053", "t1058", "t1166", "t1178", "t1165", "t1169", "t1206", "t1078", "t1100", "t1134", "t1009", "t1197", "t1088", "t1146", "t1191", "t1116", "t1223", "t1109", "t1122", 
"t1196", "t1207", "t1140", "t1089", "t1038", "t1073", "t1211", "t1181", "t1107", "t1222", "t1006", "t1144", "t1158", "t1147", "t1143", "t1148", "t1183", "t1054", "t1066", "t1070", "t1202", "t1130", "t1118", "t1152", "t1149", "t1036", "t1112", "t1170", "t1126", "t1096", "t1027", "t1150", "t1205", "t1186", "t1093", "t1055", "t1108", "t1121", "t1117", "t1014", "t1085", "t1064", "t1218", "t1216", "t1198", "t1045", "t1151", "t1221", "t1099", "t1127", "t1078", "t1102", "t1220", "t1098", "t1139", "t1110", "t1003", "t1081", "t1214", "t1212", "t1187", "t1179", "t1056", "t1141", "t1208", "t1142", "t1171", "t1040", "t1174", "t1145", "t1167", "t1111", "t1087", "t1010", "t1217", "t1083", "t1046", "t1135", "t1040", "t1201", "t1120", "t1069", "t1057", "t1012", "t1018", "t1063", "t1082", "t1016", "t1049", "t1033", "t1124", "t1155", "t1017", "t1175", "t1210", "t1037", "t1097", "t1076", "t1105", "t1021", "t1091", "t1051", "t1184", "t1080", "t1072", "t1077", "t1028", "t1123", "t1119", "t1115", "t1213", "t1005", "t1039", "t1025", "t1074", "t1114", "t1056", "t1185", "t1113", "t1125", "t1020", "t1002", "t1022", "t1030", "t1048", "t1041", "t1011", "t1052", "t1029", "t1043", "t1092", "t1090", "t1094", "t1024", "t1132", "t1001", "t1172", "t1008", "t1188", "t1104", "t1026", "t1079", "t1205", "t1219", "t1105", "t1071", "t1032", "t1095", "t1065", "t1102", "t1500"] MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control"] MITRE_GROUPS = ["g0018", "g0006", "g0005", "g0023", "g0025", "g0026", "g0073", "g0007", "g0016", "g0022", "g0013", "g0050", "g0064", "g0067", "g0001", "g0063", "g0060", "g0008", "g0058", "g0003", "g0080", "g0052", "g0070", "g0012", "g0079", "g0009", "g0035", "g0074", "g0017", "g0031", "g0066", "g0020", 
"g0051", "g0053", "g0037", "g0046", "g0061", "g0047", "g0036", "g0078", "g0043", "g0072", "g0004", "g0032", "g0077", "g0065", "g0030", "g0059", "g0045", "g0002", "g0021", "g0069", "g0019", "g0055", "g0014", "g0049", "g0071", "g0040", "g0011", "g0068", "g0033", "g0056", "g0024", "g0075", "g0048", "g0034", "g0029", "g0054", "g0038", "g0041", "g0039", "g0062", "g0015", "g0028", "g0027", "g0076", "g0010", "g0044"] MITRE_SOFTWARE = ["s0066", "s0065", "s0202", "s0309", "s0045", "s0092", "s0319", "s0296", "s0304", "s0310", "s0292", "s0099", "s0073", "s0110", "s0129", "s0093", "s0031", "s0245", "s0128", "s0234", "s0239", "s0127", "s0017", "s0268", "s0190", "s0069", "s0089", "s0114", "s0293", "s0252", "s0204", "s0014", "s0043", "s0119", "s0025", "s0274", "s0077", "s0030", "s0261", "s0222", "s0160", "s0220", "s0323", "s0144", "s0107", "s0020", "s0023", "s0054", "s0106", "s0154", "s0244", "s0126", "s0212", "s0137", "s0050", "s0046", "s0115", "s0235", "s0187", "s0255", "s0243", "s0301", "s0021", "s0200", "s0213", "s0281", "s0134", "s0186", "s0300", "s0320", "s0105", "s0315", "s0038", "s0062", "s0024", "s0081", "s0064", "s0082", "s0091", "s0152", "s0076", "s0181", "s0171", "s0267", "s0120", "s0182", "s0143", "s0036", "s0173", "s0193", "s0277", "s0095", "s0168", "s0049", "s0032", "s0026", "s0249", "s0290", "s0237", "s0008", "s0132", "s0047", "s0151", "s0037", "s0214", "s0246", "s0224", "s0071", "s0061", "s0170", "s0087", "s0135", "s0009", "s0232", "s0040", "s0070", "s0068", "s0322", "s0321", "s0203", "s0101", "s0278", "s0259", "s0260", "s0231", "s0100", "s0189", "s0015", "s0163", "s0044", "s0201", "s0283", "s0325", "s0215", "s0088", "s0265", "s0276", "s0271", "s0288", "s0250", "s0162", "s0156", "s0236", "s0211", "s0042", "s0121", "s0010", "s0282", "s0317", "s0167", "s0303", "s0175", "s0002", "s0179", "s0133", "s0051", "s0280", "s0084", "s0083", "s0080", "s0079", "s0149", "s0284", "s0256", "s0233", "s0205", "s0228", "s0247", "s0102", "s0272", "s0210", "s0039", "s0056", "s0034", 
"s0108", "s0104", "s0033", "s0198", "s0118", "s0299", "s0286", "s0138", "s0285", "s0052", "s0264", "s0229", "s0165", "s0072", "s0016", "s0208", "s0122", "s0316", "s0289", "s0158", "s0048", "s0097", "s0124", "s0291", "s0254", "s0013", "s0067", "s0012", "s0216", "s0150", "s0177", "s0139", "s0145", "s0194", "s0223", "s0184", "s0113", "s0279", "s0238", "s0029", "s0078", "s0147", "s0196", "s0197", "s0192", "s0006", "s0269", "s0262", "s0055", "s0241", "s0169", "s0295", "s0172", "s0326", "s0153", "s0075", "s0019", "s0166", "s0125", "s0174", "s0258", "s0003", "s0112", "s0270", "s0240", "s0103", "s0090", "s0148", "s0313", "s0253", "s0085", "s0074", "s0111", "s0195", "s0053", "s0185", "s0140", "s0294", "s0028", "s0063", "s0217", "s0007", "s0327", "s0218", "s0226", "s0159", "s0273", "s0157", "s0035", "s0227", "s0324", "s0305", "s0225", "s0058", "s0188", "s0328", "s0142", "s0018", "s0242", "s0060", "s0096", "s0098", "s0011", "s0329", "s0057", "s0164", "s0146", "s0131", "s0004", "s0183", "s0266", "s0307", "s0306", "s0308", "s0094", "s0001", "s0178", "s0199", "s0302", "s0263", "s0116", "s0221", "s0130", "s0275", "s0022", "s0136", "s0207", "s0257", "s0180", "s0109", "s0206", "s0005", "s0155", "s0219", "s0191", "s0176", "s0059", "s0141", "s0041", "s0312", "s0314", "s0161", "s0298", "s0123", "s0297", "s0318", "s0117", "s0311", "s0248", "s0251", "s0287", "s0027", "s0230", "s0086"] - MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] + MITRE_ALL = ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE] path_to_rules = "rules" From 465e41bfbbc6da173e726a162e34cbc6203bcfc3 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 8 Nov 2019 22:31:02 +0100 Subject: [PATCH 201/269] Added regular expression support in es-dsl backend --- CHANGELOG.md | 1 + tools/sigma/backends/elasticsearch.py | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) 
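Review bot: `MITRE_TECHNIQUE_NAMES` is left defined but becomes dead once it is dropped from the `MITRE_ALL` comprehension at the end of the hunk; either delete the attribute or keep it in the list, otherwise the `# incomplete list` comment refers to data nothing reads. The new `MITRE_TECHNIQUES` literal still carries duplicates (`t1078`, `t1053` and `t1152` each appear more than once), and since `MITRE_ALL` appears to exist only for membership checks, building it as a set — `MITRE_ALL = {"attack." + item for item in MITRE_TECHNIQUES + MITRE_TACTICS + MITRE_GROUPS + MITRE_SOFTWARE}` — would drop the noise and make lookups O(1). A one-line comment recording which ATT&CK release these identifiers were exported from would make additions like `t1007` easier to audit than a hand-edited literal.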
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf82e1c2f..c7e41c48a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ Changes from this section will be contained in the next release.
 * sigma-similarity tool
 * LimaCharlie backend
 * Default configurations for some backends that are used if no configuration is passed.
+* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
 * Value modifiers:
 * startswith
 * endswith
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 1a7be9a3d..423b93dc4 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -212,8 +212,6 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 def generateMapItemNode(self, node):
 key, value = node
- if type(value) not in (str, int, list, type(None)):
- raise TypeError("Map values must be strings, numbers, lists or null, not " + str(type(value)))
 if type(value) is list:
 res = {'bool': {'should': []}}
 for v in value:
@@ -230,7 +228,7 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 elif value is None:
 key_mapped = self.fieldNameMapping(key, value)
 return { "bool": { "must_not": { "exists": { "field": key_mapped } } } }
- else:
+ elif type(value) in (str, int):
 key_mapped = self.fieldNameMapping(key, value)
 if self.matchKeyword: # searches against keyowrd fields are wildcard searches, phrases otherwise
 queryType = 'wildcard'
@@ -239,6 +237,11 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 queryType = 'match_phrase'
 value_cleaned = self.cleanValue(str(value))
 return {queryType: {key_mapped: value_cleaned}}
+ elif isinstance(value, SigmaRegularExpressionModifier):
+ key_mapped = self.fieldNameMapping(key, value)
+ return { 'regexp': { key_mapped: str(value) } }
+ else:
+ raise TypeError("Map values must be strings, numbers, lists, null or regular expression, not " + str(type(value)))
 def generateValueNode(self, node):
 return {'multi_match': {'query': node, 'fields': [], 'type': 'phrase'}}
From 8ae824f09f8bcc80cafd0aa8073213527927a67f Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 8 Nov 2019 23:46:41 +0100
Subject: [PATCH 202/269] Improved rules Reduced false positives
---
 .../process_creation/win_possible_applocker_bypass.yml | 4 ++--
 rules/windows/process_creation/win_proc_wrong_parent.yml | 2 ++
 rules/windows/process_creation/win_service_execution.yml | 2 --
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 0a34fc3a8..d620bf1cf 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -24,8 +24,8 @@ detection:
 # - '\regsvr32.exe' # too many FPs, very noisy
 - '\msbuild.exe'
 - '\ieexec.exe'
- - '\mshta.exe'
- - '\csc.exe'
+ #- '\mshta.exe'
+ #- '\csc.exe'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml
index 5dbea3bae..06e403401 100644
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
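Review bot: The new `regexp` branch hands `str(value)` to Elasticsearch untouched, bypassing both `cleanValue` and the `matchKeyword` handling applied to plain strings just above it, so the rule author's pattern is interpreted under Lucene regexp semantics (implicitly anchored to the whole term, no `^`/`$`, and only meaningful against a keyword field) rather than the PCRE-style syntax Sigma rules are usually written in. A comment on the return line such as `# passed through as a Lucene regexp: whole-term match, no ^/$ anchors, needs a keyword field` would make that contract explicit, and a translation step is needed if the backend is meant to accept PCRE patterns. The same hunk is repeated verbatim in PATCH 204 later on this page and inherits the point.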
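Review bot: The two newly commented-out entries `#- '\mshta.exe'` and `#- '\csc.exe'` carry no rationale, unlike the regsvr32 line just above them which says `# too many FPs, very noisy`; writing `#- '\mshta.exe' # too many FPs` tells the next maintainer the coverage was dropped deliberately. Removing both from the selection means this rule no longer covers two commonly abused signed binaries; if the noise is environment-specific, a separate lower-level rule would preserve the coverage for others. If the rule carries a `modified` date it is outside this hunk and should be bumped with the change.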
@@ -31,6 +31,8 @@ detection:
 ParentImage:
 - '*\System32\\*'
 - '*\SysWOW64\\*'
+ - '*\SavService.exe'
+ - '*\Windows Defender\\*\MsMpEng.exe'
 filter_null:
 ParentImage: null
 condition: selection and not filter and not filter_null
diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml
index 9fc0b971b..807b4e5a0 100644
--- a/rules/windows/process_creation/win_service_execution.yml
+++ b/rules/windows/process_creation/win_service_execution.yml
@@ -11,8 +11,6 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|endswith: '\sc.exe'
- CommandLine|contains: 'start'
 - Image|endswith:
 - '\net.exe'
 - '\net1.exe'
From 2078a1d4f2982deebdfb01053ee51f1a1b885baa Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 7 Nov 2019 23:08:44 +0100
Subject: [PATCH 203/269] Added changelog
---
 CHANGELOG.md | 89 +++++++++++++++++++++++++++++++++++++++++++++++++
 CHANGELOG.md.j2 | 38 +++++++++++++++++++++
 2 files changed, 127 insertions(+)
 create mode 100644 CHANGELOG.md
 create mode 100644 CHANGELOG.md.j2
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000..cf82e1c2f
--- /dev/null
+++ b/CHANGELOG.md
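Review bot: The new filter entry `'*\SavService.exe'` is matched on the file name alone, whereas the sibling entry added next to it, `'*\Windows Defender\\*\MsMpEng.exe'`, is tied to the vendor's install directory; a name-only exclusion removes any process carrying that file name, wherever it lives, from a rule whose whole purpose is to catch unexpected parents. Anchoring it the same way, e.g. `- '*\<vendor install dir>\\*\SavService.exe'` (placeholder — use the real install path, which is not on this page), keeps the false-positive reduction without the blanket exclusion. A trailing comment naming the product the binary belongs to would also help, since the file name is not self-explanatory to readers unfamiliar with it.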
@@ -0,0 +1,89 @@
+# Release Notes
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
+from version 0.14.0.
+
+## Unreleased
+
+Changes from this section will be contained in the next release.
+
+### Added
+
+* sigma-similarity tool
+* LimaCharlie backend
+* Default configurations for some backends that are used if no configuration is passed.
+* Value modifiers:
+ * startswith
+ * endswith
+
+### Changed
+
+* Removal of line breaks in elastalert output
+* Searches not bound to fields are restricted to keyword fields in es-qs backend
+* Graylog backend now based on es-qs backend
+
+## 0.13
+
+### Added
+
+* Index mappings for Sumologic
+* Malicious cmdlets in wdatp
+* QRadar support for keyword searches
+* QRadar mapping improvements
+* QRadar field selection
+* QRadar type regex modifier support
+* Elasticsearch keyword field blacklisting with wildcards
+* Added dateField configuration parameter in xpack-watcher backend
+* Field mappings in configurations
+* Field name mapping for conditional fields
+* Value modifiers:
+ * utf16
+ * utf16le
+ * wide
+ * utf16be
+
+### Changed
+
+* Improved --backend-config help text
+
+### Fixed
+
+* Backend errors in ala
+* Slash escaping within es-dsl wildcard queries
+* QRadar backend config
+* QRadar field name and value escaping and handling
+* Elasticsearch wildcard detection pattern
+* Aggregation on keyword field in es-dsl backend
+
+## 0.12.1
+
+### Fixed
+
+* Missing build dependency
+
+## 0.12
+
+### Added
+
+* Usage of "Channel" field in ELK Windows configuration
+* Fields to mappings
+* xpack-watcher actions index and webhook
+* Config for Winlogbeat 7.x
+* Value modifiers
+* Regular expression support
+
+### Changed
+
+* Warning/error messages
+* Sumologic value cleaning
+* Explicit OR for Elasticsearch query strings
+* Listing 
of available configurations on missing configuration error
+
+### Fixed
+
+* Conditions in es-dsl backend
+* Sumologic handling of null values
+* Ignore timeframe detection keyword in all/any of conditions
diff --git a/CHANGELOG.md.j2 b/CHANGELOG.md.j2
new file mode 100644
index 000000000..8dd07eee2
--- /dev/null
+++ b/CHANGELOG.md.j2
@@ -0,0 +1,38 @@
+## {{ version.minor }}.{{ version.major }}.{{ version.patch }} ({{ date }})
+
+### Added
+
+{% for item in added %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Changed
+
+{% for item in changed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Deprecated
+
+{% for item in deprecated %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Removed
+
+{% for item in removed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Fixed
+
+{% for item in fixed %}
+* {{ item | indent(2) }}
+{% endfor %}
+
+### Security
+
+{% for item in security %}
+* {{ item | indent(2) }}
+{% endfor %}
+
From 8f1974d7d31f3d98c210c796bc370000abbd0d57 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 8 Nov 2019 22:31:02 +0100
Subject: [PATCH 204/269] Added regular expression support in es-dsl backend
---
 CHANGELOG.md | 1 +
 tools/sigma/backends/elasticsearch.py | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf82e1c2f..c7e41c48a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ Changes from this section will be contained in the next release.
 * sigma-similarity tool
 * LimaCharlie backend
 * Default configurations for some backends that are used if no configuration is passed.
+* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
 * Value modifiers:
 * startswith
 * endswith
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 1a7be9a3d..423b93dc4 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
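Review bot: The version heading on the first line of CHANGELOG.md.j2 puts the components in the wrong order — `{{ version.minor }}.{{ version.major }}.{{ version.patch }}` renders a (constructed) 0.14.1 as `14.0.1` — and should read `## {{ version.major }}.{{ version.minor }}.{{ version.patch }} ({{ date }})`. The template also emits every `###` heading unconditionally, so a release with nothing under `deprecated` or `security` still gets an empty section, which disagrees with the hand-written CHANGELOG.md in the same commit that omits empty sections; guarding each block with `{% if deprecated %}` … `{% endif %}` would keep the two consistent.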
@@ -212,8 +212,6 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 def generateMapItemNode(self, node):
 key, value = node
- if type(value) not in (str, int, list, type(None)):
- raise TypeError("Map values must be strings, numbers, lists or null, not " + str(type(value)))
 if type(value) is list:
 res = {'bool': {'should': []}}
 for v in value:
@@ -230,7 +228,7 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 elif value is None:
 key_mapped = self.fieldNameMapping(key, value)
 return { "bool": { "must_not": { "exists": { "field": key_mapped } } } }
- else:
+ elif type(value) in (str, int):
 key_mapped = self.fieldNameMapping(key, value)
 if self.matchKeyword: # searches against keyowrd fields are wildcard searches, phrases otherwise
 queryType = 'wildcard'
@@ -239,6 +237,11 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, ElasticsearchWildcardHandlin
 queryType = 'match_phrase'
 value_cleaned = self.cleanValue(str(value))
 return {queryType: {key_mapped: value_cleaned}}
+ elif isinstance(value, SigmaRegularExpressionModifier):
+ key_mapped = self.fieldNameMapping(key, value)
+ return { 'regexp': { key_mapped: str(value) } }
+ else:
+ raise TypeError("Map values must be strings, numbers, lists, null or regular expression, not " + str(type(value)))
 def generateValueNode(self, node):
 return {'multi_match': {'query': node, 'fields': [], 'type': 'phrase'}}
From 2222550b6ecdeb84d3bc862b5bd02a6da696b1e9 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Fri, 8 Nov 2019 23:05:24 +0100
Subject: [PATCH 205/269] Allow ignore of type errors with sigmac -I
---
 CHANGELOG.md | 1 +
 tools/sigmac | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c7e41c48a..3685e2371 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,7 @@ Changes from this section will be contained in the next release.
 * Removal of line breaks in elastalert output
 * Searches not bound to fields are restricted to keyword fields in es-qs backend
 * Graylog backend now based on es-qs backend
+* Type errors are now ignored with -I
 ## 0.13
diff --git a/tools/sigmac b/tools/sigmac
index 468757f16..4bb1a15bd 100755
--- a/tools/sigmac
+++ b/tools/sigmac
@@ -257,7 +257,7 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
 error = ERR_BACKEND
 if not cmdargs.defer_abort:
 sys.exit(error)
- except NotImplementedError as e:
+ except (NotImplementedError, TypeError) as e:
 print("An unsupported feature is required for this Sigma rule (%s): " % (sigmafile) + str(e), file=sys.stderr)
 print("Feel free to contribute for fun and fame, this is open source :) -> https://github.com/Neo23x0/sigma", file=sys.stderr)
 if not cmdargs.ignore_backend_errors:
From be62fad5cc3b430c49a367d8bf59f2216b765465 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Nov 2019 10:45:46 +0100
Subject: [PATCH 206/269] fix: fixed false positive in suspicious shell spawn rule
---
 rules/windows/process_creation/win_shell_spawn_susp_program.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
index 0de77853c..66f89ad0a 100644
--- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml
@@ -18,7 +18,7 @@ detection:
 ParentImage:
 - '*\mshta.exe'
 - '*\powershell.exe'
- - '*\cmd.exe'
+ # - '*\cmd.exe' # too many false positives
 - '*\rundll32.exe'
 - '*\cscript.exe'
 - '*\wscript.exe'
From 9835950f04c025d732c650cf672559b00678f195 Mon Sep 17 00:00:00 2001
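Review bot: Adding `TypeError` to the `except` clause in the sigmac hunk reports every TypeError raised anywhere during conversion — including genuine programming errors inside a backend — as "An unsupported feature is required for this Sigma rule", and with `-I` those bugs are then skipped silently. The narrower fix is to have the es-dsl backend raise a dedicated subclass for the unsupported-map-value case it introduced, e.g. `class UnsupportedMapValue(NotImplementedError)` (constructed name), and leave this line as `except NotImplementedError as e:`. If the broad catch is kept on purpose, a comment on the line naming which backend raises TypeError and why would save the next reader from widening it further.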
From: Florian Roth
Date: Sat, 9 Nov 2019 12:49:54 +0100
Subject: [PATCH 207/269] rule: SID to AD object rule level adjusted
---
 rules/windows/builtin/win_susp_add_sid_history.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_add_sid_history.yml b/rules/windows/builtin/win_susp_add_sid_history.yml
index 5f5daa7a0..3452d6138 100644
--- a/rules/windows/builtin/win_susp_add_sid_history.yml
+++ b/rules/windows/builtin/win_susp_add_sid_history.yml
@@ -25,4 +25,4 @@ detection:
 condition: selection1 or (selection2 and not selection3)
 falsepositives:
 - Migration of an account into a new domain
-level: medium
+level: low
From a0beda240c6f649757ab73cb89a15cc514764834 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Nov 2019 22:42:00 +0100
Subject: [PATCH 208/269] fix: fixed wrong field mapping in windows-audit source config
---
 tools/config/generic/windows-audit.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
index dc3691201..83b143c96 100644
--- a/tools/config/generic/windows-audit.yml
+++ b/tools/config/generic/windows-audit.yml
@@ -12,4 +12,3 @@ logsources:
 fieldmappings:
 Image: NewProcessName
 ParentImage: ParentProcessName
- CommandLine: ProcessCommandLine
From fbe138ed900af8072a1e0deb9c6d40e49d68de9a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 9 Nov 2019 23:24:31 +0100
Subject: [PATCH 209/269] rule: reduced level of rule to medium due to FPs
---
 rules/windows/sysmon/sysmon_susp_file_characteristics.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
index 19956fce5..d55dac169 100644
--- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
+++ b/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
@@ -6,6 +6,7 @@ references: - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection author: Markus Neis date: 2018/11/22 +modified: 2019/11/09 tags: - attack.defense_evasion - attack.execution @@ -29,4 +30,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: high +level: medium From 038f205f0f88510b503c41336d1f5724e95737d3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 9 Nov 2019 23:32:53 +0100 Subject: [PATCH 210/269] fix: FPs with UserInitMprLogonScript rule --- .../sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml index 2453d5214..64e171ad8 100644 --- a/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml +++ b/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml @@ -15,8 +15,9 @@ detection: exec_selection: EventID: 1 # Migration to process_creation requires multipart YAML ParentImage: '*\userinit.exe' - exec_exclusion: + exec_exclusion1: Image: '*\explorer.exe' + exec_exclusion2: CommandLine: '*\netlogon.bat' create_selection_cli: EventID: @@ -33,7 +34,7 @@ detection: create_keywords_cli: CommandLine: - '*UserInitMprLogonScript*' - condition: (exec_selection and not exec_exclusion) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli) + condition: (exec_selection and not exec_exclusion1 and not exec_exclusion2) or (create_selection_reg and create_keywords_reg) or (create_selection_cli and create_keywords_cli) falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming From 8cc16d252a7ca3fb966d63c79e25f6c7a605a0fa Mon Sep 17 00:00:00 2001 
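Review bot: `exec_exclusion2: CommandLine: '*\netlogon.bat'` excludes any userinit child whose command line ends in `\netlogon.bat` regardless of where that file lives, so an attacker who names their `UserInitMprLogonScript` payload `C:\Users\Public\netlogon.bat` walks straight past the rule. Splitting the exclusion is correct — the old single map required `Image` and `CommandLine` to match together — but both halves should be anchored: `exec_exclusion1: Image: '*\Windows\explorer.exe'` and an `exec_exclusion2` tied to the share, e.g. `CommandLine: '*\\netlogon\\*.bat'` or the domain's `\\<dc>\netlogon\` UNC prefix, as the sibling userinit rule does. Since the excluded string is attacker-controlled, the exclusion should be as narrow as the environment allows; the rule's `create_selection_*` parts are outside this hunk.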
From: Florian Roth Date: Sat, 9 Nov 2019 23:36:29 +0100 Subject: [PATCH 211/269] fix: more FP reductions --- rules/windows/other/win_wmi_persistence.yml | 2 +- .../process_creation/win_susp_userinit_child.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index f978565a5..077f0aacb 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -26,5 +26,5 @@ detection: condition: selection and 1 of keywords or selection2 falsepositives: - Unknown (data set is too small; further testing needed) -level: high +level: medium diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml index bed1fbbfd..5a255ad87 100644 --- a/rules/windows/process_creation/win_susp_userinit_child.yml +++ b/rules/windows/process_creation/win_susp_userinit_child.yml @@ -1,6 +1,6 @@ title: Suspicious Userinit Child Process status: experimental -description: Detects the creation of a process from Windows task manager +description: Detects a suspicious child process of userinit references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) @@ -11,14 +11,14 @@ logsource: detection: selection: ParentImage: '*\userinit.exe' - filter: - CommandLine: - - '*\explorer.exe*' - - '*\\netlogon\\*' - condition: selection and not filter + filter1: + CommandLine: '*\\netlogon\\*' + filter2: + Image: '*\explorer.exe' + condition: selection and not filter1 and not filter2 fields: - CommandLine - ParentCommandLine falsepositives: - Administrative scripts -level: high +level: medium From feb836cbf2833dfc714e5e63763809d20f7aacf3 Mon Sep 17 00:00:00 2001 
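Review bot: `filter1: CommandLine: '*\\netlogon\\*'` is a contains-match on an attacker-controlled string, so any userinit child whose command line merely mentions `\netlogon\` (e.g. `evil.exe --log \netlogon\x`) is excluded, and `filter2: Image: '*\explorer.exe'` likewise exempts an `explorer.exe` dropped in any writable directory. The two-filter refactor correctly makes the exclusion an OR, but both could be tightened without losing the legitimate cases: `filter2: Image: '*\Windows\explorer.exe'`, and for `filter1` match the UNC share form (`\\<server>\netlogon\...`) rather than the bare folder name. If the environment allows, constraining `filter1` further by the script interpreter `Image` (cmd.exe/wscript.exe) would leave less room for evasion.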
From: Thomas Patzke Date: Sun, 10 Nov 2019 00:09:59 +0100 Subject: [PATCH 212/269] Sigmatools release 0.14 --- CHANGELOG.md | 7 +++++++ Pipfile.lock | 32 ++++++++++++++++---------------- tools/setup.py | 5 +++-- 3 files changed, 26 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7e41c48a..1806298b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,8 @@ from version 0.14.0. Changes from this section will be contained in the next release. +## 0.14 + ### Added * sigma-similarity tool @@ -26,6 +28,11 @@ Changes from this section will be contained in the next release. * Searches not bound to fields are restricted to keyword fields in es-qs backend * Graylog backend now based on es-qs backend +### Fixed + +* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic + process creation log source configuration. + ## 0.13 ### Added diff --git a/Pipfile.lock b/Pipfile.lock index e6143397c..776e1a075 100644 --- a/Pipfile.lock +++ b/Pipfile.lock 
@@ -207,25 +207,25 @@ }, "pymisp": { "hashes": [ - "sha256:1983808d9a834c26d42d52871af1f86dc9739c9f2ee22091cf4a2a62ce6a171d", - "sha256:32675ce303f9d06698eb390c5381cb1de430d355e203612264bce6cd53972b95", - "sha256:9cf1187b5d618bd2b0e631cc877586b7cd5d02b59322a509a4f5ad07496cd171" + "sha256:17b145dbc39a1ba4ebce60e8b75a479d2c8fd3c2a239f32682f2e1a3636469ec", + "sha256:814023f346f9e1dcf6763d93450df44ff0157f2061c612a7eaf2020280f588a3", + "sha256:de67196f6a8916b9c52a84a1c45ea967c53fa9d2b3795b070ad2c1cbc28d79d7" ], "index": "pypi", - "version": "==2.4.117" + "version": "==2.4.117.2" }, "pyrsistent": { "hashes": [ - "sha256:34b47fa169d6006b32e99d4b3c4031f155e6e68ebcc107d6454852e8e0ee6533" + "sha256:eb6545dbeb1aa69ab1fb4809bfbf5a8705e44d92ef8fc7c2361682a47c46c778" ], - "version": "==0.15.4" + "version": "==0.15.5" }, "python-dateutil": { "hashes": [ - "sha256:7e6584c74aeed623791615e26efd690f29817a27c73085b78e4bad02493df2fb", - "sha256:c89805f6f4d64db21ed966fda138f8a5ed7a4fdbc1a8ee329ce1b74e3c74da9e" + "sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c", + "sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a" ], - "version": "==2.8.0" + "version": "==2.8.1" }, "python-utils": { "hashes": [ 
@@ -262,19 +262,19 @@ }, "six": { "hashes": [ - "sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c", - "sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73" + "sha256:1f1b7d42e254082a9db6279deae68afb421ceba6158efa6131de7b3003ee93fd", + "sha256:30f610279e8b2578cab6db20741130331735c781b56053c59c4076da27f06b66" ], - "version": "==1.12.0" + "version": "==1.13.0" }, "typing-extensions": { "hashes": [ - "sha256:2ed632b30bb54fc3941c382decfd0ee4148f5c591651c9272473fea2c6397d95", - "sha256:b1edbbf0652660e32ae780ac9433f4231e7339c7f9a8057d0f042fcbcea49b87", - "sha256:d8179012ec2c620d3791ca6fe2bf7979d979acdbef1fca0bc56b37411db682ed" + "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2", + "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d", + "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575" ], "markers": "python_version < '3.7'", - "version": "==3.7.4" + "version": "==3.7.4.1" }, "urllib3": { "hashes": [ diff --git a/tools/setup.py b/tools/setup.py index 110b9aff6..8059c88e6 100644 --- a/tools/setup.py +++ b/tools/setup.py @@ -13,7 +13,7 @@ with open(path.join(here, 'README.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.13', + version='0.14', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", @@ -36,7 +36,7 @@ setup( keywords='security monitoring siem logging signatures elasticsearch splunk ids sysmon', packages=['sigma', 'sigma.backends', 'sigma.config', 'sigma.parser', 'sigma.parser.modifiers'], python_requires='~=3.6', - install_requires=['PyYAML', 'pymisp'], + install_requires=['PyYAML', 'pymisp', 'progressbar2'], extras_require={ 'test': ['coverage', 'yamllint'], }, @@ -70,5 +70,6 @@ setup( 'sigmac', 'merge_sigma', 'sigma2misp', + 'sigma-similarity', ] ) From 4fa928866fedee5431868438c0164b28ebe9d9aa Mon Sep 17 00:00:00 2001 
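Review bot: `install_requires=['PyYAML', 'pymisp', 'progressbar2']` has no version constraints at all, so `pip install sigmatools` resolves whatever is newest rather than the versions pinned in the `Pipfile.lock` updated in this same commit; a breaking or compromised release of any of the three is picked up automatically by every user. The lockfile only protects the development environment, not consumers of the package. I would add at least lower bounds matching what was tested, e.g. `install_requires=['PyYAML>=X', 'pymisp>=2.4.117.2', 'progressbar2>=Y']` with X and Y taken from the lockfile. `progressbar2` is presumably needed by the new `sigma-similarity` entry point; a one-line comment saying so would help the next person deciding whether it can be dropped.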
From: yugoslavskiy Date: Sun, 10 Nov 2019 18:43:41 +0300 Subject: [PATCH 213/269] oscd task #6 done. add 25 new rules: - win_ad_replication_non_machine_account.yml - win_dpapi_domain_backupkey_extraction.yml - win_protected_storage_service_access.yml - win_dpapi_domain_masterkey_backup_attempt.yml - win_sam_registry_hive_handle_request.yml - win_sam_registry_hive_dump_via_reg_utility.yml - win_lsass_access_non_system_account.yml - win_ad_object_writedac_access.yml - powershell_alternate_powershell_hosts.yml - sysmon_remote_powershell_session_network.yml - win_remote_powershell_session.yml - win_scm_database_handle_failure.yml - win_scm_database_privileged_operation.yml - sysmon_wmi_module_load.yml - sysmon_remote_powershell_session_process.yml - sysmon_rdp_registry_modification.yml - sysmon_powershell_execution_pipe.yml - sysmon_alternate_powershell_hosts_pipe.yml - sysmon_powershell_execution_moduleload.yml - sysmon_createremotethread_loadlibrary.yml - sysmon_alternate_powershell_hosts_moduleload.yml - powershell_remote_powershell_session.yml - win_non_interactive_powershell.yml - win_syskey_registry_access.yml - win_wmiprvse_spawning_process.yml improve 1 rule: - rules/windows/builtin/win_account_backdoor_dcsync_rights.yml --- .../win_account_backdoor_dcsync_rights.yml | 8 ++--- ...win_ad_replication_non_machine_account.yml | 28 ++++++++++++++++++ .../win_dpapi_domain_backupkey_extraction.yml | 23 +++++++++++++++ ..._dpapi_domain_masterkey_backup_attempt.yml | 20 +++++++++++++ .../win_lsass_access_non_system_account.yml | 27 +++++++++++++++++ .../win_protected_storage_service_access.yml | 23 +++++++++++++++ .../win_sam_registry_hive_handle_request.yml | 23 +++++++++++++++ .../builtin/win_syskey_registry_access.yml | 17 ++++++----- .../powershell_remote_powershell_session.yml | 3 +- .../win_non_interactive_powershell.yml | 15 +++++----- .../win_wmiprvse_spawning_process.yml | 10 +++---- ..._alternate_powershell_hosts_moduleload.yml | 5 ++-- 
...sysmon_alternate_powershell_hosts_pipe.yml | 5 ++-- .../sysmon_createremotethread_loadlibrary.yml | 5 ++-- ...n_non_interactive_powershell_execution.yml | 20 ------------- ...sysmon_powershell_execution_moduleload.yml | 3 +- .../sysmon_powershell_execution_pipe.yml | 3 +- .../sysmon_rdp_registry_modification.yml | 11 +++---- ...smon_remote_powershell_session_process.yml | 11 +++---- .../windows/sysmon/sysmon_wmi_module_load.yml | 29 ++++++++++--------- .../sysmon_wmiprvse_spawning_process.yml | 20 ------------- 21 files changed, 212 insertions(+), 97 deletions(-) create mode 100644 rules/windows/builtin/win_ad_replication_non_machine_account.yml create mode 100644 rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml create mode 100644 rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml create mode 100644 rules/windows/builtin/win_lsass_access_non_system_account.yml create mode 100644 rules/windows/builtin/win_protected_storage_service_access.yml create mode 100644 rules/windows/builtin/win_sam_registry_hive_handle_request.yml rename rules/windows/{builtin => process_creation}/win_non_interactive_powershell.yml (58%) rename rules/windows/{builtin => process_creation}/win_wmiprvse_spawning_process.yml (75%) delete mode 100644 rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml index 9bc99f507..fb54b399d 100644 --- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml +++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml 
@@ -16,10 +16,10 @@ detection: selection: EventID: 5136 LDAPDisplayName: 'ntSecurityDescriptor' - Value: - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' - - '*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*' - - '*89e95b76-444d-4c62-991a-0facbeda640c*' + Value|contains: + - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' + - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' + - '89e95b76-444d-4c62-991a-0facbeda640c' condition: selection falsepositives: - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account. diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml new file mode 100644 index 000000000..8aa4d1fcb --- /dev/null +++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml @@ -0,0 +1,28 @@ +title: T1003 Active Directory Replication from Non Machine Account +description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. +status: experimental +date: 2019/07/26 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4662 + AccessMask: '0x100' + Properties|contains: + - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' + - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' + - '89e95b76-444d-4c62-991a-0facbeda640c' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file 
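Review bot: `filter: SubjectUserName|endswith: '$'` exempts every account whose name ends in `$`, not only computer accounts, so an attacker who creates a user such as `svc_sync$` (a trivial way to blend in) and grants it replication rights is never alerted on; the filter should require an actual computer object, or at least be paired with a constraint on known DC names. Conversely, replication from non-machine accounts is normal for directory synchronisation software (Azure AD Connect's `MSOL_*` account and similar sync agents), so `falsepositives: Unknown` with `level: critical` will page on every sync cycle in those environments. I would list those under `falsepositives` and state in `description` that the sync account must be filtered per environment. The `$`-suffix weakness is worth a comment next to the filter so a later maintainer does not treat it as authoritative.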
diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml new file mode 100644 index 000000000..c28d7941f --- /dev/null +++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml @@ -0,0 +1,23 @@ +title: T1003 DPAPI Domain Backup Key Extraction +description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers +status: experimental +date: 2019/06/20 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4662 + ObjectType: 'SecretObject' + AccessMask: '0x2' + ObjectName: 'BCKUPKEY' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml new file mode 100644 index 000000000..c47abde49 --- /dev/null +++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml 
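Review bot: `ObjectName: 'BCKUPKEY'` is an exact match, but the LSA secrets holding the DPAPI domain backup key carry suffixes (`BCKUPKEY_PREFERRED`, `BCKUPKEY_P`, `BCKUPKEY_<GUID>`), so as written the rule most likely never fires; I believe the referenced playbook uses a substring (`LIKE '%BCKUPKEY%'`) for exactly this reason. Change it to `ObjectName|contains: 'BCKUPKEY'` (or `|startswith`). Also, 4662 on `SecretObject` is only produced when the relevant object-access auditing is enabled on the DCs, which the `description` should state, since `falsepositives: Unknown` at `level: critical` suggests the rule has not yet been validated against live data.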
@@ -0,0 +1,20 @@ +title: T1003 DPAPI Domain Master Key Backup Attempt +description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller. +status: experimental +date: 2019/08/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4692 + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml new file mode 100644 index 000000000..03b7d9a92 --- /dev/null +++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml @@ -0,0 +1,27 @@ +title: T1003 LSASS Access from Non System Account +description: Detects potential mimikatz-like tools accessing LSASS from non system account +status: experimental +date: 2019/06/20 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: + - 4663 + - 4656 + ObjectType: 'Process' + ObjectName|endswith: '\lsass.exe' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml new file mode 100644 index 000000000..b726363ad 
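Review bot: `EventID: 4692` ("Backup of data protection master key was attempted") is generated on every domain-joined client whenever a user's new DPAPI master key is created — first logon, password change, new profile — so a rule that is nothing but this event at `level: critical` with `falsepositives: Unknown` will fire constantly on routine activity and carries no attacker-intent signal on its own. It also does not constrain the event's status/failure-reason field, if the backend exposes it, so successful and failed backups are treated alike. I would lower it to `low`, describe it as a correlation/hunting rule (e.g. paired in a time window with the `BCKUPKEY` 4662 rule), and add `- Normal DPAPI master key creation on domain members` under `falsepositives`. The `references` entry points to the backup-key-extraction playbook rather than a master-key one; worth confirming that is intended.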
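Review bot: 4656/4663 with `ObjectType: 'Process'` for `\lsass.exe` are only produced when Kernel Object auditing is enabled and a SACL applies to the process object, which the rule does not document, so on most estates it will look healthy while producing nothing. Where the events do exist, the selection has no `AccessMask` constraint, so AV/EDR agents, backup software and Process Explorer-style tools running under non-`$` service accounts will trip it constantly despite `level: critical`. I would add the audit prerequisite to `description`, list those tools under `falsepositives`, and consider restricting to the access masks credential dumpers typically request (e.g. `AccessMask: ['0x1010', '0x1410', '0x1438', '0x143a']`), hedged as environment-specific. The `$` filter also means a dumper running as SYSTEM — the common post-privesc case — is intentionally out of scope; the description should say so.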
--- /dev/null +++ b/rules/windows/builtin/win_protected_storage_service_access.yml @@ -0,0 +1,23 @@ +title: T1003 Protected Storage Service Access +description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers +status: experimental +date: 2019/08/10 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md +tags: + - attack.lateral_movement + - attack.t1021 +logsource: + product: windows + service: security +detection: + selection: + EventID: 5145 + ShareName|contains: 'IPC' + RelativeTargetName: "protected_storage" + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml new file mode 100644 index 000000000..b6f36b5cd --- /dev/null +++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml @@ -0,0 +1,23 @@ +title: T1012 SAM Registry Hive Handle Request +description: Detects handles requested to SAM registry hive +status: experimental +date: 2019/08/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g +references: + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md +tags: + - attack.discovery + - attack.t1012 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4656 + ObjectType: 'Key' + ObjectName|endswith: '\SAM' + condition: selection +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml index d2c5c2b85..58dbe641b 100644 
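Review bot: The rule is titled and described as T1003 DPAPI backup-key abuse but tagged `attack.lateral_movement` / `attack.t1021`, so every ATT&CK mapping downstream files it under the wrong technique; the tags should be `attack.credential_access` / `attack.t1003` like the sibling DPAPI rules (keep t1021 additionally only if the remote-access angle is deliberate). Beyond that, 5145 requires the very noisy Audit Detailed File Share subcategory, and, as far as I understand MS-BKRP, clients legitimately call the `protected_storage` pipe on DCs whenever they create or recover a DPAPI master key, so `falsepositives: Unknown` at `level: critical` understates the expected noise. I would state the audit prerequisite in `description` and add `- Legitimate BackupKey (MS-BKRP) traffic from domain members` under `falsepositives`. `RelativeTargetName: "protected_storage"` also breaks the single-quote convention used everywhere else in the rule.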
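Review bot: `ObjectName|endswith: '\SAM'` matches any registry key whose name ends in `SAM` (a vendor's `...\Software\Foo\SAM` would do), and in the other direction 4656 only records key opens when Audit Registry is enabled and a SACL is set on `HKLM\SAM`, which the rule does not mention. With the SACL in place lsass and the SAM server open this hive routinely, so with no subject filter and `level: critical` the rule alerts on normal system activity. I would anchor the path — I believe 4656 reports the key as `\REGISTRY\MACHINE\SAM`, so `ObjectName: '\REGISTRY\MACHINE\SAM'` — add `filter: SubjectUserName|endswith: '$'` with `condition: selection and not filter` consistent with the LSASS rule in this commit, and state the SACL prerequisite in `description`.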
--- a/rules/windows/builtin/win_syskey_registry_access.yml +++ b/rules/windows/builtin/win_syskey_registry_access.yml @@ -2,9 +2,10 @@ title: T1012 SysKey Registry Keys Access description: Detects handle requests and access operations to specific registry keys to calculate the SysKey status: experimental date: 2019/08/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_access.md + - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md tags: - attack.discovery - attack.t1012 @@ -12,16 +13,16 @@ logsource: product: windows service: security detection: - selection: - EventID: + selection: + EventID: - 4656 - 4663 ObjectType: 'key' - ObjectName: - - '*lsa\JD' - - '*lsa\GBG' - - '*lsa\Skew1' - - '*lsa\Data' + ObjectName|endswith: + - 'lsa\JD' + - 'lsa\GBG' + - 'lsa\Skew1' + - 'lsa\Data' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml index b474f993c..035cbb974 100644 --- a/rules/windows/powershell/powershell_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_remote_powershell_session.yml @@ -2,6 +2,7 @@ title: T1086 Remote PowerShell Session description: Detects remote PowerShell sessions status: experimental date: 2019/08/10 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md @@ -14,7 +15,7 @@ detection: - 4103 - 400 HostName: 'ServerRemoteHost' - HostApplication: '*wsmprovhost.exe*' + HostApplication|contains: 'wsmprovhost.exe' condition: selection falsepositives: - Unknown 
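Review bot: `ObjectType: 'key'` is lowercase here while the new SAM hive rule in this same commit uses `ObjectType: 'Key'`, which is how the Security log writes it; on backends with case-sensitive keyword matching (Elasticsearch keyword fields, for one) this rule never matches. Change it to `ObjectType: 'Key'` for correctness and consistency. The same applies to `ObjectName|endswith: 'lsa\JD'` and friends — the real path is `...\Control\Lsa\JD`, so `'Lsa\JD'` is the safer spelling on such backends. As with the SAM rule, these 4656/4663 events require Audit Registry plus a SACL on the Lsa key, which the `description` should state.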
diff --git a/rules/windows/builtin/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml similarity index 58% rename from rules/windows/builtin/win_non_interactive_powershell.yml rename to rules/windows/process_creation/win_non_interactive_powershell.yml index 6ba84927d..766dea5f9 100644 --- a/rules/windows/builtin/win_non_interactive_powershell.yml +++ b/rules/windows/process_creation/win_non_interactive_powershell.yml @@ -1,19 +1,20 @@ title: T1086 Non Interactive PowerShell description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. status: experimental -date: 2019/12/10 -author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/09/12 +modified: 2019/11/10 +author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md logsource: + category: process_creation product: windows - service: security detection: selection: - EventID: 4688 - NewProcessName: '*\powershell.exe' - ParentProcessName: '*\explorer.exe' - condition: selection + Image|endswith: '\powershell.exe' + filter: + ParentImage|endswith: '\explorer.exe' + condition: selection and not filter falsepositives: - Unknown level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml similarity index 75% rename from rules/windows/builtin/win_wmiprvse_spawning_process.yml rename to rules/windows/process_creation/win_wmiprvse_spawning_process.yml index 37ccaa4d2..9362869b7 100644 --- a/rules/windows/builtin/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml 
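Review bot: `Image|endswith: '\powershell.exe'` with only `explorer.exe` as an excluded parent labels every scheduled task, GPO script, SCCM/Intune agent, monitoring check and CI runner that launches PowerShell as `level: critical`, while `falsepositives: Unknown` gives the analyst no tuning guidance; `critical` is not defensible for a rule that fires on routine automation. It also only covers `powershell.exe`, so non-interactive `pwsh.exe` is missed. I would widen the selection to `Image|endswith: ['\powershell.exe', '\pwsh.exe']`, drop the level to `low`/`medium`, and list common automation parents (task scheduler hosts, `CcmExec.exe`, management agents) under `falsepositives`, framing this as a hunting rule rather than an alerting one.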
@@ -2,18 +2,18 @@ title: T1047 Wmiprvse Spawning Process description: Detects wmiprvse spawning processes status: experimental date: 2019/08/15 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md logsource: + category: process_creation product: windows - service: security detection: - selection: - EventID: 4688 - ParentProcessName: '*WmiPrvSe.exe' + selection: + ParentImage|endswith: '\WmiPrvSe.exe' filter: - TargetLogonId: '0x3e7' + LogonId: '0x3e7' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml index 0192877ae..854ea6a8e 100644 --- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_moduleload.yml @@ -2,6 +2,7 @@ title: T1086 Alternate PowerShell Hosts description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/09/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md @@ -12,9 +13,9 @@ detection: selection: EventID: 7 Description: 'system.management.automation' - ImageLoaded: '*system.management.automation*' + ImageLoaded|contains: 'system.management.automation' filter: - Image: '*\powershell.exe' + Image|endswith: '\powershell.exe' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml index 47ffd1649..3fffb15da 100644 
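Review bot: `filter: LogonId: '0x3e7'` will exclude nothing for Security 4688 consumers of the generic `process_creation` source: the windows-audit config touched earlier in this series maps only `Image` and `ParentImage`, so `LogonId` reaches the backend unmapped while 4688 carries `TargetLogonId` (the field this rule used before the move). Either add `LogonId: TargetLogonId` to that config's `fieldmappings` (confirm Target vs Subject is the intended session) or keep the filter out of the generic rule. Separately, excluding the SYSTEM session blinds the rule to children spawned by permanent WMI event subscriptions (`CommandLineEventConsumer`), which run as SYSTEM — the classic WMI persistence case; that limitation belongs in `description`.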
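Review bot: `filter: Image|endswith: '\powershell.exe'` leaves the other Microsoft-signed PowerShell hosts unfiltered — `powershell_ise.exe`, `pwsh.exe` and `wsmprovhost.exe` (which hosts the engine for remoting) — so the rule alerts on every ISE session and every remoting call. I would extend it to `Image|endswith: ['\powershell.exe', '\powershell_ise.exe', '\pwsh.exe', '\wsmprovhost.exe']` and note under `falsepositives` that other signed hosts (Exchange and Server Manager shells, SCCM consoles) exist. Also `Description: 'system.management.automation'` is lowercase whereas Sysmon reports the DLL's file description as `System.Management.Automation`; on case-sensitive backends the selection never matches, and since `ImageLoaded|contains` already identifies the module the `Description` constraint could simply be dropped.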
--- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml @@ -2,6 +2,7 @@ title: T1086 Alternate PowerShell Hosts description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/09/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md @@ -11,9 +12,9 @@ logsource: detection: selection: EventID: 17 - PipeName: '\PSHost*' + PipeName|startswith: '\PSHost' filter: - Image: '*\powershell.exe' + Image|startswith: '\powershell.exe' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml index cdee77d86..6c2f972de 100644 --- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml +++ b/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml @@ -1,7 +1,8 @@ title: T1055 CreateRemoteThread API and LoadLibrary -description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process +description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process status: experimental date: 2019/08/11 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md @@ -11,7 +12,7 @@ logsource: detection: selection: EventID: 8 - StartModule: '*\kernel32.dll' + StartModule|endswith: '\kernel32.dll' StartFunction: 'LoadLibraryA' condition: selection falsepositives: 
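Review bot: `Image|startswith: '\powershell.exe'` is a bug introduced by the modifier conversion: `Image` is a full path such as `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, so the startswith never matches, `not filter` excludes nothing, and the rule now fires on every `\PSHost` pipe created by ordinary powershell.exe — the original `'*\powershell.exe'` was an endswith. Fix: `Image|endswith: '\powershell.exe'`, as the sibling moduleload rule in this commit does. I believe `powershell_ise.exe` and `pwsh.exe` create `\PSHost.*` pipes legitimately as well, so adding them to the same list would avoid the obvious false positives.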
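Review bot: `StartFunction: 'LoadLibraryA'` only catches the ANSI entry point; injectors just as commonly use `LoadLibraryW` (and `LoadLibraryExA`/`LoadLibraryExW`), so the textbook CreateRemoteThread+LoadLibrary technique evades this rule with a one-character change. I would use `StartFunction|startswith: 'LoadLibrary'` or list the four variants explicitly. `falsepositives` (outside the hunk) should mention that some security products and application-compatibility shims inject by the same mechanism, since that will be the first thing an analyst sees.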
diff --git a/rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml b/rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml deleted file mode 100644 index 75ec63f63..000000000 --- a/rules/windows/sysmon/sysmon_non_interactive_powershell_execution.yml +++ /dev/null @@ -1,20 +0,0 @@ -title: T1086 Non Interactive PowerShell Execution -description: Detects execution of PowerShell with not explorer.exe as a parent. -status: experimental -date: 2019/09/12 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\powershell.exe' - filter: - ParentImage: '*\explorer.exe' - condition: selection and not filter -falsepositives: - - Unknown -level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml index 2837ee65b..c9e16c9f1 100644 --- a/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml +++ b/rules/windows/sysmon/sysmon_powershell_execution_moduleload.yml @@ -2,6 +2,7 @@ title: T1086 PowerShell Execution description: Detects execution of PowerShell status: experimental date: 2019/09/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md @@ -12,7 +13,7 @@ detection: selection: EventID: 7 Description: 'system.management.automation' - ImageLoaded: '*system.management.automation*' + ImageLoaded|contains: 'system.management.automation' condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml index 91ca4d8fc..64c22df7c 100644 --- a/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml +++ b/rules/windows/sysmon/sysmon_powershell_execution_pipe.yml @@ -2,6 +2,7 @@ title: T1086 PowerShell Execution description: Detects execution of PowerShell status: experimental date: 2019/09/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md @@ -11,7 +12,7 @@ logsource: detection: selection: EventID: 17 - PipeName: '\PSHost*' + PipeName|startswith: '\PSHost' condition: selection falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml index 1fae0cc66..a01d3a0eb 100644 --- a/rules/windows/sysmon/sysmon_rdp_registry_modification.yml +++ b/rules/windows/sysmon/sysmon_rdp_registry_modification.yml 
@@ -2,18 +2,19 @@ title: T1112 RDP Registry Modification description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. status: experimental date: 2019/09/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md + - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md logsource: product: windows service: sysmon detection: - selection_one: + selection: EventID: 13 - TargetObject: - - '*\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - - '*\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' + TargetObject|endswith: + - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' + - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' Details: 'DWORD (0x00000000)' condition: selection falsepositives: diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml b/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml index 2db614c8f..09b19b64b 100644 --- a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml +++ b/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml @@ -2,6 +2,7 @@ title: T1086 Remote PowerShell Session description: Detects remote PowerShell seccions by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote sessionn) status: experimental date: 2019/09/12 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md 
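Review bot: Sysmon only emits Event 13 for `fDenyTSConnections` and `RDP-Tcp\UserAuthentication` if the Sysmon configuration has a `RegistryEvent` include covering those keys, which depends entirely on the deployed config; without it the rule silently produces nothing, so the prerequisite should be stated in `description`. Note also that `Details: 'DWORD (0x00000000)'` means different things for the two keys — `fDenyTSConnections=0` enables RDP while `UserAuthentication=0` disables NLA — and the description only speaks of enabling connections; spelling out both helps the analyst read the alert. The `falsepositives` list after this hunk should cover GPO-driven RDP enablement and admins legitimately turning RDP on.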
@@ -9,13 +10,13 @@ logsource: product: windows service: sysmon detection: - selection_one: + selection_1: EventID: 1 - Image: '*\wsmprovhost.exe' - selection_two: + Image|endswith: '\wsmprovhost.exe' + selection_2: EventID: 1 - ParentImage: '*\wsmprovhost.exe' - condition: selection_one or selection_two + ParentImage|endswith: '\wsmprovhost.exe' + condition: selection_1 or selection_2 falsepositives: - Unknown level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml index 82368ec0a..05422cf03 100644 --- a/rules/windows/sysmon/sysmon_wmi_module_load.yml +++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml @@ -2,6 +2,7 @@ title: T1047 WMI Modules Loaded description: Detects non wmiprvse loading WMI modules status: experimental date: 2019/08/10 +modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md @@ -11,21 +12,21 @@ logsource: detection: selection: EventID: 7 - ImageLoaded: - - '*wmiclnt.dll' - - '*WmiApRpl.dll' - - '*wmiprov.dll' - - '*wmiutils.dll' - - '*wbemcomn.dll' - - '*wbemprox.dll' - - '*WMINet_Utils.dll' - - '*wbemsvc.dll' - - '*fastprox.dll' + ImageLoaded|endswith: + - '\wmiclnt.dll' + - '\WmiApRpl.dll' + - '\wmiprov.dll' + - '\wmiutils.dll' + - '\wbemcomn.dll' + - '\wbemprox.dll' + - '\WMINet_Utils.dll' + - '\wbemsvc.dll' + - '\fastprox.dll' filter: - Image: - - '*WmiPrvSe.exe' - - '*WmiAPsrv.exe' - - '*svchost.exe' + Image|endswith: + - '\WmiPrvSe.exe' + - '\WmiAPsrv.exe' + - '\svchost.exe' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml b/rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml deleted file mode 100644 index ed05c5424..000000000 
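Review bot: The `filter` in sysmon_wmi_module_load.yml excludes any image whose path ends in `\svchost.exe`, `\WmiPrvSe.exe` or `\WmiAPsrv.exe` regardless of directory, so the suppression also covers same-named binaries located outside the Windows directory. Pinning the filter to the expected locations, e.g. `- '\Windows\System32\svchost.exe'` and `- '\Windows\SysWOW64\svchost.exe'`, keeps the noise reduction while limiting what it hides; at minimum a comment above `filter:` stating that these images are only expected under the Windows directory would document the intent. The remote PowerShell hunk sharing this line is fine as written and is reworked again in PATCH 223.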
--- a/rules/windows/sysmon/sysmon_wmiprvse_spawning_process.yml +++ /dev/null @@ -1,20 +0,0 @@ -title: T1047 Wmiprvse Spawning Process -description: Detects wmiprvse spawning processes -status: experimental -date: 2019/08/15 -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*WmiPrvSe.exe' - filter: - LogonId: '0x3e7' - condition: selection and not filter -falsepositives: - - Unknown -level: critical \ No newline at end of file From 0db543677896aacabbcaa03b7af3af45c40a06ea Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 20:27:21 +0300 Subject: [PATCH 214/269] add tieto dns exfil rules --- .../net_dns_high_subdomain_rate.yml | 41 +++++++++++++++++++ .../net_dns_large_domain_name.yml | 36 ++++++++++++++++ .../win_tap_driver_installation.yml | 9 +++- .../powershell_dnscat_execution.yml | 2 +- .../win_dns_exfiltration_tools_execution.yml | 5 +-- ...ltration_and_tunneling_tools_execution.yml | 10 ++--- .../win_tap_installer_execution.yml | 2 +- 7 files changed, 94 insertions(+), 11 deletions(-) create mode 100644 rules/unsupported_logic/net_dns_high_subdomain_rate.yml create mode 100644 rules/unsupported_logic/net_dns_large_domain_name.yml rename rules/windows/{sysmon => builtin}/win_tap_driver_installation.yml (80%) diff --git a/rules/unsupported_logic/net_dns_high_subdomain_rate.yml b/rules/unsupported_logic/net_dns_high_subdomain_rate.yml new file mode 100644 index 000000000..6b76a1ef7 --- /dev/null +++ b/rules/unsupported_logic/net_dns_high_subdomain_rate.yml 
@@ -0,0 +1,41 @@ +title: High DNS subdomain requests rate per domain +description: High rate of unique Fully Qualified Domain Names (FQDN) requests per root domain (eTLD+1) in short period of time +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/21 +modified: 2019/11/04 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + dns_question_name: + query: "*" + default_list_of_well_known_domains: + query_etld_plus_one: + - "akadns.net" + - "akamaiedge.net" + - "amazonaws.com" + - "apple.com" + - "apple-dns.net" + - "cloudfront.net" + - "icloud.com" + - "in-addr.arpa" + - "google.com" + - "yahoo.com" + - "dropbox.com" + - "windowsupdate.com" + - "microsoftonline.com" + - "s-microsoft.com" + - "office365.com" + - "linkedin.com" + timeframe: 15m + condition: count(subdomain) per query_etld_plus_one per computer_name > 200 and not default_list_of_well_known_domains + # for each host in timeframe + # for each dns_question_etld_plus_one + # if number of dns_question_name > 200 + # dns_question_etld_plus_one is not in default_list_of_well_known_domains +falsepositives: + - Legitimate domain name requested, which should be added to whitelist +level: high +status: experimental diff --git a/rules/unsupported_logic/net_dns_large_domain_name.yml b/rules/unsupported_logic/net_dns_large_domain_name.yml new file mode 100644 index 000000000..463ff1e05 --- /dev/null +++ b/rules/unsupported_logic/net_dns_large_domain_name.yml 
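Review bot: `dns_question_name` is declared but never referenced by `condition`, while `count(subdomain)` and `per computer_name` use names that no selection defines, so the only complete specification of the logic is the four-line pseudo-code comment under `condition`. Since the file lives in unsupported_logic, say so in `description`, e.g. `... (pseudo-Sigma: see the comment under condition; not convertible by sigmac)`, and either drop the unused `dns_question_name` block or reference it. Separately, `default_list_of_well_known_domains` is compared on eTLD+1 only, so every name under `amazonaws.com` or `cloudfront.net` is suppressed even though those zones host tenant-controlled hostnames; a comment noting that trade-off would help whoever tunes the list. The same allowlist and trade-off appear in net_dns_large_domain_name.yml in the next hunk.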
@@ -0,0 +1,36 @@ +title: Large domain name request +description: Detects large DNS domain names +author: Daniil Yugoslavskiy, oscd.community +date: 2019/10/21 +modified: 2019/11/04 +tags: + - attack.exfiltration + - attack.t1048 +logsource: + category: dns +detection: + selection: + query_length: "> 70" # IS MORE THAN 70 bytes + default_list_of_well_known_domains: + query_etld_plus_one: + - "akadns.net" + - "akamaiedge.net" + - "amazonaws.com" + - "apple.com" + - "apple-dns.net" + - "cloudfront.net" + - "icloud.com" + - "in-addr.arpa" + - "google.com" + - "yahoo.com" + - "dropbox.com" + - "windowsupdate.com" + - "microsoftonline.com" + - "s-microsoft.com" + - "office365.com" + - "linkedin.com" + condition: selection and not default_list_of_well_known_domains +falsepositives: + - Legitimate domain name requested, which should be added to whitelist +level: high +status: experimental \ No newline at end of file diff --git a/rules/windows/sysmon/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml similarity index 80% rename from rules/windows/sysmon/win_tap_driver_installation.yml rename to rules/windows/builtin/win_tap_driver_installation.yml index 3d09ad4fb..537d8a20c 100644 --- a/rules/windows/sysmon/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -13,7 +13,7 @@ falsepositives: level: medium detection: selection: - ImagePath: "*tap0901*" + ImagePath|contains: 'tap0901' condition: selection --- logsource: @@ -29,3 +29,10 @@ logsource: detection: selection: EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 \ No newline at end of file diff --git a/rules/windows/powershell/powershell_dnscat_execution.yml b/rules/windows/powershell/powershell_dnscat_execution.yml index e8f698eaf..314cad819 100644 --- a/rules/windows/powershell/powershell_dnscat_execution.yml +++ b/rules/windows/powershell/powershell_dnscat_execution.yml 
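Review bot: `query_length: "> 70"` encodes a comparison inside a string value, which a Sigma backend would treat as a literal match, and the inline comment says `bytes` while the length of a queried name is normally counted in characters of its ASCII/IDNA form. Replace the comment with `# intended: numeric comparison, length of the queried name (ASCII/IDNA form) > 70 — not expressible in Sigma, see unsupported_logic` so both the unit and the non-standard syntax are documented. `level: high` on a single long query is also worth a falsepositives entry, since legitimate CDN and telemetry names can exceed 70 characters.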
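Review bot: In win_tap_driver_installation.yml the global `ImagePath|contains: 'tap0901'` selection is applied to the document with `EventID: 6` (presumably Sysmon DriverLoad) and the new Security document with `EventID: 4697`, but Sysmon DriverLoad carries the path in `ImageLoaded` and Security 4697 in `ServiceFileName`; only System 7045 names the field `ImagePath`, so unless the backend field mapping normalises these, the two extra documents cannot match. Either add per-document selections with the native field names or document the assumed mapping in a comment above the global selection. Stylistically, the new third document indents `logsource:` and `detection:` with a leading space while the sibling documents keep them at column 0; the same indentation and the same field-name problem (global `ServiceFileName` over Sysmon 6 and System 7045) appear in win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (PATCH 224). The document containing the first hunk starts outside the hunk.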
@@ -12,7 +12,7 @@ logsource: detection: selection: EventID: 4104 - ScriptBlockText: "*Start-Dnscat2*" + ScriptBlockText|contains: "Start-Dnscat2" condition: selection falsepositives: - Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely) diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml index 6f072e792..cfd25684e 100644 --- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml @@ -11,9 +11,8 @@ logsource: product: windows detection: selection: - NewProcessName: - - "*\\iodine.exe" - - "*\\dnscat2*" + - Image|endswith: '*\iodine.exe' + - Image|contains: '\dnscat2' condition: selection falsepositives: - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely) diff --git a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml index 0cd906be8..171b87c37 100644 --- a/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml +++ b/rules/windows/process_creation/win_exfiltration_and_tunneling_tools_execution.yml @@ -11,11 +11,11 @@ logsource: product: windows detection: selection: - NewProcessName: - - "*\\plink.exe" - - "*\\socat.exe" - - "*\\stunnel.exe" - - "*\\httptunnel.exe" + NewProcessName|endswith: + - '\plink.exe' + - '\socat.exe' + - '\stunnel.exe' + - '\httptunnel.exe' condition: selection falsepositives: - Legitimate Administrator using tool for exfiltration for other needs diff --git a/rules/windows/process_creation/win_tap_installer_execution.yml b/rules/windows/process_creation/win_tap_installer_execution.yml index b9c0395f1..ad9ca6bf1 100644 --- a/rules/windows/process_creation/win_tap_installer_execution.yml +++ b/rules/windows/process_creation/win_tap_installer_execution.yml 
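Review bot: In win_dns_exfiltration_tools_execution.yml, `Image|endswith: '*\iodine.exe'` keeps a leading `*` inside an `endswith` value while the sibling entry `Image|contains: '\dnscat2'` has none; with the modifier the wildcard is redundant and makes the two entries read as if they used different matching rules. Change it to `- Image|endswith: '\iodine.exe'`. The same leftover `*` appears in `Image|endswith: '*\reg.exe'` in win_susp_direct_asep_reg_keys_modification.yml (PATCH 215).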
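Review bot: In win_exfiltration_and_tunneling_tools_execution.yml, `NewProcessName|endswith:` names the Security 4688 field directly inside a rule whose context line shows `product: windows` under what appears to be the generic process_creation logsource, whereas the sibling win_dns_exfiltration_tools_execution.yml in this same commit switched to `Image`; the generic logsource is what lets the backend map `Image` to `NewProcessName` or to Sysmon's `Image`, so the raw field name will only work on one backend. Change the key to `Image|endswith:` with the same four values. The `logsource` block is only partly visible, so the category is inferred.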
@@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - CommandLine: "*\\tapinstall.exe" + Image|endswith: '\tapinstall.exe' condition: selection falsepositives: - Legitimate OpenVPN TAP insntallation From b665b1b9905393fa178a40a285c3258b5c1340b6 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 21:19:06 +0300 Subject: [PATCH 215/269] Update and rename win_susp_direct_run_key_modification.yml to win_susp_direct_asep_reg_keys_modification.yml --- ...susp_direct_asep_reg_keys_modification.yml | 38 +++++++++++++++++++ .../win_susp_direct_run_key_modification.yml | 27 ------------- 2 files changed, 38 insertions(+), 27 deletions(-) create mode 100644 rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml delete mode 100644 rules/windows/process_creation/win_susp_direct_run_key_modification.yml diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml new file mode 100644 index 000000000..29077cc02 --- /dev/null +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml 
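Review bot: The falsepositives entry carried as context in this hunk reads `Legitimate OpenVPN TAP insntallation`; since the hunk already edits the detection block, correct it to `Legitimate OpenVPN TAP installation` here. The `Image|endswith: '\tapinstall.exe'` change itself is consistent with the other process_creation rules in this commit.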
@@ -0,0 +1,38 @@ +title: Direct autorun keys modification +description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml +tags: + - attack.persistence + - attack.t1060 +date: 2019/10/25 +modified: 2019/11/10 +author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community +logsource: + category: process_creation + product: windows +detection: + selection_1: + Image|endswith: '*\reg.exe' + CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules + selection_2: + CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys + - '\software\Microsoft\Windows\CurrentVersion\Run' + - '\software\Microsoft\Windows\CurrentVersion\RunOnce' + - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - '\software\Microsoft\Windows\CurrentVersion\RunServices' + - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' + - '\software\Microsoft\Windows NT\CurrentVersion\Windows' + - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' + - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell' + condition: selection_1 and selection_2 +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason + - Legitimate administrator sets up autorun keys for legitimate reason +level: high diff --git a/rules/windows/process_creation/win_susp_direct_run_key_modification.yml b/rules/windows/process_creation/win_susp_direct_run_key_modification.yml deleted file mode 100644 index e6b707a29..000000000 --- a/rules/windows/process_creation/win_susp_direct_run_key_modification.yml +++ /dev/null 
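Review bot: Under `CommandLine|contains`, the entry `'\software\Microsoft\Windows\CurrentVersion\Run'` already matches every command line that the `RunOnce`, `RunOnceEx`, `RunServices` and `RunServicesOnce` entries would, so those four lines add nothing to the match; either keep them with a comment `# listed separately for readability; subsumed by the Run entry above` or drop them. The same subsumption exists in `TargetObject|contains` of sysmon_asep_regirstry_modification.yml (PATCH 218) and in `selection_2` of win_query_registry.yml (PATCH 219, `'currentVersion\run'` versus `'currentVersion\runServicesOnce'`). Since `selection_1` restricts the verb to `add` (the inline comment explains why), the description should say so: `Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe add.`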
@@ -1,27 +0,0 @@ -title: Direct Run key modification -description: Detects direct Run key modification for persistence using reg.exe. -status: test -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml -tags: - - attack.persistence - - attack.t1060 -date: 2019/10/25 -modified: 2019/10/25 -author: Victor Sergeev, oscd.community -logsource: - category: process_creation - product: windows -detection: - selection: - Image: - - '*\reg.exe' - CommandLine: - - '*add*Microsoft\Windows\CurrentVersion\Run*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Admin scripts -level: high From b9991bb2ecd93bb8f47539823294513b65ff6d6e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 21:21:42 +0300 Subject: [PATCH 216/269] Update win_susp_netsh_dll_persistence.yml --- .../process_creation/win_susp_netsh_dll_persistence.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml index 46e1f21f3..b8a39044f 100644 --- a/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml +++ b/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml @@ -14,10 +14,10 @@ logsource: product: windows detection: selection: - Image: - - '*\netsh.exe' - CommandLine: - - '*add*helper*' + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'add' + - 'helper' condition: selection fields: - CommandLine From 0d00b643cd7b8845687fa3a53f9f35f56a6ca1e2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 21:25:26 +0300 Subject: [PATCH 217/269] Update win_susp_service_path_modification.yml --- .../win_susp_service_path_modification.yml | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) 
diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml index 93ae0e96a..f250bfa3e 100644 --- a/rules/windows/process_creation/win_susp_service_path_modification.yml +++ b/rules/windows/process_creation/win_susp_service_path_modification.yml @@ -1,25 +1,28 @@ title: Suspicious service path modification description: Detects service path modification to powershell/cmd -status: test +status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml tags: - attack.persistence - attack.t1031 date: 2019/10/21 -modified: 2019/10/21 +modified: 2019/11/10 author: Victor Sergeev, oscd.community logsource: category: process_creation - product: windows + product: windows detection: - selection: - Image: - - '*\sc.exe' - CommandLine: - - '*config*binpath*powershell*' - - '*config*binpath*cmd*' - condition: selection + selection_1: + Image|endswith: '\sc.exe' + CommandLine|contains|all: + - 'config' + - 'binpath' + selection_2: + CommandLine|contains: + - 'powershell' + - 'cmd' + condition: selection_1 and selection_2 fields: - CommandLine - ParentCommandLine From f2f1628506b264b08805a52ffd3bac7ce5387791 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 21:36:21 +0300 Subject: [PATCH 218/269] Update and rename sysmon_runkey_from_powershell.yml to sysmon_asep_regirstry_modification.yml --- .../sysmon_asep_regirstry_modification.yml | 32 +++++++++++++++++++ .../sysmon/sysmon_runkey_from_powershell.yml | 27 ---------------- 2 files changed, 32 insertions(+), 27 deletions(-) create mode 100644 rules/windows/sysmon/sysmon_asep_regirstry_modification.yml delete mode 100644 rules/windows/sysmon/sysmon_runkey_from_powershell.yml diff --git a/rules/windows/sysmon/sysmon_asep_regirstry_modification.yml b/rules/windows/sysmon/sysmon_asep_regirstry_modification.yml new file mode 100644 index 000000000..e9e990b9d 
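Review bot: `selection_2` matches `cmd` or `powershell` anywhere in the command line, not only inside the `binpath=` value, so `sc config <name> binpath= ...` fires whenever the service name or any path component merely contains the substring `cmd`; the replaced ordered wildcard (`*config*binpath*cmd*`) at least required the token to follow `binpath`. Consider `- 'cmd.exe'` / `- 'cmd '` in place of `- 'cmd'`, or add a comment above `selection_2` stating that the breadth is intentional. win_using_sc_to_change_sevice_image_path_by_non_admin.yml (PATCH 227) matches the same `sc config ... binPath` command with a different capitalisation; the two rules should agree on spelling even though matching is case-insensitive on most backends.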
--- /dev/null +++ b/rules/windows/sysmon/sysmon_asep_regirstry_modification.yml @@ -0,0 +1,32 @@ +title: Autorun keys modification +description: Detects modification of autostart extensibility point (ASEP) in registry +status: experimental +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml +tags: + - attack.persistence + - attack.t1060 +date: 2019/10/21 +modified: 2019/11/10 +author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 13 + TargetObject|contains: + - '\software\Microsoft\Windows\CurrentVersion\Run' + - '\software\Microsoft\Windows\CurrentVersion\RunOnce' + - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - '\software\Microsoft\Windows\CurrentVersion\RunServices' + - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' + - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' + - '\software\Microsoft\Windows NT\CurrentVersion\Windows' + - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' + condition: selection +falsepositives: + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason + - Legitimate administrator sets up autorun keys for legitimate reason +level: medium diff --git a/rules/windows/sysmon/sysmon_runkey_from_powershell.yml b/rules/windows/sysmon/sysmon_runkey_from_powershell.yml deleted file mode 100644 index 3cda627fc..000000000 --- a/rules/windows/sysmon/sysmon_runkey_from_powershell.yml +++ /dev/null 
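Review bot: Compared with the deleted sysmon_runkey_from_powershell.yml, the new `selection` no longer constrains `Image`, so any process setting a value under the listed keys fires at `level: medium`; the falsepositives lines acknowledge installers, but the description should state that the rule is intentionally image-agnostic, e.g. `Detects modification of autostart extensibility point (ASEP) in registry by any process`. Sysmon only emits EventID 13 for registry paths that its configuration includes, so add a comment above `selection:` such as `# requires a Sysmon config with RegistryEvent include rules covering these keys`.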
@@ -1,27 +0,0 @@ -title: Autorun key modification from powershell/cmd -description: Detects possible persistence from powershell/cmd scripts -status: test -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml -tags: - - attack.persistence - - attack.t1060 -date: 2019/10/21 -modified: 2019/10/21 -author: Victor Sergeev, oscd.community -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - Image: - - '*\powershell.exe' - - '*\cmd.exe' - TargetObject: - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*' - - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*' - condition: selection -falsepositives: - - Admin scripts -level: medium From 6f2243efc4f908ec30722265b664486fbdd562c7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 21:40:08 +0300 Subject: [PATCH 219/269] fix reg rule --- rules/windows/process_creation/win_query_registry.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml index 64ad9df5f..ee312aefc 100644 --- a/rules/windows/process_creation/win_query_registry.yml +++ b/rules/windows/process_creation/win_query_registry.yml @@ -10,8 +10,13 @@ logsource: category: process_creation product: windows detection: - selection: + selection_1: Image|endswith: '\reg.exe' + CommandLine|contains: + - 'query' + - 'save' + - 'export' + selection_2: CommandLine|contains: - 'currentVersion\windows' - 'currentVersion\runServicesOnce' @@ -23,7 +28,7 @@ detection: - 'currentVersion\run' - 'currentVersion\policies\explorer\run' - 'currentcontrolset\services' - condition: selection + condition: selection_1 and selection_2 fields: - Image - CommandLine From 5756df1922d77c6b9a7be9e362ae202262113b52 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Sun, 10 Nov 2019 21:56:34 +0300 Subject: [PATCH 220/269] rename file --- ...try_modification.yml => sysmon_asep_reg_keys_modification.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/sysmon/{sysmon_asep_regirstry_modification.yml => sysmon_asep_reg_keys_modification.yml} (100%) diff --git a/rules/windows/sysmon/sysmon_asep_regirstry_modification.yml b/rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml similarity index 100% rename from rules/windows/sysmon/sysmon_asep_regirstry_modification.yml rename to rules/windows/sysmon/sysmon_asep_reg_keys_modification.yml From 0beeaadb6f6cd2b44b2b8ba93b03efc2b03e640c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 22:47:48 +0300 Subject: [PATCH 221/269] Update sysmon_narrator_feedback_persistance.yml --- .../sysmon/sysmon_narrator_feedback_persistance.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml index ff59f881d..687d7ea8c 100644 --- a/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml +++ b/rules/windows/sysmon/sysmon_narrator_feedback_persistance.yml 
@@ -4,23 +4,23 @@ references: - https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html tags: - attack.persistence + - attack.t1060 author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25 +modified: 2019/11/10 logsource: product: windows service: sysmon detection: condition: 1 of them - # Registry Object Delete selection1: EventID: 12 EventType: DeleteValue - TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' - # Registry Object Value Set + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\DelegateExecute' selection2: EventID: 13 - TargetObject: '*\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' + TargetObject|endswith: '\AppXypsaf9f1qserqevf0sws76dx4k9a5206\Shell\open\command\(Default)' falsepositives: - unknown level: high From fcde35d6abb9e28856663b201d51da1e225b2eec Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 22:51:53 +0300 Subject: [PATCH 222/269] Update sysmon_regsvr32_network_activity.yml --- .../sysmon_regsvr32_network_activity.yml | 21 +++++++------------ 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml index dd9f0b7b6..5194d4090 100644 --- a/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml +++ b/rules/windows/sysmon/sysmon_regsvr32_network_activity.yml 
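Review bot: The removed comments `# Registry Object Delete` and `# Registry Object Value Set` were the only explanation of why `selection1` (EventID 12, `DeleteValue`) and `selection2` (EventID 13) are both needed for this technique, and the `|endswith` change does not require dropping them. Restore them as `# EventID 12: DelegateExecute value deleted` above `selection1` and `# EventID 13: (Default) value set` above `selection2`. The description is outside the hunk.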
@@ -11,24 +11,17 @@ tags: author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25 +modified: 2019/11/10 logsource: product: windows service: sysmon detection: - condition: 1 of them - selection1: - EventID: 3 - Image: '*\System32\regsvr32.exe' - selection2: - EventID: 22 - Image: '*\System32\regsvr32.exe' -# The 32-bit version of Regsvr32.exe on a 64-bit Windows version - selection3: - EventID: 3 - Image: '*\SysWoW64\regsvr32.exe' - selection4: - EventID: 22 - Image: '*\SysWoW64\regsvr32.exe' + selection: + EventID: + - 3 + - 22 + Image|endswith: '\regsvr32.exe' + condition: selection falsepositives: - unknown level: high From 1f5a31f0e7acaef3230bf1c749012f335606338e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Sun, 10 Nov 2019 23:10:24 +0300 Subject: [PATCH 223/269] fix logsource for remote_powershell_session_process.yml --- .../win_remote_powershell_session_process.yml} | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) rename rules/windows/{sysmon/sysmon_remote_powershell_session_process.yml => process_creation/win_remote_powershell_session_process.yml} (68%) diff --git a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml similarity index 68% rename from rules/windows/sysmon/sysmon_remote_powershell_session_process.yml rename to rules/windows/process_creation/win_remote_powershell_session_process.yml index 09b19b64b..9367378cd 100644 --- a/rules/windows/sysmon/sysmon_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml 
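Review bot: Collapsing the four selections into `Image|endswith: '\regsvr32.exe'` also drops the `\System32\` / `\SysWoW64\` path constraint and the comment explaining the 32-bit copy, so the rule now matches a regsvr32.exe in any directory; that is a defensible widening, but the rationale should be kept as `# path deliberately not pinned: covers System32, SysWoW64 and relocated copies` above `Image|endswith`. Pairing `EventID: [3, 22]` with one image correctly preserves the OR semantics of the old `1 of them` condition.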
@@ -7,16 +7,13 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md logsource: + category: process_creation product: windows - service: sysmon detection: - selection_1: - EventID: 1 - Image|endswith: '\wsmprovhost.exe' - selection_2: - EventID: 1 - ParentImage|endswith: '\wsmprovhost.exe' - condition: selection_1 or selection_2 + selection: + - Image|endswith: '\wsmprovhost.exe' + - ParentImage|endswith: '\wsmprovhost.exe' + condition: selection falsepositives: - Unknown level: critical \ No newline at end of file From a69d9d9980e27ae6cee992d7b29bc570fb0a365b Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:04:01 +0300 Subject: [PATCH 224/269] Update win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml --- ...tstrike_getsystem_service_installation.yml | 69 +++++++++++++------ 1 file changed, 48 insertions(+), 21 deletions(-) diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index beb90d7c3..3c5415e55 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
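Review bot: `level: critical` with `falsepositives: - Unknown` does not fit what `selection` matches: wsmprovhost.exe is the host process for every PowerShell remoting session, so legitimate administrative remoting produces exactly this parent/child relationship. Add `- Legitimate PowerShell remoting / WinRM administration` under falsepositives and reconsider the level, or state in the description that the rule is meant for environments where remoting is not used. The list form of `selection` (two single-key maps) gives the intended OR and is fine.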
@@ -1,35 +1,62 @@ +--- +action: global title: Meterpreter or Cobalt Strike getsystem service installation description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation author: Teymur Kheirkhabarov date: 2019/10/26 +modified: 2019/11/11 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ tags: - attack.privilege_escalation - attack.t1134 +detection: + selection: + - ServiceFileName|contains: + - 'cmd' + - 'comspec' + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - ServiceFileName|contains|all: + - 'rundll32' + - '.dll,a' + - '/p:' + condition: selection +fields: + - ServiceFileName +falsepositives: + - Highly unlikely +level: critical +--- logsource: product: windows service: system detection: - service_installation_event: - EventID: - - 7045 - - 4697 - cmd_or_comspec: - ServiceFileName: - - '*cmd*' - - '*COMSPEC*' - getsystem_technique_1: - ServiceFileName: '*cmd* /c echo * > \\.\pipe\*' #cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a cmd /c echo 559891bb017 > \\.\pipe\5e120a - getsystem_cobaltstrike_technique_1: - ServiceFileName: '%COMSPEC% /c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - getsystem_technique_2: - ServiceFileName: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - condition: service_installation_event and (getsystem_technique_1 or getsystem_cobaltstrike_technique_1 or getsystem_technique_2) -fields: - - 
ServiceFileName -falsepositives: - - Penetration Test - - Unknown -level: critical \ No newline at end of file + selection: + EventID: 7045 +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 6 +--- + logsource: + product: windows + service: security + detection: + selection: + EventID: 4697 From 24e17a9c50852dfa13f7f8325d61727d2a71b5b9 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:08:35 +0300 Subject: [PATCH 225/269] Update win_meterpreter_or_cobaltstrike_getsystem_service_start.yml --- ...r_cobaltstrike_getsystem_service_start.yml | 43 ++++++++++++------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml index 2da2b5b03..e82b73c7f 100644 --- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml +++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml @@ -2,6 +2,7 @@ title: Meterpreter or Cobalt Strike getsystem service start description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting author: Teymur Kheirkhabarov date: 2019/10/26 +modified: 2019/11/11 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ 
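Review bot: The first alternative under `selection`, `ServiceFileName|contains: ['cmd', 'comspec']`, makes the three technique-specific `contains|all` alternatives redundant and widens the rule to every service whose binary path contains `cmd`; the old condition referenced only `getsystem_technique_1`, `getsystem_cobaltstrike_technique_1` and `getsystem_technique_2`, never `cmd_or_comspec`. Remove the three lines of that first alternative so the rule keeps its previous precision, or move them into a separately named selection that `condition` does not use. The same broad alternative was introduced as the first entry of `selection_2` in win_meterpreter_or_cobaltstrike_getsystem_service_start.yml (PATCH 225), where it matches every child of services.exe with `cmd` in its command line. With that alternative in place the new `falsepositives: - Highly unlikely` is not accurate.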
@@ -12,20 +13,30 @@ logsource: category: process_creation product: windows detection: - service_start: - ParentImage: '*\services.exe' - cmd_or_comspec: - CommandLine: - - '*cmd*' - - '*COMSPEC*' - getsystem_technique_1: - CommandLine: '*cmd* /c echo * > \\.\pipe\*' #cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a cmd /c echo 559891bb017 > \\.\pipe\5e120a - getsystem_cobaltstrike_technique_1: - CommandLine: '%COMSPEC% /c echo * > \\.\pipe\*' #%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - getsystem_technique_2: - CommandLine: '*rundll32*.dll,a /p:*' #rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - condition: service_start and (getsystem_technique_1 or getsystem_cobaltstrike_technique_1 or getsystem_technique_2) + selection_1: + ParentImage|endswith: '\services.exe' + selection_2: + - CommandLine|contains: + - 'cmd' + - 'comspec' + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - CommandLine|contains|all: + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - CommandLine|contains|all: + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - CommandLine|contains|all: + - 'rundll32' + - '.dll,a' + - '/p:' + condition: selection_1 and selection_2 falsepositives: - - Penetration Test - - Unknown -level: critical \ No newline at end of file + - Highly unlikely +level: critical From 454701cbee67510474d27901a6812f950f3e68c2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:10:18 +0300 Subject: [PATCH 226/269] Update win_possible_privilege_escalation_using_rotten_potato.yml --- ...in_possible_privilege_escalation_using_rotten_potato.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml index 501afbbd2..d960252f1 100644 --- a/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml +++ b/rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml @@ -9,6 +9,7 @@ tags: status: experimental author: Teymur Kheirkhabarov date: 2019/10/26 +modified: 2019/11/11 logsource: category: process_creation product: windows @@ -19,12 +20,11 @@ detection: - 'NT AUTHORITY\LOCAL SERVICE' User: 'NT AUTHORITY\SYSTEM' rundllexception: - Image: '*\rundll32.exe' - CommandLine: '*DavSetCookie*' + Image|endswith: '\rundll32.exe' + CommandLine|contains: 'DavSetCookie' condition: selection and not rundllexception falsepositives: - Unknown - - Penetration Test level: high enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x From 0e6d4f7d76eaf500119ec847a1e65e01d4f203d8 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:17:47 +0300 Subject: [PATCH 227/269] Update win_using_sc_to_change_sevice_image_path_by_non_admin.yml --- ...sc_to_change_sevice_image_path_by_non_admin.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml index ea5421dc2..b40a53b9d 100644 --- a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml +++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml 
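Review bot: `User: 'NT AUTHORITY\SYSTEM'` and the `'NT AUTHORITY\LOCAL SERVICE'` entry (context lines in this hunk) are the English display names; localized Windows installations show the built-in accounts under translated names, so the rule silently misses those hosts. Add a comment such as `# English account names only; localized systems need the translated equivalents or a SID-based field`, or match on a SID-bearing field where the log source provides one. win_whoami_as_system.yml (PATCH 228) has the same `User: 'NT AUTHORITY\SYSTEM'` dependency.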
@@ -1,5 +1,5 @@ title: Possible privilege escalation via weak service permissions -description: Detection of sc utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand +description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://pentestlab.blog/2017/03/30/weak-service-permissions/ @@ -9,19 +9,23 @@ tags: status: experimental author: Teymur Kheirkhabarov date: 2019/10/26 +modified: 2019/11/11 logsource: category: process_creation product: windows detection: scbynonadmin: - Image: '*\sc.exe' + Image|endswith: '\sc.exe' IntegrityLevel: 'Medium' binpath: - CommandLine: '*config*binPath*' + CommandLine|contains|all: + - 'config' + - 'binPath' failurecommand: - CommandLine: '*failure*command*' + CommandLine|contains|all: + - 'failure' + - 'command' condition: scbynonadmin and (binpath or failurecommand) falsepositives: - Unknown - - Penetration Test level: high From 20c87ae83c5a31e3832a5bfc2956c20b3a70b1af Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:18:45 +0300 Subject: [PATCH 228/269] Update win_whoami_as_system.yml --- rules/windows/process_creation/win_whoami_as_system.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml index 7ded24ef3..aa263ab9a 100644 --- a/rules/windows/process_creation/win_whoami_as_system.yml +++ b/rules/windows/process_creation/win_whoami_as_system.yml @@ -1,4 +1,3 @@ - title: Run whoami as SYSTEM status: experimental description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. 
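Review bot: `IntegrityLevel: 'Medium'` in `scbynonadmin` is a Sysmon Event ID 1 field, while the logsource stays the generic `category: process_creation`, which also maps to Security 4688; as far as I know 4688 carries no directly comparable `IntegrityLevel: 'Medium'` field, so on a 4688-only pipeline the rule would never match. Since the hunk rewrites the adjoining `Image|endswith: '\sc.exe'` line, this is the place to either scope the logsource to Sysmon or note the dependency, e.g. `# IntegrityLevel is a Sysmon EID 1 field; not matched on Security 4688` above the selection. The `contains|all` rewrites drop the `config ... binPath` ordering the old wildcards enforced, which is probably acceptable, but `'command'` alone is a very common token; `'command='` (the sc failure syntax) would be tighter for `failurecommand`.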
@@ -6,6 +5,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov date: 2019/10/23 +modified: 2019/11/11 tags: - attack.discovery - attack.privilege_escalation @@ -16,9 +16,8 @@ logsource: detection: selection: User: 'NT AUTHORITY\SYSTEM' - Image: '*\whoami.exe' + Image|endswith: '\whoami.exe' condition: selection falsepositives: - Unknown - - Penetration Test -level: high \ No newline at end of file +level: high From 8adc51d4aa20e250c042cd5e2c0acc7d0d483785 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:30:19 +0300 Subject: [PATCH 229/269] Update sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml --- ...on_via_service_registry_permissions_weakness.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml index 67d72f56c..83fc32d84 100644 --- a/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml +++ b/rules/windows/sysmon/sysmon_possible_privilege_escalation_via_service_registry_permissions_weakness.yml @@ -9,21 +9,22 @@ tags: status: experimental author: Teymur Kheirkhabarov date: 2019/10/26 +modified: 2019/11/11 logsource: - category: process_creation product: windows + service: sysmon detection: selection: EventID: 13 IntegrityLevel: 'Medium' - TargetObject: - - '*\services\*\ImagePath' - - '*\services\*\FailureCommand' - - '*\services\*\Parameters\ServiceDll' + TargetObject|contains: '\services\' + TargetObject|endswith: + - '\ImagePath' + - '\FailureCommand' + - '\Parameters\ServiceDll' condition: selection falsepositives: - Unknown - - Penetration Test level: high enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x 
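Review bot: In the registry-permissions rule, `IntegrityLevel: 'Medium'` is kept in a selection that now explicitly targets Sysmon `EventID: 13`, but a RegistryEvent record does not carry an IntegrityLevel field of its own; the match only works once the `EN_0001_cache_sysmon_event_id_1_info` enrichment listed at the bottom has joined that value from the process-creation event. That dependency is invisible to anyone deploying the rule without the enrichment, where the selection silently never matches. Suggest stating it next to the field: `IntegrityLevel: 'Medium'  # not native to EID 13; supplied by the EN_0001 enrichment below`. The `TargetObject|contains: '\services\'` plus `|endswith` split is a fair approximation of the old `*\services\*\ImagePath` patterns, though it no longer requires `\services\` to precede the value name.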
From 37098be2915c00b1547b00da4d8c8602037b5a8e Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 01:35:51 +0300
Subject: [PATCH 230/269] Update win_net_user_add.yml

---
 rules/windows/process_creation/win_net_user_add.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index 477b35903..99ebe7bf5 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -8,7 +8,7 @@ date: 2018/30/11
 tags:
     - attack.persistance
     - attack.credential_access
-    - attack.1136
+    - attack.t1136
 logsource:
     category: process_creation
     product: windows

From 570f5b238e20ee4d83948f9650f1da5098c8eb5d Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 01:40:45 +0300
Subject: [PATCH 231/269] Update win_soundrec_audio_capture.yml

---
 .../win_soundrec_audio_capture.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml
index dd8798cd1..a6bb8e747 100644
--- a/rules/windows/process_creation/win_soundrec_audio_capture.yml
+++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml
@@ -1,20 +1,21 @@ title: Audio Capture via SoundRecorder -description: Detect attacker collecting audio via SoundRecorder application. +description: Detect attacker collecting audio via SoundRecorder application status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml tags: - attack.collection - attack.t1123 detection: selection: - Image: - - "*\SoundRecorder.exe" - CommandLine: - - "* /FILE *" + Image|endswith: '\SoundRecorder.exe' + CommandLine|contains: '/FILE' condition: selection falsepositives: - - legit audio capture + - Legitimate audio capture by legitimate user level: medium logsource: category: process_creation From bdff2c312b0b84398797eba4d0e08cd1cff4d0d7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:44:53 +0300 Subject: [PATCH 232/269] Update lnx_auditd_ld_so_preload_mod.yml --- rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index 97643378a..526e3f965 100644 --- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml 
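Review bot: The rewritten author line still carries the typo `orignally` (`author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community`); since the line is being touched anyway it should read `originally`. The same misspelling is re-emitted in the corresponding `author:` lines of the ld.so.preload, bootconf, hh.exe, indirect-command, interactive-AT, LSASS-dump, mshta, PowerShell-audio, time-discovery and trust-discovery rules later in this series. The change from `"* /FILE *"` to `CommandLine|contains: '/FILE'` drops the surrounding-space requirement, which broadens the match slightly and looks intentional.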
@@ -1,8 +1,12 @@ title: Modification of ld.so.preload description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html tags: - attack.defense_evasion - attack.t1055 @@ -12,10 +16,8 @@ logsource: detection: selection: type: 'PATH' - name: - - '/etc/ld.so.preload' - condition: selection + name: '/etc/ld.so.preload' condition: selection falsepositives: - - unknown + - Unknown level: medium From fc8901fa1af750f42d0d2adc0b9a00be72ab8be9 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:45:39 +0300 Subject: [PATCH 233/269] Update win_soundrec_audio_capture.yml --- rules/windows/process_creation/win_soundrec_audio_capture.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index a6bb8e747..923d8ee36 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml @@ -6,6 +6,7 @@ date: 2019/10/24 modified: 2019/11/11 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html tags: - attack.collection - attack.t1123 From afb17d0e0e13caf790c31e2322cad3be1ea80bad Mon Sep 17 00:00:00 2001 
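Review bot: `name: '/etc/ld.so.preload'` on `type: 'PATH'` records matches any audited access to the file, not only modification as the title states, and produces events at all only when auditd has a watch on that path; neither is documented in the rule. Suggest a comment above the selection such as `# needs an auditd watch, e.g. -w /etc/ld.so.preload -p wa -k <key>; a read (-p r) watch would flood this rule` (the key name is a placeholder). Removing the duplicated `condition: selection` key is a good fix; most YAML parsers would otherwise keep only the last occurrence without warning.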
From: yugoslavskiy Date: Mon, 11 Nov 2019 01:53:46 +0300 Subject: [PATCH 234/269] Update win_bootconf_mod.yml --- .../process_creation/win_bootconf_mod.yml | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml index c6834ebe3..aff9b51ef 100644 --- a/rules/windows/process_creation/win_bootconf_mod.yml +++ b/rules/windows/process_creation/win_bootconf_mod.yml @@ -1,25 +1,29 @@ title: Modification of Boot Configuration description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html tags: - attack.impact - attack.t1490 detection: selection1: - Image: - - '*bcdedit.exe' + Image|endswith: '\bcdedit.exe' + CommandLine: 'set' selection2: - CommandLine: - - '* set*' - selection3: - CommandLine: - - '* bootstatuspolicy *ignoreallfailures*' - - '* recoveryenabled* no*' - condition: selection1 and selection2 and selection3 + - CommandLine|contains|all: + - 'bootstatuspolicy' + - 'ignoreallfailures' + - CommandLine|contains|all: + - 'recoveryenabled' + - 'no' + condition: selection1 and selection2 falsepositives: - - unlike + - Unlikely level: high logsource: category: process_creation From 521d9311c7133027a393d39164326bd892fcabe9 Mon Sep 17 00:00:00 2001 
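Review bot: `CommandLine: 'set'` in `selection1` has no modifier, which in Sigma is an exact match, so the whole command line would have to equal `set`; combined with the `contains|all` lists in `selection2`, `condition: selection1 and selection2` can never be satisfied and the rule is dead. The replaced pattern was `'* set*'`, so the port should be `CommandLine|contains: 'set'` (or `' set'` to keep the leading-space requirement). Separately, `'no'` as a bare `contains|all` token is a two-letter substring that almost any path or argument can contain; `'recoveryenabled'` alone, or `'recoveryenabled no'`, would be less accidental.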
From: yugoslavskiy Date: Mon, 11 Nov 2019 01:58:22 +0300 Subject: [PATCH 235/269] Delete win_cmd_rar.yml redundant with ./rules/windows/process_creation/win_data_compressed_with_rar.yml authorship was updated --- .../windows/process_creation/win_cmd_rar.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/process_creation/win_cmd_rar.yml diff --git a/rules/windows/process_creation/win_cmd_rar.yml b/rules/windows/process_creation/win_cmd_rar.yml deleted file mode 100644 index 098378a27..000000000 --- a/rules/windows/process_creation/win_cmd_rar.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: Command-Line Creation of a RAR file -description: Detect compression of data into a RAR file using the rar.exe utility. -status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) -date: 2019/10/24 -tags: - - attack.exfiltration - - attack.t1002 -detection: - selection: - Image: - - '*rar.exe' - CommandLine: - - '* a *' - condition: selection -falsepositives: - - legit creation of a rar file using cmd -level: high -logsource: - category: process_creation - product: windows From e7e9185f996311cb7787a7436f11860f344da3df Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:59:29 +0300 Subject: [PATCH 236/269] Delete win_eventlog_cleared.yml redundant with ./rules/windows/process_creation/win_susp_eventlog_clear.yml --- .../process_creation/win_eventlog_cleared.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/process_creation/win_eventlog_cleared.yml diff --git a/rules/windows/process_creation/win_eventlog_cleared.yml b/rules/windows/process_creation/win_eventlog_cleared.yml deleted file mode 100644 index 3806ec5fd..000000000 --- a/rules/windows/process_creation/win_eventlog_cleared.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: Clearing Windows Event Logs with wevtutil -description: Identifies attempts to clear Windows event logs with the command wevtutil. -status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) -date: 2019/10/24 -tags: - - attack.defense_evasion - - attack.t1070 -detection: - selection: - Image: - - '*wevtutil.exe' - CommandLine: - - '* cl *' - condition: selection -falsepositives: - - unknown -level: high -logsource: - category: process_creation - product: windows From 03d08067b5806dac1785f0f9c8a0ea3dc895e411 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 02:11:28 +0300 Subject: [PATCH 237/269] Delete win_fsutil_usn_delete.yml redundant with ./rules/windows/process_creation/win_susp_fsutil_usage.yml. authorship has been updated --- .../win_fsutil_usn_delete.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/process_creation/win_fsutil_usn_delete.yml diff --git a/rules/windows/process_creation/win_fsutil_usn_delete.yml b/rules/windows/process_creation/win_fsutil_usn_delete.yml deleted file mode 100644 index bd955931b..000000000 --- a/rules/windows/process_creation/win_fsutil_usn_delete.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Delete Volume USN Journal with fsutil -description: Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. -status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) -date: 2019/10/24 -tags: - - attack.defense_evasion - - attack.t1070 -detection: - selection1: - Image: - - '*fsutil.exe' - CommandLine: - - '*usn*' - selection2: - CommandLine: - - '* deletejournal*' - condition: selection1 and selection2 -falsepositives: - - unknown -level: high -logsource: - category: process_creation - product: windows From 24ea49a2a1e2b7fcf015907bbc9f7a2c568314a5 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 11 Nov 2019 02:57:59 +0300 Subject: [PATCH 238/269] Update win_susp_net_execution.yml --- rules/windows/process_creation/win_susp_net_execution.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index dfa3e7307..31dd19509 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml @@ -24,10 +24,6 @@ detection: Image: - '*\net.exe' - '*\net1.exe' - filename: - OriginalFileName: - - 'net.exe' - - 'net1.exe' cmdline: CommandLine: - '* group*' @@ -38,7 +34,7 @@ detection: - '* accounts*' - '* use*' - '* stop *' - condition: selection or filename and cmdline + condition: selection and cmdline fields: - CommandLine - ParentCommandLine From f585c556a479bcc183e086857c06e184223b70ad Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 03:04:54 +0300 Subject: [PATCH 239/269] Update win_hh_chm.yml --- rules/windows/process_creation/win_hh_chm.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index 50e3988d3..a4f6756a3 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml 
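Review bot: Deleting the `filename` selection removes the `OriginalFileName` check entirely, so a renamed copy of net.exe/net1.exe no longer matches on `Image`; the replaced condition `selection or filename and cmdline` was wrong only in precedence (`and` binds tighter, so it read `selection or (filename and cmdline)`). Keeping the selection and writing `condition: (selection or filename) and cmdline` fixes the precedence without the coverage loss. Both hunks are fragments of the same `detection` block, whose start lies above the first hunk.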
@@ -1,18 +1,20 @@ title: HH.exe execution description: Identifies usage of hh.exe executing recently modified .chm files. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 +modified: 2019/11/11 tags: - attack.defense_evasion - attack.execution - attack.t1223 detection: selection: - Image: - - '*hh.exe' - CommandLine: - - '* .chm*' + Image|endswith: '\hh.exe' + CommandLine|contains: '.chm' condition: selection falsepositives: - unlike From c584b67095fa4247aa557d39392bd058601f3890 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 03:20:09 +0300 Subject: [PATCH 240/269] Update win_indirect_cmd.yml --- .../process_creation/win_indirect_cmd.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml index 316a276ea..41c13d4c5 100644 --- a/rules/windows/process_creation/win_indirect_cmd.yml +++ b/rules/windows/process_creation/win_indirect_cmd.yml 
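Review bot: `falsepositives: - unlike` survives as the last context line of this hunk while the sibling rules in this series correct the same entry to `Unlikely`; since the hunk already touches the neighbouring lines it should read `- Unlikely` here as well. The description still promises detection of "recently modified .chm files", but `CommandLine|contains: '.chm'` has no recency element, so either the wording or the logic should say what is actually checked. The `author:` line again carries the `orignally` typo.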
@@ -1,19 +1,24 @@ title: Indirect Command Execution -description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe. +description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html date: 2019/10/24 +modified: 2019/11/11 tags: - attack.defense_evasion - attack.t1202 detection: selection: - ParentImage: - - '*pcalua.exe' - - '*forfiles.exe' - condition: selection | count(CommandLine) > 10 + ParentImage|endswith: + - '\pcalua.exe' + - '\forfiles.exe' + condition: selection falsepositives: - - legit usage of scripts + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts + - Legit usage of scripts level: high logsource: category: process_creation From e18ff0b9f921334c58a096af8899f034c6cc702f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 04:05:21 +0300 Subject: [PATCH 241/269] Update win_interactive_at.yml --- rules/windows/process_creation/win_interactive_at.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 3333f2ef0..9d04e1681 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml 
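Review bot: Replacing `condition: selection | count(CommandLine) > 10` with `condition: selection` turns an outlier aggregation into a match on every child process of pcalua.exe or forfiles.exe while `level: high` is kept; the new falsepositives entry itself says extra `unique_count`/`filter` processing is required, so a raw hit is no longer high-confidence. Suggest `level: medium` (or `low`) and, if the aggregation was dropped for backend-support reasons, saying so in the description so the intent survives. `forfiles.exe` in particular appears in routine maintenance scripts, so the raw volume may be noticeable.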
@@ -1,20 +1,19 @@ title: Interactive AT Job description: Detect an interactive AT job, which may be used as a form of privilege escalation. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 tags: - attack.privilege_escalation - attack.t1053 detection: selection: - Image: - - '*at.exe' - CommandLine: - - '* interactive*' + Image|endswith: '\at.exe' + CommandLine|contains: 'interactive' condition: selection falsepositives: - - unlike (at.exe deprecated as of Windows 8) + - Unlikely (at.exe deprecated as of Windows 8) level: high logsource: category: process_creation From 119a3417c615112216d23fb6a15e72ad222246cd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 04:06:37 +0300 Subject: [PATCH 242/269] Update win_interactive_at.yml --- rules/windows/process_creation/win_interactive_at.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 9d04e1681..b7c3340e7 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml @@ -1,7 +1,10 @@ title: Interactive AT Job -description: Detect an interactive AT job, which may be used as a form of privilege escalation. +description: Detect an interactive AT job, which may be used as a form of privilege escalation status: experimental author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html date: 2019/10/24 modified: 2019/11/11 tags: From 20a116cde5419a9da04ddff85b911020af91f497 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 11 Nov 2019 21:46:54 +0300 Subject: [PATCH 243/269] Update win_lsass_dump.yml --- .../process_creation/win_lsass_dump.yml | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index c0f7f9e74..0124c25f3 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml +++ b/rules/windows/process_creation/win_lsass_dump.yml @@ -1,27 +1,30 @@ title: LSASS Memory Dumping description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html + - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml tags: - attack.credential_access - attack.t1003 detection: selection1: - CommandLine: - - '* lsass*.dmp*' + CommandLine|contains|all: + - 'lsass' + - '.dmp' selection2: - Image: - - '*werfault.exe' + Image|endswith: '\werfault.exe' selection3: - Image: - - '*procdump*.exe' - selection4: - CommandLine: - - '* lsass*' - condition: selection1 and not selection2 or selection3 and selection4 + Image|contains: '\procdump' + Image|endswith: '.exe' + CommandLine|contains: 'lsass' + condition: selection1 and not selection2 or selection3 falsepositives: - - unlike + - Unlikely level: high logsource: category: process_creation From f169163d3e34dbadcb6ed4a5bc7d15d6649db378 Mon Sep 17 00:00:00 2001 
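Review bot: `condition: selection1 and not selection2 or selection3` relies on `and` binding tighter than `or`; since the line is rewritten anyway, `condition: (selection1 and not selection2) or selection3` removes the ambiguity for readers and for any backend that parses it differently. In `selection3`, `Image|endswith: '.exe'` adds little on top of `Image|contains: '\procdump'` but is harmless. The `author:` line re-emits the `orignally` typo noted on the SoundRecorder rule.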
From: yugoslavskiy Date: Mon, 11 Nov 2019 21:49:46 +0300 Subject: [PATCH 244/269] Update win_mshta_javascript.yml --- .../process_creation/win_mshta_javascript.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml index 678efff6c..86ab993e7 100644 --- a/rules/windows/process_creation/win_mshta_javascript.yml +++ b/rules/windows/process_creation/win_mshta_javascript.yml @@ -1,18 +1,20 @@ title: Mshta Network Connections -description: Identifies suspicious mshta.exe commands. +description: Identifies suspicious mshta.exe commands status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml tags: - attack.execution - attack.defense_evasion - attack.t1170 detection: selection: - Image: - - '*mshta.exe' - CommandLine: - - '* javascript*' + Image|endswith: '\mshta.exe' + CommandLine|contains: 'javascript' condition: selection falsepositives: - unknown @@ -20,3 +22,4 @@ level: high logsource: category: process_creation product: windows +## todo — add sysmon eid 3 for this rule From b181f0933931e3a54b7b4ddd7f8e4f1149928025 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 21:53:18 +0300 Subject: [PATCH 245/269] Update win_net_enum.yml --- rules/windows/process_creation/win_net_enum.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml index 947b48121..c76da83c6 100644 --- a/rules/windows/process_creation/win_net_enum.yml 
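Review bot: The title `Mshta Network Connections` does not describe the logic, which is a process_creation match on `Image|endswith: '\mshta.exe'` with `javascript` in the command line; the appended `## todo — add sysmon eid 3 for this rule` acknowledges the gap but leaves the title misleading to anyone triaging the alert. Suggest a title matching the file name (e.g. `Mshta JavaScript Execution`) and tracking the Sysmon EID 3 follow-up in an issue rather than a trailing comment, which Sigma tooling silently drops. The title line is in the first hunk on this same line.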
+++ b/rules/windows/process_creation/win_net_enum.yml @@ -5,6 +5,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/11/30 +modified: 2019/11/11 tags: - attack.discovery - attack.t1018 @@ -13,11 +14,13 @@ logsource: product: windows detection: selection: - Image: '*\net.exe' - CommandLine: '* view*' + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'view' filter: - CommandLine: '*\\\\*' + CommandLine|contains: '\\' condition: selection and not filter falsepositives: - - unknown + - Legitimate use of net.exe utility by legitimate user level: low From 81b373cea70d73766c86c607addf26c09fd202b0 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 21:54:23 +0300 Subject: [PATCH 246/269] Update win_net_enum.yml --- rules/windows/process_creation/win_net_enum.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml index c76da83c6..41b67c704 100644 --- a/rules/windows/process_creation/win_net_enum.yml +++ b/rules/windows/process_creation/win_net_enum.yml @@ -3,6 +3,7 @@ status: stable description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/11/30 modified: 2019/11/11 From 8d9e293143f81ec2f5249b3c1636e56a2ec4c139 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 22:00:46 +0300 Subject: [PATCH 247/269] Update win_net_user_add.yml --- rules/windows/process_creation/win_net_user_add.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
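Review bot: `CommandLine|contains: '\\'` in `filter` is one literal backslash under Sigma's escaping (a doubled backslash encodes a single one), whereas the replaced `'*\\\\*'` was two, i.e. the `\\host` UNC prefix; the filter now also suppresses any hit whose command line carries a path, such as the `C:\Windows\system32\net1 view` form net.exe typically hands to net1.exe. Keep the original meaning with `CommandLine|contains: '\\\\'`. Adding `\net1.exe` to `Image|endswith` is a good catch, since net.exe delegates most subcommands to net1.exe.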
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml index 99ebe7bf5..951600fd2 100644 --- a/rules/windows/process_creation/win_net_user_add.yml +++ b/rules/windows/process_creation/win_net_user_add.yml @@ -1,10 +1,12 @@ title: Net.exe User Account Creation status: experimental -description: Identifies creation of local users via the net[1].exe command. +description: Identifies creation of local users via the net.exe command references: - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml author: Endgame, JHasenbusch (adapted to sigma for oscd.community) date: 2018/30/11 +modified: 2019/11/11 tags: - attack.persistance - attack.credential_access @@ -14,8 +16,14 @@ logsource: product: windows detection: selection: - CommandLine: '*\net*.exe * user */ad*' + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - 'user' + - 'add' condition: selection falsepositives: - Legit user creation + - Better use event ids for user creation rather than command line rules level: low From 90bf1c41877bc5f58f3375c2ca39ab462a4b8c44 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 22:03:49 +0300 Subject: [PATCH 248/269] Update win_powershell_audio_capture.yml --- .../win_powershell_audio_capture.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml index 4865300e1..dbfdf05db 100644 --- a/rules/windows/process_creation/win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml 
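Review bot: `CommandLine|contains|all` with `'user'` and `'add'` drops the `/ad` switch the replaced pattern `'*\net*.exe * user */ad*'` required, so the `add` token now matches any account or path name containing that substring; keep `'/add'` as the token. The context line `- attack.persistance` is a misspelled ATT&CK tag (the taxonomy is `attack.persistence`, as used elsewhere in this series) that the `attack.t1136` correction in patch 230 did not pick up; it should be fixed here as well. The new falsepositives note that event IDs suit user-creation detection better than command-line rules is a fair caveat.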
@@ -1,18 +1,21 @@ title: Audio Capture via PowerShell -description: Detect attacker collecting audio via PowerShell Cmdlet. +description: Detects audio capture via PowerShell Cmdlet status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html tags: - attack.collection - attack.t1123 detection: selection: - CommandLine: - - '* WindowsAudioDevice-Powershell-Cmdlet *' + CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet' condition: selection falsepositives: - - legit audio capture + - Legitimate audio capture by legitimate user level: medium logsource: category: process_creation From bf4c2a508de3b1071400da70f88d2ebcefdae3bd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 22:06:57 +0300 Subject: [PATCH 249/269] Update win_powershell_bitsjob.yaml --- .../windows/process_creation/win_powershell_bitsjob.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yaml index 2eb6db523..1bbba2098 100644 --- a/rules/windows/process_creation/win_powershell_bitsjob.yaml +++ b/rules/windows/process_creation/win_powershell_bitsjob.yaml 
@@ -1,10 +1,12 @@ title: Suspicious Bitsadmin Job via PowerShell status: experimental -description: Detect download of BITS jobs via PowerShell. +description: Detect download by BITS jobs via PowerShell references: - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md author: Endgame, JHasenbusch (ported to sigma for oscd.community) -date: 2018/30/11 +date: 2018/10/30 +modified: 2019/11/11 tags: - attack.defense_evasion - attack.persistence @@ -14,7 +16,8 @@ logsource: product: windows detection: selection: - CommandLine: '*powershell.exe *Start-BitsTransfer*' + Image|endswith: '\powershell.exe' + CommandLine|contains: 'Start-BitsTransfer' condition: selection falsepositives: - Unknown From 4635c5b1f9281b6f1ee02cd9dee6fda02fb347d1 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 22:35:43 +0300 Subject: [PATCH 250/269] Update win_net_user_add.yml --- rules/windows/process_creation/win_net_user_add.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml index 951600fd2..7dbef3b56 100644 --- a/rules/windows/process_creation/win_net_user_add.yml +++ b/rules/windows/process_creation/win_net_user_add.yml @@ -5,7 +5,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml author: Endgame, JHasenbusch (adapted to sigma for oscd.community) -date: 2018/30/11 +date: 2018/10/30 modified: 2019/11/11 tags: - attack.persistance From ef55a580cf38516cc1d9ca24533cc0a9f28860fe Mon Sep 17 00:00:00 2001 
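Review bot: `date: 2018/30/11` → `date: 2018/10/30` chooses October 30 for a value that reads as day 30 of month 11, i.e. 2018/11/30, which is also what the net_enum rule carried until patch 251 in this series rewrote it to 2018/10/30; the Endgame-ported rules now agree, but on a guessed date. Worth confirming against the original EQL analytics publication date and recording the source in the commit message. `Image|endswith: '\powershell.exe'` omits `\pwsh.exe`, so PowerShell Core invocations of `Start-BitsTransfer` are not covered; adding it as a second list entry is a one-line widening.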
From: yugoslavskiy Date: Mon, 11 Nov 2019 22:36:00 +0300 Subject: [PATCH 251/269] Update win_net_enum.yml --- rules/windows/process_creation/win_net_enum.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml index 41b67c704..62d76d6db 100644 --- a/rules/windows/process_creation/win_net_enum.yml +++ b/rules/windows/process_creation/win_net_enum.yml @@ -5,7 +5,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml author: Endgame, JHasenbusch (ported for oscd.community) -date: 2018/11/30 +date: 2018/10/30 modified: 2019/11/11 tags: - attack.discovery From 4c10a36e940ba2d7c77b71bd5663f7320552624c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 22:51:35 +0300 Subject: [PATCH 252/269] Update win_remote_time_discovery.yml --- .../win_remote_time_discovery.yml | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml index 20813ab4b..55491edc2 100644 --- a/rules/windows/process_creation/win_remote_time_discovery.yml +++ b/rules/windows/process_creation/win_remote_time_discovery.yml 
@@ -1,23 +1,28 @@ -title: Command-Line Creation of a RAR file -description: Identifies use of various commands to query a remote system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. +title: Discovery of a system time +description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md tags: - attack.discovery - attack.t1124 detection: - selection1: - Image: - - '*net.exe' - CommandLine: - - '* time *' - selection2: - CommandLine: - - '*\\\*' - condition: selection1 and selection2 + selection: + - Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'time' + - Image|endswith: '\w32tm.exe' + CommandLine|contains: 'tz' + - Image|endswith: '\powershell.exe' + CommandLine|contains: 'Get-Date' + condition: selection falsepositives: - - legit admin usage + - Legitimate use of the system utilities to discover system time for legitimate reason level: high logsource: category: process_creation From 7f975f5878e735dd16f61a3dcb62dfb30ec7c569 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 23:02:13 +0300 Subject: [PATCH 253/269] Update win_trust_discovery.yml --- .../process_creation/win_trust_discovery.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml index 2929f545d..3f667eaf0 100644 
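Review bot: `CommandLine|contains: 'time'` for net.exe/net1.exe and `CommandLine|contains: 'Get-Date'` for powershell.exe are bare substrings — the removed selection used `'* time *'` — yet the rule keeps `level: high`, so any `net` invocation with "time" in a path or argument and every inline `powershell -Command` call that uses Get-Date will alert. Restoring the delimiter, `CommandLine|contains: ' time'`, and either dropping the Get-Date branch or giving it a lower level would keep the alert rate credible; `'tz'` for w32tm.exe is likewise safer as `'/tz'`. The new author line carries the typo `orignally` → `originally`, which also appears in the win_trust_discovery, win_uac_cmstp, win_uac_fodhelper and win_uac_wsreset hunks.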
--- a/rules/windows/process_creation/win_trust_discovery.yml +++ b/rules/windows/process_creation/win_trust_discovery.yml @@ -1,20 +1,24 @@ -title: Domain Trust Discovery via Nltest.exe -description: Identifies execution of nltest.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. +title: Domain Trust Discovery +description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md + - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html tags: - attack.discovery - attack.t1482 detection: selection: - Image: - - '*nltest.exe' - CommandLine: - - '* domain_trusts*' + - Image|endswith: '\nltest.exe' + CommandLine|contains: 'domain_trusts' + - Image|endswith: '\dsquery.exe' + CommandLine|contains: 'trustedDomain' condition: selection falsepositives: - - unlike + - Legitimate use of the utilities by legitimate user for legitimate reason level: high logsource: category: process_creation From f991bf20b0cbe6673333d29f4b9f92e47a17bbb2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 23:05:43 +0300 Subject: [PATCH 254/269] Update win_uac_cmstp.yml --- .../windows/process_creation/win_uac_cmstp.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml index 915b9b2e9..7acc1a1f0 100644 --- a/rules/windows/process_creation/win_uac_cmstp.yml +++ b/rules/windows/process_creation/win_uac_cmstp.yml 
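Review bot: The rewritten falsepositives entry `Legitimate use of the utilities by legitimate user for legitimate reason` gives an analyst nothing to triage against; name what actually produces these command lines (AD health-check or monitoring scripts that run nltest/dsquery) or keep `Unknown` as the wsreset hunk does. The same placeholder wording is used in the win_uac_cmstp and win_uac_fodhelper hunks. Since both selection entries now share the `Image|endswith` + `CommandLine|contains` shape, a one-line comment per entry (`# nltest /domain_trusts`, `# dsquery lookup of trustedDomain objects`) would document which invocation each one is meant to catch.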
@@ -1,8 +1,12 @@ title: Bypass UAC via CMSTP description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +modified: 2019/11/11 date: 2019/10/24 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md tags: - attack.defense_evasion - attack.execution @@ -10,14 +14,13 @@ tags: - attack.t1088 detection: selection: - Image: - - "*\\cmstp.exe" - CommandLine: - - "* /s *" - - "* /au *" + Image|endswith: '\cmstp.exe' + CommandLine|contains: + - '/s' + - '/au' condition: selection falsepositives: - - unlikely + - Legitimate use of cmstp.exe utility by legitimate user level: high logsource: category: process_creation From 49fb6bdf8f5dcf583a6b4bf0e5403336df976154 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 23:10:49 +0300 Subject: [PATCH 255/269] Update win_uac_fodhelper.yml --- rules/windows/process_creation/win_uac_fodhelper.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml index d811ca637..9947b1f97 100644 --- a/rules/windows/process_creation/win_uac_fodhelper.yml +++ b/rules/windows/process_creation/win_uac_fodhelper.yml 
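Review bot: In the second hunk (`@@ -10,14 +14,13 @@`) the switches become `'/s'` and `'/au'` under `CommandLine|contains`, which are unanchored substrings: `/s` sits inside `/silent`, `/system` and any forward-slash path or URL, so the rule now fires well outside the cmstp.exe switches it targets. The removed lines kept delimiting spaces; restoring them, `- ' /s '` and `- ' /au '`, brings the match back to the switch tokens. Minor: the first hunk inserts `modified: 2019/11/11` above `date:`, while every other rule in this series places it after `date:`.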
@@ -1,18 +1,21 @@ title: Bypass UAC via Fodhelper.exe description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md tags: - attack.privilege_escalation - attack.t1088 detection: selection: - ParentImage: - - "*\fodhelper.exe" + ParentImage|endswith: '\fodhelper.exe' condition: selection falsepositives: - - unlikely + - Legitimate use of fodhelper.exe utility by legitimate user level: high logsource: category: process_creation From 38d0f832a48ee9472ab374c062d04d474224c524 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 23:13:28 +0300 Subject: [PATCH 256/269] Update win_uac_wsreset.yml --- rules/windows/process_creation/win_uac_wsreset.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml index a4314c5ce..928264392 100644 --- a/rules/windows/process_creation/win_uac_wsreset.yml +++ b/rules/windows/process_creation/win_uac_wsreset.yml 
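Review bot: The new `ParentImage|endswith: '\fodhelper.exe'` matches every child process of fodhelper.exe with no exclusion, while the wsreset rule in the next commit adds a `filter` for `\conhost.exe`; if fodhelper.exe also spawns benign helpers in normal use (not verifiable from here), `level: high` will be noisy and the same filter shape is needed. The switch from the removed `"*\fodhelper.exe"` to single quotes also fixes a silent bug — in double-quoted YAML `\f` is a form-feed escape — and deserves a comment so nobody reverts it: `ParentImage|endswith: '\fodhelper.exe'  # single quotes: in double quotes "\f" is parsed as form feed`.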
@@ -1,21 +1,22 @@ title: Bypass UAC via WSReset.exe description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html tags: - attack.privilege_escalation - attack.t1088 detection: selection: - ParentImage: - - '*wsreset.exe' + ParentImage|endswith: '\wsreset.exe' filter: - Image: - - '*conhost.exe' + Image|endswith: '\conhost.exe' condition: selection and not filter falsepositives: - - unknown + - Unknown level: high logsource: category: process_creation From 1f142f661356f244cd666e898701d83228eabc7e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 23:22:47 +0300 Subject: [PATCH 257/269] Delete win_reg_sam_dumping.yml redundant with https://github.com/Neo23x0/sigma/pull/516/files#diff-2f8d87b345d7d8c228d22b7a3b83c6ee authorship has been updated --- .../process_creation/win_reg_sam_dumping.yml | 32 ------------------- 1 file changed, 32 deletions(-) delete mode 100644 rules/windows/process_creation/win_reg_sam_dumping.yml diff --git a/rules/windows/process_creation/win_reg_sam_dumping.yml b/rules/windows/process_creation/win_reg_sam_dumping.yml deleted file mode 100644 index 6e01cb270..000000000 --- a/rules/windows/process_creation/win_reg_sam_dumping.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -title: SAM Dumping via Reg.exe -status: experimental -description: Identifies usage of reg.exe to export registry hives which contain the SAM and LSA secrets. -references: - - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html -author: Endgame, JHasenbusch (ported to sigma for oscd.community) -date: 2018/30/11 -tags: - - attack.credential_access - - attack.t1003 -logsource: - category: process_creation - product: windows -detection: - selection1: - Image: '*\reg.exe' - CommandLine: - - '* save *' - - '* export *' - selection2: - CommandLine: - - '*hklm*' - - '*hkey_local_machine*' - selection3: - CommandLine: - - '*\\sam *' - - '*\\security *' - - '*\\system *' - condition: selection1 and selection2 and selection3 -falsepositives: - - Unknown -level: low From 26479485e61f31fe4875b1d7f63749c6e5fc278c Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:34:46 +0300 Subject: [PATCH 258/269] Update win_new_or_renamed_user_account_with_dollar_sign.yml --- ..._renamed_user_account_with_dollar_sign.yml | 25 +++++++------------ 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 4f55fd485..393d8a45f 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -6,7 +6,16 @@ tags: - attack.t1036 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: security detection: + selection: + EventID: + - 4720 # create user + - 4781 # rename user + UserName|contains: '$' #SamAccountName condition: 1 of them fields: - EventID 
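Review bot: Both event IDs now match on one `UserName|contains: '$'` annotated `#SamAccountName`, but the removed 4781 document annotated its field `#NewTargetUserName`; unless the backend field mapping resolves `UserName` to the new account name for 4781, a rename onto a `$`-suffixed name is missed. Either keep that requirement visible, `UserName|contains: '$' # 4720: SamAccountName, 4781: NewTargetUserName - mapping must cover both`, or split the selection into two entries that use the native field names, as the sysmon registry rules later in this series do with `TargetObject`/`NewName`. The enclosing file continues in the next hunk, where the old per-event documents are removed.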
@@ -15,19 +24,3 @@ fields: falsepositives: - Unkown level: medium ---- -logsource: - product: windows - service: security -detection: - create_user: - EventID: 4720 - UserName: '*$*' #SamAccountName ---- -logsource: - product: windows - service: security -detection: - rename_user: - EventID: 4781 - UserName: '*$*' #NewTargetUserName From 7f01a5b1bba2f3784acd469be30b4baf77e4c126 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:35:59 +0300 Subject: [PATCH 259/269] Update win_new_or_renamed_user_account_with_dollar_sign.yml --- .../win_new_or_renamed_user_account_with_dollar_sign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 393d8a45f..4b1924c1a 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -16,7 +16,7 @@ detection: - 4720 # create user - 4781 # rename user UserName|contains: '$' #SamAccountName - condition: 1 of them + condition: selection fields: - EventID - UserName From d8447946d6c01687eae6ba2800b2ac34aa38f3a9 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:37:25 +0300 Subject: [PATCH 260/269] Update win_suspicious_outbound_kerberos_connection.yml --- .../win_suspicious_outbound_kerberos_connection.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index 4167b05c3..df534a554 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml 
@@ -5,6 +5,7 @@ references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community date: 2019/10/24 +modified: 2019/11/13 tags: - attack.lateral_movement - attack.t1208 @@ -16,12 +17,12 @@ detection: EventID: 5156 DestinationPort: 88 filter: - Image: - - '*\lsass.exe' - - '*\opera.exe' - - '*\chrome.exe' - - '*\firefox.exe' + Image|endswith: + - '\lsass.exe' + - '\opera.exe' + - '\chrome.exe' + - '\firefox.exe' condition: selection and not filter falsepositives: - Other browsers -level: high \ No newline at end of file +level: high From e6e308ef519b2b8c70c0627acd87ab71a241ffce Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:40:29 +0300 Subject: [PATCH 261/269] Update sysmon_disable_security_events_logging_adding_reg_key_minint.yml --- ...y_events_logging_adding_reg_key_minint.yml | 31 +++++++------------ 1 file changed, 12 insertions(+), 19 deletions(-) diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 12afd3d55..57be53774 100644 --- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -8,8 +8,19 @@ tags: - attack.t1089 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon detection: - condition: 1 of them + selection: + - EventID: 12 # key create + TargetObject|contains: '\SYSTEM\' + TargetObject|endswith: '\Control\MiniNt' + - EventID: 14 # key rename + NewName|contains: '\SYSTEM\' + NewName|endswith: '\Control\MiniNt' + condition: selection fields: - EventID - Image 
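Review bot: The `filter` rewritten to `Image|endswith` in the second hunk (`@@ -16,12 +17,12 @@`) excludes any process whose image name ends in `\lsass.exe`, `\opera.exe`, `\chrome.exe` or `\firefox.exe` wherever it lives, so a binary carrying one of those names in a user-writable directory is never seen on port 88 — the case the rule exists for. Anchoring the system-process entry to its real location, `- '\Windows\System32\lsass.exe'`, removes the easiest blind spot, and the browser entries could be paired with their install paths or with `OriginalFileName` as win_renamed_binary does on this page. The sysmon twin of this rule (sysmon_suspicious_outbound_kerberos_connection, later in this series) has the identical filter. The unchanged context `https://github.com/GhostPack/Rubeus8` looks like a typo for the Rubeus project URL and is worth checking.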
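Review bot: The comment `# key create` on `EventID: 12` in the MiniNt hunk (`@@ -8,8 +8,19 @@`) is incomplete: Sysmon event 12 is raised for registry key creation and deletion alike, so this entry also fires when the key is removed, which is acceptable but should be stated, e.g. `- EventID: 12 # key create or delete (Sysmon EID 12 covers both)`. The same comment is reused in the sysmon_new_dll_added_to_appcertdlls_registry_key and sysmon_new_dll_added_to_appinit_dlls_registry_key hunks. The consolidation of the three `---` documents is otherwise faithful: `contains '\SYSTEM\'` plus `endswith '\Control\MiniNt'` reproduces the removed `'*\SYSTEM\*\Control\MiniNt'` wildcard up to ordering.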
@@ -18,21 +29,3 @@ fields: falsepositives: - Unkown level: high ---- -logsource: - product: windows - service: sysmon -detection: - key_create: - EventID: 12 - TargetObject: - - '*\SYSTEM\*\Control\MiniNt' ---- -logsource: - product: windows - service: sysmon -detection: - key_rename: - EventID: 14 - NewName: - - '*\SYSTEM\*\Control\MiniNt' From bba360212ab0c09034d7bad38f3ca4f78c7af9b1 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:43:45 +0300 Subject: [PATCH 262/269] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- ..._dll_added_to_appcertdlls_registry_key.yml | 41 +++++++------------ 1 file changed, 14 insertions(+), 27 deletions(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 1deb58c74..b943d0c56 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -9,7 +9,21 @@ tags: - attack.t1182 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 detection: +logsource: + product: windows + service: sysmon +detection: + selection: + - EventID: + - 12 # key create + - 13 # value set + TargetObject|contains: '\SYSTEM\' + TargetObject|endswith: '\Control\Session Manager\AppCertDlls' + - EventID: 14 # key rename + NewName|contains: '\SYSTEM\' + NewName|endswith: '\Control\Session Manager\AppCertDlls' condition: 1 of them fields: - EventID 
@@ -19,30 +33,3 @@ fields: falsepositives: - Unkown level: medium ---- -logsource: - product: windows - service: sysmon -detection: - key_create: - EventID: 12 - TargetObject: - - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' ---- -logsource: - product: windows - service: sysmon -detection: - value_set: - EventID: 13 - TargetObject: - - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' ---- -logsource: - product: windows - service: sysmon -detection: - key_rename: - EventID: 14 - NewName: - - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' From 0cb1d4fdbd5e0751df6622b554f68c34f45b18a2 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:44:03 +0300 Subject: [PATCH 263/269] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index b943d0c56..8ae921c7c 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -24,7 +24,7 @@ detection: - EventID: 14 # key rename NewName|contains: '\SYSTEM\' NewName|endswith: '\Control\Session Manager\AppCertDlls' - condition: 1 of them + condition: selection fields: - EventID - Image From ded75d033afc097c1dcbc62ad64aad1a624ff92e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Wed, 13 Nov 2019 23:47:24 +0300 Subject: [PATCH 264/269] Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml --- ...dll_added_to_appinit_dlls_registry_key.yml | 42 +++++++------------ 1 file changed, 14 insertions(+), 28 deletions(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 77304269a..c660735b6 100644 
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -8,8 +8,21 @@ tags: - attack.t1103 author: Ilyas Ochkov, oscd.community date: 2019/10/25 +modified: 2019/11/13 +logsource: + product: windows + service: sysmon detection: - condition: 1 of them + selection: + - EventID: + - 12 # key create + - 13 # value set + TargetObject|contains: '\SOFTWARE\' + TargetObject|endswith: '\Windows\AppInit_Dlls' + - EventID: 14 # key rename + NewName|contains: '\SOFTWARE\' + NewName|endswith: '\Windows\AppInit_Dlls' + condition: selection fields: - EventID - Image @@ -18,30 +31,3 @@ fields: falsepositives: - Unkown level: medium ---- -logsource: - product: windows - service: sysmon -detection: - key_create: - EventID: 12 - TargetObject: - - '*\SOFTWARE\*\Windows\AppInit_Dlls' ---- -logsource: - product: windows - service: sysmon -detection: - value_set: - EventID: 13 - TargetObject: - - '*\SOFTWARE\*\Windows\AppInit_Dlls' ---- -logsource: - product: windows - service: sysmon -detection: - key_rename: - EventID: 14 - NewName: - - '*\SOFTWARE\*\Windows\AppInit_Dlls' From 07ad11f3ae5af174ddc0a6d4b12afe5308eb3c9d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:08:50 +0300 Subject: [PATCH 265/269] Update sysmon_possible_dns_rebinding.yml --- .../sysmon/sysmon_possible_dns_rebinding.yml | 41 ++++++++++--------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml index 015acde37..a53182be2 100644 --- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml +++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml 
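Review bot: `TargetObject|endswith: '\Windows\AppInit_Dlls'` in the first hunk (EventID 12/13) covers writes to the DLL list only; the sibling `LoadAppInit_DLLs` value under the same key, which controls whether that list is honoured at all, does not end with that string, so a change to it is not caught (the removed `'*\SOFTWARE\*\Windows\AppInit_Dlls'` wildcard missed it too). Adding `- '\Windows\LoadAppInit_DLLs'` as a second `endswith` entry closes that gap at the cost of a few more installer-generated events, which the falsepositives list (context line `Unkown`, also a typo) should then mention.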
@@ -2,6 +2,7 @@ title: Possible DNS Rebinding status: experimental description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). date: 2019/10/25 +modified: 2019/11/13 author: Ilyas Ochkov, oscd.community references: - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 @@ -17,26 +18,26 @@ detection: QueryName: '*' QueryStatus: '0' filter_int_ip: - QueryResults: - - '(::ffff:)?10.*' - - '(::ffff:)?192.168.*' - - '(::ffff:)?172.16.*' - - '(::ffff:)?172.17.*' - - '(::ffff:)?172.18.*' - - '(::ffff:)?172.19.*' - - '(::ffff:)?172.20.*' - - '(::ffff:)?172.21.*' - - '(::ffff:)?172.22.*' - - '(::ffff:)?172.23.*' - - '(::ffff:)?172.24.*' - - '(::ffff:)?172.25.*' - - '(::ffff:)?172.26.*' - - '(::ffff:)?172.27.*' - - '(::ffff:)?172.28.*' - - '(::ffff:)?172.29.*' - - '(::ffff:)?172.30.*' - - '(::ffff:)?172.31.*' - - '(::ffff:)?127.*' + QueryResults|startswith: + - '(::ffff:)?10.' + - '(::ffff:)?192.168.' + - '(::ffff:)?172.16.' + - '(::ffff:)?172.17.' + - '(::ffff:)?172.18.' + - '(::ffff:)?172.19.' + - '(::ffff:)?172.20.' + - '(::ffff:)?172.21.' + - '(::ffff:)?172.22.' + - '(::ffff:)?172.23.' + - '(::ffff:)?172.24.' + - '(::ffff:)?172.25.' + - '(::ffff:)?172.26.' + - '(::ffff:)?172.27.' + - '(::ffff:)?172.28.' + - '(::ffff:)?172.29.' + - '(::ffff:)?172.30.' + - '(::ffff:)?172.31.' + - '(::ffff:)?127.' timeframe: 30s condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 level: medium From 1fe7f55d4785a407ba7d2efe5e2c4fb886c2bbb5 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:10:05 +0300 Subject: [PATCH 266/269] Update sysmon_suspicious_outbound_kerberos_connection.yml --- ...sysmon_suspicious_outbound_kerberos_connection.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
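Review bot: The `QueryResults|startswith` entries in the second hunk (`@@ -17,26 +18,26 @@`) are written as regular expressions, but Sigma's plain and `startswith` matching is literal apart from the `*`/`?` wildcards, and `?` matches exactly one character — so `'(::ffff:)?10.'` looks for the literal text `(::ffff:)`, one arbitrary character, then `10.`, and `filter_int_ip` never matches a real answer (the removed `'(::ffff:)?10.*'` form had the same problem, so this is pre-existing rather than introduced here). The `re` modifier is the right tool and also collapses the nineteen entries into one: `QueryResults|re: '^(::ffff:)?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'`. Separately, the condition `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)` is contradictory for a single event and only makes sense across events, which Sigma cannot express — the same reason `net_possible_dns_rebinding.yml` is moved to `unsupported_logic` in the last commit of this series; this sysmon twin probably belongs there too.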
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml index 2bc9e19f9..8daac1661 100644 --- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -5,6 +5,7 @@ references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community date: 2019/10/24 +modified: 2019/11/13 tags: - attack.lateral_movement - attack.t1208 @@ -17,11 +18,11 @@ detection: DestinationPort: 88 Initiated: 'true' filter: - Image: - - '*\lsass.exe' - - '*\opera.exe' - - '*\chrome.exe' - - '*\firefox.exe' + Image|endswith: + - '\lsass.exe' + - '\opera.exe' + - '\chrome.exe' + - '\firefox.exe' condition: selection and not filter falsepositives: - Other browsers From b47748399d3b6d2851a71353a5fd88f4ed2cd6dd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:19:30 +0300 Subject: [PATCH 267/269] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 8ae921c7c..6ef46657c 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -10,7 +10,6 @@ tags: author: Ilyas Ochkov, oscd.community date: 2019/10/25 modified: 2019/11/13 -detection: logsource: product: windows service: sysmon From cb29628cebc416a3b2aa808e995b1cc6a13c2f5c Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Thu, 14 Nov 2019 00:23:16 +0300 Subject: [PATCH 268/269] modify rules based on BSI contribution --- .../win_data_compressed_with_rar.yml | 7 +- .../process_creation/win_renamed_binary.yml | 75 ++++++++++--------- .../win_susp_eventlog_clear.yml | 45 ++++++----- .../win_susp_fsutil_usage.yml | 18 +++-- 4 files changed, 81 insertions(+), 64 deletions(-) diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml index 6c04dcd27..023e35fce 100644 --- a/rules/windows/process_creation/win_data_compressed_with_rar.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml @@ -1,20 +1,19 @@ title: Data Compressed status: experimental description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network -author: Timur Zinniatullin, oscd.community +author: Timur Zinniatullin, E.M. Anhaus, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html logsource: category: process_creation product: windows detection: selection: Image|endswith: '\rar.exe' - CommandLine|contains|all: - - ' a ' - - '-r' + CommandLine|contains: ' a ' condition: selection fields: - Image diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml index 864ed1504..bb6e0d91c 100644 --- a/rules/windows/process_creation/win_renamed_binary.yml +++ b/rules/windows/process_creation/win_renamed_binary.yml 
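Review bot: Dropping `'-r'` from the `contains|all` pair in the win_data_compressed_with_rar hunk leaves `CommandLine|contains: ' a '` as the only command-line constraint, so the rule now fires on every `rar a` archive operation instead of on recursive collection of whole directory trees. If that widening is intended (the added eqllib reference suggests aligning with that analytic), the falsepositives list outside this hunk should state that routine archiving by users and backup scripts will match; otherwise keep `CommandLine|contains|all:` with both values. `' a '` is also a loose token on its own — any command line with a single-letter `a` argument matches — which is another reason to keep the second constraint.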
@@ -1,8 +1,9 @@ title: Renamed Binary status: experimental description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint. -author: Matthew Green - @mgreen27 +author: Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements) date: 2019/06/15 +modified: 2019/11/11 references: - https://attack.mitre.org/techniques/T1036/ - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html 
@@ -16,40 +17,46 @@ logsource: detection: selection: OriginalFileName: - - "cmd.exe" - - "powershell.exe" - - "powershell_ise.exe" - - "psexec.exe" - - "psexec.c" # old versions of psexec (2016 seen) - - "cscript.exe" - - "wscript.exe" - - "mshta.exe" - - "regsvr32.exe" - - "wmic.exe" - - "certutil.exe" - - "rundll32.exe" - - "cmstp.exe" - - "msiexec.exe" - - "7z.exe" - - "winrar.exe" + - 'cmd.exe' + - 'powershell.exe' + - 'powershell_ise.exe' + - 'psexec.exe' + - 'psexec.c' # old versions of psexec (2016 seen) + - 'cscript.exe' + - 'wscript.exe' + - 'mshta.exe' + - 'regsvr32.exe' + - 'wmic.exe' + - 'certutil.exe' + - 'rundll32.exe' + - 'cmstp.exe' + - 'msiexec.exe' + - '7z.exe' + - 'winrar.exe' + - 'wevtutil.exe' + - 'net.exe' + - 'net1.exe' filter: - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\powershell_ise.exe' - - '*\psexec.exe' - - '*\psexec64.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\wmic.exe' - - '*\certutil.exe' - - '*\rundll32.exe' - - '*\cmstp.exe' - - '*\msiexec.exe' - - '*\7z.exe' - - '*\winrar.exe' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\powershell_ise.exe' + - '\psexec.exe' + - '\psexec64.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\wmic.exe' + - '\certutil.exe' + - '\rundll32.exe' + - '\cmstp.exe' + - '\msiexec.exe' + - '\7z.exe' + - '\winrar.exe' + - '\wevtutil.exe' + - '\net.exe' + - '\net1.exe' condition: selection and not filter falsepositives: - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 0030bd8de..fb8b0f638 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml 
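Review bot: The `filter` excludes an event whenever `Image` ends with any entry in the list, regardless of which `OriginalFileName` fired, so a binary whose OriginalFileName is `wevtutil.exe` but whose image is `\net.exe` (both newly added here) is filtered out — exactly the rename the rule exists to catch. The names are only checked pairwise if each binary gets its own selection/filter pair and the condition becomes `(sel_cmd and not filter_cmd) or (sel_powershell and not filter_powershell) or …`; verbose, but the two lists are already maintained in lock-step by hand. A short comment on the `psexec.c` / `psexec64.exe` asymmetry (presumably PsExec64's OriginalFileName is `psexec.c`, which cannot be verified here) would stop the next editor from "fixing" it.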
@@ -1,30 +1,37 @@ title: Suspicious eventlog clear or configuration using wevtutil -description: Detects clearing or configuration of eventlogs uwing wevtutil. Might be used by ransomwares during the attack (seen by NotPetya and others) -author: Ecco +description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others) +author: Ecco, Daniil Yugoslavskiy, oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 +modified: 2019/11/11 tags: - - attack.execution - - attack.t1070 - - car.2016-04-002 + - attack.defense_evasion + - attack.t1070 + - car.2016-04-002 level: high logsource: category: process_creation product: windows detection: - selection_binary_1: - Image: '*\wevtutil.exe' - selection_binary_2: - OriginalFileName: 'wevtutil.exe' - selection_clear_1: - CommandLine: '* cl *' - selection_clear_2: - CommandLine: '* clear-log *' - selection_disable_1: - CommandLine: '* sl *' - selection_disable_2: - CommandLine: '* set-log *' - condition: (1 of selection_binary_*) and (1 of selection_clear_* or 1 of selection_disable_*) - + selection_wevtutil: + Image|endswith: '\wevtutil.exe' + CommandLine|contains: + - 'clear-log' # clears specified log + - 'cl' # short version of 'clear-log' + - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size + - 'sl' # short version of 'set-log' + selection_ps: + Image|endswith: '\powershell.exe' + CommandLine|contains: + - 'Clear-EventLog' + - 'Remove-EventLog' + - 'Limit-EventLog' + selection_wmic: + Image|endswith: '\wmic.exe' + CommandLine|contains: 'ClearEventLog' + condition: 1 of them falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment 
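Review bot: The new `CommandLine|contains` entries `'cl'` and `'sl'` are two-letter substrings, so any wevtutil command line containing them in a path, user name or channel name fires, whereas the removed `'* cl *'` / `'* sl *'` kept delimiting spaces; restore them as `- ' cl '` and `- ' sl '` (the long forms `clear-log`/`set-log` are specific enough as written). The rewrite also drops the former `selection_binary_2: OriginalFileName: 'wevtutil.exe'` alternative, so a renamed wevtutil no longer matches this rule — presumably accepted because the same commit adds `wevtutil.exe` to win_renamed_binary, but that dependency should be stated in a comment rather than left implicit. Typo in the new comment: `could be uset` → `could be used`.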
diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index d006b2f89..b0ff8e831 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml @@ -1,25 +1,29 @@ title: Fsutil suspicious invocation description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others) -author: Ecco +author: Ecco, E.M. Anhaus, oscd.community date: 2019/09/26 +modified: 2019/11/11 level: high references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html +tags: + - attack.defense_evasion + - attack.t1070 logsource: category: process_creation product: windows detection: binary_1: - Image: '*\fsutil.exe' + Image|endswith: '\fsutil.exe' binary_2: OriginalFileName: 'fsutil.exe' selection: - CommandLine: - - '* deletejournal *' # usn deletejournal ==> generally ransomware or attacker - - '* createjournal *' # usn createjournal ==> can modify config to set it to a tiny size - + CommandLine|contains: + - 'deletejournal' # usn deletejournal ==> generally ransomware or attacker + - 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size condition: (1 of binary_*) and selection - falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment From f2caf366cbb00beb002dd7ba3fab5ba389d56043 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Thu, 14 Nov 2019 00:24:53 +0300 Subject: [PATCH 269/269] moved net_possible_dns_rebinding.yml to unsupported logic directory; renamed win_powershell_bitsjob.yaml -> win_powershell_bitsjob.yml --- .../{network => unsupported_logic}/net_possible_dns_rebinding.yml | 0 .../{win_powershell_bitsjob.yaml => win_powershell_bitsjob.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/{network => unsupported_logic}/net_possible_dns_rebinding.yml (100%) rename rules/windows/process_creation/{win_powershell_bitsjob.yaml => win_powershell_bitsjob.yml} (100%) diff --git a/rules/network/net_possible_dns_rebinding.yml b/rules/unsupported_logic/net_possible_dns_rebinding.yml similarity index 100% rename from rules/network/net_possible_dns_rebinding.yml rename to rules/unsupported_logic/net_possible_dns_rebinding.yml diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yml similarity index 100% rename from rules/windows/process_creation/win_powershell_bitsjob.yaml rename to rules/windows/process_creation/win_powershell_bitsjob.yml