diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
index 6059a577c..e78d699f1 100644
--- a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml
@@ -22,5 +22,5 @@ falsepositives:
 - Certain software or administrative tasks may trigger false positives.
 level: low
 tags:
- - attack.peripheral_device_discovery
+ - attack.discovery
 - attack.t1120
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
index 177e320df..126fc2b86 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml
@@ -3,22 +3,20 @@ id: 575dce0c-8139-4e30-9295-1ee75969f7fe
 description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
 status: experimental
 references:
- - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
+ - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
 author: blueteamer8699
 date: 2022/01/03
 tags:
 - attack.discovery
- - attack.group_policy_discovery
 - attack.execution
- - attack.command_and_scripting_interpreter
- - attack.visual_basic
+ - attack.t1615
 - attack.t1059.005
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - 'cscript.exe'
 - 'gatherNetworkInfo.vbs'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
index 00ad7170e..afafb0bb6 100644
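Review bot: `modified` is not bumped in this hunk although the rule's tags change, whereas the formbook and psexec/paexec hunks in the same commit set `modified: 2022/10/06`; the cscript gatherNetworkInfo, csexec and sysmon_process_hollowing hunks have the same gap (the hollowing hunk even carries `modified: 2022/02/01` as context, and the cscript rule shows no `modified` key at all under `date: 2022/01/03`). If the project treats tag corrections as rule modifications, which the two bumped files suggest, each of these should get `modified: 2022/10/06` as well. For the fsutil and csexec rules the `modified` line lies outside the visible hunk, so it would need its own hunk.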
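Review bot: The re-emitted `CommandLine|contains|all:` selection identifies the interpreter by the substring `'cscript.exe'` in the command line rather than by the process image; Sigma process_creation rules conventionally pin the binary with `Image|endswith: '\cscript.exe'` and keep `CommandLine|contains: 'gatherNetworkInfo.vbs'` for the script name, so the match rests on the image the event actually records for the executing process. This is a point of style on lines that predate the commit, not a defect it introduces. The description line `Adversaries can abuse of ...` is context here, but its wording could be tidied in the same pass.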
--- a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
+++ b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml
@@ -4,49 +4,49 @@ status: test
 description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
 author: Florian Roth, oscd.community, Jonhnathan Ribeiro
 references:
- - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
+ - https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
+ - https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
+ - https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
+ - https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
 date: 2019/09/30
-modified: 2021/11/27
+modified: 2022/10/06
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
+ selection1:
 # Parent command line should not contain a space value
 # This avoids false positives not caused by process injection
 # e.g. wscript.exe /B sysmon-install.vbs
- ParentCommandLine|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- ParentCommandLine|endswith: '.exe'
- selection2:
- - CommandLine|contains|all:
- - '/c'
- - 'del'
- - 'C:\Users\'
- - '\AppData\Local\Temp\'
- - CommandLine|contains|all:
- - '/c'
- - 'del'
- - 'C:\Users\'
- - '\Desktop\'
- - CommandLine|contains|all:
- - '/C'
- - 'type nul >'
- - 'C:\Users\'
- - '\Desktop\'
- selection3:
- CommandLine|endswith: '.exe'
- condition: selection and selection2 and selection3
+ ParentCommandLine|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ ParentCommandLine|endswith: '.exe'
+ selection2:
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\AppData\Local\Temp\'
+ - CommandLine|contains|all:
+ - '/c'
+ - 'del'
+ - 'C:\Users\'
+ - '\Desktop\'
+ - CommandLine|contains|all:
+ - '/C'
+ - 'type nul >'
+ - 'C:\Users\'
+ - '\Desktop\'
+ selection3:
+ CommandLine|endswith: '.exe'
+ condition: all of selection*
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.develop_capabilities
- - attack.t1587.001
+ - attack.resource_development
+ - attack.t1587.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml b/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
index 1334a3a15..c8592afa3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
@@ -20,7 +20,7 @@ falsepositives:
 - Unknown
 level: high
 tags:
- - attack.develop_capabilities
+ - attack.resource_development
 - attack.t1587.001
 - attack.execution
 - attack.t1569.002
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
index 972ce610d..36bed23c8 100644
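Review bot: The comment kept above the renamed `selection1` says the parent command line "should not contain a space value", but nothing in the re-emitted selection enforces that: `ParentCommandLine|startswith` pins the `C:\Windows\System32\` / `C:\Windows\SysWOW64\` prefix and `ParentCommandLine|endswith: '.exe'` only the suffix, so a parent launched with arguments that happen to end in `.exe` still matches. If the suffix check is the intended proxy for "started without parameters", as the description's wording suggests, the comment should say so, e.g. `# endswith '.exe' stands in for "no arguments": a parent with trailing switches, or a quoted path, fails the check`. If a hard guarantee is wanted instead, a `filter` on `ParentCommandLine|contains: ' '` excluded via `and not filter` would be the Sigma-idiomatic way, but that changes matching and belongs in a separate change with its own `modified` bump.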
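Review bot: The new side of this hunk still ends with `\ No newline at end of file` after the final `- attack.t1569.002` line, so the file keeps missing its trailing newline; the psexec/paexec hunk on the next line has the same marker after its closing `- attack.t1587.001`. Since the commit already rewrites the `tags:` block in both files, adding the newline here would avoid a later whitespace-only commit and keep yamllint's `new-line-at-end-of-file` check quiet.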
--- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
@@ -1,4 +1,4 @@
-title: PsExec/PAExec Flags
+title: PsExec/PAExec Flags
 id: 207b0396-3689-42d9-8399-4222658efc99
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
@@ -8,30 +8,32 @@ references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth
 date: 2021/05/22
-modified: 2021/11/23
+modified: 2022/10/06
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_flags_1: # Escalation to LOCAL_SYSTEM
- CommandLine|endswith:
+ selection_flags_1:
+ # Escalation to LOCAL_SYSTEM
+ CommandLine|endswith:
 - ' -s cmd.exe'
 - ' -s -i cmd.exe'
 selection_flags_2:
- CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
+ # Accepting EULA in commandline - often used in automated attacks
+ CommandLine|contains|all:
 - 'accepteula'
 - ' -u '
 - ' -p '
 - ' \\'
 filter:
- CommandLine|contains:
+ CommandLine|contains:
 - 'paexec'
 - 'PsExec'
- condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+ condition: 1 of selection_flags_* and not filter
 falsepositives:
 - Weird admins that rename their tools
- - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+ - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
 level: high
 tags:
- - attack.develop_capabilities
+ - attack.resource_development
 - attack.t1587.001
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 768c43705..cd2eb1610 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -6,10 +6,11 @@ author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
 date: 2022/01/25
 modified: 2022/02/01
 references:
- - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
- - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
+ - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
+ - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
 tags:
- - attack.process_injection
+ - attack.defense_evasion
+ - attack.privilege_escalation
 - attack.t1055.012
 logsource:
 product: windows
@@ -18,7 +19,7 @@ detection:
 selection:
 Type: Image is replaced
 filters:
- Image|contains:
+ Image|contains:
 - ':\Program Files\'
 - ':\Program Files (x86)'
 Image|endswith: