From 5938569d3e78586d7615051007018b932c3f61f5 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 8 Mar 2022 19:07:37 +0100 Subject: [PATCH 1/2] Refactor regex --- ...voke_obfuscation_via_compress_services.yml | 29 ++++++----- ...invoke_obfuscation_via_rundll_services.yml | 20 ++++---- ...oke_obfuscation_via_use_mshta_services.yml | 22 +++++---- ..._obfuscation_via_use_rundll32_services.yml | 25 ++++++---- .../security/win_asr_bypass_via_appvlp_re.yml | 44 +++++++++++++---- .../posh_pm_invoke_obfuscation_via_rundll.yml | 18 ++++--- ...pm_invoke_obfuscation_via_use_rundll32.yml | 23 ++++++--- ...osh_ps_invoke_obfuscation_via_compress.yml | 22 +++++---- .../posh_ps_invoke_obfuscation_via_rundll.yml | 18 ++++--- ...ps_invoke_obfuscation_via_use_rundll32.yml | 23 ++++++--- ...ion_win_hiding_malware_in_fonts_folder.yml | 48 +++++++++++++++---- ...n_win_invoke_obfuscation_via_use_mhsta.yml | 12 +++-- ...in_invoke_obfuscation_via_use_rundll32.yml | 13 ++++- 13 files changed, 220 insertions(+), 97 deletions(-) diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml index 8860d9931..b97a2ad42 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml 
@@ -7,22 +7,27 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/09/18 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) +logsource: + product: windows + category: driver_load +detection: + selection: + ImagePath|contains|all: + - 'new-object' + - 'text.encoding]::ascii' + ImagePath|contains: + - 'system.io.compression.deflatestream' + - 'system.io.streamreader' + ImagePath|endswitch: 'readtoend' + condition: selection +falsepositives: + - unknown +level: medium tags: - attack.defense_evasion - attack.t1027 - attack.execution - attack.t1059.001 -logsource: - product: windows - category: driver_load -detection: - - selection: - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection -falsepositives: - - unknown -level: medium \ No newline at end of file diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml index 99de9dccd..04fbe6eb0 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml 
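Review bot: `ImagePath|endswitch: 'readtoend'` is not a Sigma modifier, so this driver_load rule will not convert; the second patch in this series corrects the spelling only in the ps_script copy and leaves this file with the typo. Even spelled `endswith`, it is stricter than the regex it replaces, which had no `$` anchor: a value such as `...).ReadToEnd() | IEX` that the old rule matched no longer does. `ImagePath|contains: 'readtoend'` preserves the original semantics. The ordering the regex imposed (new-object before the stream class before the ascii token) is also dropped by `contains|all`, which is acceptable here but worth a one-line comment so the loosening is visibly intentional.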
@@ -7,21 +7,25 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: unsupported author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/09/18 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: driver_load detection: selection: - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + ImagePath|contains|all: + - 'rundll32.exe' + - 'shell32.dll' + - 'shellexec_rundll' + - 'powershell' condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml index 3f8b975f3..b20d46c23 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml 
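Review bot: `- 'rundll32.exe'` tightens the match: the replaced regex `rundll32(?:\.exe)?(?:\s+)?shell32\.dll` made the `.exe` suffix optional, so an ImagePath of `rundll32 shell32.dll,ShellExec_RunDLL powershell ...` that the old rule caught is now missed. Use `- 'rundll32'` instead, which still covers the `.exe` form. The trailing `\"` the regex required is dropped as well; that only loosens the match and looks intentional, but a short comment saying so would help the next reader.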
@@ -7,21 +7,27 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/09/18 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: driver_load detection: selection: - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + ImagePath|contains|all: + - 'set' + - '&&' + - 'mshta' + - 'vbscript:createobject' + - '.run' + - '(window.close)' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml index 9212ee142..24c189ecf 100644 --- a/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml 
@@ -7,21 +7,30 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: unsupported author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/09/18 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: driver_load detection: selection: - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + ImagePath|contains|all: + - '&&' + - 'rundll32' + - 'shell32.dll' + - 'shellexec_rundll' + ImagePath|contains: + - 'value' + - 'invoke' + - 'comspec' + - 'iex' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml index f5a71543b..2ea2e8cd4 100644 --- a/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml +++ b/rules/windows/builtin/security/win_asr_bypass_via_appvlp_re.yml 
@@ -1,25 +1,49 @@ title: Using AppVLP To Circumvent ASR File Path Rule id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 status: experimental -description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file' +description: | + Application Virtualization Utility is included with Microsoft Office. We are able to abuse "AppVLP" to execute shell commands. + Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder + or to mark a file as a system file. author: Sreeman date: 2020/03/13 -modified: 2021/06/11 -tags: - - attack.t1218 - - attack.defense_evasion - - attack.execution +modified: 2022/03/08 logsource: product: windows service: security detection: - selection: - CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)' - condition: selection + selection_1: + CommandLine|contains: 'appvlp.exe' + selection_2: + CommandLine|contains: + - 'cmd.exe' + - 'powershell.exe' + selection_3: + CommandLine|contains: + - '.sh' + - '.exe' + - '.dll' + - '.bin' + - '.bat' + - '.cmd' + - '.js' + - '.msh' + - '.reg' + - '.scr' + - '.ps' + - '.vb' + - '.jar' + - '.pl' + - '.inf' + condition: all of selection_* falsepositives: - unknown fields: - ParentProcess - CommandLine - ParentCommandLine -level: medium \ No newline at end of file +level: medium +tags: + - attack.t1218 + - attack.defense_evasion + - attack.execution diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index bde556966..a8ad4066e 100644 
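Review bot: `selection_3` adds no constraint: every CommandLine that satisfies `selection_2` (`cmd.exe` or `powershell.exe`) already contains `.exe`, one of the `selection_3` entries, so `all of selection_*` reduces to "appvlp.exe plus an interpreter name". Substring matching cannot tell the interpreter's extension from the payload's, so either drop `selection_3` (no change in matches) or document that the extension list is intentionally advisory. The original regex had the same weakness because its dots were unescaped, so this is pre-existing rather than introduced. The rule also matches on `CommandLine` under `service: security` with no EventID filter; presumably 4688 is intended and a `definition:` line stating that (and that command-line auditing must be enabled) would make the dependency explicit.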
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml @@ -7,22 +7,26 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/16 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + Payload|contains|all: + - 'rundll32.exe' + - 'shell32.dll' + - 'shellexec_rundll' + - 'powershell' condition: selection_4103 falsepositives: - Unknown level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index a30dd2ccc..a7861292b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml 
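Review bot: `- 'rundll32.exe'` under `Payload|contains|all` narrows the rule: the regex it replaces, `rundll32(?:\.exe)?(?:\s+)?shell32\.dll`, treated `.exe` as optional, so a payload written as `rundll32 shell32.dll,ShellExec_RunDLL powershell ...` is no longer detected. `- 'rundll32'` keeps both forms. Dropping the trailing `\"` requirement only widens coverage and seems deliberate.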
@@ -7,22 +7,31 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2021/10/16 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_module definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + Payload|contains|all: + - '&&' + - 'rundll32' + - 'shell32.dll' + - 'shellexec_rundll' + Payload|contains: + - 'value' + - 'invoke' + - 'comspec' + - 'iex' condition: selection_4103 falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml index 3a4a52312..95479368b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml 
@@ -4,22 +4,28 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/16 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + ScriptBlockText|contains|all: + - 'new-object' + - 'text.encoding]::ascii' + ScriptBlockText|contains: + - 'system.io.compression.deflatestream' + - 'system.io.streamreader' + ScriptBlockText|endswitch: 'readtoend' condition: selection_4104 falsepositives: - unknown -level: medium \ No newline at end of file +level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml index e4d2ad84b..b28d35358 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml 
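Review bot: `ScriptBlockText|endswith: 'readtoend'` (as spelled after the follow-up fix) will almost never fire: a script block that calls `.ReadToEnd()` ends with `)` or with whatever follows the call, such as a pipe into IEX, and the regex being replaced had no `$` anchor, so `readtoend` only had to appear somewhere after the `ascii` token. `ScriptBlockText|contains: 'readtoend'` keeps the original coverage. Patch 2 in this series fixes only the `endswitch` spelling, not this semantic change.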
@@ -4,22 +4,26 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/16 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + ScriptBlockText|contains|all: + - 'rundll32.exe' + - 'shell32.dll' + - 'shellexec_rundll' + - 'powershell' condition: selection_4104 falsepositives: - Unknown level: medium +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml index b910c0837..9b89392ce 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml 
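Review bot: `- 'rundll32.exe'` in `ScriptBlockText|contains|all` drops the case the old regex handled with `rundll32(?:\.exe)?`: a script block containing `rundll32 shell32.dll,ShellExec_RunDLL powershell ...` without the `.exe` suffix no longer matches. Change the entry to `- 'rundll32'`, which covers both spellings. Sigma `contains` is case-insensitive in the common backends, so the lost `(?i)` is not a concern here.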
@@ -4,22 +4,31 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2021/10/16 +modified: 2022/03/08 references: - https://github.com/Neo23x0/sigma/issues/1009 -tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + ScriptBlockText|contains|all: + - '&&' + - 'rundll32' + - 'shell32.dll' + - 'shellexec_rundll' + ScriptBlockText|contains: + - 'value' + - 'invoke' + - 'comspec' + - 'iex' condition: selection_4104 falsepositives: - Unknown level: high +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml index c02a938e3..d821325d0 100644 --- a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml 
@@ -5,24 +5,52 @@ status: experimental references: - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ date: 2020/21/04 -modified: 2021/06/11 +modified: 2022/03/08 author: Sreeman -tags: - - attack.t1211 - - attack.t1059 - - attack.defense_evasion - - attack.persistence logsource: product: windows category: process_creation detection: - selection1: - CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\\\Windows\\\\Fonts\\\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*' - condition: selection1 + selection_1: + CommandLine|contains: + - 'echo' + - 'copy' + - 'type' + - 'file createnew' + - 'cacls' + selection_2: + CommandLine|contains: 'C:\Windows\Fonts\' + selection_3: + CommandLine|contains: + - '.sh' + - '.exe' + - '.dll' + - '.bin' + - '.bat' + - '.cmd' + - '.js' + - '.msh' + - '.reg' + - '.scr' + - '.ps' + - '.vb' + - '.jar' + - '.pl' + - '.inf' + - '.cpl' + - '.hta' + - '.msi' + - '.vbs' + condition: all of selection_* fields: - CommandLine - ParentProcess - CommandLine falsepositives: - unknown -level: medium \ No newline at end of file +level: medium +tags: + - attack.t1211 + - attack.t1059 + - attack.defense_evasion + - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml index 2e8ff0f8d..5b1769ac8 100644 --- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml 
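Review bot: `CommandLine|contains: 'C:\Windows\Fonts\'` hard-codes the system drive, so a Windows installation on another drive letter, or a command written with a `\\?\` or UNC path, is missed; `'\Windows\Fonts\'` keeps the intent without the drive letter. The `date: 2020/21/04` line retained on the new side is not a valid date (month 21) and presumably means `2020/04/21`; if the repository's rule checker validates dates it will reject it. The `fields` list also names `CommandLine` twice.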
@@ -6,13 +6,19 @@ author: Nikita Nazarov, oscd.community references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) date: 2020/10/08 -modified: 2021/11/27 -logsource: +modified: 2022/03/08 +logsource:/ category: process_creation product: windows detection: selection: - CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + CommandLine|contains|all: + - 'set' + - '&&' + - 'mshta' + - 'vbscript:createobject' + - '.run' + - '(window.close)' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml index 484a553d9..a4892354d 100644 --- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml @@ -6,13 +6,22 @@ author: Nikita Nazarov, oscd.community references: - https://github.com/Neo23x0/sigma/issues/1009 date: 2019/10/08 -modified: 2021/11/27 +modified: 2022/03/08 logsource: category: process_creation product: windows detection: selection: - CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + CommandLine|contains|all: + - '&&' + - 'rundll32' + - 'shell32.dll' + - 'shellexec_rundll' + CommandLine|contains: + - 'value' + - 'invoke' + - 'comspec' + - 'iex' condition: selection falsepositives: - Unknown From c6d37d4a783c4da6950287edcc14787c14429f55 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 8 Mar 2022 19:14:46 +0100 Subject: [PATCH 2/2] fix yaml --- .../posh_ps_invoke_obfuscation_via_compress.yml | 2 +- .../proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml index 95479368b..ade15a001 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml @@ -19,7 +19,7 @@ detection: ScriptBlockText|contains: - 'system.io.compression.deflatestream' - 'system.io.streamreader' - ScriptBlockText|endswitch: 'readtoend' + ScriptBlockText|endswith: 'readtoend' condition: selection_4104 falsepositives: - unknown diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml index 5b1769ac8..c8fa2a698 100644 --- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml @@ -7,7 +7,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) date: 2020/10/08 modified: 2022/03/08 -logsource:/ +logsource: category: process_creation product: windows detection: