Dev

rules/windows/file_event/file_event_win_wmiexec_default_filename.yml

@@ -0,0 +1,21 @@
+title: Wmiexec Default Output File
+id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
+status: experimental
+description: Detects the creation of the default output filename used by the wmicexec tool
+author: Nasreddine Bencherchali
+date: 2022/06/02
+references:
+    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
+tags:
+    - attack.lateral_movement
+    - attack.t1047
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|re: '__\d{10}\.\d{1,7}'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: critical

rules/windows/file_event/file_event_win_writing_local_admin_share.yml

@@ -2,8 +2,8 @@ title: Writing Local Admin Share
 id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
 status: experimental
 description: |
-  Aversaries may use to interact with a remote network share using Server Message Block (SMB).
-  This technique is used by post-exploitation frameworks.
+    Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+    This technique is used by post-exploitation frameworks.
 author: frack113
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share

rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml

@@ -1,29 +1,31 @@
 title: WMIExec VBS Script
 id: 966e4016-627f-44f7-8341-f394905c361f
 status: test
-description: Detects suspicious file execution by wscript and cscript
+description: Detects wmiexec vbs version execution by wscript or cscript
 author: Florian Roth
 references:
-  - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 date: 2017/04/07
-modified: 2021/11/27
+modified: 2022/09/08
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    Image|endswith: '\cscript.exe'
-    CommandLine|contains|all:
-      - '.vbs'
-      - '/shell'
-  condition: selection
+    selection:
+        Image|endswith:
+            - '\cscript.exe'
+            - '\wscript.exe'
+        CommandLine|contains|all:
+            - '.vbs'
+            - '/shell'
+    condition: selection
 fields:
-  - CommandLine
-  - ParentCommandLine
+    - CommandLine
+    - ParentCommandLine
 falsepositives:
-  - Unlikely
+    - Unlikely
 level: high
 tags:
-  - attack.execution
-  - attack.g0045
-  - attack.t1059.005
+    - attack.execution
+    - attack.g0045
+    - attack.t1059.005

rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml

@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 author: pH-T
 related:
-  - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
-    type: similar
+    - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+      type: similar
 date: 2022/05/31
 tags:
     - attack.execution
@@ -15,26 +15,26 @@ tags:
 references:
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    CommandLine|contains:
-      # Invoke-BloodHound
-      - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
-      - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
-      - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
-      # Invoke-Mimikatz
-      - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
-      - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
-      - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
-      # Invoke-WMIExec
-      - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
-      - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
-      - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
-  condition: selection
+    selection:
+        CommandLine|contains:
+            # Invoke-BloodHound
+            - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+            - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+            - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+            # Invoke-Mimikatz
+            - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+            - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+            - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+            # Invoke-WMIExec
+            - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+            - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+            - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+    condition: selection
 fields:
-  - CommandLine
+    - CommandLine
 falsepositives:
-  - Unlikely
-level: high
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml

@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell 'Invoke-' call
 author: pH-T
 related:
-  - id: fd6e2919-3936-40c9-99db-0aa922c356f7
-    type: similar
+    - id: fd6e2919-3936-40c9-99db-0aa922c356f7
+      type: similar
 date: 2022/05/20
 tags:
     - attack.execution
@@ -15,32 +15,32 @@ tags:
 references:
     - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    CommandLine|contains:
-      # Invoke-
-      - 'SQBuAHYAbwBrAGUALQ'
-      - 'kAbgB2AG8AawBlAC0A'
-      - 'JAG4AdgBvAGsAZQAtA'
-  filter_other_rule:  # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
-    CommandLine|contains:
-      # Invoke-BloodHound
-      - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
-      - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
-      - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
-      # Invoke-Mimikatz
-      - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
-      - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
-      - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
-      # Invoke-WMIExec
-      - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
-      - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
-      - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
-  condition: selection and not 1 of filter*
+    selection:
+        CommandLine|contains:
+            # Invoke-
+            - 'SQBuAHYAbwBrAGUALQ'
+            - 'kAbgB2AG8AawBlAC0A'
+            - 'JAG4AdgBvAGsAZQAtA'
+    filter_other_rule:  # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
+        CommandLine|contains:
+            # Invoke-BloodHound
+            - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+            - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+            - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+            # Invoke-Mimikatz
+            - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+            - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+            - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+            # Invoke-WMIExec
+            - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+            - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+            - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+    condition: selection and not 1 of filter*
 fields:
-  - CommandLine
+    - CommandLine
 falsepositives:
-  - Unlikely
-level: high
+    - Unlikely
+level: high

rules/windows/process_creation/proc_creation_win_susp_reg_add.yml

@@ -1,13 +1,13 @@
-title: Reg Add Suspicious Path To AppDataLow
+title: Reg Add Suspicious Paths
 id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
 status: experimental
-description: Detects when an adversary uses the 'AppDataLow' subkeys as a place to store data as seen in the URSNIF phishing campaign
+description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
     - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
-author: frack113
+author: frack113, Nasreddine Bencherchali
 date: 2022/08/19
-modified: 2022/08/20
+modified: 2022/09/08
 logsource:
     category: process_creation
     product: windows
@@ -17,9 +17,10 @@ detection:
         - OriginalFileName: 'reg.exe'
     selection_path:
         CommandLine|contains:
-            - '\Software\AppDataLow\Software\Microsoft\'
-            - '\Software\Policies\Microsoft\Windows\OOBE'
-            - '\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
+            - '\AppDataLow\Software\Microsoft\'
+            - '\Policies\Microsoft\Windows\OOBE'
+            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
+            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
     condition: all of selection_*
 falsepositives:
     - Legitimate use

rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml

@@ -0,0 +1,27 @@
+title: Suspicious Get Local Groups Information with WMIC
+id: 164eda96-11b2-430b-85ff-6a265c15bf32
+status: experimental
+description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
+references:
+    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+author: Nasreddine Bencherchali
+date: 2022/09/08
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\wmic.exe'
+        - OriginalFileName: 'wmic.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' computersystem '
+            - ' get '
+    condition: all of selection*
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.discovery
+    - attack.execution
+    - attack.t1047