From 0d92b047ff7362c3da746372c89767074d99ade6 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 12:11:33 +0200
Subject: [PATCH 01/17] Update proc_creation_win_susp_powershell_webclient_casing.yml
---
 .../proc_creation_win_susp_powershell_webclient_casing.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
index 9be7d753c..121072559 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml
@@ -1,7 +1,7 @@
 title: Net WebClient Casing Anomalies
 id: c86133ad-4725-4bd0-8170-210788e0a7ba
 status: experimental
-description: Detects PowerShell command line contents that include a suspicious anormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
+description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
 author: Florian Roth
 references:
 - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
From 7b0eb71563ab5b9e8a3ea64c74632c0869a8a3a8 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:44:19 +0200
Subject: [PATCH 02/17] Update proc_creation_win_vmtoolsd_susp_child_process.yml
---
 .../proc_creation_win_vmtoolsd_susp_child_process.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml
index 983f106e4..a6680c84f 100644
--- a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml
@@ -46,5 +46,5 @@ fields:
 - ParentCommandLine
 - Details
 falsepositives:
- - Legitimate use by adminstrator
-level: high
\ No newline at end of file
+ - Legitimate use by administrator
+level: high
From 86876adad454097386fa9b0c978b8c40bd2becd7 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:45:00 +0200
Subject: [PATCH 03/17] Update proc_creation_win_cmd_dosfuscation.yml
---
 .../process_creation/proc_creation_win_cmd_dosfuscation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
index 9606d2246..a4b11d9c2 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
@@ -1,7 +1,7 @@
 title: Suspicious Dosfuscation Character in Commandline
 id: a77c1610-fc73-4019-8e29-0f51efc04a51
 status: experimental
-description: Posssible Payload Obfuscation
+description: Possible Payload Obfuscation
 references:
 - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
 author: frack113
From eb572e8b0cbe3dd0a517007ad7af981239fea4e2 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:45:49 +0200
Subject: [PATCH 04/17] Update proc_creation_win_wpbbin_persistence.yml
---
 .../process_creation/proc_creation_win_wpbbin_persistence.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml b/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
index 46cd7039d..a011b951a 100644
--- a/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml
@@ -1,7 +1,7 @@
 title: UEFI Persistence Via Wpbbin - ProcessCreation
 id: 4abc0ec4-db5a-412f-9632-26659cddf145
 status: experimental
-description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the refernece section
+description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
 author: Nasreddine Bencherchali
 date: 2022/07/18
 references:
From 6494e185cfacb6ff8fbe177acc0588002e148566 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:46:34 +0200
Subject: [PATCH 05/17] Update image_load_vmware_xfer_load_dll_from_nondefault_path.yml
---
 .../image_load_vmware_xfer_load_dll_from_nondefault_path.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
index f9f83f2cb..ad050897f 100644
--- a/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
+++ b/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml
@@ -1,7 +1,7 @@
 title: VMware Xfer Loading DLL from Nondefault Path
 id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
 status: experimental
-description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitary DLL
+description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
 author: Nasreddine Bencherchali
 date: 2022/08/02
 references:
From 7c0bd62e9f885c4608197408c6d07c98f77b6a77 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:47:44 +0200
Subject: [PATCH 06/17] Update proc_creation_win_cmd_redirection_susp_folder.yml
---
 .../proc_creation_win_cmd_redirection_susp_folder.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index f3b809227..734fa9286 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -1,7 +1,7 @@
 title: Suspicious CMD Shell Redirect
 id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
 status: experimental
-description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicous location
+description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location
 author: Nasreddine Bencherchali
 references:
 - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
From 351d8bcc4003af37739c1b6d98f7efa7ad4176f1 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:48:29 +0200
Subject: [PATCH 07/17] Update proc_creation_win_wmic_unquoted_service_search.yml
---
 .../proc_creation_win_wmic_unquoted_service_search.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
index d4bef6f01..246f3dd1e 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
@@ -1,7 +1,7 @@
 title: WMIC Unquoted Services Path Lookup
 id: 68bcd73b-37ef-49cb-95fc-edc809730be6
 status: experimental
-description: Detects wmic known recon method to look for unquoted serivce paths, often used by pentest and attackers enum scripts
+description: Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts
 author: Nasreddine Bencherchali
 references:
 - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
From 86b448b71539897b11247fff377f9b1aaf2b29d4 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:49:17 +0200
Subject: [PATCH 08/17] Update proc_creation_win_lolbin_register_app.yml
---
 .../process_creation/proc_creation_win_lolbin_register_app.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
index da9b987dc..fea4425d8 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml
@@ -19,5 +19,5 @@ detection:
 - '-register'
 condition: selection
 falsepositives:
- - Legitimate usage of the script. Always investigate what's being registred to confirm if it's benign
+ - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
 level: medium
From 8a9d63bba1319e389cf0d43a13a848d6be083aea Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:50:04 +0200
Subject: [PATCH 09/17] Update proc_creation_win_wmic_remote_service.yml
---
 .../process_creation/proc_creation_win_wmic_remote_service.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
index 0b43dc39f..f9811671d 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
@@ -5,7 +5,7 @@ description: |
 An adversary might use WMI to check if a certain Remote Service is running on a remote device.
 When the test completes, a service information will be displayed on the screen if it exists.
 A common feedback message is that "No instance(s) Available" if the service queried is not running.
- A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable
+ A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
 author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
From cb4f834845d470fe827199f62110020e2b5f1ccc Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 18:53:22 +0200
Subject: [PATCH 10/17] Update posh_ps_nishang_malicious_commandlets.yml
Typo in detection : https://github.com/samratashok/nishang/blob/master/Utility/Add-Persistence.ps1
---
 .../posh_ps_nishang_malicious_commandlets.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index d3da6ecfd..e0aabdbb1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -3,7 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 date: 2019/05/16
-modified: 2021/10/16
+modified: 2022/08/29
 references:
 - https://github.com/samratashok/nishang
 tags:
@@ -66,7 +66,7 @@ detection:
 - Invoke-PSGcat
 - Invoke-PsGcatAgent
 - Remove-PoshRat
- - Add-Persistance
+ - Add-Persistence
 - ExetoText
 - Invoke-Decode
 - Invoke-Encode
From 63ea4d7fb6303bb6a731d4693e5189210da725d7 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:10:25 +0200
Subject: [PATCH 11/17] Update registry_set_fax_dll_persistance.yml
---
 .../registry/registry_set/registry_set_fax_dll_persistance.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
index 0cc577013..7b1dd6c2c 100644
--- a/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
+++ b/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml
@@ -1,6 +1,6 @@
 title: Change the Fax Dll
 id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
-description: Detect possible persistance using Fax DLL load when service restart
+description: Detect possible persistence using Fax DLL load when service restart
 status: experimental
 references:
 - https://twitter.com/dottor_morte/status/1544652325570191361
From 277032b460bc6e8488b779413cadbe780869c62f Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:11:29 +0200
Subject: [PATCH 12/17] Update registry_set_mpnotify_persistence.yml
---
 .../registry/registry_set/registry_set_mpnotify_persistence.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
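Review bot: `Remove-Persistence`, the Nishang Utility script that undoes what `Add-Persistence` installs, does not appear next to the corrected entry in the `@@ -66,7` hunk; if it is not already in the keyword list outside this hunk, adding `- Remove-Persistence` beside it would also catch an operator cleaning up the same persistence. The correction itself is a real detection fix rather than wording: the misspelled keyword could never match Nishang's actual cmdlet name, so this list entry was effectively dead until now. Bumping `modified` in the first hunk is the right accompanying change. The keyword list begins and ends outside the hunk, so the rest of it is worth a pass for the same kind of slip.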
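Review bot: The new `description` line in the fax-DLL hunk is still ungrammatical after the spelling fix (`Detect possible persistence using Fax DLL load when service restart`); suggest `Detects possible persistence via a modified Fax service DLL path in the registry, which is loaded when the Fax service restarts`, which also follows the repository's habit of opening descriptions with `Detects`. The path in the `diff --git` header, `registry_set_fax_dll_persistance.yml`, keeps the very misspelling this commit corrects in the body, so either rename the file in the same change (after checking nothing references the old name) or note why it stays. Unlike the Nishang fix in this series, no `modified` date is bumped here; if the project expects one for every rule change, add it for consistency.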
diff --git a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
index 2a49eed33..07e929f64 100644
--- a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
@@ -16,7 +16,7 @@ detection:
 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
 condition: selection
 falsepositives:
- - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurence in an environment and should be investigated either way
+ - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
 level: high
 tags:
 - attack.persistence
From a693e181ff8d75a7881e97885b955e76382d8ede Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:12:10 +0200
Subject: [PATCH 13/17] Update registry_set_disable_uac_registry.yml
---
 .../registry/registry_set/registry_set_disable_uac_registry.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
index 9c24bb969..99a22abb6 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
@@ -1,6 +1,6 @@
 title: Disable UAC Using Registry
 id: 48437c39-9e5f-47fb-af95-3d663c3f2919
-description: Detects when an attacker tries to disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+description: Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
 author: frack113
 date: 2022/01/05
 modified: 2022/08/06
From 691aae2638666ff2a1c621af0203bcfa7f4e5c7f Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:13:14 +0200
Subject: [PATCH 14/17] Update proc_creation_win_ntfs_short_name_path_use_image.yml
---
 .../proc_creation_win_ntfs_short_name_path_use_image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
index caf2feb2b..dae3b3927 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
@@ -4,7 +4,7 @@ related:
 - id: 349d891d-fef0-4fe4-bc53-eee623a15969
 type: similar
 status: experimental
-description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection
+description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
 author: frack113, Nasreddine Bencherchali
 references:
 - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
From 8dbeedf7282c70e3368ff8f396cb232803147366 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:14:47 +0200
Subject: [PATCH 15/17] Update file_event_win_powershell_startup_shortcuts.yml
---
 .../file_event/file_event_win_powershell_startup_shortcuts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
index 4a4f81d67..066435f42 100644
--- a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -24,5 +24,5 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
- - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
+ - Depending on your environment accepted applications may leverage this at times. It is recomended to search for recommended inidicative of malware.
 level: high
From 6c42bfb64bdb214919644c404cb1d29eb388bb2e Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:15:54 +0200
Subject: [PATCH 16/17] Update file_event_win_powershell_startup_shortcuts.yml
---
 .../file_event/file_event_win_powershell_startup_shortcuts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
index 066435f42..621b861c0 100644
--- a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
@@ -24,5 +24,5 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
- - Depending on your environment accepted applications may leverage this at times. It is recomended to search for recommended inidicative of malware.
+ - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
 level: high
From 9db9d25b6821c5ec109aa2468b298c45b7d3996e Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Mon, 29 Aug 2022 20:16:41 +0200
Subject: [PATCH 17/17] Update file_event_win_susp_winword_startup.yml
---
 .../windows/file_event/file_event_win_susp_winword_startup.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_win_susp_winword_startup.yml b/rules/windows/file_event/file_event_win_susp_winword_startup.yml
index d14ac6027..996f384f5 100644
--- a/rules/windows/file_event/file_event_win_susp_winword_startup.yml
+++ b/rules/windows/file_event/file_event_win_susp_winword_startup.yml
@@ -1,4 +1,4 @@
-title: Creation In User Word Statup Folder
+title: Creation In User Word Startup Folder
 id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
 status: experimental
 description: Detects the creation of an file in user Word Startup
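Review bot: The added `falsepositives` line in PATCH 16 still carries the misspelling `inidicative`, so the sentence this second pass was meant to repair is not yet clean; it should read `- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies indicative of malware.` PATCH 15 in the same series introduced the garbled intermediate text `search for recommended inidicative of malware` that this hunk removes; squashing the two commits would keep that broken wording out of history. The `detection` block named in the hunk header starts outside the hunk.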
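Review bot: The `description` context line directly under the corrected title in the winword-startup hunk still reads `Detects the creation of an file in user Word Startup`, which a typo-fixing commit should pick up in the same pass; suggest `description: Detects the creation of a file in the user's Word Startup folder`. The remainder of the rule continues outside the hunk.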