diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index b8afda7d6..dc9a50d74 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -58,3 +58,4 @@ a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*
 0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*
 e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
+ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
index 23af8d1dd..9e973c66e 100644
--- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
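Review bot: The title written into the new known-FPs.csv entry, `Potential Suspicious Findstr.EXE Execution`, does not match the title this same commit gives rule ccb5742c-c248-4982-8c5c-5571b9275ad3 in proc_creation_win_findstr_susp_parent.yml, which is `Potentially Suspicious Findstr.EXE Execution`. If the CSV is keyed only on the id this is cosmetic, but a mismatched title makes the entry hard to find by grep and easy to miss on the next rename; suggest `ccb5742c-c248-4982-8c5c-5571b9275ad3;Potentially Suspicious Findstr.EXE Execution;httpd\.exe`.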
@@ -6,27 +6,27 @@ references: - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key author: D3F7A5105 date: 2023/01/02 +modified: 2023/07/13 tags: - attack.defense_evasion - attack.t1562.002 logsource: category: file_event product: windows - definition: 'Requirements: The ".evtx" exntesion should be monitored via a Sysmon configuration. Example: .evtx' + definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: .evtx' detection: selection: TargetFilename|endswith: '.evtx' - filter_path: + filter_main_path: TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' - filter_baseimage: + filter_main_baseimage: TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' TargetFilename|endswith: '\Windows\System32\winevt\Logs\' - filter_img: + filter_main_generic_img: Image: - 'C:\Windows\explorer.exe' - 'C:\Windows\system32\dllhost.exe' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* falsepositives: - - Admin activity - - Backup activity -level: medium + - Administrator or backup activity +level: high diff --git a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml index becfff800..7fc13d8a6 100644 --- a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml +++ b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml @@ -28,9 +28,6 @@ detection: - '\Sam.save' # PowerShell version - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare condition: selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Files that accidentally contain these strings level: high 
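Review bot: `filter_main_baseimage` can never match: `selection` requires TargetFilename to end with `.evtx`, while this filter additionally requires it to end with `\Windows\System32\winevt\Logs\`, so the two `endswith` constraints are mutually exclusive and the BaseImages container paths are not actually excluded. The rename keeps that pre-existing contradiction, and since the level is now raised to `high` the dead filter is worth fixing in the same change: `TargetFilename|contains: '\Windows\System32\winevt\Logs\'` (or `startswith` on the full container path only). Also consider whether `level: high` is consistent with the retained falsepositives entry `Administrator or backup activity`, which suggests routine benign hits.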
diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml new file mode 100644 index 000000000..687d2721a --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml @@ -0,0 +1,31 @@ +title: Suspicious File Creation Activity From Fake Recycle.Bin Folder +id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca +related: + - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 + type: derived +status: experimental +description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware +references: + - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets +author: X__Junior (Nextron Systems) +date: 2023/07/12 +tags: + - attack.persistence + - attack.defense_evasion +logsource: + category: file_event + product: windows +detection: + selection: + - Image|contains: + - ':\RECYCLERS.BIN\' + - ':\RECYCLER.BIN\' + - ':\RECYCLE.BIN\' + - TargetFilename|contains: + - ':\RECYCLERS.BIN\' + - ':\RECYCLER.BIN\' + - ':\RECYCLE.BIN\' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml new file mode 100644 index 000000000..4546a4b9d --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml 
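Review bot: The `related` entry here points at 5ce0f04e-3efc-42af-839d-5b3a543b76c0 with `type: derived`, while the new proc_creation_win_susp_recycle_bin_fake_execution.yml in this same commit points back at this rule's id cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca, also with `type: derived` — a circular derivation in which each rule claims the other as its origin. Pick one rule as the origin, or use `type: similar` on both sides; the smallest fix is `type: similar` in this file and in the process_creation rule. The description `file write event from/to a fake recycle bin folder` could also state precisely what the selection does: it matches either the writing `Image` or the `TargetFilename` located under those folder names.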
@@ -0,0 +1,47 @@ +title: Abusable DLL Potential Sideloading From Suspicious Location +id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a +status: experimental +description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations +references: + - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html + - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ +author: X__Junior (Nextron Systems) +date: 2023/07/11 +tags: + - attack.execution + - attack.t1059 +logsource: + category: image_load + product: windows +detection: + selection_dll: + ImageLoaded|endswith: + # Note: Add more generic DLLs that cannot be pin-pointed to a single application + - '\coreclr.dll' + - '\facesdk.dll' + - '\HPCustPartUI.dll' + - '\libcef.dll' + - '\ZIPDLL.dll' + selection_folders_1: + ImageLoaded|contains: + - ':\Perflogs\' + - ':\Users\Public\' + - '\Temporary Internet' + - '\Windows\Temp\' + selection_folders_2: + - ImageLoaded|contains|all: + - ':\Users\' + - '\Favorites\' + - ImageLoaded|contains|all: + - ':\Users\' + - '\Favourites\' + - ImageLoaded|contains|all: + - ':\Users\' + - '\Contacts\' + - ImageLoaded|contains|all: + - ':\Users\' + - '\Pictures\' + condition: selection_dll and 1 of selection_folders_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml new file mode 100644 index 000000000..3f765ec96 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml 
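Review bot: The tags `attack.execution` / `attack.t1059` do not describe DLL sideloading; the two CCleaner sideloading rules added in this same commit use `attack.defense_evasion`, `attack.persistence`, `attack.privilege_escalation` together with `attack.t1574.001` / `attack.t1574.002`, and this rule should be tagged the same way. Suggest replacing the two tags with `- attack.defense_evasion` and `- attack.t1574.002`. The comment `Note: Add more generic DLLs that cannot be pin-pointed to a single application` sits between the `ImageLoaded|endswith:` key and its list; placing it on the line above the key keeps the same meaning and avoids linter complaints about comments inside a sequence.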
@@ -0,0 +1,31 @@ +title: Potential CCleanerDU.DLL Sideloading +id: 1fbc0671-5596-4e17-8682-f020a0b995dc +status: experimental +description: Detects potential DLL sideloading of "CCleanerDU.dll" +references: + - https://lab52.io/blog/2344-2/ +author: X__Junior (Nextron Systems) +date: 2023/07/13 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\CCleanerDU.dll' + filter_main_path: + Image|startswith: + - 'C:\Program Files\CCleaner\' + - 'C:\Program Files (x86)\CCleaner\' + Image|endswith: + - '\CCleaner.exe' + - '\CCleaner64.exe' + condition: selection and not 1 of filter_main_* +falsepositives: + - False positives could occur from other custom installation paths. Apply additional filters accordingly. +level: medium diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml new file mode 100644 index 000000000..08ceb5132 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml 
@@ -0,0 +1,29 @@ +title: Potential CCleanerReactivator.DLL Sideloading +id: 3735d5ac-d770-4da0-99ff-156b180bc600 +status: experimental +description: Detects potential DLL sideloading of "CCleanerReactivator.dll" +references: + - https://lab52.io/blog/2344-2/ +author: X__Junior +date: 2023/07/13 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\CCleanerReactivator.dll' + filter_main_path: + Image|startswith: + - 'C:\Program Files\CCleaner\' + - 'C:\Program Files (x86)\CCleaner\' + Image|endswith: '\CCleanerReactivator.exe' + condition: selection and not 1 of filter_main_* +falsepositives: + - False positives could occur from other custom installation paths. Apply additional filters accordingly. +level: medium diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml index e28ff5f41..75ee7c7be 100644 --- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml +++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml @@ -6,9 +6,9 @@ references: - https://content.fireeye.com/apt-41/rpt-apt41 - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html -author: Sorina Ionescu +author: Sorina Ionescu, X__Junior (Nextron Systems) date: 2022/08/17 -modified: 2023/04/18 +modified: 2023/07/20 tags: - attack.command_and_control - attack.t1102 
@@ -22,24 +22,48 @@ detection: DestinationHostname|endswith: - '.cloudflare.com' - '.githubusercontent.com' + - '4shared.com' + - 'anonfiles.com' - 'cdn.discordapp.com' + - 'ddns.net' + - 'discord.com/api/webhooks/' - 'docs.google.com' + - 'drive.google.com' + - 'dropbox.com' + - 'dropmefiles.com' - 'facebook.com' - 'feeds.rapidfeeds.com' - 'fotolog.com' + - 'ghostbin.co/' + - 'gist.githubusercontent.com' + - 'hastebin.com' - 'imgur.com' - 'livejournal.com' + - 'mediafire.com' + - 'mega.nz' + - 'onedrive.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' - 'pastetext.net' + - 'privatlab.com' + - 'privatlab.net' + - 'raw.githubusercontent.com' - 'reddit.com' + - 'send.exploit.in' + - 'sendspace.com' - 'steamcommunity.com' + - 'storage.googleapis.com' + - 't.me' - 'technet.microsoft.com' + - 'temp.sh' + - 'transfer.sh' - 'twitter.com' + - 'ufile.io' + - 'vimeo.com' + - 'wetransfer.com' - 'youtube.com' - filter_main_brave: - Image|endswith: '\brave.exe' + # Note: Add/Remove browsers that you don't use or those that have custom install locations filter_main_chrome: Image: - 'C:\Program Files\Google\Chrome\Application\chrome.exe' @@ -52,8 +76,6 @@ detection: Image: - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe' - 'C:\Program Files\Internet Explorer\iexplore.exe' - filter_main_maxthon: - Image|endswith: '\maxthon.exe' filter_main_edge_1: - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image|endswith: '\WindowsApps\MicrosoftEdge.exe' @@ -67,16 +89,8 @@ detection: Image|endswith: - '\msedge.exe' - '\msedgewebview2.exe' - filter_main_opera: - Image|endswith: '\opera.exe' filter_main_safari: Image|endswith: '\safari.exe' - filter_main_seamonkey: - Image|endswith: '\seamonkey.exe' - filter_main_vivaldi: - Image|endswith: '\vivaldi.exe' - filter_main_whale: - Image|endswith: '\whale.exe' filter_optional_defender: Image|endswith: - '\MsMpEng.exe' #Microsoft Defender executable 
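Review bot: Two of the new `DestinationHostname|endswith` values carry a path component — `'discord.com/api/webhooks/'` and `'ghostbin.co/'` — and a hostname field never contains a path, so those entries can never match; use `'discord.com'` and `'ghostbin.co'` here, or move the webhook pattern to a rule over a URL field. In the other direction, a bare `'t.me'` with `endswith` also matches any hostname ending in those three characters (e.g. `support.me`, a constructed example), so an exact `t.me` plus `'.t.me'` would be safer; the same consideration applies to short additions such as `'mega.nz'`, although the file's pre-existing entries mostly follow the no-leading-dot style. The browser filters removed in this hunk are re-added further down in the file with path constraints, so their removal here is not a loss.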
@@ -85,6 +99,91 @@ detection: Image|endswith: '\PRTG Probe.exe' #Paessler's PRTG Network Monitor filter_optional_qlik: Image|endswith: '\Engine.exe' #Process from qlik.com app + filter_main_brave: + Image|endswith: '\brave.exe' + Image|startswith: 'C:\Program Files\BraveSoftware\' + filter_main_maxthon: + Image|contains: '\AppData\Local\Maxthon\' + Image|endswith: '\maxthon.exe' + filter_main_opera: + Image|contains: '\AppData\Local\Programs\Opera\' + Image|endswith: '\opera.exe' + filter_main_seamonkey: + Image|startswith: + - 'C:\Program Files\SeaMonkey\' + - 'C:\Program Files (x86)\SeaMonkey\' + Image|endswith: '\seamonkey.exe' + filter_main_vivaldi: + Image|contains: '\AppData\Local\Vivaldi\' + Image|endswith: '\vivaldi.exe' + filter_main_whale: + Image|startswith: + - 'C:\Program Files\Naver\Naver Whale\' + - 'C:\Program Files (x86)\Naver\Naver Whale\' + Image|endswith: '\whale.exe' + filter_main_tor: + Image|contains: '\Tor Browser\' + filter_main_whaterfox: + Image|startswith: + - 'C:\Program Files\Waterfox\' + - 'C:\Program Files (x86)\Waterfox\' + Image|endswith: '\Waterfox.exe' + filter_main_midori: + Image|contains: '\AppData\Local\Programs\midori-ng\' + Image|endswith: '\Midori Next Generation.exe' + filter_main_slimbrowser: + Image|startswith: + - 'C:\Program Files\SlimBrowser\' + - 'C:\Program Files (x86)\SlimBrowser\' + Image|endswith: '\slimbrowser.exe' + filter_main_flock: + Image|contains: '\AppData\Local\Flock\' + Image|endswith: '\Flock.exe' + filter_main_phoebe: + Image|contains: '\AppData\Local\Phoebe\' + Image|endswith: '\Phoebe.exe' + filter_main_falkon: + Image|startswith: + - 'C:\Program Files\Falkon\' + - 'C:\Program Files (x86)\Falkon\' + Image|endswith: '\falkon.exe' + filter_main_qtweb: + Image|startswith: + - 'C:\Program Files (x86)\QtWeb\' + - 'C:\Program Files\QtWeb\' + Image|endswith: '\QtWeb.exe' + filter_main_avant: + Image|startswith: + - 'C:\Program Files (x86)\Avant Browser\' + - 'C:\Program Files\Avant Browser\' + 
Image|endswith: '\avant.exe' + filter_main_whatsapp: + Image|startswith: + - 'C:\Program Files (x86)\WindowsApps\' + - 'C:\Program Files\WindowsApps\' + Image|endswith: 'WhatsApp.exe' + filter_main_telegram: + Image|contains: '\AppData\Roaming\Telegram Desktop\' + Image|endswith: '\Telegram.exe' + filter_main_onedrive: + Image|contains: '\AppData\Local\Microsoft\OneDrive\' + Image|endswith: '\OneDrive.exe' + filter_main_dropbox: + Image|startswith: + - 'C:\Program Files (x86)\Dropbox\Client\' + - 'C:\Program Files\Dropbox\Client\' + Image|endswith: '\Dropbox.exe' + filter_main_mega: + Image|contains: '\AppData\Local\MEGAsync\' + Image|endswith: 'MEGAsync.exe' + filter_main_googledrive: + Image|startswith: + - 'C:\Program Files\Google\Drive File Stream\' + - 'C:\Program Files (x86)\Google\Drive File Stream\' + Image|endswith: 'GoogleDriveFS.exe' + filter_main_discord: + Image|contains: '\AppData\Local\Discord\' + Image|endswith: '\Discord.exe' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender. diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml new file mode 100644 index 000000000..db275c86f --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml 
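Review bot: Three of the new filters use `Image|endswith` without a leading backslash — `'WhatsApp.exe'`, `'MEGAsync.exe'` and `'GoogleDriveFS.exe'` — unlike every other entry in this hunk, so they also match any image whose name merely ends in that string; write `'\WhatsApp.exe'`, `'\MEGAsync.exe'`, `'\GoogleDriveFS.exe'`. The filter name `filter_main_whaterfox` looks like a typo for `filter_main_waterfox`, and `filter_main_tor` has only a `contains` constraint with no `endswith`, which is broader than its neighbours. Many of these exclusions (Discord, Telegram, OneDrive, MEGAsync, Opera, Vivaldi, Maxthon, Flock, Phoebe, Midori) key on user-writable `\AppData\Local\` or `\AppData\Roaming\` paths, so the exclusion rests on a path rather than on a verified binary; that is a known trade-off for this rule, but it deserves a sentence in `falsepositives` or a comment above the block. `filter_main_avant` is split across the chunk boundary but its content is complete.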
@@ -0,0 +1,32 @@ +title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript +id: e2812b49-bae0-4b21-b366-7c142eafcde2 +status: experimental +description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script +references: + - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/07/13 +tags: + - attack.defense_evasion +logsource: + category: ps_script + product: windows + definition: bade5735-5ab0-4aa7-a642-a11be0e40872 +detection: + selection_class: + ScriptBlockText|contains: 'Win32_NTEventlogFile' + selection_function: + ScriptBlockText|contains: + - '.BackupEventlog(' + - '.ChangeSecurityPermissions(' + - '.ChangeSecurityPermissionsEx(' + - '.ClearEventLog(' + - '.Delete(' + - '.DeleteEx(' + - '.Rename(' + - '.TakeOwnerShip(' + - '.TakeOwnerShipEx(' + condition: all of selection_* +falsepositives: + - Legitimate administration and backup scripts +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml new file mode 100644 index 000000000..ce960abcb --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml 
@@ -0,0 +1,31 @@ +title: Suspicious Ping/Copy Command Combination +id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 +status: experimental +description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. +references: + - Internal Research +author: X__Junior (Nextron Systems) +date: 2023/07/18 +tags: + - attack.defense_evasion + - attack.t1070.004 +logsource: + category: process_creation + product: windows +detection: + # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 + selection_cmd: + - Image|endswith: '\cmd.exe' + - OriginalFileName: 'Cmd.Exe' + selection_cli: + CommandLine|contains: # Count + - ' -n ' + - ' /n ' + CommandLine|contains|all: + - 'ping' # Covers "ping" and "ping.exe" + - 'copy ' + - ' /y ' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml index 1392aff46..7657e3ab4 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml @@ -17,6 +17,7 @@ logsource: category: process_creation product: windows detection: + # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe". selection_count: CommandLine|contains: 
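Review bot: The tag `attack.t1070.004` (Indicator Removal: File Deletion) does not fit a ping-then-copy pattern; it appears carried over from the ping/del rule whose comment this hunk also copies, whereas this variant is about staging or relocating a file. Suggest dropping `- attack.t1070.004` and keeping a tactic-level tag, or choosing a technique that matches the staging behaviour. The `'ping'` substring (comment: `Covers "ping" and "ping.exe"`) also matches words such as `mapping` or `shipping` in a command line that happens to contain `copy ` and ` /y `; `'ping '` / `'ping.exe '` or a leading space would tighten it.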
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml new file mode 100644 index 000000000..b7363a7ec --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml @@ -0,0 +1,24 @@ +title: Insecure Transfer Via Curl.EXE +id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec +status: experimental +description: Detects execution of "curl.exe" with the "--insecure" flag. +references: + - Internal Research +author: X__Junior (Nextron Systems) +date: 2023/06/30 +tags: + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\curl.exe' + - OriginalFileName: 'curl.exe' + selection_cli: + - CommandLine|re: '\s-k\s' + - CommandLine|contains: '--insecure' + condition: all of selection_* +falsepositives: + - Access to badly maintained internal or development systems +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index 0128723d0..e9b33ee1f 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml @@ -1,4 +1,4 @@ -title: Findstr LSASS +title: LSASS Process Reconnaissance Via Findstr.EXE id: fe63010f-8823-4864-a96b-a7b4a0f7b929 status: experimental description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID @@ -6,6 +6,7 @@ references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 author: Florian Roth (Nextron Systems) date: 2022/08/12 +modified: 2023/07/13 tags: - attack.credential_access - attack.t1552.006 
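Review bot: The regex `'\s-k\s'` in `selection_cli` requires whitespace after `-k`, so a `-k` that ends the command line (or is immediately followed by a quote) is missed; `'\s-k(\s|$)'` covers the trailing case. Combined short flags such as `-sk` are also outside this pattern, which may be deliberate to limit false positives — if so, a short comment on the `CommandLine|re` line saying so would help the next reader. The `'--insecure'` alternative is fine as written.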
@@ -20,12 +21,12 @@ detection: CommandLine|contains: 'lsass' selection_special: CommandLine|contains: - - ' /i lsass.exe' - ' /i "lsass' - - 'findstr lsass' - - 'findstr.exe lsass' + - ' /i lsass.exe' - 'findstr "lsass' + - 'findstr lsass' - 'findstr.exe "lsass' + - 'findstr.exe lsass' condition: all of selection_findstr_* or selection_special falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml index 8eaf69101..ee2b569a4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml @@ -1,14 +1,15 @@ -title: Findstr Suspicious ParentCommandLine +title: Potentially Suspicious Findstr.EXE Execution id: ccb5742c-c248-4982-8c5c-5571b9275ad3 -related: +related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived status: experimental -description: Detects findstring commands with a suspicious ParentCommandLine +description: Detects execution of "findstr" as a child process of potentially suspicious parent command lines. This is often the case when "findstr" is used to filter out the results of certain reconnaissance commands such as "tasklist" or "ipconfig /all" references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist author: frack113 date: 2023/07/06 +modified: 2023/07/13 tags: - attack.discovery - attack.t1057 
@@ -16,14 +17,15 @@ logsource: category: process_creation product: windows detection: - selection_findstr_img: + selection_img: - Image|endswith: '\findstr.exe' - OriginalFileName: 'FINDSTR.EXE' - selection_findstr_parent: - ParentCommandLine|contains: 'tasklist' - filter_optional_httpd: - CommandLine|contains: 'httpd.exe' - condition: all of selection_findstr_* and not 1 of filter_optional_* + selection_parent_cli: + ParentCommandLine|contains: + # Note: Add additional CLI to increase and enhance coverage + - 'ipconfig ' + - 'tasklist' + condition: all of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml index 078e5046f..7bae271de 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml @@ -3,7 +3,6 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c status: test description: Detects the addition of a new rule to the Windows firewall via netsh references: - - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN) - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf author: Markus Neis, Sander Wiebing date: 2019/01/29 @@ -11,6 +10,7 @@ modified: 2023/02/10 tags: - attack.defense_evasion - attack.t1562.004 + - attack.s0246 logsource: category: process_creation product: windows @@ -33,5 +33,5 @@ detection: condition: all of selection_* and not 1 of filter_* falsepositives: - Legitimate administration activity - - Software installations and removal + - Software installations level: medium diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml new file mode 100644 index 000000000..67a576899 --- /dev/null 
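Review bot: The `filter_optional_httpd` exclusion is dropped from the rule and its only successor is the `httpd\.exe` regex added to .github/workflows/known-FPs.csv; as far as this diff shows, that CSV serves the repository's test tooling rather than deployed detections, so the httpd.exe case is presumably no longer filtered at detection time. If that is intended, record it in `falsepositives` (currently `Unknown`), e.g. `- Scripts and tools that pipe tasklist or ipconfig output through findstr`. The new `'ipconfig '` entry carries a trailing space while `'tasklist'` does not; either is fine, but be consistent. The comment `Note: Add additional CLI to increase and enhance coverage` is placed between the `ParentCommandLine|contains:` key and its list; moving it above the key keeps the meaning and reads better.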
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml @@ -0,0 +1,28 @@ +title: Firewall Rule Update Via Netsh.EXE +id: a70dcb37-3bee-453a-99df-d0c683151be6 +status: test +description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule +references: + - https://ss64.com/nt/netsh.html +author: X__Junior (Nextron Systems) +date: 2023/07/18 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\netsh.exe' + - OriginalFileName: 'netsh.exe' + selection_cli: + CommandLine|contains|all: + # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes" + # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes" + - ' firewall ' + - ' set ' + condition: all of selection_* +falsepositives: + - Legitimate administration activity + - Software installations and removal +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml new file mode 100644 index 000000000..551845bcd --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml 
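Review bot: `status: test` on a brand-new rule is inconsistent with the other rules added in this commit, which all start at `status: experimental`; suggest `status: experimental`. The description says the rule looks for the `advfirewall` and `set` options, but `selection_cli` only requires `' firewall '` and `' set '`, so `advfirewall` is not actually required and the legacy `netsh firewall set ...` syntax also matches — either add `- 'advfirewall'` to the `contains|all` list or reword the description to what is matched. `falsepositives` repeats `Software installations and removal`, the exact wording the neighbouring add-rule hunk simplifies to `Software installations`.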
@@ -0,0 +1,43 @@ +title: PowerShell Execution With Potential Decryption Capabilities +id: 434c08ba-8406-4d15-8b24-782cb071a691 +status: experimental +description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. +references: + - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ +author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/30 +tags: + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection_img: + Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli_dir: + CommandLine|contains: + - "Get-ChildItem " + - "dir " + - "gci " + - "ls " + selection_cli_gc: + CommandLine|contains: + - "Get-Content " + - "gc " + - 'cat ' + - 'type ' + selection_cli_specific: + CommandLine|contains|all: + - ' ^| ' + - '\*.lnk' + - '-Recurse' + - '-Skip ' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml index 2f6f2ed42..ea5e3923d 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml @@ -4,7 +4,7 @@ status: experimental description: 'Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local' references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ -author: 'pH-T (Nextron Systems), Nasreddine Bencherchali' +author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/03/15 modified: 2022/07/28 tags: 
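Review bot: `selection_img` is written as a mapping, so `Image|endswith` AND `OriginalFileName` must both match; on a process-creation source that does not populate OriginalFileName the rule never fires. The other new rules in this commit (curl, netsh, ping/copy) use the list form so that either field suffices; write `- Image|endswith:` and `- OriginalFileName:` here as well. The description has a stray quote: `decrypt an ".LNK" "file to drop` should read `decrypt an ".LNK" file to drop`. Quoting is mixed (`"Get-ChildItem "` versus `'cat '`); single quotes throughout would match the rest of the file.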
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml index d5b98d9a4..9a3e9a0a2 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml @@ -1,12 +1,14 @@ -title: Scheduled Task Executing Powershell Encoded Payload from Registry -id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 -status: test -description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell. +title: Scheduled Task Executing Payload from Registry +id: 86588b36-c6d3-465f-9cee-8f9093e07798 +related: + - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 + type: derived +status: experimental +description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ -author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport -date: 2022/02/12 -modified: 2023/02/04 +author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/07/18 tags: - attack.execution - attack.persistence 
@@ -20,17 +22,23 @@ detection: # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 - Image|endswith: '\schtasks.exe' - OriginalFileName: 'schtasks.exe' - selection_cli: - CommandLine|contains|all: - - '/Create' - - 'FromBase64String' + selection_cli_create: + CommandLine|contains: '/Create' + selection_cli_get: + CommandLine|contains: - 'Get-ItemProperty' + - ' gp ' # Alias + selection_cli_hive: CommandLine|contains: - 'HKCU:' - 'HKLM:' - 'registry::' - 'HKEY_' - condition: all of selection_* + filter_main_encoding: + CommandLine|contains: + - 'FromBase64String' + - 'encodedcommand' + condition: all of selection_* and not 1 of filter_* falsepositives: - - Unlikely -level: high + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml new file mode 100644 index 000000000..b5af7a3d4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml 
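Review bot: The example comment retained under `selection_img` (`schtasks.exe /Create ... FromBase64String(... Get-ItemProperty ...`) is now exactly the case that the new `filter_main_encoding` excludes, so the rule's only illustrating example no longer matches the rule; replace it with a non-encoded example and leave the Base64 one to the new `_encoded` rule, which already carries the same comment. The condition `not 1 of filter_*` works, but the other rules in this commit name the filter group explicitly; `condition: all of selection_* and not 1 of filter_main_*` keeps the convention. The `' gp '` alias entry requires a space on both sides, so the parenthesised form shown in the example syntax (`(Get-ItemProperty -Path`) would not be caught for the alias — a coverage limit worth stating in the `# Alias` comment. `selection_img` itself starts before this hunk.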
@@ -0,0 +1,42 @@ +title: Scheduled Task Executing Encoded Payload from Registry +id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 +status: test +description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. +references: + - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ +author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2022/02/12 +modified: 2023/02/04 +tags: + - attack.execution + - attack.persistence + - attack.t1053.005 + - attack.t1059.001 +logsource: + product: windows + category: process_creation +detection: + selection_img: + # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_cli_create: + CommandLine|contains: '/Create' + selection_cli_encoding: + CommandLine|contains: + - 'FromBase64String' + - 'encodedcommand' + selection_cli_get: + CommandLine|contains: + - 'Get-ItemProperty' + - ' gp ' # Alias + selection_cli_hive: + CommandLine|contains: + - 'HKCU:' + - 'HKLM:' + - 'registry::' + - 'HKEY_' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml index 9c7c9c499..4ae532e92 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml 
@@ -10,7 +10,7 @@ references: - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/ author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 date: 2019/09/26 -modified: 2023/05/31 +modified: 2023/07/13 tags: - attack.defense_evasion - attack.t1070.001 @@ -37,8 +37,11 @@ detection: - 'Remove-EventLog ' - 'Limit-EventLog ' - 'Clear-WinEvent ' - selection_other_wmic: - Image|endswith: '\wmic.exe' + selection_other_wmi: + Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - '\wmic.exe' CommandLine|contains: 'ClearEventLog' filter_msiexec: # Example seen during office update/installation: diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml new file mode 100644 index 000000000..7fef7623c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml 
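Review bot: Extending `selection_other_wmi` to `\powershell.exe` / `\pwsh.exe` with `CommandLine|contains: 'ClearEventLog'` overlaps with the new proc_creation_win_susp_nteventlogfile_usage.yml added in this same commit, whose `.ClearEventLog(` entry fires on the same command lines, so one event will raise both alerts. That may be intended (generic versus specific rule), but a `related` entry with `type: similar` pointing at caf201a9-c2ce-4a26-9c3a-2b9525413711 would document it. The rename from `selection_other_wmic` to `selection_other_wmi` presumably relies on a wildcard in the condition; that line is outside the hunk and should be checked.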
@@ -0,0 +1,34 @@ +title: Potentially Suspicious Call To Win32_NTEventlogFile Class +id: caf201a9-c2ce-4a26-9c3a-2b9525413711 +related: + - id: e2812b49-bae0-4b21-b366-7c142eafcde2 + type: similar +status: experimental +description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script +references: + - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/07/13 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection_class: + CommandLine|contains: 'Win32_NTEventlogFile' + selection_function: + CommandLine|contains: + - '.BackupEventlog(' + - '.ChangeSecurityPermissions(' + - '.ChangeSecurityPermissionsEx(' + - '.ClearEventLog(' + - '.Delete(' + - '.DeleteEx(' + - '.Rename(' + - '.TakeOwnerShip(' + - '.TakeOwnerShipEx(' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index 869d1322b..cb59f01fa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -11,7 +11,7 @@ references: - https://twitter.com/jonasLyk/status/1555914501802921984 author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/08/06 -modified: 2023/07/05 +modified: 2023/07/20 tags: - attack.defense_evasion - attack.t1564.004 
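Review bot: The description ends with `from a PowerShell script`, copied from the ps_script counterpart e2812b49-bae0-4b21-b366-7c142eafcde2, but this rule's logsource is `process_creation` and it matches `CommandLine`; suggest `... in a potentially suspicious way (delete, backup, change permissions, etc.) via the command line`. The two siblings also disagree on severity for the same method list — `level: high` with falsepositives `Unknown` here versus `level: medium` with `Legitimate administration and backup scripts` there — and administration/backup tooling can invoke these methods from the command line just as well, so the levels and falsepositives should be aligned. `.Delete(` and `.Rename(` are generic on their own, but the `all of selection_*` condition ties them to `Win32_NTEventlogFile`, which is adequate.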
@@ -21,33 +21,37 @@ logsource:
 detection:
 selection:
 Image|contains:
- - '~1.exe'
 - '~1.bat'
+ - '~1.dll'
+ - '~1.exe'
+ - '~1.hta'
+ - '~1.js'
 - '~1.msi'
+ - '~1.ps1'
+ - '~1.tmp'
 - '~1.vbe'
 - '~1.vbs'
- - '~1.dll'
- - '~1.ps1'
- - '~1.js'
- - '~1.hta'
- - '~2.exe'
 - '~2.bat'
+ - '~2.dll'
+ - '~2.exe'
+ - '~2.hta'
+ - '~2.js'
 - '~2.msi'
+ - '~2.ps1'
+ - '~2.tmp'
 - '~2.vbe'
 - '~2.vbs'
- - '~2.dll'
- - '~2.ps1'
- - '~2.js'
- - '~2.hta'
- filter:
- - ParentImage: 'C:\Windows\explorer.exe'
- - ParentImage|endswith:
- - '\WebEx\WebexHost.exe'
- - '\thor\thor64.exe'
- - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe
- - Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
- - Image|contains: '\vcredi'
- condition: selection and not filter
+ filter_main_generic_parent:
+ ParentImage: 'C:\Windows\explorer.exe'
+ filter_optional_webex:
+ ParentImage|endswith: '\WebEx\WebexHost.exe'
+ filter_optional_thor:
+ ParentImage|endswith: '\thor\thor64.exe'
+ filter_optional_winzip:
+ Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
+ filter_optional_vcred:
+ Image|endswith: '\VCREDI~1.EXE'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Unknown
-level: high
+ - Software Installers
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
new file mode 100644
index 000000000..fafa963f9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
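Review bot: The newly added `'~1.tmp'`/`'~2.tmp'` entries are, like the rest of the list, matched with `Image|contains`, so they also fire when a short-named directory component in the path happens to end in `.tmp` (installer extraction folders under `%TEMP%` are the obvious case), not only when the executable itself carries that extension. If the executable's extension is what is meant, `Image|endswith` is the precise operator; if `contains` is deliberate, a comment above the list such as `# contains: also catches 8.3-named parent folders, not just the image name` would make that intent explicit. Separately, `filter_main_generic_parent` keeps `explorer.exe` as an always-on parent exclusion, which means a short-named payload double-clicked from a removable drive or Downloads folder is excluded by design; that predates this change, but with the level now at medium it is worth stating in `falsepositives` or a comment so users know what the rule does not cover.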
@@ -0,0 +1,27 @@
+title: Suspicious Process Execution From Fake Recycle.Bin Folder
+id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+related:
+ - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
+ type: derived
+status: experimental
+description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
+references:
+ - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - ':\RECYCLERS.BIN\'
+ - ':\RECYCLER.BIN\'
+ - ':\RECYCLE.BIN\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index c2c5eef10..3856594ab
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
@@ -17,7 +17,7 @@ references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/09/01
-modified: 2023/03/04
+modified: 2023/07/13
 tags:
 - attack.defense_evasion
 - attack.t1489
@@ -145,6 +145,7 @@ detection:
 - 'MSOLAP$TPSAMA'
 - 'MSOLAPSTPS'
 - 'MSOLAPSTPSAMA'
+ - 'mssecflt'
 - 'MSSQ!I.SPROFXENGAGEMEHT'
 - 'MSSQ0SHAREPOINT'
 - 'MSSQ0SOPHOS'
@@ -174,6 +175,7 @@ detection:
 - 'SAVService'
 - 'ScSecSvc'
 - 'SDRSVC'
+ - 'sense'
 - 'SentinelAgent'
 - 'SentinelHelperService'
 - 'SepMasterService'
diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
new file mode 100644
index 000000000..e0e058805
--- /dev/null
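Review bot: The three `Image|contains` values are anchored with `:\`, so the look-alike folder is only caught at a volume root — the USB-root placement the Mandiant reference describes — while the same lure dropped under a user profile (`...\Desktop\RECYCLER.BIN\x.exe`) goes unmatched; as far as I know Windows never creates a folder named `RECYCLE.BIN`, `RECYCLER.BIN` or `RECYCLERS.BIN` (the genuine ones are `$Recycle.Bin` and, on legacy volumes, `RECYCLER`), so dropping the drive anchor (`'\RECYCLER.BIN\'` etc.) should keep the rule just as specific. The rule carries only tactic tags; `attack.t1036.005` (match legitimate name or location) looks like the fitting technique for a spoofed recycle-bin folder and `attack.t1091` for the removable-media delivery in the reference — confirm against the derived-from rule before adding. Finally, `often used to avoid security solution` in the description reads better as `often used to evade security solutions`.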
+++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
@@ -0,0 +1,29 @@
+title: Potential ReflectDebugger Content Execution Via WerFault.EXE
+id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+related:
+ - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+ type: derived
+status: experimental
+description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
+references:
+ - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+ - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\WerFault.exe'
+ - OriginalFileName: 'WerFault.exe'
+ selection_cli:
+ CommandLine|contains: ' -pr '
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
new file mode 100644
index 000000000..791736e43
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
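Review bot: The rule fires on the trigger (`WerFault.exe` with ` -pr `) rather than on the payload: the thing worth alerting on is the process WerFault spawns from the `ReflectDebugger` value, and nothing here inspects it, so the alert carries no indication of what was actually run. A companion or replacement selection on the child — `ParentImage|endswith: '\WerFault.exe'` together with `ParentCommandLine|contains: ' -pr '` — would surface the executed path and also separate an attacker-issued `WerFault.exe -pr <pid>` from WER's own hang-reflection use of the same flag, which, if I read the Hexacorn reference correctly, is the source of the `Unknown` false positives here. At minimum a comment on `selection_cli` such as `# -pr triggers the ReflectDebugger hook; check the child process of this WerFault instance for the executed path` would tell an analyst where to look.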
@@ -0,0 +1,26 @@
+title: Potential WerFault ReflectDebugger Registry Value Abuse
+id: 0cf2e1c6-8d10-4273-8059-738778f981ad
+related:
+ - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
+ type: derived
+status: experimental
+description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
+references:
+ - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
+ - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
+author: X__Junior
+date: 2023/05/18
+tags:
+ - attack.defense_evasion
+ - attack.t1036.003
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: 'SetValue'
+ TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
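Review bot: The description says the value is abused `for persistence`, but the tag block carries only `attack.defense_evasion` and `attack.t1036.003`; `attack.persistence` is missing, and T1036.003 (rename system utilities) does not describe a debugger-style registry hook — `attack.t1546` (event triggered execution), the family used for the analogous IFEO `Debugger` value, fits better, so I would make the tags `- attack.persistence`, `- attack.defense_evasion`, `- attack.t1546`. The `registry_set` category also only produces hits if the Sysmon configuration actually records value writes under `...\Windows Error Reporting\Hangs`, which default configurations may not; a `definition:` line under `logsource` stating that requirement would spare users a silent no-op. Minor: `author: X__Junior` lacks the `(Nextron Systems)` suffix used in the sibling rule fabfb3a7.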