diff --git a/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml
new file mode 100644
index 000000000..e65d0b42c
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_wmiexec_default_filename.yml
@@ -0,0 +1,21 @@
+title: Wmiexec Default Output File
+id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
+status: experimental
+description: Detects the creation of the default output filename used by the wmicexec tool
+author: Nasreddine Bencherchali
+date: 2022/06/02
+references:
+ - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
+tags:
+ - attack.lateral_movement
+ - attack.t1047
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|re: '__\d{10}\.\d{1,7}'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
index 380927c1f..70d5d569f 100644
--- a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
@@ -2,8 +2,8 @@ title: Writing Local Admin Share
 id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
 status: experimental
 description: |
- Aversaries may use to interact with a remote network share using Server Message Block (SMB).
- This technique is used by post-exploitation frameworks.
+ Aversaries may use to interact with a remote network share using Server Message Block (SMB).
+ This technique is used by post-exploitation frameworks.
 author: frack113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
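Review bot: The `description` line of the new wmiexec rule names the tool "wmicexec" while the title and the CrowdStrike reference are about wmiexec; it should read `description: Detects the creation of the default output filename used by the wmiexec tool`. The pattern `TargetFilename|re: '__\d{10}\.\d{1,7}'` is unanchored, so it fires on any path that contains an underscore-prefixed ten-digit number followed by a fractional part, anywhere in the name; since impacket's wmiexec writes its output file into the ADMIN$ share (the Windows directory), anchoring the expression to the end of the path and, if that location is confirmed, to the Windows directory would make the `critical` level and the `Unlikely` false-positive claim far more defensible. The `\d{1,7}` bound presumably tracks the fractional digits of the Python timestamp used for the filename; a short comment above the regex stating that origin would help the next maintainer. The `date: 2022/06/02` value also predates the other changes in this commit (2022/09/08) and may be stale.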
diff --git a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
index 3cf033ac6..f59435e26 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml
@@ -1,29 +1,31 @@
 title: WMIExec VBS Script
 id: 966e4016-627f-44f7-8341-f394905c361f
 status: test
-description: Detects suspicious file execution by wscript and cscript
+description: Detects wmiexec vbs version execution by wscript or cscript
 author: Florian Roth
 references:
- - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 date: 2017/04/07
-modified: 2021/11/27
+modified: 2022/09/08
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\cscript.exe'
- CommandLine|contains|all:
- - '.vbs'
- - '/shell'
- condition: selection
+ selection:
+ Image|endswith:
+ - '\cscript.exe'
+ - '\wscript.exe'
+ CommandLine|contains|all:
+ - '.vbs'
+ - '/shell'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unlikely
+ - Unlikely
 level: high
 tags:
- - attack.execution
- - attack.g0045
- - attack.t1059.005
+ - attack.execution
+ - attack.g0045
+ - attack.t1059.005
diff --git a/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
index 7aa6fba00..a23d17ab2 100644
--- a/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml
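Review bot: The rewritten `selection` in the cloudhopper hunk still identifies the interpreter only through `Image|endswith`, so a copy of cscript.exe or wscript.exe renamed to anything else is not seen, even though the same commit's reg_add rule already pairs `Image|endswith` with an `OriginalFileName` alternative. Splitting the image match into its own selection with the PE `OriginalFileName` values `cscript.exe` and `wscript.exe`, and keeping the command-line strings in a second selection joined by `all of selection_*`, closes that gap without changing what the rule matches today. The `'/shell'` substring is short and the description now says the rule is specific to the wmiexec.vbs variant, so a one-line comment above it naming the wmiexec.vbs switch it targets would make the intent reviewable.

```yaml
detection:
    selection_img:
        - Image|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
        - OriginalFileName:
            - 'cscript.exe'
            - 'wscript.exe'
    selection_cli:
        CommandLine|contains|all:
            - '.vbs'
            - '/shell'
    condition: all of selection_*
# … unchanged: fields, falsepositives, level, tags …
```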
@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
 author: pH-T
 related:
- - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
- type: similar
+ - id: 6385697e-9f1b-40bd-8817-f4a91f40508e
+ type: similar
 date: 2022/05/31
 tags:
 - attack.execution
@@ -15,26 +15,26 @@ tags:
 references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains:
- # Invoke-BloodHound
- - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
- - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
- - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
- # Invoke-Mimikatz
- - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
- - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
- - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
- # Invoke-WMIExec
- - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
- - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
- - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
- condition: selection
+ selection:
+ CommandLine|contains:
+ # Invoke-BloodHound
+ - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+ - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+ - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+ # Invoke-Mimikatz
+ - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+ - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+ - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+ # Invoke-WMIExec
+ - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+ - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+ - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+ condition: selection
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unlikely
-level: high
\ No newline at end of file
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml
index 4a1fc1312..e5b7452db 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml
@@ -4,8 +4,8 @@ status: test
 description: Detects base64 encoded powershell 'Invoke-' call
 author: pH-T
 related:
- - id: fd6e2919-3936-40c9-99db-0aa922c356f7
- type: similar
+ - id: fd6e2919-3936-40c9-99db-0aa922c356f7
+ type: similar
 date: 2022/05/20
 tags:
 - attack.execution
@@ -15,32 +15,32 @@ tags:
 references:
 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|contains:
- # Invoke-
- - 'SQBuAHYAbwBrAGUALQ'
- - 'kAbgB2AG8AawBlAC0A'
- - 'JAG4AdgBvAGsAZQAtA'
- filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
- CommandLine|contains:
- # Invoke-BloodHound
- - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
- - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
- - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
- # Invoke-Mimikatz
- - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
- - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
- - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
- # Invoke-WMIExec
- - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
- - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
- - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
- condition: selection and not 1 of filter*
+ selection:
+ CommandLine|contains:
+ # Invoke-
+ - 'SQBuAHYAbwBrAGUALQ'
+ - 'kAbgB2AG8AawBlAC0A'
+ - 'JAG4AdgBvAGsAZQAtA'
+ filter_other_rule: # already covered in fd6e2919-3936-40c9-99db-0aa922c356f7
+ CommandLine|contains:
+ # Invoke-BloodHound
+ - 'SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA'
+ - 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA'
+ - 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA'
+ # Invoke-Mimikatz
+ - 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA'
+ - 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A'
+ - 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg'
+ # Invoke-WMIExec
+ - 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA'
+ - 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw'
+ - 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA'
+ condition: selection and not 1 of filter*
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unlikely
-level: high
\ No newline at end of file
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
index e0764e923..483e68900 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
@@ -1,13 +1,13 @@
-title: Reg Add Suspicious Path To AppDataLow
+title: Reg Add Suspicious Paths
 id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
 status: experimental
-description: Detects when an adversary uses the 'AppDataLow' subkeys as a place to store data as seen in the URSNIF phishing campaign
+description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
-author: frack113
+author: frack113, Nasreddine Bencherchali
 date: 2022/08/19
-modified: 2022/08/20
+modified: 2022/09/08
 logsource:
 category: process_creation
 product: windows
@@ -17,9 +17,10 @@ detection:
 - OriginalFileName: 'reg.exe'
 selection_path:
 CommandLine|contains:
- - '\Software\AppDataLow\Software\Microsoft\'
- - '\Software\Policies\Microsoft\Windows\OOBE'
- - '\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - '\AppDataLow\Software\Microsoft\'
+ - '\Policies\Microsoft\Windows\OOBE'
+ - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
+ - '\CurrentControlSet\Control\SecurityProviders\WDigest'
 condition: all of selection_*
 falsepositives:
 - Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
new file mode 100644
index 000000000..a78ba6588
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml
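Review bot: The new `description` in the first reg_add hunk ("uses the reg.exe utility to add or modify new keys or subkeys") claims far more than the rule matches: `condition: all of selection_*` still requires one of the four `selection_path` substrings, so the rule only fires on reg.exe activity touching those specific keys. The old text at least tied the AppDataLow path to its source campaign; the replacement drops that context without saying what the new paths are for. Something like `description: Detects reg.exe adding or modifying keys under a small set of registry paths abused for data staging, persistence or credential access (AppDataLow, OOBE, Winlogon, WDigest)` would match the detection logic and keep the references meaningful; a short comment above each path naming the technique it covers would serve the same purpose in the second hunk.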
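Review bot: The WDigest entry `'\CurrentControlSet\Control\SecurityProviders\WDigest'` added in the second reg_add hunk matches every reg.exe write to that key, including hardening scripts that set the `UseLogonCredential` value to 0 to disable plaintext credential caching, which is a common and benign action in managed environments. `falsepositives: - Legitimate use` is unchanged and too vague to help a triager here; adding `- Hardening scripts that disable WDigest credential caching` names the expected benign source. If the intent is credential access rather than any change to the key, matching the value name together with the key path (or at least documenting that the rule deliberately accepts both directions) would make the `experimental` status easier to close out. The detection block continues outside the hunk, so `selection_img` is not visible here.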
@@ -0,0 +1,27 @@
+title: Suspicious Get Local Groups Information with WMIC
+id: 164eda96-11b2-430b-85ff-6a265c15bf32
+status: experimental
+description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
+references:
+ - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+author: Nasreddine Bencherchali
+date: 2022/09/08
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\wmic.exe'
+ - OriginalFileName: 'wmic.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' computersystem '
+ - ' get '
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.discovery
+ - attack.execution
+ - attack.t1047
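Review bot: The `title` of the new wmic rule, "Suspicious Get Local Groups Information with WMIC", does not describe the detection: the `description` and the `selection_cli` strings `' computersystem '` and `' get '` target computer-system property queries, not group enumeration, so the title looks carried over from another rule and should be e.g. `title: Suspicious Computer System Information Discovery Via WMIC`. `wmic computersystem get` is also a staple of inventory, helpdesk and software-deployment scripts, so `falsepositives: - Unknown` understates the noise for a `medium` rule; `- Administrative and inventory scripts querying system properties` is a more honest entry. The `condition: all of selection*` pattern with `selection_img` pairing `Image|endswith` and `OriginalFileName` is the right shape and is worth keeping consistent with the other rules in this commit.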