Merge branch 'master' of https://github.com/SigmaHQ/sigma into pr/4367

Nasreddine Bencherchali
2023-08-15 10:34:11 +02:00
72 changed files with 1288 additions and 435 deletions
@@ -1,12 +1,12 @@
title: PsExec Pipes Artifacts
id: 9e77ed63-2ecf-4c7b-b09d-640834882028
status: test
status: deprecated
description: Detecting use PsExec via Pipe Creation/Access to pipes
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nikita Nazarov, oscd.community
date: 2020/05/10
modified: 2021/11/27
modified: 2023/08/07
tags:
- attack.lateral_movement
- attack.t1021.002
@@ -19,13 +19,13 @@ logsource:
detection:
selection:
PipeName:
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- '\userpipe' # ruag apt case
- '\iehelper' # ruag apt case
- '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
# - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- '\iehelper' # ruag apt case
- '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- '\userpipe' # ruag apt case
#- '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
condition: selection
falsepositives:
- Unknown
- Unlikely
level: critical
@@ -0,0 +1,28 @@
title: Dynamic .NET Compilation Via Csc.EXE - Hunting
id: acf2807c-805b-4042-aab9-f86b6ba9cb2b
related:
- id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
type: derived
status: experimental
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/02
tags:
- attack.defense_evasion
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
CommandLine|contains: '/noconfig /fullpaths @'
condition: selection
falsepositives:
- Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
level: medium
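Review bot: The anchor `'/noconfig /fullpaths @'` on the `CommandLine|contains` line is undocumented, and a reader tuning the rule cannot tell why that exact substring was chosen; it looks like the response-file invocation emitted by the .NET CodeDom compiler helper, but that is an inference. An inline comment would capture the intent, e.g. `CommandLine|contains: '/noconfig /fullpaths @' # Response-file invocation form generated by System.CodeDom compilation - confirm against samples`. Because `contains` is a fixed substring, any variation in argument spacing or order will not match; if that narrowness is deliberate for a hunting rule, the description should say so.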
@@ -0,0 +1,22 @@
title: Anomalous Token
id: 6555754e-5e7f-4a67-ad1c-4041c413a007
status: experimental
description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
references:
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token
- https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow'
date: 2023/08/07
tags:
- attack.t1528
- attack.credential_access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousToken'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
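Review bot: The tags `- attack.t1528` / `- attack.credential_access` list the technique before its tactic, whereas the other new rules in this commit (CSExec, RemCom, the sideloading rules) put the tactic first; swapping them to `- attack.credential_access` followed by `- attack.t1528` keeps the set consistent. The description reads like the vendor documentation text rather than a statement of what the rule matches; adding that it fires on `riskEventType: 'anomalousToken'` from the risk-detection log would help the analyst triaging the alert.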
@@ -0,0 +1,29 @@
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: experimental
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
- https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023/08/03
tags:
- attack.command_and_control
- attack.persistence
- attack.t1219
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/amazon-ssm-agent'
CommandLine|contains|all:
- '-register '
- '-code '
- '-id '
- '-region '
condition: selection
falsepositives:
- Legitimate activity of system administrators
level: medium
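Review bot: The description has a typo, `reoport` should be `report`: `description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.` Each `CommandLine|contains|all` entry carries a trailing space (`'-register '`, `'-code '`, `'-id '`, `'-region '`), presumably to avoid matching longer flag names that share the prefix; a short comment above the list stating that intent would stop a later edit from trimming them.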
@@ -28,13 +28,13 @@ detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'fgexec'
- 'dumpsvc'
- 'cachedump'
- 'mimidrv'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'servpw'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
@@ -7,7 +7,7 @@ references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019/11/01
modified: 2023/07/31
modified: 2023/08/03
tags:
- attack.credential_access
- car.2019-04-004
@@ -41,32 +41,33 @@ detection:
- '4416'
filter_specific:
ProcessName|endswith:
- '\wmiprvse.exe'
- '\taskmgr.exe'
- '\procexp64.exe'
- '\procexp.exe'
- '\lsm.exe'
- '\csrss.exe'
- '\wininit.exe'
- '\vmtoolsd.exe'
- '\GamingServices.exe'
- '\lsm.exe'
- '\MicrosoftEdgeUpdate.exe'
- '\minionhost.exe' # Cyberreason
- '\VsTskMgr.exe' # McAfee Enterprise
- '\MRT.exe' # MS Malware Removal Tool
- '\MsMpEng.exe' # Defender
- '\perfmon.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\svchost.exe'
- '\taskmgr.exe'
- '\thor.exe' # THOR
- '\thor64.exe' # THOR
- '\MicrosoftEdgeUpdate.exe'
- '\GamingServices.exe'
- '\svchost.exe'
- '\MsMpEng.exe' # Defender
- '\MRT.exe' # MS Malware Removal Tool
- '\vmtoolsd.exe'
- '\VsTskMgr.exe' # McAfee Enterprise
- '\wininit.exe'
- '\wmiprvse.exe'
- 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
ProcessName|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Windows\SysNative\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWow64\'
- 'C:\Windows\SysNative\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\Temp\asgard2-agent\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
filter_generic:
ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
filter_exact:
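Review bot: The `ProcessName|startswith` entries `'C:\Program Files (x86)\'` and `'C:\Program Files\'` inside `filter_specific` look redundant with `filter_generic`, whose `'C:\Program Files'` prefix already covers both, assuming the condition (outside this hunk) excludes `filter_generic` as its comment implies. Conversely `'C:\Windows\Temp\asgard2-agent\'` appears only in the unsorted run of the listing, which suggests it is dropped on the new side; if that is intentional it is worth stating in the commit message, since that path was an explicit allow-list entry for a specific agent. The enclosing `detection` block starts and ends outside the hunk.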
@@ -10,7 +10,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Ján Trenčanský, frack113
date: 2020/07/28
modified: 2022/08/01
modified: 2023/08/08
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -21,12 +21,15 @@ detection:
selection:
EventID: 7036
Provider_Name: 'Service Control Manager'
# Note: The service name and messages are localized
param1:
- 'Windows Defender Antivirus Service'
- 'Service antivirus Microsoft Defender' #French OS
param2: 'stopped'
param2:
- 'stopped'
- 'arrêté'
condition: selection
falsepositives:
- Administrator actions
- Auto updates of Windows Defender causes restarts
level: low
level: medium
@@ -25,13 +25,13 @@ detection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'fgexec'
- 'dumpsvc'
- 'cachedump'
- 'mimidrv'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'servpw'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
@@ -0,0 +1,26 @@
title: CSExec Service Installation
id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
status: experimental
description: Detects CSExec service installation and execution events
references:
- https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/07
tags:
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ServiceName: 'csexecsvc'
- ImagePath|endswith: '\csexecsvc.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
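Review bot: The description says `installation and execution events`, but the selection only matches `EventID: 7045` (service installation); there is no 7036 state-change selection, so execution is not covered. Either narrow the text to `description: Detects CSExec service installation events` or add a 7036 selection as the old PsExec rule had. The same mismatch exists in the RemCom service rule in this commit and in the PsExec service rule, where the commit removes the 7036 `service_execution` selection but the description keeps `installation and execution events`.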
@@ -1,11 +1,12 @@
title: Hacktool Service Registration or Execution
title: HackTool Service Registration or Execution
id: d26ce60c-2151-403c-9a42-49420d87b5e4
status: test
description: Detects PsExec service installation and execution events (service and Sysmon)
description: Detects installation or execution of services
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022/03/21
modified: 2023/08/07
tags:
- attack.execution
- attack.t1569.002
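Review bot: The new description `Detects installation or execution of services` is so generic that it no longer says what the rule is for; the selection in the next hunk of this file matches service names and image paths tied to credential-dumping, remote-execution and UAC-bypass tooling. Something like `description: Detects installation or execution of services whose name or image path matches known hacktools (WCE, winexesvc, DumpSvc, pwdump, gsecdump, cachedump, UAC-bypass PoCs)` keeps the title and body aligned and tells the analyst what to look for.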
@@ -14,22 +15,24 @@ logsource:
product: windows
service: system
detection:
service:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID:
- 7045
- 7036
selection:
- ServiceName|contains:
- 'WCESERVICE'
- 'WCE SERVICE'
- 'winexesvc'
- 'DumpSvc'
- 'pwdump'
- 'gsecdump'
selection_service_name:
ServiceName|contains:
- 'cachedump'
- ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
condition: service and selection
- 'DumpSvc'
- 'gsecdump'
- 'pwdump'
- 'UACBypassedService'
- 'WCE SERVICE'
- 'WCESERVICE'
- 'winexesvc'
selection_service_image:
ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high
@@ -0,0 +1,25 @@
title: RemCom Service Installation
id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
status: experimental
description: Detects RemCom service installation and execution events
references:
- https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/07
tags:
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ServiceName: 'RemComSvc'
- ImagePath|endswith: '\RemComSvc.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
@@ -5,7 +5,7 @@ description: Detects known malicious service installation that appear in cases i
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/25
tags:
- attack.execution
@@ -16,16 +16,16 @@ logsource:
product: windows
service: system
detection:
selection_id:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service1:
selection_service_1:
ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
selection_service2:
selection_service_2:
ServiceName:
- 'Sliver'
- 'Sliver implant'
condition: selection_id and 1 of selection_service*
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high
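Review bot: The `ImagePath|re` pattern `'^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'` is case-sensitive on `windows\temp` (Sigma `re` is case-sensitive unless the backend or a flag says otherwise) while the drive letter and the ten-character name accept both cases, so a path logged as `C:\Windows\Temp\...` would not match. Prefixing the expression with an inline flag, `ImagePath|re: '(?i)^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'`, or using the `re|i` sub-modifier where the target backend supports it, makes the match case-insensitive like the `ServiceName` selection beside it. This line is context in the hunk, so it predates the rename the commit makes.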
@@ -1,13 +1,13 @@
title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: experimental
description: Detects PsExec service installation and execution events (service and Sysmon)
description: Detects PsExec service installation and execution events
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017/06/12
modified: 2022/10/26
modified: 2023/08/04
tags:
- attack.execution
- attack.t1569.002
@@ -16,23 +16,13 @@ logsource:
product: windows
service: system
detection:
service_installation:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName: 'PSEXESVC'
ImagePath|endswith: '\PSEXESVC.exe'
service_execution:
EventID: 7036
ServiceName: 'PSEXESVC'
condition: 1 of service_*
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
selection_service:
- ServiceName: 'PSEXESVC'
- ImagePath|endswith: '\PSEXESVC.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: low
level: medium
@@ -26,13 +26,13 @@ logsource:
detection:
selection:
ImageLoaded|contains:
- 'fgexec'
- 'dumpsvc'
- 'cachedump'
- 'mimidrv'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'servpw'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
@@ -6,8 +6,12 @@ description: |
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
author: frack113
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
- https://liberty-shell.com/sec/2020/02/25/shim-persistence/
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021/12/29
modified: 2023/08/01
tags:
- attack.persistence
- attack.t1547.009
@@ -16,9 +20,10 @@ logsource:
category: file_event
detection:
selection:
TargetFilename|endswith: '.sdb'
TargetFilename|contains: '\Windows\apppatch\Custom\'
TargetFilename|contains:
- ':\Windows\apppatch\Custom\'
- ':\Windows\apppatch\CustomSDB\'
condition: selection
falsepositives:
- Unknown
- Legitimate custom SHIM installations will also trigger this rule
level: medium
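Review bot: The tag `- attack.t1547.009` does not match the technique this rule covers; the reference at the top of the hunk points to the T1546.011 atomic tests (Application Shimming), and T1547.009 is a different sub-technique (Shortcut Modification). Changing the tag to `- attack.t1546.011` aligns it with the references and the description. The tag line is context here, so the mismatch predates this commit, but the commit edits the references block directly above it.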
@@ -20,32 +20,32 @@ logsource:
detection:
selection:
- TargetFilename|contains:
- '\pwdump'
- '\fgdump-log'
- '\kirbi'
- '\pwdump'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- '\fgdump-log'
- TargetFilename|endswith:
- '\test.pwd'
- '\lsremora64.dll'
- '\lsremora.dll'
- '\fgexec.exe'
- '\wceaux.dll'
- '\SAM.out'
- '\SECURITY.out'
- '\SYSTEM.out'
- '\NTDS.out'
- '\cachedump.exe'
- '\cachedump64.exe'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\cachedump64.exe'
- '\cachedump.exe'
- '\Dumpy.exe'
- '\fgexec.exe'
- '\lsremora.dll'
- '\lsremora64.dll'
- '\NTDS.out'
- '\procdump64.exe'
- '\pstgdump.exe'
- '\pwdump.exe'
- '\SAM.out'
- '\SECURITY.out'
- '\servpw.exe'
- '\servpw64.exe'
- '\pwdump.exe'
- '\procdump64.exe'
- '\Dumpy.exe'
- '\SYSTEM.out'
- '\test.pwd'
- '\wceaux.dll'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
@@ -0,0 +1,22 @@
title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects default CSExec service filename which indicates CSExec service installation and execution
references:
- https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/04
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\csexecsvc.exe'
condition: selection
falsepositives:
- Unknown
level: medium
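Review bot: The tag `- attack.s0029` is the ATT&CK software entry for PsExec, so it does not belong on a rule that matches the CSExec service binary `\csexecsvc.exe`; the RemCom file-creation rule further down in this commit carries the same tag. Dropping the `attack.s0029` line from both, or replacing it with the software entry for the actual tool if one exists, avoids mislabelling the alert. Presumably the tag was carried over from the PsExec rule these two were modelled on.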
@@ -0,0 +1,22 @@
title: RemCom Service File Creation
id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
status: test
description: Detects default RemCom service filename which indicates RemCom service installation and execution
references:
- https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/04
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\RemComSvc.exe'
condition: selection
falsepositives:
- Unknown
level: medium
@@ -22,14 +22,6 @@ detection:
selection:
TargetFilename|endswith: '\PSEXESVC.exe'
condition: selection
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
falsepositives:
- Unknown
level: low
@@ -0,0 +1,31 @@
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: experimental
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023/08/03
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\AVKkid.dll'
filter_main_legit_path:
Image|contains:
- 'C:\Program Files (x86)\G DATA\'
- 'C:\Program Files\G DATA\'
Image|endswith: '\AVKKid.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\G DATA\'
- 'C:\Program Files\G DATA\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
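Review bot: The `Image|contains` entries `'C:\Program Files (x86)\G DATA\'` and `'C:\Program Files\G DATA\'` hard-code the `C:` drive, whereas the mfdetours rule in this commit uses the drive-agnostic `':\Program Files (x86)\...'` form; an installation on another drive would fall out of the filter and alert. Writing them as `':\Program Files (x86)\G DATA\'` and `':\Program Files\G DATA\'`, and switching `ImageLoaded|startswith` to `ImageLoaded|contains` with the same drive-agnostic prefixes, keeps the filter consistent with the rest of the set. The EACore rule in this commit has the same `C:\Program Files\Electronic Arts\EA Desktop\` hard-coding in both its `Image|contains|all` and `ImageLoaded|startswith` entries.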
@@ -0,0 +1,28 @@
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: experimental
description: Detects potential DLL sideloading of "EACore.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023/08/03
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\EACore.dll'
filter_main_legit_path:
Image|contains|all:
- 'C:\Program Files\Electronic Arts\EA Desktop\'
- '\EACoreServer.exe'
ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
@@ -0,0 +1,25 @@
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: experimental
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/03
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\mfdetours.dll'
filter_main_legit_path:
ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: medium
@@ -0,0 +1,26 @@
title: Potential Vivaldi_elf.DLL Sideloading
id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
status: experimental
description: Detects potential DLL sideloading of "vivaldi_elf.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023/08/03
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vivaldi_elf.dll'
filter_main_legit_path:
Image|endswith: '\Vivaldi\Application\vivaldi.exe'
ImageLoaded|contains: '\Vivaldi\Application\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
@@ -1,12 +1,15 @@
title: Microsoft Defender Loading DLL from Nondefault Path
title: Potential Mpclient.DLL Sideloading
id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
related:
- id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
type: similar
status: experimental
description: Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022/08/02
modified: 2022/08/17
modified: 2023/08/04
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -15,16 +18,18 @@ logsource:
category: image_load
detection:
selection:
ImageLoaded|endswith: '\mpclient.dll'
Image|endswith:
- '\MpCmdRun.exe'
- '\NisSrv.exe'
ImageLoaded|endswith: '\mpclient.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files\Windows Defender\'
filter_main_known_locations:
Image|startswith:
- 'C:\Program Files (x86)\Windows Defender\'
- 'C:\Program Files\Microsoft Security Client\'
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
condition: selection and not filter
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Very unlikely
- Unlikely
level: high
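Review bot: The rewritten filter checks only where the process runs (`Image|startswith`) and no longer where the DLL was loaded from, which the old `ImageLoaded|startswith` filter did; a Defender process in one of the listed directories that loads `mpclient.dll` from some other path would now be filtered out. Keeping both fields in `filter_main_known_locations`, so the filter only applies when process and DLL are both in a known Defender location, preserves that check. The condition `selection and not 1 of filter_main_*` stays as is.
```yaml
    filter_main_known_locations:
        Image|startswith:
            # … unchanged: the five known Defender install paths …
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
```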
@@ -1,65 +0,0 @@
title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
description: Detects non wmiprvse loading WMI modules
references:
- https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
modified: 2022/01/12
tags:
- attack.execution
- attack.t1047
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\wmiclnt.dll'
- '\WmiApRpl.dll'
- '\wmiprov.dll'
- '\wmiutils.dll'
- '\wbemcomn.dll'
- '\wbemprox.dll'
- '\WMINet_Utils.dll'
- '\wbemsvc.dll'
- '\fastprox.dll'
filter:
Image|endswith:
- '\WmiPrvSE.exe'
- '\WmiApSrv.exe'
- '\svchost.exe'
- '\DeviceCensus.exe'
- '\CompatTelRunner.exe'
- '\sdiagnhost.exe'
- '\SIHClient.exe'
- '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe
- '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
- '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
- 'C:\Windows\Sysmon64.exe'
- 'C:\Windows\Sysmon.exe'
- 'C:\Windows\System32\wbem\unsecapp.exe'
- '\logman.exe'
- '\systeminfo.exe'
- '\nvcontainer.exe'
- 'C:\Windows\System32\wbem\WMIC.exe'
- '\explorer.exe'
- '\opera_autoupdate.exe'
- '\MsMpEng.exe'
- '\thor64.exe'
- '\thor.exe'
filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not filter and not filter_generic
fields:
- ComputerName
- User
- Image
- ImageLoaded
falsepositives:
- Unknown
level: informational
@@ -0,0 +1,85 @@
title: WMI Module Loaded By Non Uncommon Process
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
description: Detects a WMI modules being loaded by an uncommon process
references:
- https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
modified: 2023/08/08
tags:
- attack.execution
- attack.t1047
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\fastprox.dll'
- '\wbemcomn.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\WmiApRpl.dll'
- '\wmiclnt.dll'
- '\WMINet_Utils.dll'
- '\wmiprov.dll'
- '\wmiutils.dll'
filter_optional_generic:
Image|contains:
- ':\Microsoft\Teams\current\Teams.exe'
- ':\Microsoft\Teams\Update.exe'
- ':\Windows\\explorer.exe'
- ':\Windows\Sysmon.exe'
- ':\Windows\Sysmon64.exe'
- ':\Windows\System32\CompatTelRunner.exe'
- ':\Windows\System32\DeviceCensus.exe'
- ':\Windows\System32\dfsrs.exe'
- ':\Windows\System32\dispdiag.exe'
- ':\Windows\System32\dxdiag.exe'
- ':\Windows\System32\gpresult.exe'
- ':\Windows\System32\logman.exe'
- ':\Windows\System32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least
- ':\Windows\System32\sdiagnhost.exe'
- ':\Windows\System32\SecurityHealthService.exe'
- ':\Windows\System32\ServerManager.exe'
- ':\Windows\System32\SIHClient.exe'
- ':\Windows\System32\svchost.exe'
- ':\Windows\System32\systeminfo.exe'
- ':\Windows\System32\taskhostw.exe' # c:\windows\system32\taskhostw.exe
- ':\Windows\System32\tasklist.exe'
- ':\Windows\System32\vds.exe'
- ':\Windows\System32\wbem\unsecapp.exe'
- ':\Windows\System32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871
- ':\Windows\System32\wbem\WmiApSrv.exe'
- ':\Windows\System32\wbem\WMIC.exe'
- ':\Windows\System32\wbem\WmiPrvSE.exe'
- ':\Windows\SysWOW64\explorer.exe'
- ':\Windows\SysWOW64\logman.exe'
- ':\Windows\SysWOW64\sdiagnhost.exe'
- ':\Windows\SysWOW64\svchost.exe'
- ':\Windows\SysWOW64\systeminfo.exe'
- ':\Windows\SysWOW64\wbem\WmiPrvSE.exe'
filter_optional_other:
Image|endswith:
- '\WindowsAzureGuestAgent.exe'
- '\WaAppAgent.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_defender:
Image|endswith: '\MsMpEng.exe'
filter_optional_dotnet:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
Image|endswith: '\ngentask.exe'
filter_optional_programfiles:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: low
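Review bot: The title `WMI Module Loaded By Non Uncommon Process` is a double negative and contradicts the description, which says the rule detects loads by an uncommon process; `title: WMI Module Loaded By Uncommon Process` and `description: Detects a WMI module being loaded by an uncommon process` read correctly. The entry `':\Windows\\explorer.exe'` in `filter_optional_generic` has a doubled backslash unlike every neighbouring entry; if it is not a deliberate escape it should be `':\Windows\explorer.exe'`, otherwise whether the legitimate explorer path is filtered depends on how the backend interprets the escape. The `id` is the same as the deleted `WMI Modules Loaded` rule, which is fine for a rename but worth confirming was intended.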
@@ -0,0 +1,28 @@
title: CSExec Default Named Pipe
id: f318b911-ea88-43f4-9281-0de23ede628e
related:
- id: 9e77ed63-2ecf-4c7b-b09d-640834882028
type: obsoletes
status: test
description: Detects default CSExec pipe creation
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://github.com/malcomvetter/CSExec
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/07
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.execution
- attack.t1569.002
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains: '\csexecsvc'
condition: selection
falsepositives:
- Legitimate Administrator activity
level: medium
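Review bot: The `related` entry marks the PsExec Pipes Artifacts rule (`9e77ed63-…`) as obsoleted, but that rule's pipe names (`\atctl`, `\userpipe`, `\iehelper`, `\sdlrpc`, `\comnap`) are not covered by `PipeName|contains: '\csexecsvc'`, so deprecating it through this relation drops that coverage unless another rule in the commit picks those names up. If the intent is only to replace the PsExec-specific part, `type: similar` or no relation at all would describe it more accurately, and the old pipe names could be folded into the `Malicious Named Pipe Created` rule that is touched later in this commit.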
@@ -1,5 +1,10 @@
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
related:
- id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
type: similar
- id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
type: similar
status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
@@ -1,5 +1,10 @@
title: CobaltStrike Named Pipe Pattern Regex
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
related:
- id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
type: similar
- id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
type: similar
status: test
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
references:
@@ -1,5 +1,10 @@
title: CobaltStrike Named Pipe Patterns
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
related:
- id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
type: similar
- id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
type: similar
status: test
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
references:
@@ -7,7 +12,7 @@ references:
- https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2021/07/30
modified: 2022/10/09
modified: 2023/08/07
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -17,35 +22,35 @@ logsource:
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection_malleable_profiles:
selection_malleable_profile_generic:
- PipeName|startswith:
- '\DserNamePipe'
- '\f4c3'
- '\f53f'
- '\fullduplex_'
- '\mojo.5688.8052.183894939787088877'
- '\mojo.5688.8052.35780273329370473'
- '\MsFteWds'
- '\msrpc_'
- '\mypipe-f'
- '\mypipe-h'
- '\ntsvcs'
- '\scerpc'
- '\win_svc'
- '\spoolss'
- '\msrpc_'
- '\win\msrpc_'
- '\wkssvc'
- '\f53f'
- '\windows.update.manager'
- '\SearchTextHarvester'
- '\DserNamePipe'
- '\PGMessagePipe'
- '\MsFteWds'
- '\f4c3'
- '\fullduplex_'
- '\rpc_'
- '\scerpc'
- '\SearchTextHarvester'
- '\spoolss'
- '\win_svc'
- '\win\msrpc_'
- '\windows.update.manager'
- '\wkssvc'
- PipeName:
- '\demoagent_11'
- '\demoagent_22'
selection_malleable_profile_CatalogChangeListener:
selection_malleable_profile_catalog_change_listener:
PipeName|startswith: '\Winsock2\CatalogChangeListener-'
PipeName|endswith: '-0,'
filter:
filter_main_generic:
PipeName:
- '\wkssvc'
- '\spoolss'
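Review bot: The `definition` string repeats the sentence `You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular` twice in a row, the first copy without a closing period; the CSExec named-pipe rule in this commit carries the cleaned-up single copy, so this line is presumably meant to match it. Deleting the duplicated sentence fixes it. The line is context in this hunk, so the wording predates the selection renames the commit makes.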
@@ -54,7 +59,7 @@ detection:
- '\SearchTextHarvester'
- '\PGMessagePipe'
- '\MsFteWds'
condition: 1 of selection_malleable_profile* and not filter
condition: 1 of selection_malleable_profile_* and not 1 of filter_main_*
falsepositives:
- Chrome instances using the exact same pipe name "mojo.something"
- Chrome instances using the exact same pipe name "mojo.xxx"
level: high
@@ -1,11 +1,12 @@
title: DiagTrackEoP Default Named Pipe
title: HackTool - DiagTrackEoP Default Named Pipe
id: 1f7025a6-e747-4130-aac4-961eb47015f1
status: experimental
description: Detects creation of default named pipe used by the DiagTrackEoP POC
description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
references:
- https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/03
modified: 2023/08/07
tags:
- attack.privilege_escalation
logsource:
@@ -1,13 +1,13 @@
title: EfsPotato Named Pipe
title: HackTool - EfsPotato Named Pipe Creation
id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
status: experimental
description: Detects the pattern of a pipe name as used by the tool EfsPotato
description: Detects the pattern of a pipe name as used by the hacktool EfsPotato
references:
- https://twitter.com/SBousseaden/status/1429530155291193354?s=20
- https://github.com/zcgonvh/EfsPotato
author: Florian Roth (Nextron Systems)
date: 2021/08/23
modified: 2022/06/20
modified: 2023/08/07
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -20,10 +20,10 @@ detection:
selection:
PipeName|contains:
- '\pipe\'
- '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives)
filter:
- '\pipe\srvsvc' # more specific version (use only this one if the other causes too many false positives)
filter_optional_ctx:
PipeName|contains: '\CtxShare'
condition: selection and not filter
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
@@ -1,12 +1,13 @@
title: Cred Dump-Tools Named Pipes
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipes
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019/11/01
modified: 2021/11/27
modified: 2023/08/07
tags:
- attack.credential_access
- attack.t1003.001
@@ -20,8 +21,8 @@ logsource:
detection:
selection:
PipeName|contains:
- '\lsadump'
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
@@ -1,4 +1,4 @@
title: Koh Default Named Pipes
title: HackTool - Koh Default Named Pipe
id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
status: experimental
description: Detects creation of default named pipes used by the Koh tool
@@ -6,6 +6,7 @@ references:
- https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/08
modified: 2023/08/07
tags:
- attack.privilege_escalation
- attack.credential_access
@@ -1,7 +1,7 @@
title: Malicious Named Pipe
title: Malicious Named Pipe Created
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe used by known APT malware
description: Detects the creation of a named pipe seen used by known APTs or malware.
references:
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
- https://securelist.com/faq-the-projectsauron-apt/75533/
@@ -17,7 +17,7 @@ references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017/11/06
modified: 2022/03/15
modified: 2023/08/07
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -29,34 +29,34 @@ logsource:
detection:
selection:
PipeName:
- '\isapi_http' # Uroburos Malware
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware
- '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron
- '\adschemerpc' # Turla HyperStack
- '\ahexec' # Sofacy group malware
- '\AnonymousPipe' # Hidden Cobra Hoplight
- '\bc31a7' # Pacifier
- '\bc367' # Pacifier
- '\bizkaz' # Snatch Ransomware
- '\csexecsvc' #CSEXEC default
- '\dce_3d' #Qbot
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
- '\gruntsvc' # Covenant default
- '\isapi_dg' # Uroburos Malware
- '\isapi_dg2' # Uroburos Malware
- '\sdlrpc' # Cobra Trojan
- '\ahexec' # Sofacy group malware
- '\winsession' # Wild Neutron APT malware
- '\isapi_http' # Uroburos Malware
- '\jaccdpqnvbrrxlaf' #PoshC2 default
- '\lsassw' # Wild Neutron APT malware
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
- '\rpchlp_3' # Project Sauron
- '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves
- '\pcheap_reuse' # Pipe used by Equation Group malware
- '\gruntsvc' # Covenant default
# - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware
- '\bizkaz' # Snatch Ransomware
- '\svcctl' #Crackmapexec smbexec default
- '\Posh*' #PoshC2 default
- '\jaccdpqnvbrrxlaf' #PoshC2 default
- '\csexecsvc' #CSEXEC default
- '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake
- '\adschemerpc' # Turla HyperStack
- '\AnonymousPipe' # Hidden Cobra Hoplight
- '\bc367' # Pacifier
- '\bc31a7' # Pacifier
- '\rpchlp_3' # Project Sauron
- '\sdlrpc' # Cobra Trojan
- '\svcctl' #Crackmapexec smbexec default
- '\testPipe' # Emissary Panda Hyperbro
- '\dce_3d' #Qbot
- '\winsession' # Wild Neutron APT malware
# - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253
condition: selection
falsepositives:
- Unknown
@@ -0,0 +1,28 @@
title: RemCom Default Named Pipe
id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
related:
- id: 9e77ed63-2ecf-4c7b-b09d-640834882028
type: obsoletes
status: test
description: Detects default RemCom pipe creation
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://github.com/kavika13/RemCom
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/07
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.execution
- attack.t1569.002
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains: '\RemCom'
condition: selection
falsepositives:
- Legitimate Administrator activity
level: medium
@@ -4,7 +4,7 @@ related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: test
description: Detects PsExec service installation and execution events (service and Sysmon)
description: Detects PsExec service default pipe creation
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -23,14 +23,6 @@ detection:
selection:
PipeName: '\PSEXESVC'
condition: selection
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
falsepositives:
- Unknown
level: low
@@ -10,6 +10,7 @@ references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/04
modified: 2023/08/07
tags:
- attack.execution
- attack.t1569.002
@@ -22,20 +23,12 @@ detection:
selection:
PipeName: '\PSEXESVC'
Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env
- 'C:\Users\Public\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\AppData\Local\Temp\'
- 'C:\Windows\Temp\'
condition: selection
fields:
- EventID
- CommandLine
- ParentCommandLine
- ServiceName
- ServiceFileName
- TargetFilename
- PipeName
falsepositives:
- Rare legitimate use of psexec from the locations mentioned above
level: high
@@ -0,0 +1,51 @@
title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Florian Roth (Nextron Systems)
date: 2019/08/24
modified: 2023/08/02
tags:
- attack.defense_evasion
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
CommandLine|contains:
- '\AppData\Local\Temp\' # User execution
- '\Windows\Temp\' # Admin execution
filter_main_programfiles:
# Note: this is a generic filter. You could baseline execution in your env for a more robust rule
ParentImage|startswith:
- 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
- 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_sdiagnhost:
ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_w3p:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
filter_optional_chocolatey:
ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
filter_optional_defender:
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
filter_optional_ansible:
# Note: As ansible is widely used we exclude it with this generic filter.
# A better option would be to filter based on script content basis or other marker while hunting
ParentCommandLine|contains:
# '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
- 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
- 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
- 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
- Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
- Ansible
level: medium
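Review bot: `filter_main_programfiles`, `filter_main_sdiagnhost` and `filter_main_w3p` hard-code the `C:` drive while the selection above and the other rules in this commit match drive-agnostically (e.g. `':\Users\Public\'` at L1254); on a host whose system drive is not `C:` these filters are inert and every such parent becomes an alert. The Program Files entries could be written as `ParentImage|contains:` with `- ':\Program Files (x86)\'` and `- ':\Program Files\'`, and the two single-image filters as `ParentImage|endswith` on the `\Windows\System32\...` suffix. `filter_main_w3p` is named after `w3wp.exe` and reads like a typo; `filter_main_w3wp` would match the image. The same hard-coded drive letter appears in `filter_main_known_locations` of the Mpclient.DLL sideloading rule (L1733-L1741) and `filter_main_legit_dir` of the OfflineScannerShell rule (L1770). If the narrowing from `'\AppData\'` in the deleted rule to `'\AppData\Local\Temp\'` is intentional, a short comment noting that Roaming and LocalLow paths are now out of scope would help the next reader.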
@@ -1,36 +0,0 @@
title: Suspicious Csc.exe Source File Folder
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Florian Roth (Nextron Systems)
date: 2019/08/24
modified: 2022/10/09
tags:
- attack.defense_evasion
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
CommandLine|contains:
- '\AppData\'
- '\Windows\Temp\'
filter:
- ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897
- ParentImage|endswith:
- '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
- '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
- '\choco.exe' # Chocolatey https://chocolatey.org/
- ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
condition: selection and not filter
falsepositives:
- Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
- Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
level: medium
@@ -1,12 +1,13 @@
title: Suspicious Parent of Csc.exe
title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
- https://twitter.com/SBousseaden/status/1094924091256176641
author: Florian Roth (Nextron Systems)
- https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
- https://reaqta.com/2017/11/short-journey-darkvnc/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019/02/11
modified: 2022/01/07
modified: 2023/08/02
tags:
- attack.execution
- attack.t1059.005
@@ -18,13 +19,49 @@ logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
selection_img:
- Image|endswith: '\csc.exe'
- OriginalFileName: 'csc.exe'
selection_parent_generic:
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
condition: selection
- '\winword.exe'
- '\wscript.exe'
selection_parent_powershell:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
ParentCommandLine|contains:
- '-Encoded '
- 'FromBase64String'
selection_parent_susp_location:
- ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
- ParentCommandLine|contains:
- ':\Users\Public\'
- ':\PerfLogs\'
- '\Temporary Internet'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Pictures\'
filter_optional_ansible:
# Note: As ansible is widely used we exclude it with this generic filter.
# A better option would be to filter based on script content basis or other marker while hunting
ParentCommandLine|contains:
# '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
- 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
- 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
- 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
condition: selection_img and 1 of selection_parent_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
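Review bot: The regex in `selection_parent_susp_location` contains `([Ll]ocal(Ll]ow)?|[Rr]oaming)`, where `(Ll]ow)?` is missing its opening `[` and therefore matches the literal text `Ll]ow` rather than `Low`; a `]` outside a character class is accepted as a literal by most engines, so the pattern compiles silently and command lines under `\AppData\LocalLow\` never match this alternative. The intended group is `([Ll]ocal([Ll]ow)?|[Rr]oaming)`, i.e. `- ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'`. Because the `re` modifier is case-sensitive (which is why the rule spells out `[Pp]` and `[Dd]`), the character classes are doing real work here, which makes the missing bracket easy to overlook in review.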
@@ -0,0 +1,29 @@
title: File Decryption Using Gpg4win
id: 037dcd71-33a8-4392-bb01-293c94663e5a
status: experimental
description: Detects usage of Gpg4win to decrypt files
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.gpg4win.de/documentation.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Description: 'GnuPGs OpenPGP tool'
selection_cli:
CommandLine|contains|all:
- ' -d '
- 'passphrase'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
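Review bot: `selection_cli` keys on the short option `' -d '` only, so the equivalent long form `--decrypt`, which GnuPG documents as a synonym, does not trigger the rule; the same applies to `' -c '` versus `--symmetric` in the File Encryption Using Gpg4win rule that follows (L1489). Splitting the `contains|all` into two selections keeps the condition unchanged: `selection_cli_passphrase: CommandLine|contains: 'passphrase'` and `selection_cli_mode: CommandLine|contains: [' -d ', ' --decrypt ']`, with `condition: all of selection_*` as before. Note also that `' -d '` with a trailing space misses the case where `-d` is the last token of the command line.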
@@ -0,0 +1,29 @@
title: File Encryption Using Gpg4win
id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd
status: experimental
description: Detects usage of Gpg4win to encrypt files
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.gpg4win.de/documentation.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Description: 'GnuPGs OpenPGP tool'
selection_cli:
CommandLine|contains|all:
- ' -c '
- 'passphrase'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
@@ -0,0 +1,30 @@
title: Portable Gpg.EXE Execution
id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
status: experimental
description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
references:
- https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
- https://securelist.com/locked-out/68960/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/06
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- OriginalFileName: 'gpg.exe'
- Description: 'GnuPGs OpenPGP tool'
filter_main_legit_location:
Image|contains:
- ':\Program Files (x86)\GnuPG\bin\'
- ':\Program Files (x86)\GNU\GnuPG\bin\'
- ':\Program Files (x86)\Gpg4win\bin\'
condition: selection and not 1 of filter_main_*
level: high
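Review bot: The rule has no `falsepositives` field, unlike the other new rules in this commit (e.g. L1462-L1463); the Renamed Gpg.EXE Execution rule (L1910-L1933) has the same omission. Because `filter_main_legit_location` only whitelists three `Program Files (x86)` directories, portable or per-user GnuPG installations will alert at level high, which is worth recording, e.g. `falsepositives:` / `- Portable or per-user installations of GnuPG outside the locations covered by the filter`. The filter also hard-codes `(x86)` and the `:\Program Files\` variant is absent; if current installers place 64-bit builds there (verify against a current installer), that location should be added.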
@@ -0,0 +1,36 @@
title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
status: experimental
description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022/11/30
modified: 2023/08/09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Product: 'GNU Privacy Guard (GnuPG)'
- Description: 'GnuPGs OpenPGP tool'
selection_cli:
CommandLine|contains: '-passphrase'
selection_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
@@ -1,31 +0,0 @@
title: Gpg4Win Decrypt Files From Suspicious Locations
id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
status: experimental
description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022/11/30
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith: '\gpg2.exe'
- Product: 'GNU Privacy Guard (GnuPG)'
- Company: 'g10 Code GmbH'
selection_cli:
CommandLine|contains: '-passphrase'
selection_paths:
CommandLine|contains:
- '\AppData\Roaming\'
- 'C:\Perflogs\'
- 'C:\Windows\Temp\'
- 'C:\temp'
condition: all of selection_*
falsepositives:
- Legitimate use
level: medium
@@ -1,12 +1,12 @@
title: LOLBIN Execution Of The FTP.EXE Binary
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe
description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020/10/09
modified: 2022/11/10
modified: 2023/08/11
tags:
- attack.execution
- attack.t1059
@@ -22,11 +22,10 @@ detection:
- Image|endswith: '\ftp.exe'
- OriginalFileName: 'ftp.exe'
selection_ftp_cli:
CommandLine|contains: '-s:'
CommandLine|contains:
- '-s:'
- '/s:'
condition: selection_parent or all of selection_ftp_*
fields:
- CommandLine
- ParentImage
falsepositives:
- Unknown
level: medium
@@ -1,28 +0,0 @@
title: Use of Mftrace.exe
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: experimental
description: The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/09
tags:
- attack.defense_evasion
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mftrace.exe'
- OriginalFileName: 'mftrace.exe'
selection_cli:
# This assumes that when someone use mftrace to launch an ".exe" he will add a space and the binary launched will end with ".exe"
CommandLine|contains: '.exe '
CommandLine|endswith: '.exe'
parent:
ParentImage|endswith: '\mftrace.exe'
condition: all of selection* or parent
falsepositives:
- Legitimate use for tracing purposes
level: medium
@@ -1,25 +0,0 @@
title: Suspicious OfflineScannerShell.exe Execution From Another Folder
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory
references:
- https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022/03/06
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
lolbas:
Image|endswith: '\OfflineScannerShell.exe'
filter_correct:
CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
filter_missing:
CurrentDirectory: null
condition: lolbas and not 1 of filter_*
falsepositives:
- Unknown
level: medium
@@ -0,0 +1,22 @@
title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: experimental
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/06/09
modified: 2023/08/03
tags:
- attack.defense_evasion
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mftrace.exe'
condition: selection
falsepositives:
- Legitimate use for tracing purposes
level: medium
@@ -1,12 +1,15 @@
title: DLL Sideloading by Microsoft Defender
title: Potential Mpclient.DLL Sideloading Via Defender Binaries
id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
related:
- id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
type: similar
status: experimental
description: Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022/08/01
modified: 2022/08/09
modified: 2023/08/04
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -15,14 +18,17 @@ logsource:
category: process_creation
detection:
selection:
Image|endswith: '\MpCmdRun.exe'
legit_path:
Image|startswith: # MpCmdRun resides in two locations
Image|endswith:
- '\MpCmdRun.exe'
- '\NisSrv.exe'
filter_main_known_locations:
Image|startswith:
- 'C:\Program Files (x86)\Windows Defender\'
- 'C:\Program Files\Microsoft Security Client\'
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Windows\winsxs\'
- 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' # found on Win7 i386
condition: selection and not legit_path
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
- Unlikely
level: high
@@ -0,0 +1,31 @@
title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: |
Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory.
The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
references:
- https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022/03/06
modified: 2023/08/03
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\OfflineScannerShell.exe'
- OriginalFileName: 'OfflineScannerShell.exe'
filter_main_legit_dir:
CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
filter_main_empty:
CurrentDirectory: ''
filter_main_null:
CurrentDirectory: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
@@ -0,0 +1,50 @@
title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: experimental
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023/08/08
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\provlaunch.exe'
filter_main_covered_children:
# Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
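Review bot: `'\AppData\Temp\'` in `filter_main_covered_children` does not correspond to a standard Windows path; the per-user temp directory is `\AppData\Local\Temp\`, as the other rules in this commit use (L1296, L1557). The same value is in `selection_child` of the Suspicious Provlaunch.EXE Child Process rule (L1872), so children started from the usual temp folder are neither flagged there nor excluded here, and the two rules do not dovetail the way the comment on L1806 intends. Changing both entries to `- '\AppData\Local\Temp\'` fixes this.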
@@ -0,0 +1,49 @@
title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: experimental
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/08
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\provlaunch.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
@@ -0,0 +1,29 @@
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: experimental
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023/08/08
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
@@ -0,0 +1,23 @@
title: Renamed Gpg.EXE Execution
id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592
status: experimental
description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
references:
- https://securelist.com/locked-out/68960/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023/08/09
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'gpg.exe'
filter_main_img:
Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
condition: selection and not 1 of filter_main_*
level: high
@@ -1,12 +1,17 @@
title: Possible Shim Database Persistence via sdbinst.exe
title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
- id: 18ee686c-38a3-4f65-9f44-48a077141f42
type: similar
status: test
description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
description: |
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019/01/16
modified: 2022/10/09
modified: 2023/08/01
tags:
- attack.persistence
- attack.privilege_escalation
@@ -15,12 +20,15 @@ logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sdbinst.exe'
selection_img:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
selection_cli:
CommandLine|contains: '.sdb'
filter:
CommandLine|contains: 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
condition: selection and not filter
filter_optional_iis:
ParentImage|endswith: '\msiexec.exe'
CommandLine|contains: 'iisexpressshim.sdb' # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
level: medium
@@ -0,0 +1,30 @@
title: Suspicious Shim Database Installation via Sdbinst.EXE
id: 18ee686c-38a3-4f65-9f44-48a077141f42
related:
- id: 517490a7-115a-48c6-8862-1a481504d5a8
type: derived
status: test
description: |
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/01
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.011
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
filter_main_legit_ext:
CommandLine|contains: '.sdb'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
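Review bot: `filter_main_legit_ext` only suppresses command lines containing `.sdb`, so any sdbinst invocation without a database path (running it with no arguments, the help switch, or an uninstall that references the database by GUID rather than file path, if the switch list allows that) fires at level high although no shim with an uncommon extension is involved. Either a guard that requires an install argument, or a `falsepositives` entry naming these cases instead of `Unknown`, would make the rule's intent clearer. The `related` entry marks this as derived from 517490a7, whose `selection_cli` requires `.sdb`; stating in the description that this rule is the complement of that one would help readers.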
@@ -0,0 +1,29 @@
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: experimental
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
- https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023/08/02
tags:
- attack.command_and_control
- attack.persistence
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\amazon-ssm-agent.exe'
CommandLine|contains|all:
- '-register '
- '-code '
- '-id '
- '-region '
condition: selection
falsepositives:
- Legitimate activity of system administrators
level: medium
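Review bot: The four `contains` patterns on L2031-L2034 each require a trailing space, so the `-code=<value>` / `-id=<value>` / `-region=<value>` spelling is missed; if the agent parses these with Go's standard `flag` package (amazon-ssm-agent is Go-based, but I have not checked the parser it uses), the `=` form is accepted interchangeably with the space form and is a trivial evasion. Dropping the trailing spaces (`'-register'`, `'-code'`, `'-id'`, `'-region'`) keeps the `|all` conjunction selective while closing that gap; `-id` without the space could also match other `-id…` flags, so confirm against the agent's flag set. The description on L2013 also has a typo, `reoport` → `report`.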
@@ -17,7 +17,7 @@ references:
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022/09/01
modified: 2023/07/13
modified: 2023/08/07
tags:
- attack.defense_evasion
- attack.t1489
@@ -93,7 +93,7 @@ detection:
- 'FirebirdGuardianDefaultInstance'
- 'FirebirdServerDefaultInstance'
- 'HealthTLService'
- 'HISSQLFDLauncherSSHAREPOINIT'
- 'MSSQLFDLauncher$' # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc.
- 'hmpalertsvc'
- 'HMS'
- 'IISAdmin'
@@ -221,7 +221,7 @@ detection:
- 'UI0Detect'
- 'UTODetect'
- 'Veeam'
- 'VeemaDep/oySvc'
- 'VeeamDeploySvc'
- 'Veritas System Recovery'
- 'VSApiNt'
- 'VSS'
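Review bot: The comment on L2053 implies substring matching (one `MSSQLFDLauncher$` entry covering several instance suffixes), in which case the corrected `VeeamDeploySvc` on L2062 is already matched by the `Veeam` entry on L2060 and can be dropped; the selection's modifier is outside this hunk, so confirm it is `contains` before removing it. If the modifier is an exact match instead, `MSSQLFDLauncher$` alone would not match `MSSQLFDLauncher$SHAREPOINT` and the instance-specific names would have to be listed explicitly.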
@@ -0,0 +1,28 @@
title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
id: ac1c92b4-ac81-405a-9978-4604d78cc47e
status: experimental
description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
references:
- https://twitter.com/0xBoku/status/1679200664013135872
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/03
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VSDiagnostics.exe'
- OriginalFileName: 'VSDiagnostics.exe'
selection_cli_start:
CommandLine|contains: 'start'
selection_cli_launch:
CommandLine|contains:
- ' /launch:'
- ' -launch:'
condition: all of selection_*
falsepositives:
- Legitimate usage for tracing and diagnostics purposes
level: medium
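Review bot: `selection_cli_start` on L2086 matches the bare substring `start`, which also hits arguments such as `/launch:C:\tools\startup.exe` or any path containing `start`, so the `start` verb is not actually being required. Per the referenced LOLBAS entry the proxy form is `VSDiagnostics.exe start <session> /launch:<binary>`, so `CommandLine|contains: ' start '` anchors the verb without losing coverage; Sigma `contains` is case-insensitive, so `/Launch:` is already handled by L2089-L2090.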
@@ -7,7 +7,7 @@ references:
- https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021/01/10
modified: 2023/06/28
modified: 2023/08/11
tags:
- attack.t1137.006
- attack.persistence
@@ -34,6 +34,8 @@ detection:
- '\integrator.exe'
- '\OfficeClickToRun.exe'
- '\winword.exe'
filter_teams:
Image|endswith: '\Teams.exe'
filter_avg:
Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
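Review bot: `filter_teams` on L2108-L2109 excludes any process named `Teams.exe` regardless of path, whereas the neighbouring `filter_avg` pins the full image path; a payload renamed to `Teams.exe` that writes an Outlook add-in key would be silently filtered. Pinning the filter to the install location, e.g. `Image|endswith: '\Microsoft\Teams\current\Teams.exe'` (the classic per-user Teams path, to be confirmed against your telemetry), keeps the FP suppression without the blanket exclusion. The rule's `condition` is outside this hunk, so check it already references `filter_teams` via a wildcard or explicitly.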
@@ -7,9 +7,10 @@ description: |
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113
date: 2021/12/30
modified: 2023/01/10
modified: 2023/08/01
tags:
- attack.persistence
- attack.t1546.011
@@ -18,13 +19,13 @@ logsource:
product: windows
detection:
selection:
TargetObject|startswith:
- 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
EventType: SetValue
filter:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
filter_main_empty:
Details: ''
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
- Legitimate custom SHIM installations will also trigger this rule
level: medium
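Review bot: `filter_main_empty` on L2137-L2138 has no comment saying which legitimate writes produce an empty `Details`; a one-line comment such as `# Empty values are written when the key is first created — confirm with Sysmon samples` would help the next reviewer, and the reason should be verified rather than assumed. Also, per the referenced FireEye write-up one shim installation writes several values under `InstalledSDB\{GUID}\` (DatabasePath, DatabaseType, DatabaseDescription, DatabaseInstallTimeStamp) plus one under `Custom\<exe>\`, so a single install yields multiple alerts; anchoring on `\DatabasePath` as rule 6b6976a3 does, or documenting the expected alert volume in `falsepositives`, would help. The start of the `detection` block is outside this hunk.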
@@ -0,0 +1,32 @@
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: experimental
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/01
tags:
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
TargetObject|endswith:
# Note: add other application to increase coverage
- '\csrss.exe'
- '\dllhost.exe'
- '\explorer.exe'
- '\services.exe'
- '\svchost.exe'
- '\taskhostw.exe'
- '\winlogon.exe'
condition: selection
falsepositives:
- Unknown
level: high
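Review bot: The `TargetObject|endswith` list on L2165-L2173 assumes the SetValue target ends with the patched executable's name, but per the referenced FireEye write-up the value written under `AppCompatFlags\Custom\<exe>\` is named after the database (`{GUID}.sdb`), so for a `SetValue` event the `TargetObject` would end with that value name and none of the `\svchost.exe`-style suffixes would match. If that holds in the Sysmon telemetry you test against, `TargetObject|contains` entries such as `'\Custom\svchost.exe\'` match the `Custom\<exe>\{GUID}.sdb` shape instead; please validate with a real sdbinst install before shipping at level high. A comment on L2166 noting that the list only covers the targets seen in the FIN7/Pillowmint reports would also help.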
@@ -0,0 +1,28 @@
title: Potential Persistence Via Shim Database In Uncommon Location
id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
status: experimental
description: Detects the installation of a new shim database where the file is located in a non-default location
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
- https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/01
tags:
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- '\DatabasePath'
filter_main_known_locations:
Details|contains: ':\Windows\AppPatch\Custom'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
@@ -0,0 +1,31 @@
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
status: experimental
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Swachchhanda Shrawan Poudel
date: 2023/08/02
tags:
- attack.defense_evasion
- attack.t1218
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
detection:
selection:
EventType: SetValue
TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
@@ -5,7 +5,7 @@ related:
type: obsoletes
status: test
description: |
Detects potential persistence behaviour using the windows telemetry registry key.
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
@@ -13,7 +13,7 @@ references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Lednyov Alexey, oscd.community, Sreeman
date: 2020/10/16
modified: 2022/12/19
modified: 2023/08/01
tags:
- attack.persistence
- attack.t1053.005
@@ -27,24 +27,24 @@ detection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
TargetObject|endswith: '\Command'
Details|contains:
- '.sh'
- '.exe'
- '.dll'
- '.bin'
- '.bat'
- '.bin'
- '.cmd'
- '.js'
- '.ps'
- '.vb'
- '.jar'
- '.dat'
- '.dll'
- '.exe'
- '.hta'
- '.jar'
- '.js'
- '.msi'
- '.vbs'
filter:
- '.ps'
- '.sh'
- '.vb'
filter_main_generic:
Details|contains:
- '\system32\CompatTelRunner.exe'
- '\system32\DeviceCensus.exe'
condition: selection and not filter
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
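Review bot: `filter_main_generic` on L2284-L2287 is a substring check, so any command whose `Details` embeds `\system32\CompatTelRunner.exe` anywhere — for instance `C:\Temp\evil.exe ... \system32\CompatTelRunner.exe` appended as a trailing argument — is filtered out, which undoes the detection the rule is built around. Anchoring the allowlist with `Details|startswith` on the two legitimate binaries (listing the quoted and unquoted forms) keeps the suppression while closing that gap. Separately, in the reordered `Details|contains` list `.vb` (L2283) already matches `.vbs` (L2279) and `.ps` matches `.ps1`, so the `.vbs` entry is redundant.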
@@ -281,6 +281,7 @@
"auditlogs":[],
"azureactivity":[],
"microsoft365portal":[],
"riskdetection":[],
"signinlogs":[]
}
},