diff --git a/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml b/deprecated/windows/pipe_created_psexec_pipes_artifacts.yml
similarity index 96%
rename from rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml
rename to deprecated/windows/pipe_created_psexec_pipes_artifacts.yml
index a0429bc59..c3f2566f7 100644
--- a/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml
+++ b/deprecated/windows/pipe_created_psexec_pipes_artifacts.yml
@@ -1,12 +1,12 @@
 title: PsExec Pipes Artifacts
 id: 9e77ed63-2ecf-4c7b-b09d-640834882028
-status: test
+status: deprecated
 description: Detecting use PsExec via Pipe Creation/Access to pipes
 references:
     - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nikita Nazarov, oscd.community
 date: 2020/05/10
-modified: 2021/11/27
+modified: 2023/08/07
 tags:
     - attack.lateral_movement
     - attack.t1021.002
diff --git a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
old mode 100755
new mode 100644
similarity index 64%
rename from rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
rename to rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
index 452bdbb65..fbffedc59
--- a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
+++ b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
@@ -19,13 +19,13 @@ logsource:
 detection:
     selection:
         PipeName:
-            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
-            - '\userpipe' # ruag apt case
-            - '\iehelper' # ruag apt case
-            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
-            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
-            # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
+            - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
+            - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+            - '\iehelper' # ruag apt case
+            - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+            - '\userpipe' # ruag apt case
+            #- '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
     condition: selection
 falsepositives:
-    - Unknown
+    - Unlikely
 level: critical
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
new file mode 100644
index 000000000..aa1cba381
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml
@@ -0,0 +1,28 @@
+title: Dynamic .NET Compilation Via Csc.EXE - Hunting
+id: acf2807c-805b-4042-aab9-f86b6ba9cb2b
+related:
+    - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
+      type: derived
+status: experimental
+description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+references:
+    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
+    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
+    - https://twitter.com/gN3mes1s/status/1206874118282448897
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/02
+tags:
+    - attack.defense_evasion
+    - attack.t1027.004
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\csc.exe'
+        CommandLine|contains: '/noconfig /fullpaths @'
+    condition: selection
+falsepositives:
+    - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
+level: medium
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml
new file mode 100644
index 000000000..7e28e0337
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml
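Review bot: The selection only catches the CodeDOM-style invocation — `CommandLine|contains: '/noconfig /fullpaths @'` is the argument prefix the .NET `CSharpCodeProvider` emits when it hands csc.exe a temporary `.cmdline` response file — so a csc.exe run by hand with any other switch layout is out of scope, and the description ("Detects execution of "csc.exe" to compile .NET code") overstates coverage. Narrow it to something like `description: Detects CodeDOM-style dynamic compilation via "csc.exe" (invoked with "/noconfig /fullpaths @<tmp>.cmdline"), which attackers use to compile payloads on the fly`. As far as I recall the VB.NET provider produces the same `/noconfig /fullpaths @` pattern through `vbc.exe`; if that is meant to be covered too, `Image|endswith` could become a two-item list with `'\vbc.exe'`, otherwise state that only the C# compiler is in scope.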
@@ -0,0 +1,22 @@
+title: Anomalous Token
+id: 6555754e-5e7f-4a67-ad1c-4041c413a007
+status: experimental
+description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow'
+date: 2023/08/07
+tags:
+    - attack.t1528
+    - attack.credential_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'anomalousToken'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
new file mode 100644
index 000000000..a3d35a929
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml
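Review bot: The selection keys solely on `riskEventType: 'anomalousToken'`, so every record for that event type fires at `level: high`, including ones Identity Protection has already closed; the riskDetection object carries `riskState` (e.g. `remediated`, `dismissed`, `confirmedSafe`) and `riskLevel`, and if those fields reach this log source a filter such as `filter_main_closed: riskState: ['remediated', 'dismissed', 'confirmedSafe']` with `condition: selection and not 1 of filter_main_*` would stop re-alerting on resolved detections — confirm the field names in your ingestion pipeline before adding it. The `falsepositives` entry is triage advice rather than a source of benign hits; a reviewer would expect something like `- Users replaying a valid token from a new network or device (travel, VPN changes)` and can keep the investigation guidance in the description.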
@@ -0,0 +1,29 @@
+title: Potential Linux Amazon SSM Agent Hijacking
+id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
+status: experimental
+description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.
+references:
+    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
+    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
+    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
+author: Muhammad Faisal
+date: 2023/08/03
+tags:
+    - attack.command_and_control
+    - attack.persistence
+    - attack.t1219
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/amazon-ssm-agent'
+        CommandLine|contains|all:
+            - '-register '
+            - '-code '
+            - '-id '
+            - '-region '
+    condition: selection
+falsepositives:
+    - Legitimate activity of system administrators
+level: medium
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index 262e53b24..f5e9ec665 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -28,13 +28,13 @@ detection:
     selection:
         EventID: 4697
         ServiceFileName|contains:
-            - 'fgexec'
-            - 'dumpsvc'
             - 'cachedump'
-            - 'mimidrv'
+            - 'dumpsvc'
+            - 'fgexec'
             - 'gsecdump'
-            - 'servpw'
+            - 'mimidrv'
             - 'pwdump'
+            - 'servpw'
     condition: selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
index 8ce6bc8d2..4cb088516 100644
--- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
+++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
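Review bot: The `CommandLine|contains|all` set (`-register `, `-code `, `-id `, `-region `) is exactly the documented hybrid-activation command line, which is also how administrators legitimately onboard non-EC2 hosts, so the falsepositives entry should name that rather than generic admin activity, e.g. `- Legitimate hybrid activation of on-premises or non-EC2 hosts by administrators`. What makes the referenced technique anomalous is a registration on a host that is already managed (re-pointing the agent to a different account or region); on EC2 the agent normally authenticates via the instance profile without `-register`, so a `-register` on an EC2 instance is the stronger signal — worth stating in the description (verify against your fleet's onboarding). The description also has a typo: `reoport` → `report`.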
@@ -7,7 +7,7 @@ references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
-modified: 2023/07/31
+modified: 2023/08/03
 tags:
     - attack.credential_access
     - car.2019-04-004
@@ -41,32 +41,33 @@ detection:
             - '4416'
     filter_specific:
         ProcessName|endswith:
-            - '\wmiprvse.exe'
-            - '\taskmgr.exe'
-            - '\procexp64.exe'
-            - '\procexp.exe'
-            - '\lsm.exe'
             - '\csrss.exe'
-            - '\wininit.exe'
-            - '\vmtoolsd.exe'
+            - '\GamingServices.exe'
+            - '\lsm.exe'
+            - '\MicrosoftEdgeUpdate.exe'
             - '\minionhost.exe' # Cyberreason
-            - '\VsTskMgr.exe' # McAfee Enterprise
+            - '\MRT.exe' # MS Malware Removal Tool
+            - '\MsMpEng.exe' # Defender
+            - '\perfmon.exe'
+            - '\procexp.exe'
+            - '\procexp64.exe'
+            - '\svchost.exe'
+            - '\taskmgr.exe'
             - '\thor.exe' # THOR
             - '\thor64.exe' # THOR
-            - '\MicrosoftEdgeUpdate.exe'
-            - '\GamingServices.exe'
-            - '\svchost.exe'
-            - '\MsMpEng.exe' # Defender
-            - '\MRT.exe' # MS Malware Removal Tool
+            - '\vmtoolsd.exe'
+            - '\VsTskMgr.exe' # McAfee Enterprise
+            - '\wininit.exe'
+            - '\wmiprvse.exe'
             - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
         ProcessName|startswith:
+            - 'C:\Program Files (x86)\'
+            - 'C:\Program Files\'
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - 'C:\Windows\SysNative\'
             - 'C:\Windows\System32\'
             - 'C:\Windows\SysWow64\'
-            - 'C:\Windows\SysNative\'
-            - 'C:\Program Files\'
-            - 'C:\Program Files (x86)\'
             - 'C:\Windows\Temp\asgard2-agent\'
-            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
     filter_generic:
         ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions
     filter_exact:
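Review bot: The `filter_specific` exclusions rely on `ProcessName` alone (the `endswith` list ANDed with the `startswith` list), so an adversary who can already write to `C:\Windows\System32\` or `C:\Program Files\` can run a dumper named `perfmon.exe`, `taskmgr.exe` or `svchost.exe` from there and be suppressed; the newly added `'\perfmon.exe'` extends that path-name-only trust, which deserves a comment on the filter such as `# Note: exclusions are by path/name only; an admin-level attacker can drop a binary under one of these names`. Separately, the unchanged `'RtkAudUService64'` entry has neither a leading backslash nor an `.exe` suffix; since the Security-log `ProcessName` is a full path ending in `.exe`, an `endswith` on that bare string likely never matches and presumably should read `'\RtkAudUService64.exe'` — confirm against the linked FalconForce write-up. The `filter_exact` block continues outside this hunk.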
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
index b060b3d02..3835102e5 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml
@@ -10,7 +10,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
 date: 2020/07/28
-modified: 2022/08/01
+modified: 2023/08/08
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -21,12 +21,15 @@ detection:
     selection:
         EventID: 7036
         Provider_Name: 'Service Control Manager'
+        # Note: The service name and messages are localized
         param1:
             - 'Windows Defender Antivirus Service'
             - 'Service antivirus Microsoft Defender' #French OS
-        param2: 'stopped'
+        param2:
+            - 'stopped'
+            - 'arrêté'
     condition: selection
 falsepositives:
     - Administrator actions
     - Auto updates of Windows Defender causes restarts
-level: low
+level: medium
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
index f30c790c3..1a631f9fb 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
@@ -25,13 +25,13 @@ detection:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
         ImagePath|contains:
-            - 'fgexec'
-            - 'dumpsvc'
             - 'cachedump'
-            - 'mimidrv'
+            - 'dumpsvc'
+            - 'fgexec'
             - 'gsecdump'
-            - 'servpw'
+            - 'mimidrv'
             - 'pwdump'
+            - 'servpw'
     condition: selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery
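Review bot: `param1` still only lists the legacy English display name `'Windows Defender Antivirus Service'`; on current Windows 10 (2004+) and Windows 11 builds the WinDefend service is displayed as "Microsoft Defender Antivirus Service" (check with `sc query WinDefend`), so the English branch most likely misses the 7036 "stopped" event on those hosts even after this level bump — add `- 'Microsoft Defender Antivirus Service'` to the `param1` list. Since `param1` and `param2` are matched independently, the English and French values are not paired per language; harmless, but worth saying in the new comment, e.g. `# Note: The service name and messages are localized; param1/param2 values are matched independently, not per language`.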
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
new file mode 100644
index 000000000..e4333da73
--- /dev/null
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -0,0 +1,26 @@
+title: CSExec Service Installation
+id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
+status: experimental
+description: Detects CSExec service installation and execution events
+references:
+    - https://github.com/malcomvetter/CSExec
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+    - attack.execution
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_eid:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+    selection_service:
+        - ServiceName: 'csexecsvc'
+        - ImagePath|endswith: '\csexecsvc.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
+
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
index 4e9779c3d..37789edc5 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
@@ -1,11 +1,12 @@
-title: Hacktool Service Registration or Execution
+title: HackTool Service Registration or Execution
 id: d26ce60c-2151-403c-9a42-49420d87b5e4
 status: test
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects installation or execution of services
 references:
     - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/21
+modified: 2023/08/07
 tags:
     - attack.execution
     - attack.t1569.002
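Review bot: The description says "installation and execution events", but the rule only selects `EventID: 7045` (service installation); no 7036 start/stop branch exists, so either add one or trim the text to `description: Detects CSExec service installation (EventID 7045) via its default service name or image path`. The trailing empty `+` line after `level: medium` should also go, since the sibling RemCom rule in this change ends without it and the repo's YAML linters usually flag it.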
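Review bot: The new `description: Detects installation or execution of services` reads as if every 7045/7036 in the System log were flagged and loses the intent the title still carries; a wording that matches the selections would be `description: Detects installation or execution of services whose name or image path matches known hacktools (WCE, winexe, pwdump/gsecdump/cachedump, SCM UAC-bypass services)`. The detection block this describes continues outside this hunk.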
@@ -14,22 +15,24 @@ logsource:
     product: windows
     service: system
 detection:
-    service:
+    selection_eid:
         Provider_Name: 'Service Control Manager'
         EventID:
             - 7045
             - 7036
-    selection:
-        - ServiceName|contains:
-            - 'WCESERVICE'
-            - 'WCE SERVICE'
-            - 'winexesvc'
-            - 'DumpSvc'
-            - 'pwdump'
-            - 'gsecdump'
+    selection_service_name:
+        ServiceName|contains:
             - 'cachedump'
-        - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
-    condition: service and selection
+            - 'DumpSvc'
+            - 'gsecdump'
+            - 'pwdump'
+            - 'UACBypassedService'
+            - 'WCE SERVICE'
+            - 'WCESERVICE'
+            - 'winexesvc'
+    selection_service_image:
+        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
+    condition: selection_eid and 1 of selection_service_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
new file mode 100644
index 000000000..44590237d
--- /dev/null
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
@@ -0,0 +1,25 @@
+title: RemCom Service Installation
+id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
+status: experimental
+description: Detects RemCom service installation and execution events
+references:
+    - https://github.com/kavika13/RemCom/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+    - attack.execution
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_eid:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+    selection_service:
+        - ServiceName: 'RemComSvc'
+        - ImagePath|endswith: '\RemComSvc.exe'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
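Review bot: `selection_eid` keeps `7036` alongside `7045`, but a 7036 event in the System log exposes the service display name as `param1` (the way `win_system_defender_disabled.yml` in this same change matches it), not as `ServiceName`, and it carries no `ImagePath` at all; unless a pipeline maps those fields, the 7036 half of this rule probably never fires. Either drop `- 7036` from `selection_eid` or add a `param1|contains` selection with the same name list under `1 of selection_service_*` — whichever is intended, a comment such as `# 7036 carries the service name in param1, not ServiceName` would save the next reader the same check. The newly added `'UACBypassedService'` looks like the default name from the linked SCM UAC-bypass gist; a short comment naming that would help too.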
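Review bot: The description says "installation and execution events", but only `EventID: 7045` is selected; there is no 7036 branch, so either add one or change it to `description: Detects RemCom service installation (EventID 7045) via its default service name or image path`. The `selection_service` list-of-maps is an OR of `ServiceName: 'RemComSvc'` and `ImagePath|endswith: '\RemComSvc.exe'`, which is the right shape; a comment that both are the tool's defaults and a rebuilt binary can change them would set expectations.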
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
index c4c54a6f3..d3cbccac0 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
@@ -5,7 +5,7 @@ description: Detects known malicious service installation that appear in cases i
 references:
     - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
     - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/25
 tags:
     - attack.execution
@@ -16,16 +16,16 @@ logsource:
     product: windows
     service: system
 detection:
-    selection_id:
+    selection_eid:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-    selection_service1:
+    selection_service_1:
         ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
-    selection_service2:
+    selection_service_2:
         ServiceName:
             - 'Sliver'
             - 'Sliver implant'
-    condition: selection_id and 1 of selection_service*
+    condition: selection_eid and 1 of selection_service_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
similarity index 58%
rename from rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml
rename to rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
index 887eabc37..1c1bee909 100644
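Review bot: `ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'` is passed to the backend as a case-sensitive regex (the Sigma `re` modifier does not imply case-insensitivity), while the path is normally logged as `C:\Windows\Temp\…`, so `selection_service_1` likely only fires on backends that lowercase the field — prefix the pattern with `(?i)` or, where the backend supports it, use `ImagePath|re|i`. The selection renames in this hunk are fine; the `1 of selection_service_*` glob still matches both branches.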
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
@@ -1,13 +1,13 @@
 title: PsExec Service Installation
 id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects PsExec service installation and execution events
 references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/10/26
+modified: 2023/08/04
 tags:
     - attack.execution
     - attack.t1569.002
@@ -16,23 +16,13 @@ logsource:
     product: windows
     service: system
 detection:
-    service_installation:
+    selection_eid:
         Provider_Name: 'Service Control Manager'
         EventID: 7045
-        ServiceName: 'PSEXESVC'
-        ImagePath|endswith: '\PSEXESVC.exe'
-    service_execution:
-        EventID: 7036
-        ServiceName: 'PSEXESVC'
-    condition: 1 of service_*
-fields:
-    - EventID
-    - CommandLine
-    - ParentCommandLine
-    - ServiceName
-    - ServiceFileName
-    - TargetFilename
-    - PipeName
+    selection_service:
+        - ServiceName: 'PSEXESVC'
+        - ImagePath|endswith: '\PSEXESVC.exe'
+    condition: all of selection_*
 falsepositives:
     - Unknown
-level: low
+level: medium
diff --git a/rules/windows/driver_load/driver_load_win_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
index 593bfeae4..18f583465 100644
--- a/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
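Review bot: The second hunk removes the `service_execution` (EventID 7036) branch and keeps only `EventID: 7045`, yet the description in the first hunk still says "installation and execution events"; change it to `description: Detects PsExec service installation events (EventID 7045) via the default service name or image path` so the text matches what is selected. Worth a comment on `selection_service` that both values are PsExec defaults and that `psexec -r <name>` renames the service and the dropped binary, e.g. `# Note: "-r" renames both ServiceName and the PSEXESVC.exe image; renamed usage is not covered here`. The old `ServiceName`/`ImagePath` pair was ANDed inside one map; the new list-of-maps makes them an OR, which is the more robust choice and could be stated in the same comment.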
@@ -26,13 +26,13 @@ logsource:
 detection:
     selection:
         ImageLoaded|contains:
-            - 'fgexec'
-            - 'dumpsvc'
             - 'cachedump'
-            - 'mimidrv'
+            - 'dumpsvc'
+            - 'fgexec'
             - 'gsecdump'
-            - 'servpw'
+            - 'mimidrv'
             - 'pwdump'
+            - 'servpw'
     condition: selection
 falsepositives:
     - Legitimate Administrator using credential dumping tool for password recovery
diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
index 8295ab9a4..79daa3125 100644
--- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
+++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
@@ -6,8 +6,12 @@ description: |
     The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
-author: frack113
+    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
+    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
+    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/29
+modified: 2023/08/01
 tags:
     - attack.persistence
     - attack.t1547.009
@@ -16,9 +20,10 @@ logsource:
     category: file_event
 detection:
     selection:
-        TargetFilename|endswith: '.sdb'
-        TargetFilename|contains: '\Windows\apppatch\Custom\'
+        TargetFilename|contains:
+            - ':\Windows\apppatch\Custom\'
+            - ':\Windows\apppatch\CustomSDB\'
     condition: selection
 falsepositives:
-    - Unknown
+    - Legitimate custom SHIM installations will also trigger this rule
 level: medium
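Review bot: The tag `attack.t1547.009` (Boot or Logon Autostart Execution: Shortcut Modification) does not describe this rule; application shimming is `T1546.011`, which is the technique the Atomic Red Team reference in this very hunk points to — change the tag to `- attack.t1546.011`. The new references otherwise match the shim-persistence content.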
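Review bot: Dropping `TargetFilename|endswith: '.sdb'` means any file written under `apppatch\Custom\` or `apppatch\CustomSDB\` now fires, not just shim databases; if that widening is deliberate (it does catch renamed `.sdb` payloads), say so in the description, otherwise keep the suffix check alongside the new `contains` list. `sdbinst.exe` is the component that legitimately writes there, so the falsepositives entry could name it, e.g. `- Legitimate custom shim installations via sdbinst.exe will also trigger this rule`, which gives analysts an `Image` to pivot on.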
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index 6089b9e4c..de54c089e 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
@@ -20,32 +20,32 @@ logsource:
 detection:
     selection:
         - TargetFilename|contains:
-            - '\pwdump'
+            - '\fgdump-log'
             - '\kirbi'
+            - '\pwdump'
             - '\pwhashes'
             - '\wce_ccache'
             - '\wce_krbtkts'
-            - '\fgdump-log'
         - TargetFilename|endswith:
-            - '\test.pwd'
-            - '\lsremora64.dll'
-            - '\lsremora.dll'
-            - '\fgexec.exe'
-            - '\wceaux.dll'
-            - '\SAM.out'
-            - '\SECURITY.out'
-            - '\SYSTEM.out'
-            - '\NTDS.out'
+            - '\cachedump.exe'
+            - '\cachedump64.exe'
             - '\DumpExt.dll'
             - '\DumpSvc.exe'
-            - '\cachedump64.exe'
-            - '\cachedump.exe'
+            - '\Dumpy.exe'
+            - '\fgexec.exe'
+            - '\lsremora.dll'
+            - '\lsremora64.dll'
+            - '\NTDS.out'
+            - '\procdump64.exe'
             - '\pstgdump.exe'
+            - '\pwdump.exe'
+            - '\SAM.out'
+            - '\SECURITY.out'
             - '\servpw.exe'
             - '\servpw64.exe'
-            - '\pwdump.exe'
-            - '\procdump64.exe'
-            - '\Dumpy.exe'
+            - '\SYSTEM.out'
+            - '\test.pwd'
+            - '\wceaux.dll'
     condition: selection
 falsepositives:
     - Legitimate Administrator using tool for password recovery
diff --git a/rules/windows/file/file_event/file_event_win_csexec_service.yml b/rules/windows/file/file_event/file_event_win_csexec_service.yml
new file mode 100644
index 000000000..33f9fce2a
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_csexec_service.yml
@@ -0,0 +1,22 @@
+title: CSExec Service File Creation
+id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
+status: test
+description: Detects default CSExec service filename which indicates CSExec service installation and execution
+references:
+    - https://github.com/malcomvetter/CSExec
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/04
+tags:
+    - attack.execution
+    - attack.t1569.002
+    - attack.s0029
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '\csexecsvc.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_remcom_service.yml b/rules/windows/file/file_event/file_event_win_remcom_service.yml
new file mode 100644
index 000000000..7aee299ac
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_remcom_service.yml
@@ -0,0 +1,22 @@
+title: RemCom Service File Creation
+id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
+status: test
+description: Detects default RemCom service filename which indicates RemCom service installation and execution
+references:
+    - https://github.com/kavika13/RemCom/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/04
+tags:
+    - attack.execution
+    - attack.t1569.002
+    - attack.s0029
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection:
+        TargetFilename|endswith: '\RemComSvc.exe'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_tool_psexec.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
similarity index 84%
rename from rules/windows/file/file_event/file_event_win_tool_psexec.yml
rename to rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
index 09dc46ef3..70adaaad4 100644
--- a/rules/windows/file/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
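Review bot: `attack.s0029` is the ATT&CK software entry for Sysinternals PsExec, not for CSExec; tagging a PsExec re-implementation with it will misattribute hits in any software-based aggregation (Navigator layers, coverage reports). Drop the `- attack.s0029` line, or if the intent is "PsExec-like", say so in the description instead. The system-log CSExec rule added in this same change carries no S-tag, so removing it here also keeps the pair consistent.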
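Review bot: Same issue as the CSExec sibling — `attack.s0029` identifies PsExec itself, so it should not be on a RemCom rule; remove `- attack.s0029` or describe RemCom as PsExec-like in the description. `TargetFilename|endswith: '\RemComSvc.exe'` matches the tool's default drop name only; a comment such as `# Default service binary name from the referenced project; a rebuilt RemCom can change it` would set expectations for the `level: medium` rating.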
@@ -22,14 +22,6 @@ detection:
     selection:
         TargetFilename|endswith: '\PSEXESVC.exe'
     condition: selection
-fields:
-    - EventID
-    - CommandLine
-    - ParentCommandLine
-    - ServiceName
-    - ServiceFileName
-    - TargetFilename
-    - PipeName
 falsepositives:
     - Unknown
 level: low
diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml
new file mode 100644
index 000000000..1fb23bd40
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_avkkid.yml
@@ -0,0 +1,31 @@
+title: Potential AVKkid.DLL Sideloading
+id: 952ed57c-8f99-453d-aee0-53a49c22f95d
+status: experimental
+description: Detects potential DLL sideloading of "AVKkid.dll"
+references:
+    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/08/03
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\AVKkid.dll'
+    filter_main_legit_path:
+        Image|contains:
+            - 'C:\Program Files (x86)\G DATA\'
+            - 'C:\Program Files\G DATA\'
+        Image|endswith: '\AVKKid.exe'
+        ImageLoaded|startswith:
+            - 'C:\Program Files (x86)\G DATA\'
+            - 'C:\Program Files\G DATA\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml
new file mode 100644
index 000000000..fa652280f
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_eacore.yml
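Review bot: The filter hard-codes the `C:` drive in both `Image|contains` and `ImageLoaded|startswith`, so a G DATA installation on any other drive fails the whitelist and alerts on every process start; since `contains` is already in use, drop the drive letter the way the mfdetours rule in this same change does (`- ':\Program Files (x86)\G DATA\'`, `- ':\Program Files\G DATA\'`) and turn `ImageLoaded|startswith` into `ImageLoaded|contains` with the same two values. The filter correctly requires both the loader and the DLL to sit under the vendor directory, which is what keeps a copied-out `AVKKid.exe` visible; a one-line comment saying so would help the next editor not "simplify" it.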
@@ -0,0 +1,28 @@
+title: Potential EACore.DLL Sideloading
+id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
+status: experimental
+description: Detects potential DLL sideloading of "EACore.dll"
+references:
+    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/08/03
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\EACore.dll'
+    filter_main_legit_path:
+        Image|contains|all:
+            - 'C:\Program Files\Electronic Arts\EA Desktop\'
+            - '\EACoreServer.exe'
+        ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml
new file mode 100644
index 000000000..e9f7437af
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml
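Review bot: With `level: high` and `falsepositives: Unlikely`, pinning the filter to `C:\Program Files\Electronic Arts\EA Desktop\` is fragile — the EA app is frequently installed to a non-system drive next to game libraries, and such an install will raise a high alert on every `EACoreServer.exe` start. Drop the drive letter in the `Image|contains|all` entry (`- ':\Program Files\Electronic Arts\EA Desktop\'`) and change `ImageLoaded|startswith` to `ImageLoaded|contains: ':\Program Files\Electronic Arts\EA Desktop\'`; if the fixed drive is intentional, the falsepositives entry should at least say `- EA Desktop installed outside C:\Program Files`.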
@@ -0,0 +1,25 @@
+title: Potential Mfdetours.DLL Sideloading
+id: d2605a99-2218-4894-8fd3-2afb7946514d
+status: experimental
+description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
+references:
+    - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/03
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\mfdetours.dll'
+    filter_main_legit_path:
+        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
new file mode 100644
index 000000000..44a5dcf5f
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml
@@ -0,0 +1,26 @@
+title: Potential Vivaldi_elf.DLL Sideloading
+id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
+status: experimental
+description: Detects potential DLL sideloading of "vivaldi_elf.dll"
+references:
+    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
+author: X__Junior (Nextron Systems)
+date: 2023/08/03
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.001
+    - attack.t1574.002
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith: '\vivaldi_elf.dll'
+    filter_main_legit_path:
+        Image|endswith: '\Vivaldi\Application\vivaldi.exe'
+        ImageLoaded|contains: '\Vivaldi\Application\'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: medium
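Review bot: The filter accepts any `Image` ending in `\Vivaldi\Application\vivaldi.exe` and any `ImageLoaded` containing `\Vivaldi\Application\` with no constraint on the parent directory, so staging `<anywhere>\Vivaldi\Application\vivaldi.exe` next to a rogue `vivaldi_elf.dll` passes the whitelist and the rule stays silent. That looseness is presumably forced by Vivaldi installing per-user under `%LOCALAPPDATA%`, but it should be written down, e.g. `# Note: Vivaldi installs per-user, so the path cannot be pinned; a staged <dir>\Vivaldi\Application\ layout bypasses this filter`. If per-user installs are the only legitimate layout, anchoring on `\AppData\Local\Vivaldi\Application\` plus the `Program Files` variants would tighten it at little cost.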
diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml
index ab39de622..2ce295c43 100644
--- a/rules/windows/image_load/image_load_side_load_windows_defender.yml
+++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml
@@ -1,12 +1,15 @@
-title: Microsoft Defender Loading DLL from Nondefault Path
+title: Potential Mpclient.DLL Sideloading
 id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
+related:
+    - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
+      type: similar
 status: experimental
-description: Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL
+description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
 references:
     - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/02
-modified: 2022/08/17
+modified: 2023/08/04
 tags:
     - attack.defense_evasion
     - attack.t1574.002
@@ -15,16 +18,18 @@ logsource:
     category: image_load
 detection:
     selection:
+        ImageLoaded|endswith: '\mpclient.dll'
         Image|endswith:
             - '\MpCmdRun.exe'
             - '\NisSrv.exe'
-        ImageLoaded|endswith: '\mpclient.dll'
-    filter:
-        ImageLoaded|startswith:
-            - 'C:\Program Files\Windows Defender\'
+    filter_main_known_locations:
+        Image|startswith:
             - 'C:\Program Files (x86)\Windows Defender\'
+            - 'C:\Program Files\Microsoft Security Client\'
+            - 'C:\Program Files\Windows Defender\'
             - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
-    condition: selection and not filter
+            - 'C:\Windows\WinSxS\'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
-    - Very unlikely
+    - Unlikely
 level: high
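Review bot: The filter moved from `ImageLoaded|startswith` to `Image|startswith`, so the rule now suppresses on where the Defender binary runs from and no longer looks at where `mpclient.dll` was resolved; a correctly located `MpCmdRun.exe` loading the DLL from an untrusted path would be silent. Sideloading as in the referenced LockBit case copies the exe next to the rogue DLL, so the common case is still caught, but keeping both fields in the same filter map — the old `ImageLoaded|startswith` list alongside the new `Image|startswith` list — makes suppression require a trusted exe *and* a trusted DLL path with no extra complexity. `'C:\Windows\WinSxS\'` is a wide prefix; a short comment stating why it is trusted (TrustedInstaller-owned servicing store) would help reviewers not strip it later.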
diff --git a/rules/windows/image_load/image_load_wmi_module_load.yml b/rules/windows/image_load/image_load_wmi_module_load.yml
deleted file mode 100755
index 0aeb91378..000000000
--- a/rules/windows/image_load/image_load_wmi_module_load.yml
+++ /dev/null
@@ -1,65 +0,0 @@ -title: WMI Modules Loaded -id: 671bb7e3-a020-4824-a00e-2ee5b55f385e -status: test -description: Detects non wmiprvse loading WMI modules -references: - - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html -author: Roberto Rodriguez @Cyb3rWard0g -date: 2019/08/10 -modified: 2022/01/12 -tags: - - attack.execution - - attack.t1047 -logsource: - category: image_load - product: windows -detection: - selection: - ImageLoaded|endswith: - - '\wmiclnt.dll' - - '\WmiApRpl.dll' - - '\wmiprov.dll' - - '\wmiutils.dll' - - '\wbemcomn.dll' - - '\wbemprox.dll' - - '\WMINet_Utils.dll' - - '\wbemsvc.dll' - - '\fastprox.dll' - filter: - Image|endswith: - - '\WmiPrvSE.exe' - - '\WmiApSrv.exe' - - '\svchost.exe' - - '\DeviceCensus.exe' - - '\CompatTelRunner.exe' - - '\sdiagnhost.exe' - - '\SIHClient.exe' - - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe - - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least - - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 - - 'C:\Windows\Sysmon64.exe' - - 'C:\Windows\Sysmon.exe' - - 'C:\Windows\System32\wbem\unsecapp.exe' - - '\logman.exe' - - '\systeminfo.exe' - - '\nvcontainer.exe' - - 'C:\Windows\System32\wbem\WMIC.exe' - - '\explorer.exe' - - '\opera_autoupdate.exe' - - '\MsMpEng.exe' - - '\thor64.exe' - - '\thor.exe' - filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to - Image|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter and not filter_generic -fields: - - ComputerName - - User - - Image - - ImageLoaded -falsepositives: - - Unknown -level: informational 
diff --git a/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml new file mode 100644 index 000000000..a1a6777d2 --- /dev/null +++ b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml 
@@ -0,0 +1,85 @@ +title: WMI Module Loaded By Non Uncommon Process +id: 671bb7e3-a020-4824-a00e-2ee5b55f385e +status: test +description: Detects a WMI modules being loaded by an uncommon process +references: + - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/08/10 +modified: 2023/08/08 +tags: + - attack.execution + - attack.t1047 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: + - '\fastprox.dll' + - '\wbemcomn.dll' + - '\wbemprox.dll' + - '\wbemsvc.dll' + - '\WmiApRpl.dll' + - '\wmiclnt.dll' + - '\WMINet_Utils.dll' + - '\wmiprov.dll' + - '\wmiutils.dll' + filter_optional_generic: + Image|contains: + - ':\Microsoft\Teams\current\Teams.exe' + - ':\Microsoft\Teams\Update.exe' + - ':\Windows\\explorer.exe' + - ':\Windows\Sysmon.exe' + - ':\Windows\Sysmon64.exe' + - ':\Windows\System32\CompatTelRunner.exe' + - ':\Windows\System32\DeviceCensus.exe' + - ':\Windows\System32\dfsrs.exe' + - ':\Windows\System32\dispdiag.exe' + - ':\Windows\System32\dxdiag.exe' + - ':\Windows\System32\gpresult.exe' + - ':\Windows\System32\logman.exe' + - ':\Windows\System32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least + - ':\Windows\System32\sdiagnhost.exe' + - ':\Windows\System32\SecurityHealthService.exe' + - ':\Windows\System32\ServerManager.exe' + - ':\Windows\System32\SIHClient.exe' + - ':\Windows\System32\svchost.exe' + - ':\Windows\System32\systeminfo.exe' + - ':\Windows\System32\taskhostw.exe' # c:\windows\system32\taskhostw.exe + - ':\Windows\System32\tasklist.exe' + - ':\Windows\System32\vds.exe' + - ':\Windows\System32\wbem\unsecapp.exe' + - ':\Windows\System32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 + - ':\Windows\System32\wbem\WmiApSrv.exe' + - ':\Windows\System32\wbem\WMIC.exe' + - ':\Windows\System32\wbem\WmiPrvSE.exe' + - ':\Windows\SysWOW64\explorer.exe' + - 
':\Windows\SysWOW64\logman.exe' + - ':\Windows\SysWOW64\sdiagnhost.exe' + - ':\Windows\SysWOW64\svchost.exe' + - ':\Windows\SysWOW64\systeminfo.exe' + - ':\Windows\SysWOW64\wbem\WmiPrvSE.exe' + filter_optional_other: + Image|endswith: + - '\WindowsAzureGuestAgent.exe' + - '\WaAppAgent.exe' + filter_optional_thor: + Image|endswith: + - '\thor.exe' + - '\thor64.exe' + filter_optional_defender: + Image|endswith: '\MsMpEng.exe' + filter_optional_dotnet: + Image|contains: + - ':\Windows\Microsoft.NET\Framework\' + - ':\Windows\Microsoft.NET\Framework64\' + Image|endswith: '\ngentask.exe' + filter_optional_programfiles: + Image|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' + condition: selection and not 1 of filter_optional_* +falsepositives: + - Unknown +level: low diff --git a/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml new file mode 100644 index 000000000..f4c4da6dc --- /dev/null +++ b/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml 
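Review bot: The two Teams entries in `filter_optional_generic`, `':\Microsoft\Teams\current\Teams.exe'` and `':\Microsoft\Teams\Update.exe'`, anchor `\Microsoft\Teams` directly to the drive root, but Teams classic is a per-user install (typically under `%LOCALAPPDATA%\Microsoft\Teams\`), so as written they only match an unusual `X:\Microsoft\Teams\…` layout and the intended exclusion presumably never fires. If `'\Microsoft\Teams\current\Teams.exe'` was meant, add a comment that this is a user-writable path any dropper can imitate, e.g. `# Note: user-writable location, name-only exclusion`. The title `WMI Module Loaded By Non Uncommon Process` is a double negative that contradicts both the description and the filename; `title: WMI Module Loaded By Uncommon Process`. The description should likewise read `Detects WMI modules being loaded by an uncommon process`.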
@@ -0,0 +1,28 @@
+title: CSExec Default Named Pipe
+id: f318b911-ea88-43f4-9281-0de23ede628e
+related:
+ - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+ type: obsoletes
+status: test
+description: Detects default CSExec pipe creation
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+ - https://github.com/malcomvetter/CSExec
+author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+detection:
+ selection:
+ PipeName|contains: '\csexecsvc'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator activity
+level: medium
diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml similarity index 93% rename from rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml rename to rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
index 9ca006e3f..6648ba357 100644
--- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
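Review bot: `\csexecsvc` remains an entry of `Malicious Named Pipe Created` (`fe3ac066-98bb-432a-b1e7-a5229cb39d4a`, reordered later in this same commit as `- '\csexecsvc' #CSEXEC default`), so a single CSExec pipe creation now fires that rule and this medium-level one on the same event. If both are meant to stay, declare the overlap under `related` with `- id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a` / `type: similar`; otherwise drop the entry from the generic list so the two rules do not double-alert at different levels.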
@@ -1,5 +1,10 @@ title: CobaltStrike Named Pipe id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 +related: + - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns + type: similar + - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex + type: similar status: test description: Detects the creation of a named pipe as used by CobaltStrike references: diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml similarity index 93% rename from rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml rename to rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml index 040265dd5..92d3ffa90 100644 --- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml @@ -1,5 +1,10 @@ title: CobaltStrike Named Pipe Pattern Regex id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a +related: + - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns + type: similar + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic + type: similar status: test description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles references: diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml similarity index 84% rename from rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml rename to rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml index f9760d37f..31747b587 100644 --- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml 
@@ -1,5 +1,10 @@ title: CobaltStrike Named Pipe Patterns id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 +related: + - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex + type: similar + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic + type: similar status: test description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles references: @@ -7,7 +12,7 @@ references: - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2021/07/30 -modified: 2022/10/09 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -17,35 +22,35 @@ logsource: category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection_malleable_profiles: + selection_malleable_profile_generic: - PipeName|startswith: + - '\DserNamePipe' + - '\f4c3' + - '\f53f' + - '\fullduplex_' - '\mojo.5688.8052.183894939787088877' - '\mojo.5688.8052.35780273329370473' + - '\MsFteWds' + - '\msrpc_' - '\mypipe-f' - '\mypipe-h' - '\ntsvcs' - - '\scerpc' - - '\win_svc' - - '\spoolss' - - '\msrpc_' - - '\win\msrpc_' - - '\wkssvc' - - '\f53f' - - '\windows.update.manager' - - '\SearchTextHarvester' - - '\DserNamePipe' - '\PGMessagePipe' - - '\MsFteWds' - - '\f4c3' - - '\fullduplex_' - '\rpc_' + - '\scerpc' + - '\SearchTextHarvester' + - '\spoolss' + - '\win_svc' + - '\win\msrpc_' + - '\windows.update.manager' + - '\wkssvc' - PipeName: - '\demoagent_11' - '\demoagent_22' - selection_malleable_profile_CatalogChangeListener: + selection_malleable_profile_catalog_change_listener: PipeName|startswith: '\Winsock2\CatalogChangeListener-' PipeName|endswith: '-0,' - filter: + filter_main_generic: PipeName: - '\wkssvc' - '\spoolss' 
@@ -54,7 +59,7 @@ detection: - '\SearchTextHarvester' - '\PGMessagePipe' - '\MsFteWds' - condition: 1 of selection_malleable_profile* and not filter + condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* falsepositives: - - Chrome instances using the exact same pipe name "mojo.something" + - Chrome instances using the exact same pipe name "mojo.xxx" level: high diff --git a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml similarity index 89% rename from rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml rename to rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml index 3ae653567..f6017cdbd 100644 --- a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml @@ -1,11 +1,12 @@ -title: DiagTrackEoP Default Named Pipe +title: HackTool - DiagTrackEoP Default Named Pipe id: 1f7025a6-e747-4130-aac4-961eb47015f1 status: experimental -description: Detects creation of default named pipe used by the DiagTrackEoP POC +description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. references: - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/03 +modified: 2023/08/07 tags: - attack.privilege_escalation logsource: diff --git a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml similarity index 80% rename from rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml rename to rules/windows/pipe_created/pipe_created_hktl_efspotato.yml index 957e4104f..cc2dee084 100644 --- a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml 
@@ -1,13 +1,13 @@ -title: EfsPotato Named Pipe +title: HackTool - EfsPotato Named Pipe Creation id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 status: experimental -description: Detects the pattern of a pipe name as used by the tool EfsPotato +description: Detects the pattern of a pipe name as used by the hacktool EfsPotato references: - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 - https://github.com/zcgonvh/EfsPotato author: Florian Roth (Nextron Systems) date: 2021/08/23 -modified: 2022/06/20 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.privilege_escalation @@ -20,10 +20,10 @@ detection: selection: PipeName|contains: - '\pipe\' - - '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives) - filter: + - '\pipe\srvsvc' # more specific version (use only this one if the other causes too many false positives) + filter_optional_ctx: PipeName|contains: '\CtxShare' - condition: selection and not filter + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml similarity index 82% rename from rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml rename to rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml index 374c1b428..abf6b6a52 100644 --- a/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml 
@@ -1,12 +1,13 @@ -title: Cred Dump-Tools Named Pipes +title: HackTool - Credential Dumping Tools Named Pipe Created id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e status: test -description: Detects well-known credential dumping tools execution via specific named pipes +description: Detects well-known credential dumping tools execution via specific named pipe creation references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799 author: Teymur Kheirkhabarov, oscd.community date: 2019/11/01 -modified: 2021/11/27 +modified: 2023/08/07 tags: - attack.credential_access - attack.t1003.001 @@ -20,8 +21,8 @@ logsource: detection: selection: PipeName|contains: - - '\lsadump' - '\cachedump' + - '\lsadump' - '\wceservicepipe' condition: selection falsepositives: diff --git a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml similarity index 95% rename from rules/windows/pipe_created/pipe_created_koh_default_pipe.yml rename to rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml index 6a9e10ab4..3042597df 100644 --- a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml @@ -1,4 +1,4 @@ -title: Koh Default Named Pipes +title: HackTool - Koh Default Named Pipe id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a status: experimental description: Detects creation of default named pipes used by the Koh tool @@ -6,6 +6,7 @@ references: - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/08 +modified: 2023/08/07 tags: - attack.privilege_escalation - attack.credential_access 
diff --git a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml index c92637a41..8d7029c32 100644 --- a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml +++ b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml @@ -1,7 +1,7 @@ -title: Malicious Named Pipe +title: Malicious Named Pipe Created id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a status: test -description: Detects the creation of a named pipe used by known APT malware +description: Detects the creation of a named pipe seen used by known APTs or malware. references: - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/ - https://securelist.com/faq-the-projectsauron-apt/75533/ @@ -17,7 +17,7 @@ references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: Florian Roth (Nextron Systems), blueteam0ps, elhoim date: 2017/11/06 -modified: 2022/03/15 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -29,34 +29,34 @@ logsource: detection: selection: PipeName: - - '\isapi_http' # Uroburos Malware + - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron + - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware + - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake + - '\9f81f59bc58452127884ce513865ed20' # Project Sauron + - '\adschemerpc' # Turla HyperStack + - '\ahexec' # Sofacy group malware + - '\AnonymousPipe' # Hidden Cobra Hoplight + - '\bc31a7' # Pacifier + - '\bc367' # Pacifier + - '\bizkaz' # Snatch Ransomware + - '\csexecsvc' #CSEXEC default + - '\dce_3d' #Qbot + - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron + - '\gruntsvc' # Covenant default - '\isapi_dg' # Uroburos Malware - '\isapi_dg2' # Uroburos Malware - - '\sdlrpc' # Cobra Trojan - - '\ahexec' # Sofacy group malware - - '\winsession' # Wild Neutron APT malware + - '\isapi_http' # Uroburos Malware + - '\jaccdpqnvbrrxlaf' #PoshC2 default - '\lsassw' # Wild Neutron APT malware - - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron - - '\9f81f59bc58452127884ce513865ed20' # Project Sauron - - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron - - '\rpchlp_3' # Project Sauron - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves - '\pcheap_reuse' # Pipe used by Equation Group malware - - '\gruntsvc' # Covenant default - # - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253 - - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware - - '\bizkaz' # Snatch Ransomware - - '\svcctl' #Crackmapexec smbexec default - '\Posh*' #PoshC2 default - - '\jaccdpqnvbrrxlaf' #PoshC2 default - - '\csexecsvc' #CSEXEC default - - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake - - '\adschemerpc' # Turla HyperStack - - '\AnonymousPipe' # Hidden Cobra Hoplight - - '\bc367' # Pacifier - - '\bc31a7' # Pacifier + - '\rpchlp_3' # Project Sauron + - '\sdlrpc' # Cobra Trojan + - '\svcctl' #Crackmapexec smbexec default - '\testPipe' # Emissary Panda Hyperbro 
- - '\dce_3d' #Qbot + - '\winsession' # Wild Neutron APT malware + # - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253 condition: selection falsepositives: - Unknown diff --git a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml similarity index 100% rename from rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml rename to rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml diff --git a/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml b/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml new file mode 100644 index 000000000..8e819e72c --- /dev/null +++ b/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml 
@@ -0,0 +1,28 @@
+title: RemCom Default Named Pipe
+id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
+related:
+ - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+ type: obsoletes
+status: test
+description: Detects default RemCom pipe creation
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+ - https://github.com/kavika13/RemCom
+author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+detection:
+ selection:
+ PipeName|contains: '\RemCom'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator activity
+level: medium
diff --git a/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml similarity index 100% rename from rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml rename to rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml
diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml similarity index 83% rename from rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml rename to rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml index 2fbbeba1d..e0f10faeb 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml @@ -4,7 +4,7 @@ related: - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 type: derived status: test -description: Detects PsExec service installation and execution events (service and Sysmon) +description: Detects PsExec service default pipe creation references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -23,14 +23,6 @@ detection: selection: PipeName: '\PSEXESVC' condition: selection -fields: - - EventID - - CommandLine - - ParentCommandLine - - ServiceName - - ServiceFileName - - TargetFilename - - PipeName falsepositives: - Unknown level: low diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml similarity index 88% rename from rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml rename to rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml index 41fa2e118..27725e574 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml +++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml @@ -10,6 +10,7 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/04 +modified: 2023/08/07 tags: - attack.execution - attack.t1569.002 
@@ -22,20 +23,12 @@ detection: selection: PipeName: '\PSEXESVC' Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env - - 'C:\Users\Public\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' - '\Desktop\' - '\Downloads\' - - '\AppData\Local\Temp\' - - 'C:\Windows\Temp\' condition: selection -fields: - - EventID - - CommandLine - - ParentCommandLine - - ServiceName - - ServiceFileName - - TargetFilename - - PipeName falsepositives: - Rare legitimate use of psexec from the locations mentioned above level: high diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml new file mode 100644 index 000000000..2e411584e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml 
@@ -0,0 +1,51 @@
+title: Dynamic .NET Compilation Via Csc.EXE
+id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
+status: test
+description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
+references:
+ - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
+ - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
+ - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
+ - https://twitter.com/gN3mes1s/status/1206874118282448897
+author: Florian Roth (Nextron Systems)
+date: 2019/08/24
+modified: 2023/08/02
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\csc.exe'
+ CommandLine|contains:
+ - '\AppData\Local\Temp\' # User execution
+ - '\Windows\Temp\' # Admin execution
+ filter_main_programfiles:
+ # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
+ ParentImage|startswith:
+ - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ filter_main_sdiagnhost:
+ ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
+ filter_main_w3p:
+ ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
+ filter_optional_chocolatey:
+ ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
+ filter_optional_defender:
+ ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
+ filter_optional_ansible:
+ # Note: As ansible is widely used we exclude it with this generic filter.
+ # A better option would be to filter based on script content basis or other marker while hunting
+ ParentCommandLine|contains:
+ # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
+ - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
+ - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
+ - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
+ - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
+ - Ansible
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml deleted file mode 100644
index 434a6afda..000000000
--- a/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml
+++ /dev/null
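Review bot: `filter_main_w3p` unconditionally excludes `w3wp.exe` as the parent, yet an IIS worker spawning `csc.exe` with sources under `\Windows\Temp\` is also what a CodeDom-based ASPX webshell or dynamically compiled .NET payload on an exposed web server produces, and `filter_main_*` selections are not meant to be switched off by rule consumers. Since the exclusion exists for the false-positive report in the referenced tweet rather than because w3wp cannot be abused, it belongs in the optional tier: rename it `filter_optional_w3wp:` (which also fixes the `w3p` typo) and add `# Note: ASP.NET compiles legitimately via csc.exe; review rather than suppress on internet-facing IIS hosts`. The `filter_main_programfiles` prefixes are hard-coded to `C:\` while other rules in this commit use drive-agnostic `:\…` patterns; on a non-C: install that filter never applies.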
@@ -1,36 +0,0 @@ -title: Suspicious Csc.exe Source File Folder -id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 -status: test -description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData) -references: - - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ - - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf - - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ - - https://twitter.com/gN3mes1s/status/1206874118282448897 -author: Florian Roth (Nextron Systems) -date: 2019/08/24 -modified: 2022/10/09 -tags: - - attack.defense_evasion - - attack.t1027.004 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\csc.exe' - CommandLine|contains: - - '\AppData\' - - '\Windows\Temp\' - filter: - - ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - ParentImage|endswith: - - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 - - '\choco.exe' # Chocolatey https://chocolatey.org/ - - ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' - condition: selection and not filter -falsepositives: - - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897 - - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962 -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml index 2dd763878..1f5e3cb53 100644 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml 
@@ -1,12 +1,13 @@ -title: Suspicious Parent of Csc.exe +title: Csc.EXE Execution Form Potentially Suspicious Parent id: b730a276-6b63-41b8-bcf8-55930c8fc6ee status: test -description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery +description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. references: - - https://twitter.com/SBousseaden/status/1094924091256176641 -author: Florian Roth (Nextron Systems) + - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing + - https://reaqta.com/2017/11/short-journey-darkvnc/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2019/02/11 -modified: 2022/01/07 +modified: 2023/08/02 tags: - attack.execution - attack.t1059.005 
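Review bot: The new title has a typo, `Form` for `From`; it should read `title: Csc.EXE Execution From Potentially Suspicious Parent`. Titles are what analysts see in alert feeds and what downstream tooling indexes, so it is worth fixing before the rule ships.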
@@ -18,13 +19,49 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\csc.exe' + selection_img: + - Image|endswith: '\csc.exe' + - OriginalFileName: 'csc.exe' + selection_parent_generic: ParentImage|endswith: - - '\wscript.exe' - '\cscript.exe' - '\mshta.exe' - condition: selection + - '\winword.exe' + - '\wscript.exe' + selection_parent_powershell: + ParentImage|endswith: + - '\powershell.exe' + - '\pwsh.exe' + ParentCommandLine|contains: + - '-Encoded ' + - 'FromBase64String' + selection_parent_susp_location: + - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$' + - ParentCommandLine|contains: + - ':\Users\Public\' + - ':\PerfLogs\' + - '\Temporary Internet' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Favorites\' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Favourites\' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Contacts\' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Pictures\' + filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. 
+ # A better option would be to filter based on script content basis or other marker while hunting + ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' + - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw' + - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA' + - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA' + condition: selection_img and 1 of selection_parent_* and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml new file mode 100644 index 000000000..856b5a3d7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml 
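Review bot: The regex in `selection_parent_susp_location` has a misplaced bracket: in `\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming)` the optional group is `(Ll]ow)?`, i.e. the literal text `Ll]ow`, so a parent launched from `\AppData\LocalLow\<file>` never matches this branch (after `Local` the next character is `L`, which is neither the required `\\` nor that literal). The intended form is `([Ll]ow)?`, giving `'([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'`. Note also that Sigma's `re` modifier is case-sensitive, so the explicit `[Pp]`/`[Dd]` classes are doing real work here and should be kept when the group is corrected. The `filter_optional_ansible` comment would read better as `A better option would be to filter based on script content or another marker while hunting`.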
@@ -0,0 +1,29 @@ +title: File Decryption Using Gpg4win +id: 037dcd71-33a8-4392-bb01-293c94663e5a +status: experimental +description: Detects usage of Gpg4win to decrypt files +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html + - https://www.gpg4win.de/documentation.html + - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/09 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - Description: 'GnuPG’s OpenPGP tool' + selection_cli: + CommandLine|contains|all: + - ' -d ' + - 'passphrase' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml new file mode 100644 index 000000000..3691d1022 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml 
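Review bot: `selection_cli` anchors on the short option only (`' -d '`), so an otherwise identical invocation using the equivalent long form `--decrypt` together with a `passphrase` option is not covered by the rule. Splitting the selector into a flag alternative and a passphrase check keeps the `all of selection_*` condition intact: `selection_cli_flag: CommandLine|contains: [' -d ', ' --decrypt ']` and `selection_cli_pass: CommandLine|contains: 'passphrase'`. The same gap exists in the encryption rule in the next file section, where `' -c '` has the long form `--symmetric`. Both rules list `falsepositives: Unknown`, although legitimate scripted use of `--passphrase` is the expected benign source and could be named there.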
@@ -0,0 +1,29 @@ +title: File Encryption Using Gpg4win +id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd +status: experimental +description: Detects usage of Gpg4win to encrypt files +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html + - https://www.gpg4win.de/documentation.html + - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/09 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - Description: 'GnuPG’s OpenPGP tool' + selection_cli: + CommandLine|contains|all: + - ' -c ' + - 'passphrase' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml new file mode 100644 index 000000000..1101f32c3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml 
@@ -0,0 +1,30 @@ +title: Portable Gpg.EXE Execution +id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 +status: experimental +description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. +references: + - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a + - https://securelist.com/locked-out/68960/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/06 +tags: + - attack.impact + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - OriginalFileName: 'gpg.exe' + - Description: 'GnuPG’s OpenPGP tool' + filter_main_legit_location: + Image|contains: + - ':\Program Files (x86)\GnuPG\bin\' + - ':\Program Files (x86)\GNU\GnuPG\bin\' + - ':\Program Files (x86)\Gpg4win\bin\' + condition: selection and not 1 of filter_main_* +level: high diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml new file mode 100644 index 000000000..24f49c3c5 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml 
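Review bot: This rule goes straight from `condition:` to `level: high` with no `falsepositives` field, unlike every other rule added in this commit; the renamed-gpg rule (`proc_creation_win_renamed_gpg4win.yml`, further down in this diff) omits the field in the same way. There is a concrete benign source to document: Git for Windows presumably bundles its own `gpg.exe` outside the three Gpg4win/GnuPG paths in `filter_main_legit_location`, and the `Image|endswith: '\gpg.exe'` branch of `selection` will match it. Suggested text: `falsepositives:` / `- Legitimate GnuPG builds installed outside the Gpg4win default paths (e.g. bundled with Git for Windows)`, and `- Unlikely` for the renamed-binary rule. If 64-bit GnuPG installs under `:\Program Files\GnuPG\bin\` are in use in the environment, that path is also absent from the filter.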
@@ -0,0 +1,36 @@ +title: File Encryption/Decryption Via Gpg4win From Suspicious Locations +id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d +status: experimental +description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html + - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2022/11/30 +modified: 2023/08/09 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - Product: 'GNU Privacy Guard (GnuPG)' + - Description: 'GnuPG’s OpenPGP tool' + selection_cli: + CommandLine|contains: '-passphrase' + selection_paths: + CommandLine|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml deleted file mode 100644 index f8d2e371a..000000000 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: Gpg4Win Decrypt Files From Suspicious Locations -id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d -status: experimental -description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI -references: - - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html -author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -date: 2022/11/30 -tags: - - attack.command_and_control - - attack.t1219 -logsource: - category: process_creation - product: windows -detection: - selection_metadata: - - Image|endswith: '\gpg2.exe' - - Product: 'GNU Privacy Guard (GnuPG)' - - Company: 'g10 Code GmbH' - selection_cli: - CommandLine|contains: '-passphrase' - selection_paths: - CommandLine|contains: - - '\AppData\Roaming\' - - 'C:\Perflogs\' - - 'C:\Windows\Temp\' - - 'C:\temp' - condition: all of selection_* -falsepositives: - - Legitimate use -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml index 93f7abf93..23af4f593 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml @@ -1,12 +1,12 @@ title: LOLBIN Execution Of The FTP.EXE Binary id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e status: test -description: Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe +description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Ftp/ author: Victor Sergeev, oscd.community date: 2020/10/09 -modified: 2022/11/10 +modified: 2023/08/11 tags: - attack.execution - attack.t1059 
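Review bot: The rewritten `description` of the ftp rule still reads `Detects execution of ftp.exe script execution with the "-s" or "/s" flag`, doubling "execution"; since the line is being changed anyway, `Detects script execution via ftp.exe with the "-s" or "/s" flag and any child processes spawned by ftp.exe` reads cleaner. The preceding hunk is a pure deletion of the old gpg4win rule whose id is reused by the new suspicious-location rule, so no comment on it.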
@@ -22,11 +22,10 @@ detection: - Image|endswith: '\ftp.exe' - OriginalFileName: 'ftp.exe' selection_ftp_cli: - CommandLine|contains: '-s:' + CommandLine|contains: + - '-s:' + - '/s:' condition: selection_parent or all of selection_ftp_* -fields: - - CommandLine - - ParentImage falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml deleted file mode 100644 index 5cb82525a..000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Use of Mftrace.exe -id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e -status: experimental -description: The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries -references: - - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ -author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/09 -tags: - - attack.defense_evasion - - attack.t1127 -logsource: - category: process_creation - product: windows -detection: - selection_img: - - Image|endswith: '\mftrace.exe' - - OriginalFileName: 'mftrace.exe' - selection_cli: - # This assumes that when someone use mftrace to launch an ".exe" he will add a space and the binary launched will end with ".exe" - CommandLine|contains: '.exe ' - CommandLine|endswith: '.exe' - parent: - ParentImage|endswith: '\mftrace.exe' - condition: all of selection* or parent -falsepositives: - - Legitimate use for tracing purposes -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml deleted file mode 100644 index 05030298e..000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Suspicious OfflineScannerShell.exe Execution From Another Folder -id: 02b18447-ea83-4b1b-8805-714a8a34546a -status: test -description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory -references: - - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ -author: frack113 -date: 2022/03/06 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - lolbas: - Image|endswith: '\OfflineScannerShell.exe' - filter_correct: - CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\' - filter_missing: - CurrentDirectory: null - condition: lolbas and not 1 of filter_* -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml new file mode 100644 index 000000000..77eedc781 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml @@ -0,0 +1,22 @@ +title: Potential Mftrace.EXE Abuse +id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e +status: experimental +description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/06/09 +modified: 2023/08/03 +tags: + - attack.defense_evasion + - attack.t1127 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\mftrace.exe' + condition: selection +falsepositives: + - Legitimate use for tracing purposes +level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml index 6e6de4fdc..9d898c282 100644 --- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml @@ -1,12 +1,15 @@ -title: DLL Sideloading by Microsoft Defender +title: Potential Mpclient.DLL Sideloading Via Defender Binaries id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 +related: + - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc + type: similar status: experimental -description: Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL +description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj date: 2022/08/01 -modified: 2022/08/09 +modified: 2023/08/04 tags: - attack.defense_evasion - attack.t1574.002 
@@ -15,14 +18,17 @@ logsource: category: process_creation detection: selection: - Image|endswith: '\MpCmdRun.exe' - legit_path: - Image|startswith: # MpCmdRun resides in two locations + Image|endswith: + - '\MpCmdRun.exe' + - '\NisSrv.exe' + filter_main_known_locations: + Image|startswith: + - 'C:\Program Files (x86)\Windows Defender\' + - 'C:\Program Files\Microsoft Security Client\' - 'C:\Program Files\Windows Defender\' - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - - 'C:\Windows\winsxs\' - - 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' # found on Win7 i386 - condition: selection and not legit_path + - 'C:\Windows\WinSxS\' + condition: selection and not 1 of filter_main_* falsepositives: - - Unknown + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml new file mode 100644 index 000000000..bc5067a80 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml 
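Review bot: `filter_main_known_locations` uses `Image|startswith` with a hard-coded `C:` drive, so on a host where Windows lives on another drive none of the legitimate Defender paths are excluded and every MpCmdRun/NisSrv start becomes a level-high alert. The portable-gpg rule added in this same commit uses the drive-agnostic form `Image|contains: ':\Program Files (x86)\...'`, and writing this filter the same way (`Image|contains:` with `':\Program Files\Windows Defender\'`, `':\ProgramData\Microsoft\Windows Defender\Platform\'`, etc.) would keep the two consistent; if the drive anchoring is deliberate, a comment saying so would save the next reader the question. The OfflineScannerShell rule in the next file section has the same hard-coded `C:\Program Files\Windows Defender\Offline\` in `filter_main_legit_dir`. The removed `# found on Win7 i386` note for the Microsoft Security Client path is lost in the rewrite and is worth carrying over as a comment on that line.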
@@ -0,0 +1,31 @@ +title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution +id: 02b18447-ea83-4b1b-8805-714a8a34546a +status: test +description: | + Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. + The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory. +references: + - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ +author: frack113 +date: 2022/03/06 +modified: 2023/08/03 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\OfflineScannerShell.exe' + - OriginalFileName: 'OfflineScannerShell.exe' + filter_main_legit_dir: + CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\' + filter_main_empty: + CurrentDirectory: '' + filter_main_null: + CurrentDirectory: null + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml new file mode 100644 index 000000000..c9732a038 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml 
@@ -0,0 +1,50 @@ +title: Potential Provlaunch.EXE Binary Proxy Execution Abuse +id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c +related: + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar +status: experimental +description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/08/08 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\provlaunch.exe' + filter_main_covered_children: + # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd + - Image|endswith: + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + - Image|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - '\AppData\Temp\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - '\Windows\Temp\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml new file mode 100644 index 000000000..69c18763e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml 
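Review bot: `filter_main_covered_children` includes `'\AppData\Temp\'`, which is not a standard profile folder; presumably `'\AppData\Local\Temp\'` was intended (that is the form used by the gpg4win suspicious-location rule in this commit). As written, a child started from the user temp directory is neither excluded here nor caught by the companion rule, since the same entry appears in `selection_child` of `proc_creation_win_provlaunch_susp_child_process.yml` in the next file section; both lists should be corrected together, as the `# Note:` comment on the filter already implies they must stay in sync. The `related` comments label the companion ids as `CLI Abuse` / `CLI Registry` here but `CLI Generic` / `CLI Registry` in the companion rule, so one set of labels should be picked.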
@@ -0,0 +1,49 @@ +title: Suspicious Provlaunch.EXE Child Process +id: f9999590-1f94-4a34-a91e-951e47bedefd +related: + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar +status: experimental +description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/08 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: '\provlaunch.exe' + selection_child: + - Image|endswith: + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + - Image|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - '\AppData\Temp\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - '\Windows\Temp\' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml new file mode 100644 index 000000000..9c6e44ecc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml 
@@ -0,0 +1,29 @@ +title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution +id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 +related: + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar +status: experimental +description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/08/08 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml new file mode 100644 index 000000000..bf29e2ae3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml @@ -0,0 +1,23 @@ +title: Renamed Gpg.EXE Execution +id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592 +status: experimental +description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. +references: + - https://securelist.com/locked-out/68960/ +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2023/08/09 +tags: + - attack.impact + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'gpg.exe' + filter_main_img: + Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + condition: selection and not 1 of filter_main_* +level: high 
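Review bot: `selection` matches any process whose command line merely mentions `SOFTWARE\Microsoft\Provisioning\Commands\`, which includes read-only inventory or audit commands (`reg query`, `reg export`, scripted registry backups), yet the rule is `level: high` with `falsepositives: Unknown`. Either narrow the selector to write operations (pairing it with the `reg add` / `Set-ItemProperty` / `New-ItemProperty` style terms the repository uses elsewhere) or document the read-only administrative sources under `falsepositives` so the level is justified. The rule also has no `OriginalFileName`/`Image` anchor, unlike the sibling provlaunch rules, which is fine for a command-line pattern but worth a one-line comment explaining the choice.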
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml index b8af7e3e4..ecdca9000 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml @@ -1,12 +1,17 @@ -title: Possible Shim Database Persistence via sdbinst.exe +title: Potential Shim Database Persistence via Sdbinst.EXE id: 517490a7-115a-48c6-8862-1a481504d5a8 +related: + - id: 18ee686c-38a3-4f65-9f44-48a077141f42 + type: similar status: test -description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. +description: | + Detects installation of a new shim using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims references: - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence author: Markus Neis date: 2019/01/16 -modified: 2022/10/09 +modified: 2023/08/01 tags: - attack.persistence - attack.privilege_escalation 
@@ -15,12 +20,15 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\sdbinst.exe' + selection_img: + - Image|endswith: '\sdbinst.exe' + - OriginalFileName: 'sdbinst.exe' + selection_cli: CommandLine|contains: '.sdb' - filter: - CommandLine|contains: 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) - condition: selection and not filter + filter_optional_iis: + ParentImage|endswith: '\msiexec.exe' + CommandLine|contains: 'iisexpressshim.sdb' # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml new file mode 100644 index 000000000..d048ac839 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml 
@@ -0,0 +1,30 @@ +title: Suspicious Shim Database Installation via Sdbinst.EXE +id: 18ee686c-38a3-4f65-9f44-48a077141f42 +related: + - id: 517490a7-115a-48c6-8862-1a481504d5a8 + type: derived +status: test +description: | + Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims +references: + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/01 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.011 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\sdbinst.exe' + - OriginalFileName: 'sdbinst.exe' + filter_main_legit_ext: + CommandLine|contains: '.sdb' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml new file mode 100644 index 000000000..c5e93f434 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml 
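Review bot: `filter_main_legit_ext` only excludes command lines containing `.sdb`, so any other sdbinst invocation — the bare or `-?` help call, and, if I recall the syntax correctly, uninstalls by GUID or name (`sdbinst -u -g {GUID}`) — trips a rule titled "uncommon extension" at `level: high`. Consider an additional `filter_main_uninstall: CommandLine|contains: ' -u '` or at least naming these cases under `falsepositives` instead of `Unknown`. The `references` entry still points at the fireeye.com URL that the sibling rule in this commit just replaced with the mandiant.com one; the new rule should use the updated link too.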
@@ -0,0 +1,29 @@ +title: Potential Amazon SSM Agent Hijacking +id: d20ee2f4-822c-4827-9e15-41500b1fff10 +status: experimental +description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport. +references: + - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan + - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ + - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ +author: Muhammad Faisal +date: 2023/08/02 +tags: + - attack.command_and_control + - attack.persistence + - attack.t1219 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\amazon-ssm-agent.exe' + CommandLine|contains|all: + - '-register ' + - '-code ' + - '-id ' + - '-region ' + condition: selection +falsepositives: + - Legitimate activity of system administrators +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml rename to rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 3856594ab..7b3d10c71 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml 
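Review bot: The description has a typo, `reoport`: `+description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.` Hybrid-activation registration by administrators uses exactly the `-register -code -id -region` set the rule keys on, so the `falsepositives` entry is accurate, but a comment on `selection` saying that the rule is meant to be baselined against the organisation's own registrations would help tuning. Unlike the other process-creation rules in this commit, `selection` matches on `Image|endswith` only with no `OriginalFileName` alternative; if that is deliberate (the agent binary is not normally renamed), a short comment would make it clear.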
@@ -17,7 +17,7 @@ references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2022/09/01 -modified: 2023/07/13 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.t1489 @@ -93,7 +93,7 @@ detection: - 'FirebirdGuardianDefaultInstance' - 'FirebirdServerDefaultInstance' - 'HealthTLService' - - 'HISSQLFDLauncherSSHAREPOINIT' + - 'MSSQLFDLauncher$' # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc. - 'hmpalertsvc' - 'HMS' - 'IISAdmin' @@ -221,7 +221,7 @@ detection: - 'UI0Detect' - 'UTODetect' - 'Veeam' - - 'VeemaDep/oySvc' + - 'VeeamDeploySvc' - 'Veritas System Recovery' - 'VSApiNt' - 'VSS' diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml new file mode 100644 index 000000000..c3716f59a --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml @@ -0,0 +1,28 @@ +title: Potential Binary Proxy Execution Via VSDiagnostics.EXE +id: ac1c92b4-ac81-405a-9978-4604d78cc47e +status: experimental +description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. +references: + - https://twitter.com/0xBoku/status/1679200664013135872 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/03 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\VSDiagnostics.exe' + - OriginalFileName: 'VSDiagnostics.exe' + selection_cli_start: + CommandLine|contains: 'start' + selection_cli_launch: + CommandLine|contains: + - ' /launch:' + - ' -launch:' + condition: all of selection_* +falsepositives: + - Legitimate usage for tracing and diagnostics purposes +level: medium 
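Review bot: In the VSDiagnostics rule, `selection_cli_start: CommandLine|contains: 'start'` matches the bare substring, so `restart`, `startup` or a path containing "start" satisfies it; the neighbouring selector is written with a bounding space (`' /launch:'`), and `' start '` would match that style and the documented `VSDiagnostics start ... /launch:` invocation the rule presumably targets. The service-tamper hunks above correct two garbled service names (`MSSQLFDLauncher$`, `VeeamDeploySvc`); the trailing `$` in the first is literal under a `contains` modifier and the comment explains it, which is good.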
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml index 76bec65c2..bb303830e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml @@ -7,7 +7,7 @@ references: - https://vanmieghem.io/stealth-outlook-persistence/ author: Bhabesh Raj date: 2021/01/10 -modified: 2023/06/28 +modified: 2023/08/11 tags: - attack.t1137.006 - attack.persistence @@ -34,6 +34,8 @@ detection: - '\integrator.exe' - '\OfficeClickToRun.exe' - '\winword.exe' + filter_teams: + Image|endswith: '\Teams.exe' filter_avg: Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe' TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\' diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml similarity index 68% rename from rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml rename to rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml index 0f0964bd7..4d31a7a0b 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml @@ -7,9 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ author: frack113 date: 2021/12/30 -modified: 2023/01/10 +modified: 2023/08/01 tags: - attack.persistence - attack.t1546.011 
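Review bot: The new `filter_teams` excludes on `Image|endswith: '\Teams.exe'` alone, with no path constraint, whereas the adjacent `filter_avg` pins both the full image path and the target object. Teams installs per-user under `%LocalAppData%\Microsoft\Teams\` (presumably the path in the events that motivated the filter), so `Image|contains: '\Microsoft\Teams\current\Teams.exe'` — or at least `'\Microsoft\Teams\'` — would keep the exclusion without exempting every binary that happens to be named Teams.exe. The `condition` that must reference this filter lies outside the hunk, so I could not confirm from the diff that `filter_teams` is actually wired in (e.g. via `not 1 of filter_*`).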
@@ -18,13 +19,13 @@ logsource: product: windows detection: selection: - TargetObject|startswith: - - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\' - - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\' EventType: SetValue - filter: + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\' + filter_main_empty: Details: '' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - - Unknown + - Legitimate custom SHIM installations will also trigger this rule level: medium diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml new file mode 100644 index 000000000..41a3feb71 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml 
@@ -0,0 +1,32 @@
+title: Suspicious Shim Database Patching Activity
+id: bf344fea-d947-4ef4-9192-34d008315d3a
+status: experimental
+description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
+references:
+ - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
+ - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/01
+tags:
+ - attack.persistence
+ - attack.t1546.011
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
+ TargetObject|endswith:
+ # Note: add other application to increase coverage
+ - '\csrss.exe'
+ - '\dllhost.exe'
+ - '\explorer.exe'
+ - '\services.exe'
+ - '\svchost.exe'
+ - '\taskhostw.exe'
+ - '\winlogon.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
new file mode 100644
index 000000000..ce5f2a01b
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml
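Review bot: Combining `EventType: SetValue` with `TargetObject|endswith: '\svchost.exe'` (and the other names) only fires if the value being written is the per-executable key itself; the FIN7 reference cited describes the registered entry as living one level deeper, `Custom\<executable>\<GUID>.sdb`, in which case the SetValue event's `TargetObject` would end in the `.sdb` value name and this rule would stay silent while the sibling `Custom\` rule fires. Confirm against an event captured from a test shim installation before this leaves `experimental`; if the value-name level is the issue, replacing the `endswith` list with a `contains` list whose items carry the `\Custom\<name>\` fragment (trailing backslash) would match both shapes. The `# Note: add other application to increase coverage` comment should read `applications`.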
@@ -0,0 +1,28 @@
+title: Potential Persistence Via Shim Database In Uncommon Location
+id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
+status: experimental
+description: Detects the installation of a new shim database where the file is located in a non-default location
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+ - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
+ - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/01
+tags:
+ - attack.persistence
+ - attack.t1546.011
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
+ - '\DatabasePath'
+ filter_main_known_locations:
+ Details|contains: ':\Windows\AppPatch\Custom'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
new file mode 100644
index 000000000..84397cc38
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml
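Review bot: `filter_main_known_locations` matches `Details|contains: ':\Windows\AppPatch\Custom'` without a trailing backslash, so any directory whose name merely starts with `Custom` under `AppPatch` is treated as the default location; tighten it to `Details|contains: ':\Windows\AppPatch\Custom\'`. Because the modifier is `contains`, a `DatabasePath` that embeds that fragment anywhere rather than at the drive root is also excluded; if only the genuine default directory should be accepted, anchor the match (for example with the `re` modifier on `^[A-Za-z]:\\Windows\\AppPatch\\Custom\\`) or state the accepted gap in a comment on the filter.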
@@ -0,0 +1,31 @@
+title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
+id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
+related:
+ - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
+ type: similar
+ - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
+ type: similar
+ - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
+ type: similar
+status: experimental
+description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
+ - https://twitter.com/0gtweet/status/1674399582162153472
+author: Swachchhanda Shrawan Poudel
+date: 2023/08/02
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: registry_set
+ product: windows
+ definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index 307aecb82..e5eda1b32 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
@@ -5,7 +5,7 @@ related:
 type: obsoletes
 status: test
 description: |
- Detects potential persistence behaviour using the windows telemetry registry key.
+ Detects potential persistence behavior using the windows telemetry registry key.
 Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
 This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
 The problem is, it will run any arbitrary command without restriction of location or type.
@@ -13,7 +13,7 @@ references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Lednyov Alexey, oscd.community, Sreeman
 date: 2020/10/16
-modified: 2022/12/19
+modified: 2023/08/01
 tags:
 - attack.persistence
 - attack.t1053.005
@@ -27,24 +27,24 @@ detection:
 TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
 TargetObject|endswith: '\Command'
 Details|contains:
- - '.sh'
- - '.exe'
- - '.dll'
- - '.bin'
 - '.bat'
+ - '.bin'
 - '.cmd'
- - '.js'
- - '.ps'
- - '.vb'
- - '.jar'
+ - '.dat'
+ - '.dll'
+ - '.exe'
 - '.hta'
+ - '.jar'
+ - '.js'
 - '.msi'
- - '.vbs'
- filter:
+ - '.ps'
+ - '.sh'
+ - '.vb'
+ filter_main_generic:
 Details|contains:
 - '\system32\CompatTelRunner.exe'
 - '\system32\DeviceCensus.exe'
- condition: selection and not filter
+ condition: selection and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index d7bc197ab..64cc38ae0 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -281,6 +281,7 @@
 "auditlogs":[],
 "azureactivity":[],
 "microsoft365portal":[],
+ "riskdetection":[],
 "signinlogs":[]
 }
 },
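Review bot: In the `@@ -27,24 +27,24 @@` hunk, `filter_main_generic` excludes any `Details` value that contains `\system32\CompatTelRunner.exe` or `\system32\DeviceCensus.exe` anywhere in the string, so the exclusion is wider than the two legitimate commands it names; if the logged value is the full command line, anchoring it (e.g. `Details|startswith` with the drive-qualified path, if the data source is consistent) or a comment stating the accepted gap would make the intent reviewable. The newly added `- '.dat'` entry has no reference or comment, and `Details|contains: '.dat'` will also match any path that happens to contain that fragment; a short comment next to it naming the case it was added for would help later maintainers. The `selection` block this hunk edits starts above it.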