From d8a3ca6919318dfdb91d4bb561774c813cf57389 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 12 May 2022 23:27:48 +0100 Subject: [PATCH] Updated Rules to Use OriginalFileName --- .../proc_creation_win_esentutl_webcache.yml | 9 ++-- .../proc_creation_win_susp_vaultcmd.yml | 9 ++-- ...ation_win_susp_webdav_client_execution.yml | 10 ++-- ...proc_creation_win_susp_where_execution.yml | 4 +- .../proc_creation_win_susp_whoami.yml | 5 +- .../proc_creation_win_susp_whoami_anomaly.yml | 7 +-- ...proc_creation_win_susp_winrm_execution.yml | 10 ++-- .../proc_creation_win_susp_wmi_execution.yml | 5 +- .../proc_creation_win_susp_wsl_lolbin.yml | 10 ++-- .../proc_creation_win_susp_wuauclt.yml | 10 ++-- ...proc_creation_win_susp_wuauclt_cmdline.yml | 11 ++-- .../proc_creation_win_suspicious_ad_reco.yml | 9 ++-- .../proc_creation_win_uac_cmstp.yml | 10 ++-- .../proc_creation_win_uac_wsreset.yml | 4 +- ..._creation_win_using_sc_to_hide_sevices.yml | 4 +- ...eation_win_vmtoolsd_susp_child_process.yml | 16 +++--- .../proc_creation_win_webshell_detection.yml | 50 ++++++++++++------- .../proc_creation_win_whoami_as_priv_user.yml | 9 ++-- .../proc_creation_win_whoami_as_system.yml | 12 +++-- .../proc_creation_win_whoami_priv.yml | 9 ++-- ...roc_creation_win_win10_sched_task_0day.yml | 8 +-- ...proc_creation_win_wmi_spwns_powershell.yml | 10 ++-- .../proc_creation_win_wmic_reconnaissance.yml | 15 +++--- .../proc_creation_win_wmic_remote_command.yml | 13 +++-- .../proc_creation_win_wmic_remote_service.yml | 11 ++-- ...c_creation_win_wmic_remove_application.yml | 8 +-- 26 files changed, 171 insertions(+), 107 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml index 15a863b09..4e7dbfd6f 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml 
+++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml @@ -7,16 +7,19 @@ references: - https://redcanary.com/threat-detection-report/threats/qbot/ author: frack113 date: 2022/02/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \esentutl.exe + selection_img: + - Image|endswith: '\esentutl.exe' + - OriginalFileName: 'esentutl.exe' + selection_cli: CommandLine|contains|all: - '/r ' - '\Windows\WebCache' - condition: selection + condition: all of selection* falsepositives: - Legitimate use level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml index df9664b18..349e2eaef 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml @@ -4,16 +4,19 @@ status: experimental description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe author: frack113 date: 2022/04/08 +modified: 2022/05/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\VaultCmd.exe' + selection_img: + - Image|endswith: '\VaultCmd.exe' + - OriginalFileName|contains: 'VAULTCMD.EXE' + selection_cli: CommandLine|contains: '/listcreds:' - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml index 4149781b4..9b7049047 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml 
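Review bot: `OriginalFileName: 'esentutl.exe'` in the esentutl rule's `selection_img` is the only OriginalFileName test in this patch written as an exact match; every other rule uses `|contains`. Either form matches this value, but the patch should settle on one convention, and exact match is the safer default because `contains` on a short file name also matches any OriginalFileName that merely ends with the same characters (Sigma string matching is case-insensitive, so the casing of the literal does not change that). If the convention is to be `|contains`, the line becomes `- OriginalFileName|contains: 'esentutl.exe'`; otherwise the other rules should be aligned to this one.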
+++ b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml @@ -7,15 +7,17 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/05/15 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\rundll32.exe' + selection_img: + - Image|endswith: '\rundll32.exe' + - OriginalFileName|contains: 'RUNDLL32.EXE' + selection_cli: CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml index e35eaa87e..26ea30cd8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml @@ -9,12 +9,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md author: frack113 date: 2021/12/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: where_exe: - Image|endswith: '\where.exe' + - Image|endswith: '\where.exe' + - OriginalFileName|contains: 'where.exe' where_opt: CommandLine|contains: - 'Bookmarks' diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml index 5b2ac21c6..0a08cfcc4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml 
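Review bot: `modified: 2022/05/15` in the webdav rule's header does not match the date used everywhere else in this patch (`2022/05/12`, the commit date) and should read `modified: 2022/05/12`. The whoami_anomaly rule has the opposite slip in its first hunk, where `modified: 2021/08/26` becomes `modified: 2021/05/12`, a date earlier than both the previous modification and the rule's own `date: 2021/08/12`; it should also be `modified: 2022/05/12`. Both are metadata only, but tooling that sorts or filters rules by modification date will misplace them.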
@@ -7,13 +7,14 @@ references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ date: 2018/08/13 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\whoami.exe' + - Image|endswith: '\whoami.exe' + - OriginalFileName|contains: 'whoami.exe' condition: selection falsepositives: - Admin activity diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml index f802e6ef6..17442a1e2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ author: Florian Roth date: 2021/08/12 -modified: 2021/08/26 +modified: 2021/05/12 tags: - attack.discovery - attack.t1033 @@ -17,9 +17,10 @@ logsource: product: windows detection: selection: - Image|endswith: '\whoami.exe' + - Image|endswith: '\whoami.exe' + - OriginalFileName|contains: 'whoami.exe' filter1: - ParentImage|endswith: + ParentImage|endswith: - '\cmd.exe' - '\powershell.exe' filter2: diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml index 3fc44a897..f1d4aa9ff 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml 
@@ -7,18 +7,20 @@ references: - https://twitter.com/bohops/status/994405551751815170 - https://redcanary.com/blog/lateral-movement-winrm-wmi/ date: 2020/10/07 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cscript.exe' + selection_img: + - Image|endswith: '\cscript.exe' + - OriginalFileName|contains: 'cscript.exe' + selection_cli: CommandLine|contains|all: - 'winrm' - 'invoke Create wmicimv2/Win32_' - '-r:http' - condition: selection + condition: all of selection* falsepositives: - Legitimate use for administartive purposes. Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml index 1df08c0d7..893e12dad 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml @@ -8,13 +8,14 @@ references: - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ date: 2019/01/16 -modified: 2022/01/07 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\wmic.exe' + - Image|endswith: '\wmic.exe' + - OriginalFileName|contains: 'wmic.exe' selection2: CommandLine|contains|all: - 'process' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml index ca60aca3d..d64fed803 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml 
@@ -6,17 +6,19 @@ author: 'oscd.community, Zach Stanford @svch0st' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ date: 2020/10/05 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\wsl.exe' + selection_img: + - Image|endswith: '\wsl.exe' + - OriginalFileName|contains: 'wsl.exe' + selection_cli: CommandLine|contains: - ' -e ' - ' --exec ' - condition: selection + condition: all of selection* falsepositives: - Automation and orchestration scripts may use this method execute scripts etc level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml index 47969d52a..5acea5c92 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/11/18 +modified: 2022/05/12 tags: - attack.command_and_control - attack.execution @@ -16,17 +16,19 @@ logsource: product: windows category: process_creation detection: - selection: + selection_cli: CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - '.dll' - Image|endswith: '\wuauclt.exe' + selection_img: + - Image|endswith: '\wuauclt.exe' + - OriginalFileName|contains: 'wuauclt.exe' filter: CommandLine|contains: - ' /ClassId ' - ' wuaueng.dll ' - condition: selection and not filter + condition: all of selection* and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml index 9b89cc9c4..fe0f33894 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml @@ -6,14 +6,17 @@ author: Florian Roth references: - https://redcanary.com/blog/blackbyte-ransomware/ date: 2022/02/26 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\Wuauclt.exe' - CommandLine|endswith: '\Wuauclt.exe' - condition: selection + selection_img: + - Image|endswith: '\Wuauclt.exe' + - OriginalFileName|contains: 'Wuauclt.exe' + selection_cli: + CommandLine|endswith: '\Wuauclt.exe' + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml index 9723e3670..72df4555e 100644 --- a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml +++ b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml @@ -9,14 +9,17 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md author: frack113 date: 2021/12/12 +modified: 2022/05/12 logsource: product: windows category: process_creation detection: - test_5: - Image|endswith: '\wmic.exe' + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains: ' group' - condition: test_5 + condition: all of selection* falsepositives: - Unknown level: low diff --git a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml index fcf0bf8be..6598f6956 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml 
@@ -7,17 +7,19 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cmstp.exe' + selection_img: + - Image|endswith: '\cmstp.exe' + - OriginalFileName|contains: 'CMSTP.EXE' + selection_cli: CommandLine|contains: - '/s' - '/au' - condition: selection + condition: all of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml index 877ffb1b4..844b99aa1 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml @@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd references: - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows @@ -14,7 +14,7 @@ detection: selection: ParentImage|endswith: '\wsreset.exe' filter: - Image|endswith: '\conhost.exe' + OriginalFileName|contains: 'CONHOST.EXE' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml index ebc8bf7af..9c9b7c07d 100644 --- a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml 
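Review bot: The wsreset rule's `filter` now reads `OriginalFileName|contains: 'CONHOST.EXE'` and the `Image|endswith: '\conhost.exe'` test is gone, so on a log source that does not populate OriginalFileName (Security 4688 process creation, for instance) the filter never matches and every conhost.exe spawned under wsreset.exe will alert. Elsewhere in this patch the two fields are offered as alternatives in a list, and the filter should follow the same pattern: `filter:` / `- Image|endswith: '\conhost.exe'` / `- OriginalFileName|contains: 'CONHOST.EXE'`. The same replacement-instead-of-addition happens in the vmtoolsd rule's `selection` (the whole `Image|endswith` list becomes an `OriginalFileName|contains` list) and in the webshell rule's `susp_net_utility`, `susp_ping_utility` and `susp_wmic_utility`; there the effect is a detection gap rather than a false positive, because those selections silently stop matching when the field is absent. Keeping the Image test alongside OriginalFileName, as a list of alternatives or a parallel selection, preserves the old coverage and adds the renamed-binary case.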
@@ -7,12 +7,14 @@ references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ date: 2021/12/20 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: sc: - Image|endswith: '\sc.exe' + - Image|endswith: '\sc.exe' + - OriginalFileName|contains: 'sc.exe' cli: CommandLine|contains|all: - 'sdset' diff --git a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml index cdecb338e..b9f86190a 100644 --- a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml @@ -8,7 +8,7 @@ tags: - attack.t1059 author: behops, Bhabesh Raj date: 2021/10/08 -modified: 2021/10/10 +modified: 2022/05/12 references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ fields: @@ -24,13 +24,13 @@ logsource: detection: selection: ParentImage|endswith: '\vmtoolsd.exe' - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\rundll32.exe' - - '\regsvr32.exe' - - '\wscript.exe' - - '\cscript.exe' + OriginalFileName|contains: + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'RUNDLL32.EXE' + - 'REGSVR32.EXE' + - 'wscript.exe' + - 'cscript.exe' filter: CommandLine|contains: - '\VMware\VMware Tools\poweron-vm-default.bat' diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml index 23695d2da..78dafb326 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml 
@@ -27,50 +27,62 @@ detection: - '\caddy.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentImage|contains: + ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - CommandLine|contains: + CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' susp_net_utility: - Image|endswith: - - '\net.exe' - - '\net1.exe' + OriginalFileName|contains: + - 'net.exe' + - 'net1.exe' CommandLine|contains: - ' user ' - ' use ' - ' group ' susp_ping_utility: - Image|endswith: '\ping.exe' + OriginalFileName|contains: 'ping.exe' CommandLine|contains: ' -n ' susp_change_dir: CommandLine|contains: - '&cd&echo' # china chopper web shell - 'cd /d ' # https://www.computerhope.com/cdhlp.htm susp_wmic_utility: - Image|endswith: '\wmic.exe' - CommandLine|contains: ' /node:' + OriginalFileName|contains: 'wmic.exe' + CommandLine|contains: ' /node:' susp_misc_discovery_binaries: - Image|endswith: + - Image|endswith: - '\whoami.exe' - '\systeminfo.exe' - '\quser.exe' - - '\ipconfig.exe' - - '\pathping.exe' - - '\tracert.exe' - - '\netstat.exe' - - '\schtasks.exe' - - '\vssadmin.exe' - - '\wevtutil.exe' - - '\tasklist.exe' + - '\ipconfig.exe' + - '\pathping.exe' + - '\tracert.exe' + - '\netstat.exe' + - '\schtasks.exe' + - '\vssadmin.exe' + - '\wevtutil.exe' + - '\tasklist.exe' + - OriginalFileName|contains: + - 'whoami.exe' + - 'sysinfo.exe' + - 'quser.exe' + - 'ipconfig.exe' + - 'pathping.exe' + - 'tracert.exe' + - 'netstat.exe' + - 'schtasks.exe' + - 'VSSADMIN.EXE' + - 'wevtutil.exe' + - 'tasklist.exe' susp_misc_discovery_commands: CommandLine|contains: - ' Test-NetConnection ' diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml index 70b93cd68..6b01133ee 100644 
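Review bot: `OriginalFileName|contains: 'net.exe'` in `susp_net_utility` and `OriginalFileName|contains: 'ping.exe'` in `susp_ping_utility` are substring tests on very short names, so they also match any OriginalFileName that ends with the same characters — `pathping.exe` contains `ping.exe`, and a name such as `telnet.exe` contains `net.exe` — whereas the removed `Image|endswith: '\ping.exe'` was anchored by the path separator. Where the value is the whole file name an exact match is the safer choice, e.g. `OriginalFileName: 'ping.exe'` and for net a two-item list under `OriginalFileName:` of `'net.exe'` and `'net1.exe'`; Sigma matching is case-insensitive, so the mixed casing in the discovery list (`'VSSADMIN.EXE'`) is harmless. The detection block starts before this hunk and the `condition` lies after it, so whether these sub-selections are ANDed with the web-server parent checks cannot be confirmed from here. This file's header is not touched, so unlike the other rules its `modified:` field is not bumped to 2022/05/12; the wmic_remove_application rule at the end of the patch has the same omission.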
--- a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml @@ -7,6 +7,7 @@ references: - https://nsudo.m2team.org/en-us/ author: Florian Roth date: 2022/01/28 +modified: 2022/05/12 tags: - attack.privilege_escalation - attack.discovery @@ -15,10 +16,12 @@ logsource: category: process_creation product: windows detection: - selection: + selection_user: User|contains: 'TrustedInstaller' - Image|endswith: '\whoami.exe' - condition: selection + selection_img: + - OriginalFileName|contains: 'whoami.exe' + - Image|endswith: '\whoami.exe' + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml index 20812efdf..20e27b851 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml @@ -6,21 +6,23 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth date: 2019/10/23 -modified: 2022/01/28 +modified: 2022/05/12 tags: - attack.privilege_escalation - - attack.discovery + - attack.discovery - attack.t1033 logsource: category: process_creation product: windows detection: - selection: + selection_user: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - Image|endswith: '\whoami.exe' - condition: selection + selection_img: + - OriginalFileName|contains: 'whoami.exe' + - Image|endswith: '\whoami.exe' + condition: all of selection* falsepositives: - Possible name overlap with NT AUHTORITY substring to cover all languages level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml index 3cd02819c..fc6c57ad4 100644 
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth date: 2021/05/05 +modified: 2022/05/12 tags: - attack.privilege_escalation - attack.discovery @@ -14,10 +15,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\whoami.exe' + selection_img: + - Image|endswith: '\whoami.exe' + - OriginalFileName|contains: 'whoami.exe' + selection_cli: CommandLine|contains: '/priv' - condition: selection + condition: all of selection* falsepositives: - Administrative activity (rare lookups on current privileges) level: high diff --git a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml index 5627d30b2..da078ae57 100644 --- a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml @@ -6,19 +6,21 @@ author: Olaf Hartong references: - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe date: 2019/05/22 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: + selection_img: Image|endswith: '\schtasks.exe' + OriginalFileName|contains: 'schtasks.exe' + selection_cli: CommandLine|contains|all: - '/change' - '/TN' - '/RU' - '/RP' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml index b82d40c70..2bf9ff4ec 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml 
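Review bot: In the schtasks rule `selection_img` is a mapping rather than a list, so `Image|endswith: '\schtasks.exe'` and `OriginalFileName|contains: 'schtasks.exe'` are ANDed: the rule now requires both fields to match, which means it no longer fires on a log source without OriginalFileName and still does not catch a renamed schtasks.exe, the opposite of what the patch intends. Every other rule in this patch writes the two as list items and this one should too: `selection_img:` / `- Image|endswith: '\schtasks.exe'` / `- OriginalFileName|contains: 'schtasks.exe'`.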
+++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml @@ -7,19 +7,21 @@ references: - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e author: Markus Neis / @Karneades date: 2019/04/03 -modified: 2021/02/24 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: + selection_parent: ParentImage|endswith: '\wmiprvse.exe' - Image|endswith: '\powershell.exe' + selection_img: + - Image|endswith: '\powershell.exe' + - OriginalFileName|contains: 'PowerShell.EXE' filter_null1: CommandLine: 'null' filter_null2: # some backends need the null value in a separate expression CommandLine: null - condition: selection and not filter_null1 and not filter_null2 + condition: all of selection* and not filter_null1 and not filter_null2 falsepositives: - AppvClient - CCM diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index de1dd67a6..21d5fa6cb 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml 
@@ -7,20 +7,23 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/01/01 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe - CommandLine|contains: - - process + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: + CommandLine|contains: + - process - qfe filter: CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` - call - - create - condition: selection and not filter + - create + condition: all of selection* and not filter falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml index f082d4db9..2eb165ae5 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml @@ -7,21 +7,24 @@ references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/03/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains|all: - '/node:' - process - call - - create - condition: selection + - create + condition: all of selection* falsepositives: - Unknown -level: medium +level: medium tags: - attack.execution - attack.t1047 
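Review bot: `- Image|endswith: \WMIC.exe` in the wmic_reconnaissance rule is left as an unquoted plain scalar while its new sibling `- OriginalFileName|contains: 'wmic.exe'` is quoted, and the same pair appears in the wmic_remote_command, wmic_remote_service and wmic_remove_application hunks. The backslash is literal in a plain scalar so the value parses correctly, but since the line is being rewritten as a list item anyway this is the moment to write it `- Image|endswith: '\WMIC.exe'`, matching the quoting used for every other Image value in the patch.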
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml index 17a29f777..eadebed2e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml @@ -7,6 +7,7 @@ description: | A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable author: frack113 +modified: 2022/05/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic @@ -15,12 +16,14 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains|all: - '/node:' - - service - condition: selection + - service + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml index a6e659657..54028776c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml @@ -10,10 +10,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains: call uninstall - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium