From 08e0a297f3aed59e052108f87fb0dc1ec33d9471 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 13 Jul 2023 17:31:13 +0200
Subject: [PATCH 1/8] feat: new rules and updates
---
 .github/workflows/known-FPs.csv | 1 +
 ...t_win_create_evtx_non_common_locations.yml | 16 ++++-----
 ...nt_win_hktl_hivenightmare_file_exports.yml | 3 --
 .../posh_ps_win32_nteventlogfile_usage.yml | 32 +++++++++++++++++
 .../proc_creation_win_findstr_lsass.yml | 9 ++---
 .../proc_creation_win_findstr_susp_parent.yml | 20 ++++++-----
 ...tion_win_schtasks_appdata_local_system.yml | 2 +-
 .../proc_creation_win_susp_eventlog_clear.yml | 9 +++--
 ...creation_win_susp_nteventlogfile_usage.yml | 34 +++++++++++++++++++
 ...ion_win_susp_ntfs_short_name_use_image.yml | 1 +
 .../proc_creation_win_susp_service_tamper.yml | 4 ++-
 11 files changed, 102 insertions(+), 29 deletions(-)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index b8afda7d6..8bbadc1d7 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -58,3 +58,4 @@ a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*
 0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*
 e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
+ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;.*
diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
index 23af8d1dd..9e973c66e 100644
--- a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
+++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
@@ -6,27 +6,27 @@ references:
 - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
 author: D3F7A5105
 date: 2023/01/02
+modified: 2023/07/13
 tags:
 - attack.defense_evasion
 - attack.t1562.002
 logsource:
 category: file_event
 product: windows
- definition: 'Requirements: The ".evtx" exntesion should be monitored via a Sysmon configuration. Example: .evtx'
+ definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: .evtx'
 detection:
 selection:
 TargetFilename|endswith: '.evtx'
- filter_path:
+ filter_main_path:
 TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
- filter_baseimage:
+ filter_main_baseimage:
 TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
 TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
- filter_img:
+ filter_main_generic_img:
 Image:
 - 'C:\Windows\explorer.exe'
 - 'C:\Windows\system32\dllhost.exe'
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_*
 falsepositives:
- - Admin activity
- - Backup activity
-level: medium
+ - Administrator or backup activity
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
index becfff800..7fc13d8a6 100644
--- a/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml
@@ -28,9 +28,6 @@ detection:
 - '\Sam.save' # PowerShell version
 - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
 condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
 falsepositives:
 - Files that accidentally contain these strings
 level: high
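Review bot: `filter_main_baseimage` can never match, so the BaseImages container path it is meant to exclude is still alerted on — now at the raised `high` level. Its two conditions are ANDed, and `TargetFilename|endswith: '\Windows\System32\winevt\Logs\'` cannot hold for an event that the selection already requires to satisfy `TargetFilename|endswith: '.evtx'`. The intent reads as a path check, which would be `TargetFilename|contains: '\Windows\System32\winevt\Logs\'`. The `filter_main_*` rename itself is consistent with the new `condition`.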
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
new file mode 100644
index 000000000..475f0df2d
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml
@@ -0,0 +1,32 @@
+title: Potential Suspicious Call To Win32_NTEventlogFile Class - PSScript
+id: e2812b49-bae0-4b21-b366-7c142eafcde2
+status: experimental
+description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+references:
+ - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.defense_evasion
+logsource:
+ category: ps_script
+ product: windows
+ definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+ selection_class:
+ ScriptBlockText|contains: 'Win32_NTEventlogFile'
+ selection_function:
+ ScriptBlockText|contains:
+ - '.BackupEventlog('
+ - '.ChangeSecurityPermissions('
+ - '.ChangeSecurityPermissionsEx('
+ - '.ClearEventLog('
+ - '.Delete('
+ - '.DeleteEx('
+ - '.Rename('
+ - '.TakeOwnerShip('
+ - '.TakeOwnerShipEx('
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration and backup scripts
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
index 0128723d0..e9b33ee1f 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
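Review bot: The `all of selection_*` condition requires `Win32_NTEventlogFile` and one of the method names to appear in the same `ScriptBlockText`, which is worth documenting: long scripts can be logged as several script-block events, and if the class lookup and the method call land in different chunks the rule misses silently. A comment under `detection:` such as `# Note: both strings must appear within the same script block event; lengthy scripts may be split across several 4104 events` would make the coverage boundary explicit. The generic `.Delete(` and `.Rename(` values are acceptable only because of that AND with the class name, so the comment also protects against someone later relaxing the condition.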
@@ -1,4 +1,4 @@
-title: Findstr LSASS
+title: LSASS Process Reconnaissance Via Findstr.EXE
 id: fe63010f-8823-4864-a96b-a7b4a0f7b929
 status: experimental
 description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
@@ -6,6 +6,7 @@ references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
 author: Florian Roth (Nextron Systems)
 date: 2022/08/12
+modified: 2023/07/13
 tags:
 - attack.credential_access
 - attack.t1552.006
@@ -20,12 +21,12 @@ detection:
 CommandLine|contains: 'lsass'
 selection_special:
 CommandLine|contains:
- - ' /i lsass.exe'
 - ' /i "lsass'
- - 'findstr lsass'
- - 'findstr.exe lsass'
+ - ' /i lsass.exe'
 - 'findstr "lsass'
+ - 'findstr lsass'
 - 'findstr.exe "lsass'
+ - 'findstr.exe lsass'
 condition: all of selection_findstr_* or selection_special
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
index 8eaf69101..7fcb19470 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml
@@ -1,14 +1,15 @@
-title: Findstr Suspicious ParentCommandLine
+title: Potential Suspicious Findstr.EXE Execution
 id: ccb5742c-c248-4982-8c5c-5571b9275ad3
-related:
+related:
 - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
 type: derived
 status: experimental
-description: Detects findstring commands with a suspicious ParentCommandLine
+description: Detects execution of "findstr" as a child process of potentially suspicious parent command line. This is often the case when "findstr" is used to filter out the results of certain recon commands such as "tasklist" or "ipconfig /all"
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
 author: frack113
 date: 2023/07/06
+modified: 2023/07/13
 tags:
 - attack.discovery
 - attack.t1057
@@ -16,14 +17,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_findstr_img:
+ selection_img:
 - Image|endswith: '\findstr.exe'
 - OriginalFileName: 'FINDSTR.EXE'
- selection_findstr_parent:
- ParentCommandLine|contains: 'tasklist'
- filter_optional_httpd:
- CommandLine|contains: 'httpd.exe'
- condition: all of selection_findstr_* and not 1 of filter_optional_*
+ selection_parent_cli:
+ ParentCommandLine|contains:
+ # Note: Add additional CLI to increase and enhance coverage
+ - 'ipconfig '
+ - 'tasklist'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
index 2f6f2ed42..ea5e3923d 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml
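Review bot: The two new `ParentCommandLine|contains` values are written inconsistently: `'ipconfig '` carries a trailing space, so a parent line with `ipconfig|findstr` or `ipconfig.exe /all` is not matched, while `'tasklist'` has no delimiter and matches anywhere in the string. Either drop the trailing space for parity with `'tasklist'` or spell out the intended delimiter in the `# Note:` comment. Separately, the same patch adds this rule id to `.github/workflows/known-FPs.csv` with a `.*` pattern, which appears to exempt every match of the rule from the repository's false-positive check; since `falsepositives` still reads `Unknown`, the description should say what is expected to fire on the test corpus so the exemption is reviewable.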
@@ -4,7 +4,7 @@ status: experimental
 description: 'Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local'
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
-author: 'pH-T (Nextron Systems), Nasreddine Bencherchali'
+author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/03/15
 modified: 2022/07/28
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
index 9c7c9c499..4ae532e92 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml
@@ -10,7 +10,7 @@ references:
 - https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
 author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105
 date: 2019/09/26
-modified: 2023/05/31
+modified: 2023/07/13
 tags:
 - attack.defense_evasion
 - attack.t1070.001
@@ -37,8 +37,11 @@ detection:
 - 'Remove-EventLog '
 - 'Limit-EventLog '
 - 'Clear-WinEvent '
- selection_other_wmic:
- Image|endswith: '\wmic.exe'
+ selection_other_wmi:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\wmic.exe'
 CommandLine|contains: 'ClearEventLog'
 filter_msiexec:
 # Example seen during office update/installation:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
new file mode 100644
index 000000000..f51203de9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml
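Review bot: Extending `selection_other_wmi` to `\powershell.exe` and `\pwsh.exe` with `CommandLine|contains: 'ClearEventLog'` overlaps the new `proc_creation_win_susp_nteventlogfile_usage.yml` in this same patch, which fires at `high` on `Win32_NTEventlogFile` plus `.ClearEventLog(`; a single PowerShell command line will now raise both rules at different levels. If the overlap is intended, record it with a `related:` entry (`- id: caf201a9-c2ce-4a26-9c3a-2b9525413711` / `type: similar`) so the relationship is visible to tuning; the `related:` block of this file, if any, is outside the hunk. The rename to `selection_other_wmi` fits the broader image list.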
@@ -0,0 +1,34 @@
+title: Potential Suspicious Call To Win32_NTEventlogFile Class
+id: caf201a9-c2ce-4a26-9c3a-2b9525413711
+related:
+ - id: e2812b49-bae0-4b21-b366-7c142eafcde2
+ type: similar
+status: experimental
+description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
+references:
+ - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_class:
+ CommandLine|contains: 'Win32_NTEventlogFile'
+ selection_function:
+ CommandLine|contains:
+ - '.BackupEventlog('
+ - '.ChangeSecurityPermissions('
+ - '.ChangeSecurityPermissionsEx('
+ - '.ClearEventLog('
+ - '.Delete('
+ - '.DeleteEx('
+ - '.Rename('
+ - '.TakeOwnerShip('
+ - '.TakeOwnerShipEx('
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
index 869d1322b..fd22ee6c5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml
@@ -51,3 +51,4 @@ detection:
 falsepositives:
 - Unknown
 level: high
+enhance filter
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
index c2c5eef10..3856594ab 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml
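Review bot: The `description` ends with "from a PowerShell script", copied from the `ps_script` twin rule, but this file's logsource is `process_creation` and it matches `CommandLine`; it should read `description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) via the command line`. The two rules also match the same strings yet differ in `falsepositives` (`Unknown` here versus `Legitimate administration and backup scripts`) and `level` (`high` versus `medium`) with no stated reason; the same administrative tooling produces both event types, so either align them or explain in the description why command-line usage is rated more severe.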
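Review bot: The line `+enhance filter` appended after `level: high` in `proc_creation_win_susp_ntfs_short_name_use_image.yml` is a stray working note, not YAML: a bare scalar at the top level following a mapping makes the whole rule unparseable, and the file also loses its trailing newline (`\ No newline at end of file`). Drop the line, or keep the reminder as a comment (`# TODO: enhance filter`) and restore the final newline.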
@@ -17,7 +17,7 @@ references:
 - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
 author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2022/09/01
-modified: 2023/03/04
+modified: 2023/07/13
 tags:
 - attack.defense_evasion
 - attack.t1489
@@ -145,6 +145,7 @@ detection:
 - 'MSOLAP$TPSAMA'
 - 'MSOLAPSTPS'
 - 'MSOLAPSTPSAMA'
+ - 'mssecflt'
 - 'MSSQ!I.SPROFXENGAGEMEHT'
 - 'MSSQ0SHAREPOINT'
 - 'MSSQ0SOPHOS'
@@ -174,6 +175,7 @@ detection:
 - 'SAVService'
 - 'ScSecSvc'
 - 'SDRSVC'
+ - 'sense'
 - 'SentinelAgent'
 - 'SentinelHelperService'
 - 'SepMasterService'
From 73f44e61d13dce190e56cc3983d8940ea8dacdb3 Mon Sep 17 00:00:00 2001
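Review bot: `'sense'` is a five-character value in a list whose field and modifier are declared above the hunk; if that list is `CommandLine|contains`, as the other entries suggest, it will match any command line that merely embeds the word "sense", which the longer, more distinctive names around it (`'SDRSVC'`, `'SentinelAgent'`) do not suffer from. Consider anchoring it to how the service name appears in the targeted commands (for example a leading separator such as `' sense'`) or note the expected noise under `falsepositives`. `'mssecflt'` is distinctive enough as written.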
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 20 Jul 2023 13:47:30 +0200
Subject: [PATCH 2/8] feat: add more rules
---
 ...e_event_win_susp_recycle_bin_fake_exec.yml | 31 +++++
 ..._load_side_load_abused_dlls_susp_paths.yml | 47 +++++++
 .../image_load_side_load_ccleaner_du.yml | 31 +++++
 ...ge_load_side_load_ccleaner_reactivator.yml | 29 ++++
 ...net_connection_win_dead_drop_resolvers.yml | 127 ++++++++++++++++--
 ...n_win_cmd_ping_copy_combined_execution.yml | 31 +++++
 ...on_win_cmd_ping_del_combined_execution.yml | 1 +
 ..._creation_win_curl_insecure_connection.yml | 24 ++++
 .../proc_creation_win_netsh_fw_add_rule.yml | 4 +-
 .../proc_creation_win_netsh_fw_set_rule.yml | 28 ++++
 ...reation_win_powershell_decrypt_pattern.yml | 39 ++++++
 .../proc_creation_win_schtasks_reg_loader.yml | 36 +++--
 ...eation_win_schtasks_reg_loader_encoded.yml | 42 ++++++
 ...on_win_susp_recycle_bin_fake_execution.yml | 27 ++++
 ...ion_win_werfault_reflect_debugger_exec.yml | 27 ++++
 ...gistry_set_persistence_reflectdebugger.yml | 26 ++++
 16 files changed, 520 insertions(+), 30 deletions(-)
 create mode 100644 rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_ccleaner_du.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml
diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
new file mode 100644
index 000000000..9a91abde2
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml
@@ -0,0 +1,31 @@
+title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
+id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
+related:
+ - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
+ type: derived
+status: experimental
+description: Detects file write event from/to a fake recycle bin folder that's often used as a staging directory for malware
+references:
+ - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
+author: X__Junior (Nextron Systems)
+date: 2023/07/12
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - Image|contains:
+ - ':\RECYCLERS.BIN\'
+ - ':\RECYCLER.BIN\'
+ - ':\RECYCLE.BIN\'
+ - TargetFilename|contains:
+ - ':\RECYCLERS.BIN\'
+ - ':\RECYCLER.BIN\'
+ - ':\RECYCLE.BIN\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
new file mode 100644
index 000000000..d95044ce9
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml
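Review bot: The values `':\RECYCLE.BIN\'` etc. only avoid the legitimate Windows recycle bin because that folder is named `$RECYCLE.BIN`, so the `$` sits between `:\` and `RECYCLE` and the `contains` test fails; nothing in the rule says so, and a maintainer "simplifying" the values to `'RECYCLE.BIN\'` would turn a `high` rule into noise on every deletion. Add a comment above the selection, e.g. `# Note: the legitimate "$RECYCLE.BIN" folder is intentionally not matched; the "$" breaks the ":\RECYCLE" prefix`. The two list entries are ORed by the list-of-maps form, which matches the "from/to" wording of the description.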
@@ -0,0 +1,47 @@
+title: Abusable DLL Potential Sideloading From Suspicious Location
+id: 1228c958-e64e-4e71-92ad-7d429f4138ba
+status: experimental
+description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
+references:
+ - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
+ - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/07/11
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_dll:
+ ImageLoaded|endswith:
+ # Note: Add more generic DLLs that cannot be pin-pointed to a single application
+ - '\coreclr.dll'
+ - '\facesdk.dll'
+ - '\HPCustPartUI.dll'
+ - '\libcef.dll'
+ - '\ZIPDLL.dll'
+ selection_folders_1:
+ ImageLoaded|contains:
+ - ':\Perflogs\'
+ - ':\Users\Public\'
+ - '\Temporary Internet'
+ - '\Windows\Temp\'
+ selection_folders_2:
+ - ImageLoaded|contains|all:
+ - ':\Users\'
+ - '\Favorites\'
+ - CommandLine|contains|all:
+ - ':\Users\'
+ - '\Favourites\'
+ - ImageLoaded|contains|all:
+ - ':\Users\'
+ - '\Contacts\'
+ - ImageLoaded|contains|all:
+ - ':\Users\'
+ - '\Pictures\'
+ condition: selection_dll and 1 of selection_folders_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
new file mode 100644
index 000000000..5a640660d
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml
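Review bot: The second entry of `selection_folders_2` tests `CommandLine|contains|all` while its three siblings test `ImageLoaded|contains|all`; in an `image_load` logsource the Sysmon image-load event carries no `CommandLine` field, so the `\Favourites\` spelling can never match and that path is silently uncovered. It looks like a copy slip and should read `- ImageLoaded|contains|all:` with the same two values. The tags `attack.execution` / `attack.t1059` also do not describe sideloading; the other two image-load rules in this patch use `attack.defense_evasion` with `attack.t1574.001` / `attack.t1574.002`, which fits here as well.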
@@ -0,0 +1,31 @@
+title: Potential CCleanerDU.DLL Sideloading
+id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerDU.dll"
+references:
+ - https://lab52.io/blog/2344-2/
+author: X__Junior (Nextron Systems)
+date: 2023/07/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\CCleanerDU.dll'
+ filter_main_path:
+ Image|startswith:
+ - 'C:\Program Files\CCleaner\'
+ - 'C:\Program Files (x86)\CCleaner\'
+ Image|endswith:
+ - '\CCleaner.exe'
+ - '\CCleaner64.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
new file mode 100644
index 000000000..a6fe99ab9
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
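Review bot: `id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57` is reused verbatim by `image_load_side_load_ccleaner_reactivator.yml`, the next file in this patch; rule ids must be unique, and a duplicate breaks any tooling that keys rules, suppressions or `related:` links by id, so one of the two files needs a fresh UUID. The reactivator file also writes `author: X__Junior` without the `(Nextron Systems)` suffix used in every other rule by this author in the series. The `filter_main_path` pairing of `Image|startswith` and `Image|endswith` is otherwise sound for both files.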
@@ -0,0 +1,29 @@
+title: Potential CCleanerReactivator.DLL Sideloading
+id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
+status: experimental
+description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
+references:
+ - https://lab52.io/blog/2344-2/
+author: X__Junior
+date: 2023/07/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\CCleanerReactivator.dll'
+ filter_main_path:
+ Image|startswith:
+ - 'C:\Program Files\CCleaner\'
+ - 'C:\Program Files (x86)\CCleaner\'
+ Image|endswith: '\CCleanerReactivator.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - False positives could occur from other custom installation paths. Apply additional filters accordingly.
+level: medium
diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
index e28ff5f41..75ee7c7be 100644
--- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
@@ -6,9 +6,9 @@ references:
 - https://content.fireeye.com/apt-41/rpt-apt41
 - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
 - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
-author: Sorina Ionescu
+author: Sorina Ionescu, X__Junior (Nextron Systems)
 date: 2022/08/17
-modified: 2023/04/18
+modified: 2023/07/20
 tags:
 - attack.command_and_control
 - attack.t1102
@@ -22,24 +22,48 @@ detection:
 DestinationHostname|endswith:
 - '.cloudflare.com'
 - '.githubusercontent.com'
+ - '4shared.com'
+ - 'anonfiles.com'
 - 'cdn.discordapp.com'
+ - 'ddns.net'
+ - 'discord.com/api/webhooks/'
 - 'docs.google.com'
+ - 'drive.google.com'
+ - 'dropbox.com'
+ - 'dropmefiles.com'
 - 'facebook.com'
 - 'feeds.rapidfeeds.com'
 - 'fotolog.com'
+ - 'ghostbin.co/'
+ - 'gist.githubusercontent.com'
+ - 'hastebin.com'
 - 'imgur.com'
 - 'livejournal.com'
+ - 'mediafire.com'
+ - 'mega.nz'
+ - 'onedrive.com'
 - 'paste.ee'
 - 'pastebin.com'
 - 'pastebin.pl'
 - 'pastetext.net'
+ - 'privatlab.com'
+ - 'privatlab.net'
+ - 'raw.githubusercontent.com'
 - 'reddit.com'
+ - 'send.exploit.in'
+ - 'sendspace.com'
 - 'steamcommunity.com'
+ - 'storage.googleapis.com'
+ - 't.me'
 - 'technet.microsoft.com'
+ - 'temp.sh'
+ - 'transfer.sh'
 - 'twitter.com'
+ - 'ufile.io'
+ - 'vimeo.com'
+ - 'wetransfer.com'
 - 'youtube.com'
- filter_main_brave:
- Image|endswith: '\brave.exe'
+ # Note: Add/Remove browsers that you don't use or those that have custom install locations
 filter_main_chrome:
 Image:
 - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
@@ -52,8 +76,6 @@ detection:
 Image:
 - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
 - 'C:\Program Files\Internet Explorer\iexplore.exe'
- filter_main_maxthon:
- Image|endswith: '\maxthon.exe'
 filter_main_edge_1:
 - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
 - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
@@ -67,16 +89,8 @@ detection:
 Image|endswith:
 - '\msedge.exe'
 - '\msedgewebview2.exe'
- filter_main_opera:
- Image|endswith: '\opera.exe'
 filter_main_safari:
 Image|endswith: '\safari.exe'
- filter_main_seamonkey:
- Image|endswith: '\seamonkey.exe'
- filter_main_vivaldi:
- Image|endswith: '\vivaldi.exe'
- filter_main_whale:
- Image|endswith: '\whale.exe'
 filter_optional_defender:
 Image|endswith:
 - '\MsMpEng.exe' #Microsoft Defender executable
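Review bot: `'discord.com/api/webhooks/'` and `'ghostbin.co/'` contain a URL path, but the list is evaluated with `DestinationHostname|endswith` against a hostname, which never contains `/`, so neither value can ever match; use the bare hosts (`'discord.com'`, `'ghostbin.co'`) and accept the broader match, or drop them. The short new values are also loose under `endswith`: `'t.me'` matches any hostname ending in those four characters (e.g. `about.me`), and `'mega.nz'` / `'temp.sh'` have the same shape; writing them with a leading dot plus a separate bare entry (`'.t.me'` and `'t.me'`) bounds the match to the domain and its subdomains. The `# Note:` on the filters is useful; the same guidance would help at the top of this list.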
@@ -85,6 +99,91 @@ detection:
 Image|endswith: '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
 filter_optional_qlik:
 Image|endswith: '\Engine.exe' #Process from qlik.com app
+ filter_main_brave:
+ Image|endswith: '\brave.exe'
+ Image|startswith: 'C:\Program Files\BraveSoftware\'
+ filter_main_maxthon:
+ Image|contains: '\AppData\Local\Maxthon\'
+ Image|endswith: '\maxthon.exe'
+ filter_main_opera:
+ Image|contains: '\AppData\Local\Programs\Opera\'
+ Image|endswith: '\opera.exe'
+ filter_main_seamonkey:
+ Image|startswith:
+ - 'C:\Program Files\SeaMonkey\'
+ - 'C:\Program Files (x86)\SeaMonkey\'
+ Image|endswith: '\seamonkey.exe'
+ filter_main_vivaldi:
+ Image|contains: '\AppData\Local\Vivaldi\'
+ Image|endswith: '\vivaldi.exe'
+ filter_main_whale:
+ Image|startswith:
+ - 'C:\Program Files\Naver\Naver Whale\'
+ - 'C:\Program Files (x86)\Naver\Naver Whale\'
+ Image|endswith: '\whale.exe'
+ filter_main_tor:
+ Image|contains: '\Tor Browser\'
+ filter_main_whaterfox:
+ Image|startswith:
+ - 'C:\Program Files\Waterfox\'
+ - 'C:\Program Files (x86)\Waterfox\'
+ Image|endswith: '\Waterfox.exe'
+ filter_main_midori:
+ Image|contains: '\AppData\Local\Programs\midori-ng\'
+ Image|endswith: '\Midori Next Generation.exe'
+ filter_main_slimbrowser:
+ Image|startswith:
+ - 'C:\Program Files\SlimBrowser\'
+ - 'C:\Program Files (x86)\SlimBrowser\'
+ Image|endswith: '\slimbrowser.exe'
+ filter_main_flock:
+ Image|contains: '\AppData\Local\Flock\'
+ Image|endswith: '\Flock.exe'
+ filter_main_phoebe:
+ Image|contains: '\AppData\Local\Phoebe\'
+ Image|endswith: '\Phoebe.exe'
+ filter_main_falkon:
+ Image|startswith:
+ - 'C:\Program Files\Falkon\'
+ - 'C:\Program Files (x86)\Falkon\'
+ Image|endswith: '\falkon.exe'
+ filter_main_qtweb:
+ Image|startswith:
+ - 'C:\Program Files (x86)\QtWeb\'
+ - 'C:\Program Files\QtWeb\'
+ Image|endswith: '\QtWeb.exe'
+ filter_main_avant:
+ Image|startswith:
+ - 'C:\Program Files (x86)\Avant Browser\'
+ - 'C:\Program Files\Avant Browser\'
+ Image|endswith: '\avant.exe'
+ filter_main_whatsapp:
+ Image|startswith:
+ - 'C:\Program Files (x86)\WindowsApps\'
+ - 'C:\Program Files\WindowsApps\'
+ Image|endswith: 'WhatsApp.exe'
+ filter_main_telegram:
+ Image|contains: '\AppData\Roaming\Telegram Desktop\'
+ Image|endswith: '\Telegram.exe'
+ filter_main_onedrive:
+ Image|contains: '\AppData\Local\Microsoft\OneDrive\'
+ Image|endswith: '\OneDrive.exe'
+ filter_main_dropbox:
+ Image|startswith:
+ - 'C:\Program Files (x86)\Dropbox\Client\'
+ - 'C:\Program Files\Dropbox\Client\'
+ Image|endswith: '\Dropbox.exe'
+ filter_main_mega:
+ Image|contains: '\AppData\Local\MEGAsync\'
+ Image|endswith: 'MEGAsync.exe'
+ filter_main_googledrive:
+ Image|startswith:
+ - 'C:\Program Files\Google\Drive File Stream\'
+ - 'C:\Program Files (x86)\Google\Drive File Stream\'
+ Image|endswith: 'GoogleDriveFS.exe'
+ filter_main_discord:
+ Image|contains: '\AppData\Local\Discord\'
+ Image|endswith: '\Discord.exe'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
new file mode 100644
index 000000000..1dd1d2956
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
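Review bot: Three of the new exclusions drop the path separator from the image check — `Image|endswith: 'WhatsApp.exe'`, `'MEGAsync.exe'` and `'GoogleDriveFS.exe'` — whereas every other `endswith` in this block starts with `\`; as written, any executable whose name merely ends in those characters under the same prefix is also excluded from a C2 rule. Prefix them with `\` like their siblings. `filter_main_tor` is the broadest exclusion here: `Image|contains: '\Tor Browser\'` with no image name at all, so it should be paired with an `Image|endswith` as the others are. `filter_main_whaterfox` also misspells the product it filters (`filter_main_waterfox`).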
@@ -0,0 +1,31 @@
+title: Suspicious Ping/Del Command Combination
+id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
+status: experimental
+description: Detects uncommon one liner command having ping and copy at the same time usually used by malware.
+references:
+ - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
+ selection_cmd:
+ - Image|endswith: '\cmd.exe'
+ - OriginalFileName: 'Cmd.Exe'
+ selection_cli:
+ CommandLine|contains: # Count
+ - ' -n '
+ - ' /n '
+ CommandLine|contains|all:
+ - 'ping' # Covers "ping" and "ping.exe"
+ - 'copy '
+ - ' /y '
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
index 1392aff46..7657e3ab4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml
@@ -17,6 +17,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
+ # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
 # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
 selection_count:
 CommandLine|contains:
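Review bot: The `title: Suspicious Ping/Del Command Combination` and the tag `attack.t1070.004` (file deletion) are carried over from the ping/del rule, but this file's `selection_cli` matches `copy ` and ` /y `, not a deletion. Retitle it `Suspicious Ping/Copy Command Combination` and re-examine the technique tag, since nothing in the detection removes an indicator. The `description` is already correct, so only the title and tag disagree with the body.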
diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
new file mode 100644
index 000000000..8c1c4314e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml
@@ -0,0 +1,24 @@
+title: Insecure Transfer Via Curl.EXE
+id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
+status: experimental
+description: Detects execution of "curl.exe" with the "--insecure" flag.
+references:
+ - Internal Research
+author: X__Junior (Nextron Systems)
+date: 2023/06/30
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\curl.exe'
+ - OriginalFileName: 'curl.exe'
+ selection_cli:
+ - CommandLine|re: '\s-k\s'
+ - CommandLine|contains: '--insecure'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
index 078e5046f..7bae271de 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_rule.yml
@@ -3,7 +3,6 @@ id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
 status: test
 description: Detects the addition of a new rule to the Windows firewall via netsh
 references:
- - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)
 - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
 author: Markus Neis, Sander Wiebing
 date: 2019/01/29
@@ -11,6 +10,7 @@ modified: 2023/02/10
 tags:
 - attack.defense_evasion
 - attack.t1562.004
+ - attack.s0246
 logsource:
 category: process_creation
 product: windows
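Review bot: `CommandLine|re: '\s-k\s'` demands whitespace after `-k`, so a command line that ends with `-k` is not matched even though it is exactly the insecure transfer the description names; `'\s-k(\s|$)'` covers both positions. The regex also misses `-k` combined with other short options, which is worth stating under `falsepositives`/description as a known gap rather than leaving it implicit. The list form of `selection_cli` correctly ORs the regex and the `--insecure` string.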
@@ -33,5 +33,5 @@ detection:
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Legitimate administration activity
- - Software installations and removal
+ - Software installations
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
new file mode 100644
index 000000000..52f6125c0
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml
@@ -0,0 +1,28 @@
+title: Firewall Rule Update Via Netsh.EXE
+id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
+status: test
+description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
+references:
+ - https://ss64.com/nt/netsh.html
+author: X__Junior (Nextron Systems)
+date: 2023/07/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\netsh.exe'
+ - OriginalFileName: 'netsh.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ # Example 1: netsh advfirewall firewall set rule "group=\"Network Discovery\" " new enable=Yes"
+ # Example 2: netsh advfirewall firewall set rule "group=\"File and Printer Sharing\" " new enable=Yes"
+ - ' firewall '
+ - ' set '
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administration activity
+ - Software installations and removal
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
new file mode 100644
index 000000000..dae6f0106
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml
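Review bot: `id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c` in the new `proc_creation_win_netsh_fw_set_rule.yml` is the id of `proc_creation_win_netsh_fw_add_rule.yml` (visible in that file's hunk header just above), so the new rule needs its own UUID before either can be referenced or suppressed unambiguously. `status: test` is also unusual for a rule created in this commit — every other new rule in the series starts as `experimental`. Finally, the `description` says "advfirewall" but `selection_cli` only requires `' firewall '` and `' set '`; if the legacy `netsh firewall set` context is not meant to be covered, add `'advfirewall'` to the `contains|all` list, otherwise widen the description.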
@@ -0,0 +1,39 @@ +title: PowerShell Execution With Potential Decryption Capabilities +id: 434c08ba-8406-4d15-8b24-782cb071a691 +status: experimental +description: Detects powershell command that decrypts an ".LNK" "file to drop next stage of the malware. +references: + - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ +author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/06/30 +tags: + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection_img: + Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli_dir: + CommandLine|contains: + - "Get-ChildItem " + - "dir " + selection_cli_gc: + CommandLine|contains: + - "Get-Content " + - "gc " + selection_cli_specific: + CommandLine|contains|all: + - ' ^| ' + - '\*.lnk' + - '-Recurse' + - '-Skip ' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml index d5b98d9a4..9a3e9a0a2 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml 
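Review bot: `selection_img` is written as a mapping, so `Image|endswith` AND `OriginalFileName` must both match, whereas the curl and netsh rules added in this same patch use the list form where either field suffices. Events from a log source that does not populate `OriginalFileName`, or a renamed `pwsh.exe`, therefore never reach the `selection_cli_*` checks; if the stricter conjunction is intended it deserves a comment, otherwise prefixing both keys with `- ` restores the usual OR. The `' ^| '` token in `selection_cli_specific` also ties the rule to a caret-escaped pipe, which presumably reflects how the referenced SmugX LNK launches PowerShell through cmd; a comment such as `# caret-escaped pipe as seen in the referenced campaign; a direct PowerShell invocation would carry a plain "|"` would make that dependency explicit.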
@@ -1,12 +1,14 @@ -title: Scheduled Task Executing Powershell Encoded Payload from Registry -id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 -status: test -description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell. +title: Scheduled Task Executing Payload from Registry +id: 86588b36-c6d3-465f-9cee-8f9093e07798 +related: + - id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 + type: derived +status: experimental +description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ -author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport -date: 2022/02/12 -modified: 2023/02/04 +author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2023/07/18 tags: - attack.execution - attack.persistence @@ -20,17 +22,23 @@ detection: # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 - Image|endswith: '\schtasks.exe' - OriginalFileName: 'schtasks.exe' - selection_cli: - CommandLine|contains|all: - - '/Create' - - 'FromBase64String' + selection_cli_create: + CommandLine|contains: '/Create' + selection_cli_get: + CommandLine|contains: - 'Get-ItemProperty' + - ' gp ' # Alias + selection_cli_hive: CommandLine|contains: - 'HKCU:' - 'HKLM:' - 'registry::' - 'HKEY_' - condition: all of selection_* + filter_main_encoding: + CommandLine|contains: + - 'FromBase64String' + - 'encodedcommand' + condition: all of selection_* and not 1 of filter_* falsepositives: - - Unlikely -level: high + - Unknown +level: medium 
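Review bot: The new `' gp '` alias entry in `selection_cli_get` requires a leading space, but the example command line kept in the comment shows the cmdlet opening a parenthesised expression (`(Get-ItemProperty -Path HKCU:...`); the same payload written with the alias is `(gp -Path HKCU:...`, which this entry does not match. Adding `- '(gp '` next to `- ' gp '` (or switching to `CommandLine|re: '\bgp\s'`) covers that form. The `filter_main_encoding` exclusion is keyed only on `encodedcommand`; the abbreviated `-enc`/`-e` spellings PowerShell also accepts fall through to this medium-level rule rather than being handed to the high-level encoded variant, which may be acceptable but is worth a comment so nobody assumes those forms are filtered.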
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml new file mode 100644 index 000000000..b5af7a3d4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader_encoded.yml @@ -0,0 +1,42 @@ +title: Scheduled Task Executing Encoded Payload from Registry +id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78 +status: test +description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. +references: + - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ +author: pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2022/02/12 +modified: 2023/02/04 +tags: + - attack.execution + - attack.persistence + - attack.t1053.005 + - attack.t1059.001 +logsource: + product: windows + category: process_creation +detection: + selection_img: + # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30 + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_cli_create: + CommandLine|contains: '/Create' + selection_cli_encoding: + CommandLine|contains: + - 'FromBase64String' + - 'encodedcommand' + selection_cli_get: + CommandLine|contains: + - 'Get-ItemProperty' + - ' gp ' # Alias + selection_cli_hive: + CommandLine|contains: + - 'HKCU:' + - 'HKLM:' + - 'registry::' + - 'HKEY_' + condition: all of selection_* +falsepositives: + - Unlikely +level: high 
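Review bot: The new file keeps `modified: 2023/02/04` although its content differs from the rule it was carved out of (the `selection_cli_*` split, the added `' gp '` and `encodedcommand` entries, the extended author list); the `modified` date should be bumped to the date of this change so consumers re-evaluate the rule. As in the sibling rule, `' gp '` misses the parenthesised `(gp -Path ...` form implied by the quoted example, so `- '(gp '` is worth adding here too. Note also that `selection_cli_encoding` matching `encodedcommand` can only succeed when `Get-ItemProperty`/`gp` and a hive prefix are still in clear text on the same command line, since an encoded blob hides them — presumably intended for mixed command lines, but a short comment saying so would avoid the impression that plain `-EncodedCommand` loaders are covered.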
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml new file mode 100644 index 000000000..f9c7854c1 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml @@ -0,0 +1,27 @@ +title: Suspicious Process Execution From Fake Recycle.Bin Folder +id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 +related: + - id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27 + type: derived +status: experimental +description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. +references: + - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets +author: X__Junior (Nextron Systems) +date: 2023/07/12 +tags: + - attack.persistence + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: + - ':\RECYCLERS.BIN\' + - ':\RECYCLER.BIN\' + - ':\RECYCLE.BIN\' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml new file mode 100644 index 000000000..9dcdba70e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml 
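Review bot: Every entry in `Image|contains` is prefixed with `':\'`, so the selection only fires when the fake folder sits at a volume root; the same folder name one level deeper (`D:\Data\RECYCLER.BIN\x.exe`) is not matched. As far as I can see the drive anchor is not what keeps the legitimate `$RECYCLE.BIN` out — the backslash immediately before `RECYCLE` already does that, since `\$RECYCLE.BIN\` does not contain `\RECYCLE.BIN\` — so relaxing the entries to `'\RECYCLER.BIN\'`, `'\RECYCLER.BIN\'`-style patterns would extend coverage to nested fakes without touching the real folder. Whichever scope is chosen, a comment such as `# The legitimate folder is "$RECYCLE.BIN"; the leading backslash keeps it out of scope` above the list would record the reasoning.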
@@ -0,0 +1,27 @@ +title: Potential ReflectDebugger Content Execution Via WerFault.EXE +id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd +related: + - id: 0cf2e1c6-8d10-4273-8059-738778f981ad + type: derived +status: experimental +description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in ReflectDebugger key which could be store malware path +references: + - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html + - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +author: X__Junior (Nextron Systems) +date: 2023/06/30 +tags: + - attack.execution +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\WerFault.exe' + - OriginalFileName: 'WerFault.exe' + selection_cli: + CommandLine|contains: ' -pr ' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml new file mode 100644 index 000000000..a11cc6107 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml 
@@ -0,0 +1,26 @@ +title: Potential WerFault ReflectDebugger Registry Value Abuse +id: 0cf2e1c6-8d10-4273-8059-738778f981ad +related: + - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd + type: derived +status: experimental +description: Detects Potential WerFault "ReflectDebugger" registry value abuse for persistence. +references: + - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html + - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ +author: X__Junior +date: 2023/05/18 +tags: + - attack.defense_evasion + - attack.t1036.003 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: 'SetValue' + TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger' + condition: selection +falsepositives: + - Unknown +level: high From 1ed5629eb284d683c0419eaa42949ff356d26cc6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 20 Jul 2023 14:01:35 +0200 Subject: [PATCH 3/8] feat: update filter --- ...ion_win_susp_ntfs_short_name_use_image.yml | 54 +++++++++++-------- 1 file changed, 31 insertions(+), 23 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index fd22ee6c5..12ca905aa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -11,7 +11,7 @@ references: - https://twitter.com/jonasLyk/status/1555914501802921984 author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/08/06 -modified: 2023/07/05 +modified: 2023/07/20 tags: - attack.defense_evasion - attack.t1564.004 
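Review bot: The tags do not match the description: the rule says it detects abuse "for persistence" (and the file is named `registry_set_persistence_reflectdebugger`), yet it carries only `attack.defense_evasion` and `attack.t1036.003`, which is Masquerading: Rename System Utilities and does not describe writing a debugger path into a WER key. Add `attack.persistence` and, if a sub-technique is wanted, take the one the two referenced blog posts map this to rather than T1036.003 — Event Triggered Execution (T1546) is the family normally used for debugger-style hijacks, but confirm against the references before pinning a sub-ID. The `related` entry pointing at the WerFault process rule is good; the two rules should then agree on their technique tags as well.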
@@ -21,34 +21,42 @@ logsource: detection: selection: Image|contains: - - '~1.exe' - '~1.bat' + - '~1.dll' + - '~1.exe' + - '~1.hta' + - '~1.js' - '~1.msi' + - '~1.ps1' + - '~1.tmp' - '~1.vbe' - '~1.vbs' - - '~1.dll' - - '~1.ps1' - - '~1.js' - - '~1.hta' - - '~2.exe' - '~2.bat' + - '~2.dll' + - '~2.exe' + - '~2.hta' + - '~2.js' - '~2.msi' + - '~2.ps1' + - '~2.tmp' - '~2.vbe' - '~2.vbs' - - '~2.dll' - - '~2.ps1' - - '~2.js' - - '~2.hta' - filter: - - ParentImage: 'C:\Windows\explorer.exe' - - ParentImage|endswith: - - '\WebEx\WebexHost.exe' - - '\thor\thor64.exe' - - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe - - Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE' - - Image|contains: '\vcredi' - condition: selection and not filter + filter_main_generic_parent: + ParentImage: 'C:\Windows\explorer.exe' + filter_optional_webex: + ParentImage|endswith: '\WebEx\WebexHost.exe' + filter_optional_thor: + ParentImage|endswith: '\thor\thor64.exe' + filter_optional_winzip: + Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE' + filter_optional_vstudio: + Image|startswith: + - 'C:\Program Files (x86)\Microsoft Visual Studio\' + - 'C:\Program Files\Microsoft Visual Studio\' + Image|endswith: + - '\vcredist_x64.exe' + - '\vcredist_x86.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - - Unknown -level: high -enhance filter \ No newline at end of file + - Software Installers +level: medium From db9214e8d209607f5425a57d14ae8d85a53d9b75 Mon Sep 17 00:00:00 2001 
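Review bot: `filter_main_generic_parent` excludes every process whose parent is `C:\Windows\explorer.exe`, and because it sits in the `filter_main_*` group it cannot be switched off downstream the way the `filter_optional_*` entries can. A user double-clicking a short-named dropper from a removable drive or the Downloads folder is exactly the explorer-parented case, so this filter removes a realistic path from a rule whose premise is 8.3-name evasion. Unless telemetry shows explorer-launched `~1.exe` images to be overwhelmingly benign, I would rename it `filter_optional_explorer_parent` and add `# Explorer as parent is common for legitimately installed software on 8.3 paths; drop this filter in high-security environments` so the trade-off is recorded next to the filter.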
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 20 Jul 2023 14:13:13 +0200 Subject: [PATCH 4/8] fix: typos --- .../file_event/file_event_win_susp_recycle_bin_fake_exec.yml | 2 +- .../image_load/image_load_side_load_abused_dlls_susp_paths.yml | 2 +- .../image_load/image_load_side_load_ccleaner_reactivator.yml | 2 +- .../proc_creation_win_cmd_ping_copy_combined_execution.yml | 2 +- .../process_creation/proc_creation_win_netsh_fw_set_rule.yml | 2 +- .../proc_creation_win_powershell_decrypt_pattern.yml | 2 +- .../proc_creation_win_susp_recycle_bin_fake_execution.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index 9a91abde2..e09b1a744 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml @@ -1,5 +1,5 @@ title: Suspicious File Creation Activity From Fake Recycle.Bin Folder -id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27 +id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca related: - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 type: derived diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml index d95044ce9..4ab414cb0 100644 --- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml +++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml @@ -1,5 +1,5 @@ title: Abusable DLL Potential Sideloading From Suspicious Location -id: 1228c958-e64e-4e71-92ad-7d429f4138ba +id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a status: experimental description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations references: 
diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml index a6fe99ab9..08ceb5132 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml +++ b/rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml @@ -1,5 +1,5 @@ title: Potential CCleanerReactivator.DLL Sideloading -id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 +id: 3735d5ac-d770-4da0-99ff-156b180bc600 status: experimental description: Detects potential DLL sideloading of "CCleanerReactivator.dll" references: diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index 1dd1d2956..8c905459c 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml @@ -1,4 +1,4 @@ -title: Suspicious Ping/Del Command Combination +title: Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 status: experimental description: Detects uncommon one liner command having ping and copy at the same time usually used by malware. diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml index 52f6125c0..67a576899 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_set_rule.yml @@ -1,5 +1,5 @@ title: Firewall Rule Update Via Netsh.EXE -id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c +id: a70dcb37-3bee-453a-99df-d0c683151be6 status: test description: Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule references: 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml index dae6f0106..7c7e6f8ba 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml @@ -33,7 +33,7 @@ detection: - '\*.lnk' - '-Recurse' - '-Skip ' - condition: selection + condition: all of selection_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml index f9c7854c1..fafa963f9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml @@ -1,7 +1,7 @@ title: Suspicious Process Execution From Fake Recycle.Bin Folder id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 related: - - id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27 + - id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca type: derived status: experimental description: Detects process execution from a fake recycle bin folder, often used to avoid security solution. From a97c96aacca712627222081491db6e6b71ecaf2c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 24 Jul 2023 11:01:02 +0200 Subject: [PATCH 5/8] fix: fp --- .../image_load/image_load_side_load_ccleaner_du.yml | 2 +- .../proc_creation_win_susp_ntfs_short_name_use_image.yml | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml index 5a640660d..3f765ec96 100644 --- a/rules/windows/image_load/image_load_side_load_ccleaner_du.yml 
+++ b/rules/windows/image_load/image_load_side_load_ccleaner_du.yml @@ -1,5 +1,5 @@ title: Potential CCleanerDU.DLL Sideloading -id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57 +id: 1fbc0671-5596-4e17-8682-f020a0b995dc status: experimental description: Detects potential DLL sideloading of "CCleanerDU.dll" references: diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index 12ca905aa..2da8f1014 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -49,13 +49,8 @@ detection: ParentImage|endswith: '\thor\thor64.exe' filter_optional_winzip: Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE' - filter_optional_vstudio: - Image|startswith: - - 'C:\Program Files (x86)\Microsoft Visual Studio\' - - 'C:\Program Files\Microsoft Visual Studio\' - Image|endswith: - - '\vcredist_x64.exe' - - '\vcredist_x86.exe' + filter_optional_vcred: + Image|endswith: '\vcredist\VCREDI~1.EXE' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Software Installers From 72b658b4c2204522c5d0e84dac2551c37801c7f9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 24 Jul 2023 11:44:59 +0200 Subject: [PATCH 6/8] Update proc_creation_win_susp_ntfs_short_name_use_image.yml --- .../proc_creation_win_susp_ntfs_short_name_use_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml index 2da8f1014..cb59f01fa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml @@ -50,7 +50,7 @@ detection: filter_optional_winzip: Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE' filter_optional_vcred: - Image|endswith: '\vcredist\VCREDI~1.EXE' + Image|endswith: '\VCREDI~1.EXE' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Software Installers From ad0d3f58ac3e13f3fbbdcd7d337beef92de9ee47 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 24 Jul 2023 12:35:11 +0200 Subject: [PATCH 7/8] fix: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../file_event_win_susp_recycle_bin_fake_exec.yml | 2 +- .../posh_ps_win32_nteventlogfile_usage.yml | 2 +- .../proc_creation_win_cmd_ping_copy_combined_execution.yml | 2 +- .../proc_creation_win_curl_insecure_connection.yml | 2 +- .../proc_creation_win_findstr_susp_parent.yml | 4 ++-- .../proc_creation_win_powershell_decrypt_pattern.yml | 6 +++++- .../proc_creation_win_susp_nteventlogfile_usage.yml | 2 +- .../proc_creation_win_werfault_reflect_debugger_exec.yml | 4 +++- .../registry_set_persistence_reflectdebugger.yml | 2 +- 9 files changed, 16 insertions(+), 10 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml index e09b1a744..687d2721a 100644 --- a/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml +++ b/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml 
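Review bot: `filter_optional_vcred` now matches on the bare short name `Image|endswith: '\VCREDI~1.EXE'` with no directory or parent constraint, so any file whose long name starts with `vcredi` (a dropper saved as `vcredist_anything.exe` in a user-writable folder) receives the same 8.3 alias and is silently excluded. Since the filter exists to suppress Visual C++ redistributable installers, pairing it with a parent-process or path constraint would keep the allowlist from being satisfiable by file naming alone; if the redistributable is launched from too many locations to enumerate, at least record the weakness with `# Short name of vcredist_*.exe; name-only allowlist, bypassable by naming — tune per environment`.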
@@ -4,7 +4,7 @@ related: - id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0 type: derived status: experimental -description: Detects file write event from/to a fake recycle bin folder that's often used as a staging directory for malware +description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware references: - https://www.mandiant.com/resources/blog/infected-usb-steal-secrets author: X__Junior (Nextron Systems) diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml index 475f0df2d..db275c86f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_nteventlogfile_usage.yml @@ -1,4 +1,4 @@ -title: Potential Suspicious Call To Win32_NTEventlogFile Class - PSScript +title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript id: e2812b49-bae0-4b21-b366-7c142eafcde2 status: experimental description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml index 8c905459c..ce960abcb 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml 
@@ -1,7 +1,7 @@ title: Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 status: experimental -description: Detects uncommon one liner command having ping and copy at the same time usually used by malware. +description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. references: - Internal Research author: X__Junior (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml index 8c1c4314e..b7363a7ec 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml @@ -20,5 +20,5 @@ detection: - CommandLine|contains: '--insecure' condition: all of selection_* falsepositives: - - Unknown + - Access to badly maintained internal or development systems level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml index 7fcb19470..ee2b569a4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_susp_parent.yml 
@@ -1,10 +1,10 @@ -title: Potential Suspicious Findstr.EXE Execution +title: Potentially Suspicious Findstr.EXE Execution id: ccb5742c-c248-4982-8c5c-5571b9275ad3 related: - id: fe63010f-8823-4864-a96b-a7b4a0f7b929 type: derived status: experimental -description: Detects execution of "findstr" as a child process of potentially suspicious parent command line. This is often the case when "findstr" is used to filter out the results of certain recon commands such as "tasklist" or "ipconfig /all" +description: Detects execution of "findstr" as a child process of potentially suspicious parent command lines. This is often the case when "findstr" is used to filter out the results of certain reconnaissance commands such as "tasklist" or "ipconfig /all" references: - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml index 7c7e6f8ba..551845bcd 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_decrypt_pattern.yml @@ -1,7 +1,7 @@ title: PowerShell Execution With Potential Decryption Capabilities id: 434c08ba-8406-4d15-8b24-782cb071a691 status: experimental -description: Detects powershell command that decrypts an ".LNK" "file to drop next stage of the malware. +description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware. references: - https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) 
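Review bot: The rewritten description of `proc_creation_win_powershell_decrypt_pattern.yml` still carries a stray quotation mark before `file` (`an ".LNK" "file to drop`), and this wording-only hunk was the place to fix it. Suggested line: `description: Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.`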
@@ -23,10 +23,14 @@ detection: CommandLine|contains: - "Get-ChildItem " - "dir " + - "gci " + - "ls " selection_cli_gc: CommandLine|contains: - "Get-Content " - "gc " + - 'cat ' + - 'type ' selection_cli_specific: CommandLine|contains|all: - ' ^| ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml index f51203de9..7fef7623c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_nteventlogfile_usage.yml @@ -1,4 +1,4 @@ -title: Potential Suspicious Call To Win32_NTEventlogFile Class +title: Potentially Suspicious Call To Win32_NTEventlogFile Class id: caf201a9-c2ce-4a26-9c3a-2b9525413711 related: - id: e2812b49-bae0-4b21-b366-7c142eafcde2 diff --git a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml index 9dcdba70e..e0e058805 100644 --- a/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml @@ -4,7 +4,7 @@ related: - id: 0cf2e1c6-8d10-4273-8059-738778f981ad type: derived status: experimental -description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in ReflectDebugger key which could be store malware path +description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ 
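Review bot: The new alias entries are bare substrings without a leading space (`"ls "`, `'cat '`, `'type '`), so they also match inside other tokens (`tools `, `Desktop\type `), unlike the `' gp '` alias added to the schtasks rule in the same series, which anchors with a leading space; the strict `selection_cli_specific` keeps the false-positive impact low, but `' ls '`, `' cat '` and `' type '` would be consistent and cheaper to evaluate. The list also mixes double-quoted (`"gci "`) and single-quoted (`'cat '`) scalars in one sequence; the other rules touched here use single quotes throughout, so I would normalise to that.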
@@ -12,6 +12,8 @@ author: X__Junior (Nextron Systems) date: 2023/06/30 tags: - attack.execution + - attack.defense_evasion + - attack.t1036 logsource: product: windows category: process_creation diff --git a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml index a11cc6107..791736e43 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml @@ -4,7 +4,7 @@ related: - id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd type: derived status: experimental -description: Detects Potential WerFault "ReflectDebugger" registry value abuse for persistence. +description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. references: - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html - https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ From e1d07780b384e649d4432759eedd124a158421b4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 24 Jul 2023 14:08:45 +0200 Subject: [PATCH 8/8] fix: fp --- .github/workflows/known-FPs.csv | 2 +- .../image_load/image_load_side_load_abused_dlls_susp_paths.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 8bbadc1d7..dc9a50d74 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
@@ -58,4 +58,4 @@ a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.* 0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.* e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.* -ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;.* +ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe diff --git a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml index 4ab414cb0..4546a4b9d 100644 --- a/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml +++ b/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml @@ -32,7 +32,7 @@ detection: - ImageLoaded|contains|all: - ':\Users\' - '\Favorites\' - - CommandLine|contains|all: + - ImageLoaded|contains|all: - ':\Users\' - '\Favourites\' - ImageLoaded|contains|all:
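Review bot: The updated `known-FPs.csv` line still carries the old rule title `Potential Suspicious Findstr.EXE Execution`, while the rule itself was renamed to `Potentially Suspicious Findstr.EXE Execution` earlier in this series; if the CI check compares on title as well as ID, the suppression silently stops applying. Update the line to `ccb5742c-c248-4982-8c5c-5571b9275ad3;Potentially Suspicious Findstr.EXE Execution;httpd\.exe`. Narrowing the pattern from `.*` to `httpd\.exe` is the right direction compared to the blanket suppression it replaces.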