From f99229ff786537e9baf9b72c708449858d9d69d4 Mon Sep 17 00:00:00 2001 From: Swachchhanda Poudel Date: Fri, 16 Jun 2023 10:26:58 +0545 Subject: [PATCH 01/33] Added filter to reduce false-positives from legitimate processes --- .../image_load/image_load_wmi_module_load.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_wmi_module_load.yml b/rules/windows/image_load/image_load_wmi_module_load.yml index 0aeb91378..9e2562218 100755 --- a/rules/windows/image_load/image_load_wmi_module_load.yml +++ b/rules/windows/image_load/image_load_wmi_module_load.yml @@ -4,9 +4,9 @@ status: test description: Detects non wmiprvse loading WMI modules references: - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html -author: Roberto Rodriguez @Cyb3rWard0g +author: Roberto Rodriguez @Cyb3rWard0g, Swachchhanda Shrawan Poudel date: 2019/08/10 -modified: 2022/01/12 +modified: 2022/06/16 tags: - attack.execution - attack.t1047 @@ -50,6 +50,18 @@ detection: - '\MsMpEng.exe' - '\thor64.exe' - '\thor.exe' + - '\WaAppAgent.exe' + - '\WindowsAzureGuestAgent.exe' + - '\Microsoft\Teams\Update.exe' + - '\Microsoft\Teams\current\Teams.exe' + - '\Windows\System32\ServerManager.exe' + - '\Windows\System32\vds.exe' + - '\Windows\System32\dfsrs.exe' + - '\Windows\System32\SecurityHealthService.exe' + - '\Windows\System32\dxdiag.exe' + - '\Windows\System32\dispdiag.exe' + - '\Windows\System32\gpresult.exe' + - '\Windows\System32\tasklist.exe' filter_generic: # rule caused many false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to Image|startswith: - 'C:\Program Files\' From 381b135ba7d419d2b2984e440a12e232aba80152 Mon Sep 17 00:00:00 2001 
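Review bot: The `modified:` value in the first hunk is set to `2022/06/16`, a year behind the commit's own date (Fri, 16 Jun 2023 in the patch header); it should read `modified: 2023/06/16`. In the second hunk, the eight `\Windows\System32\...` entries extend an `Image|endswith` list whose start is outside the hunk, and they sit right above `filter_generic`, whose `Image|startswith` list begins with `'C:\Program Files\'` and continues outside the hunk — if that list already covers `C:\Windows\System32\`, the new entries are redundant and only add maintenance cost, so check before merging. If they are kept, a one-line comment naming the environment that produced the false positives (as the `filter_generic` comment does) would justify each exclusion for the next reviewer.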
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 1 Aug 2023 23:13:18 +0200 Subject: [PATCH 02/33] feat: update shim rules --- ...e_event_win_creation_new_shim_database.yml | 13 +++++--- ..._creation_win_sdbinst_shim_persistence.yml | 28 ++++++++++------ ...oc_creation_win_sdbinst_susp_extension.yml | 30 +++++++++++++++++ ...egistry_set_persistence_shim_database.yml} | 15 +++++---- ...istence_shim_database_susp_application.yml | 32 +++++++++++++++++++ ...stence_shim_database_uncommon_location.yml | 28 ++++++++++++++++ .../registry_set_telemetry_persistence.yml | 26 +++++++-------- 7 files changed, 138 insertions(+), 34 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml rename rules/windows/registry/registry_set/{registry_set_persistence_shim_databases.yml => registry_set_persistence_shim_database.yml} (68%) create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml diff --git a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml index 8295ab9a4..79daa3125 100644 --- a/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml +++ b/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml 
@@ -6,8 +6,12 @@ description: | The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory -author: frack113 + - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence + - https://liberty-shell.com/sec/2020/02/25/shim-persistence/ + - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2021/12/29 +modified: 2023/08/01 tags: - attack.persistence - attack.t1547.009 @@ -16,9 +20,10 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: '.sdb' - TargetFilename|contains: '\Windows\apppatch\Custom\' + TargetFilename|contains: + - ':\Windows\apppatch\Custom\' + - ':\Windows\apppatch\CustomSDB\' condition: selection falsepositives: - - Unknown + - Legitimate custom SHIM installations will also trigger this rule level: medium diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml index b8af7e3e4..ecdca9000 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml 
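Review bot: The second hunk drops the `TargetFilename|endswith: '.sdb'` constraint, so the rule now fires on any file created under `\Windows\apppatch\Custom\` or `\CustomSDB\` regardless of extension; if that widening is deliberate (shims installed from a non-.sdb file are what the new sdbinst rule in this commit targets), record it with a comment such as `# Note: no extension check on purpose, custom shims may be dropped under any file name`, otherwise restore the `.sdb` check as a second field. Separately, the `tags:` context still carries `attack.t1547.009` while every sibling shim rule in this commit uses `attack.t1546.011` (Application Shimming), which is the technique this rule actually describes; updating the tag while the metadata is being edited would keep the set consistent.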
@@ -1,12 +1,17 @@ -title: Possible Shim Database Persistence via sdbinst.exe +title: Potential Shim Database Persistence via Sdbinst.EXE id: 517490a7-115a-48c6-8862-1a481504d5a8 +related: + - id: 18ee686c-38a3-4f65-9f44-48a077141f42 + type: similar status: test -description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. +description: | + Detects installation of a new shim using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims references: - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence author: Markus Neis date: 2019/01/16 -modified: 2022/10/09 +modified: 2023/08/01 tags: - attack.persistence - attack.privilege_escalation @@ -15,12 +20,15 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\sdbinst.exe' + selection_img: + - Image|endswith: '\sdbinst.exe' + - OriginalFileName: 'sdbinst.exe' + selection_cli: CommandLine|contains: '.sdb' - filter: - CommandLine|contains: 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) - condition: selection and not filter + filter_optional_iis: + ParentImage|endswith: '\msiexec.exe' + CommandLine|contains: 'iisexpressshim.sdb' # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Unknown -level: high +level: medium 
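Review bot: `filter_optional_iis` in the second hunk now requires both `ParentImage|endswith: '\msiexec.exe'` and the `iisexpressshim.sdb` command line, so an IIS Express install whose installer parent is not msiexec would re-trigger the exact false positive the filter exists for; if the msiexec parent was confirmed from the referenced sample, say so in the inline comment, otherwise keep the filter on the command line alone. The `related` entry in the first hunk labels rule `18ee686c-38a3-4f65-9f44-48a077141f42` as `similar` while that new rule declares this one as `derived`; consider aligning the relation types so the pair reads the same from both sides. `falsepositives:` still says `Unknown` although a concrete legitimate case is filtered; `- IIS Express installations` would be more accurate.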
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml new file mode 100644 index 000000000..d048ac839 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_susp_extension.yml @@ -0,0 +1,30 @@ +title: Suspicious Shim Database Installation via Sdbinst.EXE +id: 18ee686c-38a3-4f65-9f44-48a077141f42 +related: + - id: 517490a7-115a-48c6-8862-1a481504d5a8 + type: derived +status: test +description: | + Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims +references: + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/01 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.011 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\sdbinst.exe' + - OriginalFileName: 'sdbinst.exe' + filter_main_legit_ext: + CommandLine|contains: '.sdb' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml similarity index 68% rename from rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml rename to rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml index 0f0964bd7..4d31a7a0b 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml 
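Review bot: `filter_main_legit_ext` only excludes command lines containing `.sdb`, so every other sdbinst.exe invocation raises this `high` alert, including uninstall-by-GUID runs (`sdbinst -u -g {GUID}` references no file) and a bare `sdbinst` help invocation, which is hard to square with `falsepositives: Unknown`. Consider an additional `filter_main_uninstall: CommandLine|contains: ' -u '` with the comment `# Note: uninstall by GUID does not reference a file`, or lower the level until the uncommon-extension case is the only thing left. `references:` still points at the old `fireeye.com` URL that the sibling rule in this same commit replaced with the `mandiant.com` one.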
@@ -7,9 +7,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ author: frack113 date: 2021/12/30 -modified: 2023/01/10 +modified: 2023/08/01 tags: - attack.persistence - attack.t1546.011 @@ -18,13 +19,13 @@ logsource: product: windows detection: selection: - TargetObject|startswith: - - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\' - - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\' EventType: SetValue - filter: + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\' + filter_main_empty: Details: '' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - - Unknown + - Legitimate custom SHIM installations will also trigger this rule level: medium diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml new file mode 100644 index 000000000..75f9da15d --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml 
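Review bot: `filter_main_empty` matches `Details: ''`, and how an empty registry value is rendered is source- and backend-specific (Sysmon tends to report it as the literal text `(Empty)`, and some backends translate an empty-string match into a field-absent test), so the exclusion may silently do nothing or exclude more than intended — confirm against a captured event and document the expected value, e.g. `Details: ''  # verified against <captured SetValue event>`. The move from `TargetObject|startswith: 'HKLM\...'` to `TargetObject|contains: '\SOFTWARE\...'` also widens the rule to the same path under other hives; if that is deliberate, a one-line comment saying so stops the next editor from "fixing" it back.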
@@ -0,0 +1,32 @@ +title: Suspicious Shim Database Patching Activity +id: bf344fea-d947-4ef4-9192-34d008315d3a +status: experimental +description: Detects installation of new shim databases that try to patch section of know processes for potential process injection or persistence. +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/01 +tags: + - attack.persistence + - attack.t1546.011 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\' + TargetObject|endswith: + # Note: add other application to increase coverage + - '\csrss.exe' + - '\dllhost.exe' + - '\explorer.exe' + - '\services.exe' + - '\svchost.exe' + - '\taskhostw.exe' + - '\winlogon.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml new file mode 100644 index 000000000..37dfd3b6c --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml 
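Review bot: The description has two typos that make it hard to read: `patch section of know processes` should be `patch sections of known processes`, and the inline note `# Note: add other application to increase coverage` should read `applications`. The `TargetObject|endswith` list keys on the registry value name under `AppCompatFlags\Custom\`, and the seven names are presumably drawn from the referenced FIN7/Pillowmint reports; a comment such as `# Source: process names targeted in the referenced reports` would explain why these seven and not others, which matters for a `high` rule with `falsepositives: Unknown`.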
@@ -0,0 +1,28 @@ +title: Potential Persistence Via Shim Database In Uncommon Location +id: 6b6976a3-b0e6-4723-ac24-ae38a737af41 +status: experimental +description: Detects the installation of a new shim database where the file is located in a non default location +references: + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ + - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/01 +tags: + - attack.persistence + - attack.t1546.011 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains|all: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\' + - '\DatabasePath' + filter_main_known_locations: + Details|contains: ':\Windows\AppPatch\Custom' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml index 307aecb82..e5eda1b32 100644 --- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml 
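Review bot: `filter_main_known_locations` uses `Details|contains: ':\Windows\AppPatch\Custom'` with no trailing backslash, which is presumably meant to cover both `Custom\` and `CustomSDB\` (the two directories the file_event rule in this commit lists); that intent is invisible to a reader who will assume a separator was forgotten, so add `# Note: no trailing backslash on purpose, covers both "Custom\" and "CustomSDB\"`. Because it is a substring test, any `DatabasePath` that merely embeds that text is also excluded; `contains` is the practical choice given the leading drive letter, but the trade-off is worth a word in the same comment.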
@@ -5,7 +5,7 @@ related: type: obsoletes status: test description: | - Detects potential persistence behaviour using the windows telemetry registry key. + Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. @@ -13,7 +13,7 @@ references: - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ author: Lednyov Alexey, oscd.community, Sreeman date: 2020/10/16 -modified: 2022/12/19 +modified: 2023/08/01 tags: - attack.persistence - attack.t1053.005 @@ -27,24 +27,24 @@ detection: TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' TargetObject|endswith: '\Command' Details|contains: - - '.sh' - - '.exe' - - '.dll' - - '.bin' - '.bat' + - '.bin' - '.cmd' - - '.js' - - '.ps' - - '.vb' - - '.jar' + - '.dat' + - '.dll' + - '.exe' - '.hta' + - '.jar' + - '.js' - '.msi' - - '.vbs' - filter: + - '.ps' + - '.sh' + - '.vb' + filter_main_generic: Details|contains: - '\system32\CompatTelRunner.exe' - '\system32\DeviceCensus.exe' - condition: selection and not filter + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high From c3bb062fa6fb7f66ec55d76d9689d053f47aafde Mon Sep 17 00:00:00 2001 
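Review bot: The only substantive change in the third hunk is the new `- '.dat'` entry in `Details|contains`, and nothing explains why a `.dat` in the telemetry `Command` value is suspicious; a short inline comment with the motivating sample or report (e.g. `- '.dat'  # seen in <reference>`) would help, since a bare `.dat` also matches `.data`/`.date` and broadens a `high` rule. The remaining lines are a re-sort of the list and the `filter` → `filter_main_generic` rename, which read fine.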
From: Swachchhanda Poudel Date: Wed, 2 Aug 2023 15:16:16 +0545 Subject: [PATCH 03/33] Added rules to detect lolbas provlaunch.exe --- .../proc_creation_win_lolbin_provlaunch.yml | 27 +++++++++++++++++ ...c_creation_win_registry_add_provlaunch.yml | 30 +++++++++++++++++++ .../registry_set_lolbin_provlaunch.yml | 30 +++++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml create mode 100644 rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml create mode 100644 rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml new file mode 100644 index 000000000..4ffa7f9ce --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml @@ -0,0 +1,27 @@ +title: Indirect command execution through provlaunch.exe +id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c +related: + - id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee + type: similar +status: experimental +description: Detect suspicious execution of provlaunch.exe for indirect execution of arbitrary commands. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Swachchhanda Shrawan Poudel +date: 2023/08/02 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\provlaunch.exe' + - OriginalFileName: 'provlaunch' + - Description: 'Provisioning package runtime command launching tool' + condition: selection +falsepositives: + - Depends on the administrators activity +level: high \ No newline at end of file 
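Review bot: `OriginalFileName: 'provlaunch'` is an exact match on the PE original filename and the value cannot be verified from here; the other rules in this series use the `name.exe` form, so confirm the actual `OriginalFileName` of provlaunch.exe from a sample before relying on it, and note that the `Description:` alternative is an exact match on free text that breaks on any wording or localisation change. The file ends without a newline (`\ No newline at end of file`), which yamllint rejects; `proc_creation_win_registry_add_provlaunch.yml` in this commit has the same problem. Wording: `Detect suspicious execution` → `Detects suspicious execution`, and `Depends on the administrators activity` → `Depends on the administrator's activity`.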
diff --git a/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml new file mode 100644 index 000000000..11617cfb0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml @@ -0,0 +1,30 @@ +title: Lolbas Provlaunch.exe indirect command execution - CLI +id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 +related: + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c + type: similar +status: experimental +description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Swachchhanda Shrawan Poudel +date: 2023/08/02 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\reg.exe' + - OriginalFileName: 'reg.exe' + selection_cli: + CommandLine|contains|all: + - ' add ' + - 'SOFTWARE\Microsoft\Provisioning\Commands\' + condition: all of selection_* +falsepositives: + - Unlikely +level: high \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml new file mode 100644 index 000000000..998c23c4a --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml 
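Review bot: The three provlaunch rules cross-reference each other inconsistently: this rule lists `7f5d1c9a-3e83-48df-95a7-2b98aae6c13c` as `similar`, the registry rule lists this one as `derived`, and the process rule points at the registry rule rather than at this one; agree on one relation type per pair so the `related` graph is symmetric. `CommandLine|contains|all` with `' add '` relies on exactly one space on each side of the verb, which is the normal reg.exe invocation but worth a comment such as `# Note: relies on the default single-space spelling of "reg add"`. `Lolbas` in the title is an acronym and is written `LOLBAS` in the referenced project name.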
@@ -0,0 +1,30 @@ +title: Lolbas Provlaunch.exe indirect command execution - REG +id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee +related: + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 + type: derived +status: experimental +description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Swachchhanda Shrawan Poudel +date: 2023/08/02 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: registry_set + product: windows + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Provisioning\Commands\ subkey of the HKLM hives' +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\' + condition: selection +fields: + - TargetObject + - Details +falsepositives: + - Unlikely +level: high From b9beedee769c99162555a081e0651439b89ac7cf Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 2 Aug 2023 13:16:10 +0200 Subject: [PATCH 04/33] feat: update csc rules --- .../proc_creation_win_csc_compilation.yml | 28 ++++++++++ ...ation_win_csc_susp_dynamic_compilation.yml | 51 +++++++++++++++++ .../proc_creation_win_csc_susp_folder.yml | 36 ------------ .../proc_creation_win_csc_susp_parent.yml | 55 ++++++++++++++++--- 4 files changed, 125 insertions(+), 45 deletions(-) create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml create mode 100644 rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml 
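Review bot: The `definition:` text `subkey of the HKLM hives` should read `subkey of the HKLM hive`, and since `TargetObject|contains` is used the rule also matches the same path under other hives — say so if intended. Any `SetValue` under `\SOFTWARE\Microsoft\Provisioning\Commands\` alerts at `high`, and legitimate provisioning-package application presumably writes there as well, so `falsepositives: Unlikely` deserves a check on a host that applies such packages before this ships.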
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml new file mode 100644 index 000000000..2c578db55 --- /dev/null +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml @@ -0,0 +1,28 @@ +title: Dynamic .NET Compilation Via Csc.EXE - Hunting +id: acf2807c-805b-4042-aab9-f86b6ba9cb2b +related: + - id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 + type: derived +status: experimental +description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. +references: + - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ + - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf + - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ + - https://twitter.com/gN3mes1s/status/1206874118282448897 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/02 +tags: + - attack.defense_evasion + - attack.t1027.004 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\csc.exe' + CommandLine|contains: '/noconfig /fullpaths @' + condition: selection +falsepositives: + - Many legitimate applications make use of dynamic compilation use this rule to hunt for anomalies +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml new file mode 100644 index 000000000..2e411584e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml 
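Review bot: `selection` keys only on `Image|endswith: '\csc.exe'`, whereas the sibling rule `proc_creation_win_csc_susp_parent.yml` in this commit pairs that with `- OriginalFileName: 'csc.exe'` to survive a renamed binary; `proc_creation_win_csc_susp_dynamic_compilation.yml` has the same gap. For a hunting rule coverage matters more than noise, so the same two-entry list is appropriate here. The `falsepositives` sentence is missing punctuation: `Many legitimate applications make use of dynamic compilation; use this rule to hunt for anomalies`.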
@@ -0,0 +1,51 @@ +title: Dynamic .NET Compilation Via Csc.EXE +id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 +status: test +description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. +references: + - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ + - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf + - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ + - https://twitter.com/gN3mes1s/status/1206874118282448897 +author: Florian Roth (Nextron Systems) +date: 2019/08/24 +modified: 2023/08/02 +tags: + - attack.defense_evasion + - attack.t1027.004 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\csc.exe' + CommandLine|contains: + - '\AppData\Local\Temp\' # User execution + - '\Windows\Temp\' # Admin execution + filter_main_programfiles: + # Note: this is a generic filter. You could baseline execution in your env for a more robust rule + ParentImage|startswith: + - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897 + - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897 + filter_main_sdiagnhost: + ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 + filter_main_w3p: + ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 + filter_optional_chocolatey: + ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/ + filter_optional_defender: + ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' + filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. 
+ # A better option would be to filter based on script content basis or other marker while hunting + ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' + - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw' + - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA' + - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897 + - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962 + - Ansible +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml deleted file mode 100644 index 434a6afda..000000000 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml +++ /dev/null 
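Review bot: The `filter_main_*` exclusions in this hunk hard-code the `C:` drive (`'C:\Program Files (x86)\'`, `'C:\Program Files\'`, `'C:\Windows\System32\sdiagnhost.exe'`, `'C:\Windows\System32\inetsrv\w3wp.exe'`, `'C:\ProgramData\chocolatey\choco.exe'`) while the selection and the other rules in this commit use the drive-agnostic `:\` form; on a host with a different system drive none of the filters apply and the rule turns into pure noise. Using `ParentImage|contains: ':\Program Files'` style prefixes, or `ParentImage|endswith` for the single binaries, keeps the filters effective. The selection also narrows the old `'\AppData\'` to `'\AppData\Local\Temp\'`, so csc runs against `\AppData\Roaming\` or other `\AppData\Local\` sources no longer match; if that is deliberate, extend the `# User execution` comment with the reason so it is not re-widened later.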
@@ -1,36 +0,0 @@ -title: Suspicious Csc.exe Source File Folder -id: dcaa3f04-70c3-427a-80b4-b870d73c94c4 -status: test -description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData) -references: - - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/ - - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf - - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/ - - https://twitter.com/gN3mes1s/status/1206874118282448897 -author: Florian Roth (Nextron Systems) -date: 2019/08/24 -modified: 2022/10/09 -tags: - - attack.defense_evasion - - attack.t1027.004 -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\csc.exe' - CommandLine|contains: - - '\AppData\' - - '\Windows\Temp\' - filter: - - ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - ParentImage|endswith: - - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 - - '\choco.exe' # Chocolatey https://chocolatey.org/ - - ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' - condition: selection and not filter -falsepositives: - - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897 - - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962 -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml index 2dd763878..27e7c2593 100644 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml 
@@ -1,12 +1,13 @@ -title: Suspicious Parent of Csc.exe +title: Csc.EXE Execution Form Potentially Suspicious Parent id: b730a276-6b63-41b8-bcf8-55930c8fc6ee status: test -description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery +description: Detects a potential suspicious parent of "csc.exe", which could be a sign of payload delivery. references: - - https://twitter.com/SBousseaden/status/1094924091256176641 -author: Florian Roth (Nextron Systems) + - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing + - https://reaqta.com/2017/11/short-journey-darkvnc/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2019/02/11 -modified: 2022/01/07 +modified: 2023/08/02 tags: - attack.execution - attack.t1059.005 
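Review bot: The new title `Csc.EXE Execution Form Potentially Suspicious Parent` has a typo (`Form` → `From`), and the description `Detects a potential suspicious parent` should read `Detects a potentially suspicious parent`. The removed `SBousseaden` tweet was the only reference tying the rule to its original observation; keeping it alongside the two new links costs nothing.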
@@ -18,13 +19,49 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\csc.exe' + selection_img: + - Image|endswith: '\csc.exe' + - OriginalFileName: 'csc.exe' + selection_parent_generic: ParentImage|endswith: - - '\wscript.exe' - '\cscript.exe' - '\mshta.exe' - condition: selection + - '\winword.exe' + - '\wscript.exe' + selection_parent_powershell: + ParentImage|endswith: + - '\powershell.exe' + - '\pwsh.exe' + ParentCommandLine|contains: + - '-Encoded ' + - 'FromBase64String' + selection_parent_susp_location: + - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%[Aa]pp[Dd]ata%|%[Ll]ocal[Aa]pp[Dd]ata%|\[Aa]pp[Dd]ata\([Ll]ocal|[Rr]oaming|[Ll]ocal[Ll]ow)\[^\]{1,26}\.' + - ParentCommandLine|contains: + - ':\Users\Public\' + - ':\PerfLogs\' + - '\Temporary Internet' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Favorites\' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Favourites\' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Contacts\' + - ParentCommandLine|contains|all: + - ':\Users\' + - '\Pictures\' + filter_optional_ansible: + # Note: As ansible is widely used we exclude it with this generic filter. 
+ # A better option would be to filter based on script content basis or other marker while hunting + ParentCommandLine|contains: + # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}' + - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw' + - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA' + - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA' + condition: selection_img and 1 of selection_parent_* and not 1 of filter_optional_* falsepositives: - Unknown level: high From 64ff613934984e6772b5cf0fbf2a03475a672f04 Mon Sep 17 00:00:00 2001 From: Swachchhanda Poudel Date: Wed, 2 Aug 2023 19:34:38 +0545 Subject: [PATCH 05/33] Capitalized title --- .../process_creation/proc_creation_win_lolbin_provlaunch.yml | 2 +- .../proc_creation_win_registry_add_provlaunch.yml | 2 +- .../registry/registry_set/registry_set_lolbin_provlaunch.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml index 4ffa7f9ce..25b715426 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml @@ -1,4 +1,4 @@ -title: Indirect command execution through provlaunch.exe +title: Indirect Command Execution through provlaunch.exe id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c related: - id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee 
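Review bot: The `ParentCommandLine|re` pattern in `selection_parent_susp_location` cannot match a real path: read as a regular expression, `\[Aa]pp[Dd]ata\(` escapes the bracket and the parenthesis instead of encoding a path separator, and the trailing `\[^\]{1,26}\.` then demands a literal `[` followed by a start-of-line anchor, so this alternative is dead and only the `contains` entries do any work. The intended form is probably `'([Pp]rogram[Dd]ata|%[Aa]pp[Dd]ata%|%[Ll]ocal[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal|[Rr]oaming|[Ll]ocal[Ll]ow))\\[^\\]{1,26}\.'` (backslashes doubled, outer group closed); test it against a sample parent command line before merging. In `selection_parent_powershell`, `'-Encoded '` only matches that exact spelling; the common `-e `, `-ec `, `-enc ` and `-EncodedCommand` forms are missed, so consider listing those too.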
diff --git a/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml index 11617cfb0..3e08d4f0c 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml @@ -1,4 +1,4 @@ -title: Lolbas Provlaunch.exe indirect command execution - CLI +title: Lolbas Provlaunch.exe Indirect Command Execution - CLI id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 related: - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml index 998c23c4a..85b017174 100644 --- a/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml +++ b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml @@ -1,4 +1,4 @@ -title: Lolbas Provlaunch.exe indirect command execution - REG +title: Lolbas Provlaunch.exe Indirect Command Execution - REG id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee related: - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 From de4e50ff01900540ed2c6d1765e93b0b1ea47bd3 Mon Sep 17 00:00:00 2001 From: z00t Date: Thu, 3 Aug 2023 14:42:50 +0500 Subject: [PATCH 06/33] feat: add new rule related to "Amazon SSM Agent" potential abuse (#4369) --- .../proc_creation_win_ssm_agent_abuse.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml diff --git a/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml new file mode 100644 index 000000000..c5e93f434 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml 
@@ -0,0 +1,29 @@ +title: Potential Amazon SSM Agent Hijacking +id: d20ee2f4-822c-4827-9e15-41500b1fff10 +status: experimental +description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport. +references: + - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan + - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ + - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ +author: Muhammad Faisal +date: 2023/08/02 +tags: + - attack.command_and_control + - attack.persistence + - attack.t1219 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\amazon-ssm-agent.exe' + CommandLine|contains|all: + - '-register ' + - '-code ' + - '-id ' + - '-region ' + condition: selection +falsepositives: + - Legitimate activity of system administrators +level: medium From 5c0f48ae552881aead016506d1126f9224b01707 Mon Sep 17 00:00:00 2001 From: z00t Date: Thu, 3 Aug 2023 18:35:12 +0500 Subject: [PATCH 07/33] New rule created for Linux OS. --- .../proc_creation_lnx_ssm_agent_abuse.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml new file mode 100644 index 000000000..d7e4492b7 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml 
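Review bot: Each `CommandLine|contains|all` token carries a trailing space (`'-register '`, `'-code '`, `'-id '`, `'-region '`), so the rule misses the `-code=<value>` spelling that a Go-style flag parser presumably accepts as well — confirm against the agent binary before relying on the whitespace. Dropping the trailing space (or adding the `=` variants) keeps coverage without widening the match much, since all four flags must still co-occur. The description has a typo: `reoport` → `report`. Legitimate hybrid/on-prem activation issues the same `-register -code -id -region` command, so the `falsepositives` entry could name that case explicitly instead of the generic "Legitimate activity of system administrators".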
@@ -0,0 +1,29 @@ +title: Potential Amazon SSM Agent Hijacking +id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 +status: experimental +description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport. +author: Muhammad Faisal +date: 2023/08/03 +references: + - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan + - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ + - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ +tags: + - attack.command_and_control + - attack.persistence + - attack.t1219 +logsource: + category: process_creation + product: linux +detection: + selection: + ParentImage|endswith: '/amazon-ssm-agent' + CommandLine|contains|all: + - '-register' + - '-code' + - '-id' + - '-region' + condition: selection +falsepositives: + - Legitimate activity of system administrators +level: medium \ No newline at end of file From 8837bb770b27b386e643c54f5e281b21474bd5c2 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 3 Aug 2023 15:54:55 +0200 Subject: [PATCH 08/33] fix: FP with perfmon.exe --- .../win_security_susp_lsass_dump_generic.yml | 37 ++++++++++--------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml index 8ce6bc8d2..4cb088516 100644 --- a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml 
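Review bot: `ParentImage|endswith: '/amazon-ssm-agent'` keys on the parent, so this rule fires on processes spawned by the agent rather than on the registration command itself; the `-register`/`-code`/`-id`/`-region` flags belong to the agent's own command line, and the Windows sibling in the previous commit matches `Image|endswith`, so `Image|endswith: '/amazon-ssm-agent'` looks like the intended field — verify against a real event. The description repeats the Windows rule's typo (`reoport` → `report`), and the file ends without a trailing newline (`\ No newline at end of file`), which yamllint will flag.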
@@ -7,7 +7,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2023/07/31 +modified: 2023/08/03 tags: - attack.credential_access - car.2019-04-004 @@ -41,32 +41,33 @@ detection: - '4416' filter_specific: ProcessName|endswith: - - '\wmiprvse.exe' - - '\taskmgr.exe' - - '\procexp64.exe' - - '\procexp.exe' - - '\lsm.exe' - '\csrss.exe' - - '\wininit.exe' - - '\vmtoolsd.exe' + - '\GamingServices.exe' + - '\lsm.exe' + - '\MicrosoftEdgeUpdate.exe' - '\minionhost.exe' # Cyberreason - - '\VsTskMgr.exe' # McAfee Enterprise + - '\MRT.exe' # MS Malware Removal Tool + - '\MsMpEng.exe' # Defender + - '\perfmon.exe' + - '\procexp.exe' + - '\procexp64.exe' + - '\svchost.exe' + - '\taskmgr.exe' - '\thor.exe' # THOR - '\thor64.exe' # THOR - - '\MicrosoftEdgeUpdate.exe' - - '\GamingServices.exe' - - '\svchost.exe' - - '\MsMpEng.exe' # Defender - - '\MRT.exe' # MS Malware Removal Tool + - '\vmtoolsd.exe' + - '\VsTskMgr.exe' # McAfee Enterprise + - '\wininit.exe' + - '\wmiprvse.exe' - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff ProcessName|startswith: + - 'C:\Program Files (x86)\' + - 'C:\Program Files\' + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Windows\SysNative\' - 'C:\Windows\System32\' - 'C:\Windows\SysWow64\' - - 'C:\Windows\SysNative\' - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - 'C:\Windows\Temp\asgard2-agent\' - - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' filter_generic: ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter_exact: From d854c66616a778e87648b864a487b4c7c9105164 Mon Sep 17 00:00:00 2001 
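Review bot: The newly added `'\perfmon.exe'` is the only entry in the reordered `filter_specific` list without a comment saying why it is trusted, while its neighbours document their origin (`# Cyberreason`, `# MS Malware Removal Tool`); a one-liner such as `- '\perfmon.exe'  # Performance Monitor queries LSASS counters (FP)` keeps the allow-list auditable. Since `filter_specific` ANDs the `endswith` and `startswith` lists, the two `C:\Program Files…` prefixes here appear redundant with `filter_generic`'s `ProcessName|startswith: 'C:\Program Files'` — the condition is outside the hunk, so this is inferred. The pre-existing `'RtkAudUService64'` entry has neither a leading backslash nor `.exe`, unlike every other item; worth aligning while the list is being touched.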
From: z00t Date: Thu, 3 Aug 2023 19:38:29 +0500 Subject: [PATCH 09/33] Title has been updated to avoid duplication. --- .../process_creation/proc_creation_lnx_ssm_agent_abuse.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml index d7e4492b7..e44938315 100644 --- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml +++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml @@ -1,4 +1,4 @@ -title: Potential Amazon SSM Agent Hijacking +title: Potential Linux Amazon SSM Agent Hijacking id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 status: experimental description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport. From 30933109cdee1a667d8a74bf67dd1453b93a689e Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 3 Aug 2023 18:50:16 +0200 Subject: [PATCH 10/33] feat: more updates --- .../image_load_side_load_avkkid.yml | 31 +++++++++++++++++++ .../image_load_side_load_eacore.yml | 28 +++++++++++++++++ .../image_load_side_load_mfdetours.yml | 25 +++++++++++++++ .../image_load_side_load_vivaldi_elf.yml | 26 ++++++++++++++++ .../proc_creation_win_lolbin_mftrace.yml | 28 ----------------- ...reation_win_lolbin_offlinescannershell.yml | 25 --------------- ...roc_creation_win_mftrace_child_process.yml | 22 +++++++++++++ ...flinescannershell_mpclient_sideloading.yml | 31 +++++++++++++++++++ ...win_susp_lolbin_exec_from_non_c_drive.yml} | 0 9 files changed, 163 insertions(+), 53 deletions(-) create mode 100644 rules/windows/image_load/image_load_side_load_avkkid.yml create mode 100644 rules/windows/image_load/image_load_side_load_eacore.yml create mode 100644 rules/windows/image_load/image_load_side_load_mfdetours.yml create mode 100644 rules/windows/image_load/image_load_side_load_vivaldi_elf.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml create mode 100644 rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml create mode 100644 rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml rename rules/windows/process_creation/{proc_creation_win_lolbin_not_from_c_drive.yml => proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml} (100%) diff --git a/rules/windows/image_load/image_load_side_load_avkkid.yml b/rules/windows/image_load/image_load_side_load_avkkid.yml new file mode 100644 index 000000000..1fb23bd40 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_avkkid.yml 
@@ -0,0 +1,31 @@ +title: Potential AVKkid.DLL Sideloading +id: 952ed57c-8f99-453d-aee0-53a49c22f95d +status: experimental +description: Detects potential DLL sideloading of "AVKkid.dll" +references: + - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ +author: X__Junior (Nextron Systems) +date: 2023/08/03 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\AVKkid.dll' + filter_main_legit_path: + Image|contains: + - 'C:\Program Files (x86)\G DATA\' + - 'C:\Program Files\G DATA\' + Image|endswith: '\AVKKid.exe' + ImageLoaded|startswith: + - 'C:\Program Files (x86)\G DATA\' + - 'C:\Program Files\G DATA\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_side_load_eacore.yml b/rules/windows/image_load/image_load_side_load_eacore.yml new file mode 100644 index 000000000..fa652280f --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_eacore.yml 
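Review bot: In `filter_main_legit_path`, `Image|contains` is used with absolute `C:\Program Files…` prefixes, a looser operator than the `ImageLoaded|startswith` applied to the same paths on the next key; use `Image|startswith` there as well, or drop the drive letter the way the mfdetours rule in this commit does (`':\Program Files (x86)\…'`), so a non-C: install is either consistently allowed or consistently alerted. The exclusion trusts any `AVKKid.exe` under those folders; a short comment noting that it is path-based rather than signature-based would help analysts tune it.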
@@ -0,0 +1,28 @@ +title: Potential EACore.DLL Sideloading +id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5 +status: experimental +description: Detects potential DLL sideloading of "EACore.dll" +references: + - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ +author: X__Junior (Nextron Systems) +date: 2023/08/03 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\EACore.dll' + filter_main_legit_path: + Image|contains|all: + - 'C:\Program Files\Electronic Arts\EA Desktop\' + - '\EACoreServer.exe' + ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/image_load/image_load_side_load_mfdetours.yml b/rules/windows/image_load/image_load_side_load_mfdetours.yml new file mode 100644 index 000000000..e9f7437af --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_mfdetours.yml 
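Review bot: `filter_main_legit_path` only allows `C:\Program Files\Electronic Arts\EA Desktop\`, yet the rule ships with `level: high` and `falsepositives: Unlikely`; an EA Desktop install on another drive or under `Program Files (x86)` (if the installer permits it — not verifiable from the hunk) would page as a sideload. Either make both keys drive-agnostic with `':\Program Files\Electronic Arts\EA Desktop\'` on `Image|contains|all` and `ImageLoaded|contains`, or list the non-default install location under `falsepositives` so the high level is justified.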
@@ -0,0 +1,25 @@ +title: Potential Mfdetours.DLL Sideloading +id: d2605a99-2218-4894-8fd3-2afb7946514d +status: experimental +description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. +references: + - Internal Research +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/03 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\mfdetours.dll' + filter_main_legit_path: + ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unlikely +level: medium diff --git a/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml new file mode 100644 index 000000000..44a5dcf5f --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_vivaldi_elf.yml @@ -0,0 +1,26 @@ +title: Potential Vivaldi_elf.DLL Sideloading +id: 2092cacb-d77b-4f98-ab0d-32b32f99a054 +status: experimental +description: Detects potential DLL sideloading of "vivaldi_elf.dll" +references: + - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ +author: X__Junior (Nextron Systems) +date: 2023/08/03 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: '\vivaldi_elf.dll' + filter_main_legit_path: + Image|endswith: '\Vivaldi\Application\vivaldi.exe' + ImageLoaded|contains: '\Vivaldi\Application\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: medium 
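Review bot: The vivaldi_elf filter keys only on relative path fragments (`Image|endswith: '\Vivaldi\Application\vivaldi.exe'`, `ImageLoaded|contains: '\Vivaldi\Application\'`), so an attacker who drops the signed `vivaldi.exe` and a malicious `vivaldi_elf.dll` into any folder ending in `\Vivaldi\Application\` is excluded by it — which is precisely the sideloading pattern the rule targets. If Vivaldi's default install locations are known (per-user under `\AppData\Local\Vivaldi\Application\`, system-wide under `:\Program Files\Vivaldi\Application\` — verify), anchoring the filter on those is tighter; otherwise a comment stating that the exclusion can be bypassed by mirroring the directory name lets analysts weigh the medium level.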
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml deleted file mode 100644 index 5cb82525a..000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml +++ /dev/null @@ -1,28 +0,0 @@ -title: Use of Mftrace.exe -id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e -status: experimental -description: The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries -references: - - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ -author: Nasreddine Bencherchali (Nextron Systems) -date: 2022/06/09 -tags: - - attack.defense_evasion - - attack.t1127 -logsource: - category: process_creation - product: windows -detection: - selection_img: - - Image|endswith: '\mftrace.exe' - - OriginalFileName: 'mftrace.exe' - selection_cli: - # This assumes that when someone use mftrace to launch an ".exe" he will add a space and the binary launched will end with ".exe" - CommandLine|contains: '.exe ' - CommandLine|endswith: '.exe' - parent: - ParentImage|endswith: '\mftrace.exe' - condition: all of selection* or parent -falsepositives: - - Legitimate use for tracing purposes -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml deleted file mode 100644 index 05030298e..000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: Suspicious OfflineScannerShell.exe Execution From Another Folder -id: 02b18447-ea83-4b1b-8805-714a8a34546a -status: test -description: Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory -references: - - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ -author: frack113 -date: 2022/03/06 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - lolbas: - Image|endswith: '\OfflineScannerShell.exe' - filter_correct: - CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\' - filter_missing: - CurrentDirectory: null - condition: lolbas and not 1 of filter_* -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml new file mode 100644 index 000000000..77eedc781 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_mftrace_child_process.yml @@ -0,0 +1,22 @@ +title: Potential Mftrace.EXE Abuse +id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e +status: experimental +description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries. +references: + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/06/09 +modified: 2023/08/03 +tags: + - attack.defense_evasion + - attack.t1127 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\mftrace.exe' + condition: selection +falsepositives: + - Legitimate use for tracing purposes +level: medium 
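Review bot: Description wording in the new mftrace rule: `which can abused to execute` → `which can be abused to execute`. Dropping the old `selection_cli` (`.exe` in the command line) and the `OriginalFileName` match means the rule now fires on every child of `mftrace.exe`, including the legitimately traced application; that is deliberate per the title, but the `falsepositives` entry could say `Legitimate tracing of applications via mftrace.exe` so the medium level is understood.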
diff --git a/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml new file mode 100644 index 000000000..bc5067a80 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_offlinescannershell_mpclient_sideloading.yml @@ -0,0 +1,31 @@ +title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution +id: 02b18447-ea83-4b1b-8805-714a8a34546a +status: test +description: | + Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. + The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory. +references: + - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ +author: frack113 +date: 2022/03/06 +modified: 2023/08/03 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: '\OfflineScannerShell.exe' + - OriginalFileName: 'OfflineScannerShell.exe' + filter_main_legit_dir: + CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\' + filter_main_empty: + CurrentDirectory: '' + filter_main_null: + CurrentDirectory: null + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml b/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml rename to rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml From 1e0fb02ef764c6e3316e6b7b84c509017d3db043 Mon Sep 17 00:00:00 2001 
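Review bot: `filter_main_legit_dir` hard-codes `CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'` as an exact match, so the drive-agnostic style used elsewhere in this commit (`':\Program Files (x86)\Windows Kits\10\bin\'`) is not applied here and a Windows install on another drive alerts on every legitimate run; `CurrentDirectory|endswith: ':\Program Files\Windows Defender\Offline\'` keeps the intent. The two empty-value filters (`''` and `null`) look like a guard for telemetry that omits the field, but a one-line comment saying so would stop a future cleanup from removing them.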
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 4 Aug 2023 00:09:48 +0200 Subject: [PATCH 11/33] Update proc_creation_lnx_ssm_agent_abuse.yml --- .../proc_creation_lnx_ssm_agent_abuse.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml index e44938315..a3d35a929 100644 --- a/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml +++ b/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml @@ -2,12 +2,12 @@ title: Potential Linux Amazon SSM Agent Hijacking id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7 status: experimental description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport. -author: Muhammad Faisal -date: 2023/08/03 references: - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/ - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ +author: Muhammad Faisal +date: 2023/08/03 tags: - attack.command_and_control - attack.persistence @@ -17,13 +17,13 @@ logsource: product: linux detection: selection: - ParentImage|endswith: '/amazon-ssm-agent' + Image|endswith: '/amazon-ssm-agent' CommandLine|contains|all: - - '-register' - - '-code' - - '-id' - - '-region' + - '-register ' + - '-code ' + - '-id ' + - '-region ' condition: selection falsepositives: - Legitimate activity of system administrators -level: medium \ No newline at end of file +level: medium From bca13a36127e426ad9a16b7eb2ee13f6835bd615 Mon Sep 17 00:00:00 2001 
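Review bot: Adding a trailing space to each flag (`'-register '`, `'-code '`, `'-id '`, `'-region '`) makes the match miss the `-code=<value>` / `--code=<value>` spellings that a Go flag parser presumably accepts (verify against the agent binary), and it does nothing to reduce false matches since all four tokens must still co-occur. Keep the bare `'-code'` form, or add the `=` variants, rather than tightening on whitespace. The description still reads `Mitiga research reoport`; `report` was meant.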
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 4 Aug 2023 10:44:46 +0200 Subject: [PATCH 12/33] fix: wording --- .../process_creation/proc_creation_win_csc_compilation.yml | 2 +- .../process_creation/proc_creation_win_csc_susp_parent.yml | 2 +- ...registry_set_persistence_shim_database_uncommon_location.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml index 2c578db55..aa1cba381 100644 --- a/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml @@ -24,5 +24,5 @@ detection: CommandLine|contains: '/noconfig /fullpaths @' condition: selection falsepositives: - - Many legitimate applications make use of dynamic compilation use this rule to hunt for anomalies + - Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies level: medium diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml index 27e7c2593..3bb491e34 100644 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml @@ -1,7 +1,7 @@ title: Csc.EXE Execution Form Potentially Suspicious Parent id: b730a276-6b63-41b8-bcf8-55930c8fc6ee status: test -description: Detects a potential suspicious parent of "csc.exe", which could be a sign of payload delivery. +description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. references: - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing - https://reaqta.com/2017/11/short-journey-darkvnc/ 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml index 37dfd3b6c..ce5f2a01b 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml @@ -1,7 +1,7 @@ title: Potential Persistence Via Shim Database In Uncommon Location id: 6b6976a3-b0e6-4723-ac24-ae38a737af41 status: experimental -description: Detects the installation of a new shim database where the file is located in a non default location +description: Detects the installation of a new shim database where the file is located in a non-default location references: - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ From db8e3d2661c6c6a95482f0d582b2fda681d7c209 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:12:18 +0200 Subject: [PATCH 13/33] Update rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../registry_set_persistence_shim_database_susp_application.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml index 75f9da15d..41a3feb71 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml 
@@ -1,7 +1,7 @@ title: Suspicious Shim Database Patching Activity id: bf344fea-d947-4ef4-9192-34d008315d3a status: experimental -description: Detects installation of new shim databases that try to patch section of know processes for potential process injection or persistence. +description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/ - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html From 134c3ff3aa04bdc99f024d5f4666d6463546fd27 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:30:44 +0200 Subject: [PATCH 14/33] Update rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../process_creation/proc_creation_win_csc_susp_parent.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml index 3bb491e34..1f5e3cb53 100644 --- a/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml @@ -36,7 +36,7 @@ detection: - '-Encoded ' - 'FromBase64String' selection_parent_susp_location: - - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%[Aa]pp[Dd]ata%|%[Ll]ocal[Aa]pp[Dd]ata%|\[Aa]pp[Dd]ata\([Ll]ocal|[Rr]oaming|[Ll]ocal[Ll]ow)\[^\]{1,26}\.' + - ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal(Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$' - ParentCommandLine|contains: - ':\Users\Public\' - ':\PerfLogs\' From 7f6c1d4952b3aed5d87d761f909520bca702d92d Mon Sep 17 00:00:00 2001 
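Review bot: The new regex has a broken group: in `([Ll]ocal(Ll]ow)?|[Rr]oaming)` the `]` inside `(Ll]ow)?` is a literal, so the optional suffix matches the text `Ll]ow`, never `Low`, and `\AppData\LocalLow\…` parents are silently excluded. The intended form is `([Ll]ocal([Ll]ow)?|[Rr]oaming)`, i.e. `- ParentCommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'`. Note also that the trailing `[^\\]{1,256}$` lets a parent launched with backslash-free arguments still match but drops one whose arguments contain a backslash; a comment stating that trade-off would help the next tuner.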
From: RenaudFrere <90250126+RenaudFrere@users.noreply.github.com> Date: Fri, 4 Aug 2023 16:14:33 +0200 Subject: [PATCH 15/33] Fixing 1 service typo in proc_creation_win_susp_service_tamper.yml --- .../process_creation/proc_creation_win_susp_service_tamper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 3856594ab..6a613adeb 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -93,7 +93,7 @@ detection: - 'FirebirdGuardianDefaultInstance' - 'FirebirdServerDefaultInstance' - 'HealthTLService' - - 'HISSQLFDLauncherSSHAREPOINIT' + - 'MSSQLFDLauncher$SHAREPOINT' - 'hmpalertsvc' - 'HMS' - 'IISAdmin' From edf3e3f3a210a4dcf14ed449ce5f63e4e53e3b43 Mon Sep 17 00:00:00 2001 From: RenaudFrere <90250126+RenaudFrere@users.noreply.github.com> Date: Fri, 4 Aug 2023 16:31:00 +0200 Subject: [PATCH 16/33] Update proc_creation_win_susp_service_tamper.yml --- .../process_creation/proc_creation_win_susp_service_tamper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index 6a613adeb..f5a448234 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -221,7 +221,7 @@ detection: - 'UI0Detect' - 'UTODetect' - 'Veeam' - - 'VeemaDep/oySvc' + - 'VeemaDeploySvc' - 'Veritas System Recovery' - 'VSApiNt' - 'VSS' From 6a3edbdfcad3cccb62798f18cb285515ed8c2208 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 6 Aug 2023 11:00:52 +0200 Subject: [PATCH 17/33] Add portable gpg.exe detection 
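Review bot: The second hunk replaces `VeemaDep/oySvc` with `VeemaDeploySvc`, which still misspells the vendor; the Veeam deployment service is `VeeamDeploySvc`, and the neighbouring `'Veeam'` entry shows the correct spelling (a bare `'Veeam'` contains-match would in fact already cover it). Neither of these two content fixes bumps the rule's `modified:` date, which the repository's other edits in this series do.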
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../proc_creation_win_portable_gpg.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_portable_gpg.yml diff --git a/rules/windows/process_creation/proc_creation_win_portable_gpg.yml b/rules/windows/process_creation/proc_creation_win_portable_gpg.yml new file mode 100644 index 000000000..b0ca847ae --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_portable_gpg.yml @@ -0,0 +1,24 @@ +title: Gpg.exe Portable Use +id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 +status: experimental +description: Detects the use of gpg.exe as a portable tool. May indicate ransomware activity like CrypVault or Qwerty. +references: + - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a + - https://securelist.com/locked-out/68960/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md +author: frack113 +date: 2023/08/06 +tags: + - attack.impact + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + - OriginalFileName: 'gpg.exe' + - Description: 'GnuPG’s OpenPGP tool' + filter_legit: + Image: 'C:\Program Files (x86)\GnuPG\bin\gpg.exe' + condition: selection and not filter_legit +level: high From a5fcba83cb4469fc84f44b80b1dbddd550ba6776 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 7 Aug 2023 11:47:07 +0200 Subject: [PATCH 18/33] Update proc_creation_win_susp_service_tamper.yml --- .../process_creation/proc_creation_win_susp_service_tamper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index f5a448234..fdb5b28d9 100644 
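Review bot: The rule has no `falsepositives` section, and `filter_legit` allows only `C:\Program Files (x86)\GnuPG\bin\gpg.exe`; GnuPG also ships inside other common packages (e.g. Git for Windows under `\Git\usr\bin\gpg.exe`, 64-bit installs under `C:\Program Files\GnuPG\`) — not verifiable from the hunk, but at `level: high` those need either a filter entry or an explicit line such as `falsepositives: - Legitimate use of GnuPG bundled with other software`. The `Description: 'GnuPG’s OpenPGP tool'` value contains a typographic apostrophe (U+2019); confirm it matches the binary's FileDescription byte-for-byte, otherwise that alternative never fires. Naming the filter `filter_main_legit_path` would follow the `filter_main_*` convention used by the other rules in this series.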
--- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -17,7 +17,7 @@ references: - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2022/09/01 -modified: 2023/07/13 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.t1489 From ba3af8f35320c907ecab3adfbaea17b7441a089f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 7 Aug 2023 11:47:27 +0200 Subject: [PATCH 19/33] feat: apply suggestions from code review --- .../proc_creation_win_susp_service_tamper.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml index fdb5b28d9..7b3d10c71 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml @@ -93,7 +93,7 @@ detection: - 'FirebirdGuardianDefaultInstance' - 'FirebirdServerDefaultInstance' - 'HealthTLService' - - 'MSSQLFDLauncher$SHAREPOINT' + - 'MSSQLFDLauncher$' # Covers 'SHAREPOINT', 'TPS', 'SBSMonitoring', etc. - 'hmpalertsvc' - 'HMS' - 'IISAdmin' @@ -221,7 +221,7 @@ detection: - 'UI0Detect' - 'UTODetect' - 'Veeam' - - 'VeemaDeploySvc' + - 'VeeamDeploySvc' - 'Veritas System Recovery' - 'VSApiNt' - 'VSS' From f52cd142e39f9772a16560ec98696c87c482b485 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 7 Aug 2023 16:09:21 +0200 Subject: [PATCH 20/33] feat: rules update --- .../pipe_created_psexec_pipes_artifacts.yml | 4 +- .../pipe_created_apt_turla_named_pipes.yml | 14 +++--- .../security/win_security_mal_creddumper.yml | 8 ++-- .../win_system_mal_creddumper.yml | 8 ++-- .../win_system_service_install_csexecsvc.yml | 28 +++++++++++ .../win_system_service_install_hacktools.yml | 29 ++++++----- .../win_system_service_install_remcom.yml | 27 +++++++++++ ...m_service_install_sysinternals_psexec.yml} | 20 +++----- .../driver_load_win_mal_creddumper.yml | 8 ++-- ...vent_win_cred_dump_tools_dropped_files.yml | 32 ++++++------- .../file_event_win_csexec_service.yml | 22 +++++++++ .../file_event_win_remcom_service.yml | 22 +++++++++ ...event_win_sysinternals_psexec_service.yml} | 8 ---- .../image_load_side_load_windows_defender.yml | 23 +++++---- .../pipe_created_csexec_default_pipe.yml | 28 +++++++++++ ...yml => pipe_created_hktl_cobaltstrike.yml} | 5 ++ ... 
=> pipe_created_hktl_cobaltstrike_re.yml} | 5 ++ ..._hktl_cobaltstrike_susp_pipe_patterns.yml} | 43 +++++++++-------- ...ml => pipe_created_hktl_diagtrack_eop.yml} | 5 +- ...pe.yml => pipe_created_hktl_efspotato.yml} | 12 ++--- ...ed_hktl_generic_cred_dump_tools_pipes.yml} | 9 ++-- ...=> pipe_created_hktl_koh_default_pipe.yml} | 3 +- .../pipe_created_mal_namedpipes.yml | 48 +++++++++---------- ...reated_powershell_alternate_host_pipe.yml} | 0 .../pipe_created_remcom_default_pipe.yml | 28 +++++++++++ ...reated_scrcons_wmi_consumer_namedpipe.yml} | 0 ...ated_sysinternals_psexec_default_pipe.yml} | 10 +--- ...als_psexec_default_pipe_susp_location.yml} | 15 ++---- ...ion_win_mpcmdrun_dll_sideload_defender.yml | 26 ++++++---- ...tion_win_vsdiagnostics_execution_proxy.yml | 28 +++++++++++ 30 files changed, 351 insertions(+), 167 deletions(-) rename {rules/windows/pipe_created => deprecated/windows}/pipe_created_psexec_pipes_artifacts.yml (96%) rename rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml => rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml (64%) mode change 100755 => 100644 create mode 100644 rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml create mode 100644 rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml rename rules/windows/builtin/system/service_control_manager/{win_system_service_install_psexec.yml => win_system_service_install_sysinternals_psexec.yml} (71%) create mode 100644 rules/windows/file/file_event/file_event_win_csexec_service.yml create mode 100644 rules/windows/file/file_event/file_event_win_remcom_service.yml rename rules/windows/file/file_event/{file_event_win_tool_psexec.yml => file_event_win_sysinternals_psexec_service.yml} (84%) create mode 100644 rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml rename rules/windows/pipe_created/{pipe_created_mal_cobaltstrike.yml => 
pipe_created_hktl_cobaltstrike.yml} (93%) rename rules/windows/pipe_created/{pipe_created_mal_cobaltstrike_re.yml => pipe_created_hktl_cobaltstrike_re.yml} (93%) rename rules/windows/pipe_created/{pipe_created_susp_cobaltstrike_pipe_patterns.yml => pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml} (84%) rename rules/windows/pipe_created/{pipe_created_diagtrack_eop_default_pipe.yml => pipe_created_hktl_diagtrack_eop.yml} (89%) rename rules/windows/pipe_created/{pipe_created_efspotato_namedpipe.yml => pipe_created_hktl_efspotato.yml} (80%) rename rules/windows/pipe_created/{pipe_created_cred_dump_tools_named_pipes.yml => pipe_created_hktl_generic_cred_dump_tools_pipes.yml} (82%) rename rules/windows/pipe_created/{pipe_created_koh_default_pipe.yml => pipe_created_hktl_koh_default_pipe.yml} (95%) rename rules/windows/pipe_created/{pipe_created_alternate_powershell_hosts_pipe.yml => pipe_created_powershell_alternate_host_pipe.yml} (100%) create mode 100644 rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml rename rules/windows/pipe_created/{pipe_created_susp_wmi_consumer_namedpipe.yml => pipe_created_scrcons_wmi_consumer_namedpipe.yml} (100%) rename rules/windows/pipe_created/{pipe_created_psexec_default_pipe.yml => pipe_created_sysinternals_psexec_default_pipe.yml} (83%) rename rules/windows/pipe_created/{pipe_created_psexec_default_pipe_from_susp_location.yml => pipe_created_sysinternals_psexec_default_pipe_susp_location.yml} (88%) create mode 100644 rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml diff --git a/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml b/deprecated/windows/pipe_created_psexec_pipes_artifacts.yml similarity index 96% rename from rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml rename to deprecated/windows/pipe_created_psexec_pipes_artifacts.yml index a0429bc59..c3f2566f7 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml 
+++ b/deprecated/windows/pipe_created_psexec_pipes_artifacts.yml
@@ -1,12 +1,12 @@
 title: PsExec Pipes Artifacts
 id: 9e77ed63-2ecf-4c7b-b09d-640834882028
-status: test
+status: deprecated
 description: Detecting use PsExec via Pipe Creation/Access to pipes
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nikita Nazarov, oscd.community
 date: 2020/05/10
-modified: 2021/11/27
+modified: 2023/08/07
 tags:
 - attack.lateral_movement
 - attack.t1021.002
diff --git a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
old mode 100755
new mode 100644
similarity index 64%
rename from rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
rename to rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
index 452bdbb65..fbffedc59
--- a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
+++ b/rules-emerging-threats/2017/TA/Turla/pipe_created_apt_turla_named_pipes.yml
@@ -19,13 +19,13 @@ logsource:
 detection:
 selection:
 PipeName:
- - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- - '\userpipe' # ruag apt case
- - '\iehelper' # ruag apt case
- - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
+ - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
+ - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - '\iehelper' # ruag apt case
+ - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - '\userpipe' # ruag apt case
+ #- '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
 condition: selection
 falsepositives:
- - Unknown
+ - Unlikely
 level: critical
diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml
index 262e53b24..f5e9ec665 100644
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml
+++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml
@@ -28,13 +28,13 @@ detection:
 selection:
 EventID: 4697
 ServiceFileName|contains:
- - 'fgexec'
- - 'dumpsvc'
 - 'cachedump'
- - 'mimidrv'
+ - 'dumpsvc'
+ - 'fgexec'
 - 'gsecdump'
- - 'servpw'
+ - 'mimidrv'
 - 'pwdump'
+ - 'servpw'
 condition: selection
 falsepositives:
 - Legitimate Administrator using credential dumping tool for password recovery
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
index f30c790c3..1a631f9fb 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_mal_creddumper.yml
@@ -25,13 +25,13 @@ detection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
 ImagePath|contains:
- - 'fgexec'
- - 'dumpsvc'
 - 'cachedump'
- - 'mimidrv'
+ - 'dumpsvc'
+ - 'fgexec'
 - 'gsecdump'
- - 'servpw'
+ - 'mimidrv'
 - 'pwdump'
+ - 'servpw'
 condition: selection
 falsepositives:
 - Legitimate Administrator using credential dumping tool for password recovery
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
new file mode 100644
index 000000000..c3a70abe3
--- /dev/null
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -0,0 +1,28 @@
+title: CSExec Service Installation
+id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
+status: experimental
+description: Detects CSExec service installation and execution events
+references:
+ - https://github.com/malcomvetter/CSExec
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_service_installation:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ ServiceName: 'csexecsvc'
+ ImagePath|endswith: '\csexecsvc.exe'
+ selection_service_execution:
+ EventID: 7036
+ ServiceName: 'csexecsvc'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: medium
+
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
index 4e9779c3d..37789edc5 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
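Review bot: The 7045 branch in `selection_service_installation` of the new CSExec rule only fires when both the default service name and the default binary name are present; an operator who keeps the `csexecsvc` service name but renames the dropped executable, or the reverse, evades that branch, and the 7036 branch only covers the first of those two cases. Each indicator is strong on its own, so split the installation selection into two 7045 selections that `1 of selection_*` will OR together, as below. The same observation applies to the PsExec rule this one is modelled on. The trailing empty `+` line that makes this file 28 lines (its RemCom twin is 27) will likely be flagged by yamllint's `empty-lines` check and can be dropped.
```yaml
    selection_service_installation_name:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'csexecsvc'
    selection_service_installation_image:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|endswith: '\csexecsvc.exe'
    # … unchanged: selection_service_execution and condition …
```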
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_hacktools.yml
@@ -1,11 +1,12 @@
-title: Hacktool Service Registration or Execution
+title: HackTool Service Registration or Execution
 id: d26ce60c-2151-403c-9a42-49420d87b5e4
 status: test
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects installation or execution of services
 references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/21
+modified: 2023/08/07
 tags:
 - attack.execution
 - attack.t1569.002
@@ -14,22 +15,24 @@ logsource:
 product: windows
 service: system
 detection:
- service:
+ selection_eid:
 Provider_Name: 'Service Control Manager'
 EventID:
 - 7045
 - 7036
- selection:
- - ServiceName|contains:
- - 'WCESERVICE'
- - 'WCE SERVICE'
- - 'winexesvc'
- - 'DumpSvc'
- - 'pwdump'
- - 'gsecdump'
+ selection_service_name:
+ ServiceName|contains:
 - 'cachedump'
- - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
- condition: service and selection
+ - 'DumpSvc'
+ - 'gsecdump'
+ - 'pwdump'
+ - 'UACBypassedService'
+ - 'WCE SERVICE'
+ - 'WCESERVICE'
+ - 'winexesvc'
+ selection_service_image:
+ ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
+ condition: selection_eid and 1 of selection_service_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
new file mode 100644
index 000000000..f4d21e441
--- /dev/null
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
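Review bot: The new `description` at the top of the first hunk, `Detects installation or execution of services`, no longer says what makes a service suspicious, so the rule reads as if it alerts on every 7045/7036 event rather than on the hacktool names listed in `selection_service_name`. Tie it to the selections: `description: Detects installation or execution of services whose name or image path is associated with known hacktools (WCE, winexe, pwdump, gsecdump, cachedump, UAC-bypass PoCs)`. The `ImagePath|contains: 'bypass'` branch is inherited from the old rule and stays a bare substring match; since it is now its own selection, a `falsepositives` entry naming legitimate products that carry "bypass" in their install path would help triage.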
@@ -0,0 +1,27 @@
+title: RemCom Service Installation
+id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
+status: experimental
+description: Detects RemCom service installation and execution events
+references:
+ - https://github.com/kavika13/RemCom/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_service_installation:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ ServiceName: 'RemComSvc'
+ ImagePath|endswith: '\RemComSvc.exe'
+ selection_service_execution:
+ EventID: 7036
+ ServiceName: 'RemComSvc'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
similarity index 71%
rename from rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml
rename to rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
index 887eabc37..3e1d5b89c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_psexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
@@ -1,13 +1,13 @@
 title: PsExec Service Installation
 id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects PsExec service installation and execution events
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/10/26
+modified: 2023/08/04
 tags:
 - attack.execution
 - attack.t1569.002
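Review bot: The `id` of this new RemCom rule, `9e36ed87-4986-482e-8e3b-5c23ffff11bf`, is the same UUID as the CSExec service rule added earlier in this patch; Sigma ids must be unique and the repository's duplicate-id test is likely to reject the pair. Replace one of the two with a freshly generated UUIDv4 before merging. As in the CSExec rule, `selection_service_installation` ANDs `ServiceName: 'RemComSvc'` with `ImagePath|endswith: '\RemComSvc.exe'`, so a renamed service binary registered under the default name is only caught by the weaker 7036 branch, and a default binary registered under a custom name is missed entirely; splitting the two indicators into separate 7045 selections would close that gap.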
@@ -16,23 +16,15 @@ logsource:
 product: windows
 service: system
 detection:
- service_installation:
+ selection_service_installation:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
 ServiceName: 'PSEXESVC'
 ImagePath|endswith: '\PSEXESVC.exe'
- service_execution:
+ selection_service_execution:
 EventID: 7036
 ServiceName: 'PSEXESVC'
- condition: 1 of service_*
-fields:
- - EventID
- - CommandLine
- - ParentCommandLine
- - ServiceName
- - ServiceFileName
- - TargetFilename
- - PipeName
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
-level: low
+level: medium
diff --git a/rules/windows/driver_load/driver_load_win_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
index 593bfeae4..18f583465 100644
--- a/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml
@@ -26,13 +26,13 @@ logsource:
 detection:
 selection:
 ImageLoaded|contains:
- - 'fgexec'
- - 'dumpsvc'
 - 'cachedump'
- - 'mimidrv'
+ - 'dumpsvc'
+ - 'fgexec'
 - 'gsecdump'
- - 'servpw'
+ - 'mimidrv'
 - 'pwdump'
+ - 'servpw'
 condition: selection
 falsepositives:
 - Legitimate Administrator using credential dumping tool for password recovery
diff --git a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
index 6089b9e4c..de54c089e 100755
--- a/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
+++ b/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml
@@ -20,32 +20,32 @@ logsource:
 detection:
 selection:
 - TargetFilename|contains:
- - '\pwdump'
+ - '\fgdump-log'
 - '\kirbi'
+ - '\pwdump'
 - '\pwhashes'
 - '\wce_ccache'
 - '\wce_krbtkts'
- - '\fgdump-log'
 - TargetFilename|endswith:
- - '\test.pwd'
- - '\lsremora64.dll'
- - '\lsremora.dll'
- - '\fgexec.exe'
- - '\wceaux.dll'
- - '\SAM.out'
- - '\SECURITY.out'
- - '\SYSTEM.out'
- - '\NTDS.out'
+ - '\cachedump.exe'
+ - '\cachedump64.exe'
 - '\DumpExt.dll'
 - '\DumpSvc.exe'
- - '\cachedump64.exe'
- - '\cachedump.exe'
+ - '\Dumpy.exe'
+ - '\fgexec.exe'
+ - '\lsremora.dll'
+ - '\lsremora64.dll'
+ - '\NTDS.out'
+ - '\procdump64.exe'
 - '\pstgdump.exe'
+ - '\pwdump.exe'
+ - '\SAM.out'
+ - '\SECURITY.out'
 - '\servpw.exe'
 - '\servpw64.exe'
- - '\pwdump.exe'
- - '\procdump64.exe'
- - '\Dumpy.exe'
+ - '\SYSTEM.out'
+ - '\test.pwd'
+ - '\wceaux.dll'
 condition: selection
 falsepositives:
 - Legitimate Administrator using tool for password recovery
diff --git a/rules/windows/file/file_event/file_event_win_csexec_service.yml b/rules/windows/file/file_event/file_event_win_csexec_service.yml
new file mode 100644
index 000000000..33f9fce2a
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_csexec_service.yml
@@ -0,0 +1,22 @@
+title: CSExec Service File Creation
+id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
+status: test
+description: Detects default CSExec service filename which indicates CSExec service installation and execution
+references:
+ - https://github.com/malcomvetter/CSExec
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/04
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\csexecsvc.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
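Review bot: The tag `attack.s0029` on the new CSExec file-creation rule is the ATT&CK software ID for PsExec, not CSExec; it appears to have been carried over from the PsExec file-creation rule and will mislabel hits in any ATT&CK-mapped view. Drop that line and keep `attack.execution` and `attack.t1569.002`, which do apply. A `related` entry pointing at the CSExec service-installation rule added in this same patch would also let analysts pivot between the file drop and the 7045 event.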
diff --git a/rules/windows/file/file_event/file_event_win_remcom_service.yml b/rules/windows/file/file_event/file_event_win_remcom_service.yml
new file mode 100644
index 000000000..db011fb6e
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_remcom_service.yml
@@ -0,0 +1,22 @@
+title: RemCom Service File Creation
+id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
+status: test
+description: Detects default RemCom service filename which indicates RemCom service installation and execution
+references:
+ - https://github.com/kavika13/RemCom/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/04
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\RemComSvc.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_tool_psexec.yml b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
similarity index 84%
rename from rules/windows/file/file_event/file_event_win_tool_psexec.yml
rename to rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
index 09dc46ef3..70adaaad4 100644
--- a/rules/windows/file/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service.yml
@@ -22,14 +22,6 @@ detection:
 selection:
 TargetFilename|endswith: '\PSEXESVC.exe'
 condition: selection
-fields:
- - EventID
- - CommandLine
- - ParentCommandLine
- - ServiceName
- - ServiceFileName
- - TargetFilename
- - PipeName
 falsepositives:
 - Unknown
 level: low
diff --git a/rules/windows/image_load/image_load_side_load_windows_defender.yml b/rules/windows/image_load/image_load_side_load_windows_defender.yml
index ab39de622..2ce295c43 100644
--- a/rules/windows/image_load/image_load_side_load_windows_defender.yml
+++ b/rules/windows/image_load/image_load_side_load_windows_defender.yml
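Review bot: `id: f0e2b768-5220-47dd-b891-d57b96fc0ec1` in the new RemCom file-creation rule duplicates the id of the CSExec file-creation rule added immediately before it; one of the two needs a freshly generated UUIDv4 or the duplicate-id check will fail. `attack.s0029` is the ATT&CK software ID for PsExec and does not describe RemCom, so that tag should be removed here as well. `TargetFilename|endswith: '\RemComSvc.exe'` is a default-name indicator that catches nothing once the service binary is renamed; saying so in the `description` (for example `Detects creation of a file named after the default RemCom service binary; renamed binaries are not covered`) sets the right expectation for the `medium` level.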
@@ -1,12 +1,15 @@
-title: Microsoft Defender Loading DLL from Nondefault Path
+title: Potential Mpclient.DLL Sideloading
 id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
+related:
+ - id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
+ type: similar
 status: experimental
-description: Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL
+description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
 references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
 author: Bhabesh Raj
 date: 2022/08/02
-modified: 2022/08/17
+modified: 2023/08/04
 tags:
 - attack.defense_evasion
 - attack.t1574.002
@@ -15,16 +18,18 @@ logsource:
 category: image_load
 detection:
 selection:
+ ImageLoaded|endswith: '\mpclient.dll'
 Image|endswith:
 - '\MpCmdRun.exe'
 - '\NisSrv.exe'
- ImageLoaded|endswith: '\mpclient.dll'
- filter:
- ImageLoaded|startswith:
- - 'C:\Program Files\Windows Defender\'
+ filter_main_known_locations:
+ Image|startswith:
 - 'C:\Program Files (x86)\Windows Defender\'
+ - 'C:\Program Files\Microsoft Security Client\'
+ - 'C:\Program Files\Windows Defender\'
 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- condition: selection and not filter
+ - 'C:\Windows\WinSxS\'
+ condition: selection and not 1 of filter_main_*
 falsepositives:
- - Very unlikely
+ - Unlikely
 level: high
diff --git a/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml
new file mode 100644
index 000000000..f4c4da6dc
--- /dev/null
+++ b/rules/windows/pipe_created/pipe_created_csexec_default_pipe.yml
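Review bot: The rewritten `filter_main_known_locations` in the second hunk keys on `Image|startswith` (the process path), whereas the old `filter` keyed on `ImageLoaded|startswith` (the DLL path); as written, any event where MpCmdRun.exe or NisSrv.exe sits in a trusted directory is suppressed regardless of where `mpclient.dll` was loaded from, which is the opposite of what the `description` says the rule looks for. Make the filter require both the process and the DLL to come from the known locations by adding an `ImageLoaded|startswith` clause to the same selection (fields within one selection are ANDed), as below. `C:\Windows\WinSxS\` also widens the allowlist compared with the old rule and deserves an inline comment naming the Defender component that loads from there.
```yaml
    filter_main_known_locations:
        # … unchanged: Image|startswith list …
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Defender\'
            - 'C:\Program Files\Microsoft Security Client\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
```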
@@ -0,0 +1,28 @@
+title: CSExec Default Named Pipe
+id: f318b911-ea88-43f4-9281-0de23ede628e
+related:
+ - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
+ type: obsoletes
+status: test
+description: Detects default CSExec pipe creation
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+ - https://github.com/malcomvetter/CSExec
+author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/08/07
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ category: pipe_created
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+detection:
+ selection:
+ PipeName|contains: '\csexecsvc'
+ condition: selection
+falsepositives:
+ - Legitimate Administrator activity
+level: medium
diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
similarity index 93%
rename from rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
rename to rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
index 9ca006e3f..6648ba357 100644
--- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml
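Review bot: `PipeName|contains: '\csexecsvc'` in this new rule overlaps with the exact `'\csexecsvc'` entry that the same patch keeps in pipe_created_mal_namedpipes.yml, so a single CSExec pipe creation now raises two alerts with different titles and levels. Either drop the entry from the generic rule or record the overlap here with a `related` item (`- id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a` / `type: similar`) so the duplication is deliberate and visible. `contains` is also broader than the exact match used in the generic rule; if that is intended to catch derived names such as per-session stdin/stdout pipes, a one-line comment next to the selection saying so would spare the next reader a trip to the CSExec source.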
@@ -1,5 +1,10 @@ title: CobaltStrike Named Pipe id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 +related: + - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns + type: similar + - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex + type: similar status: test description: Detects the creation of a named pipe as used by CobaltStrike references: diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml similarity index 93% rename from rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml rename to rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml index 040265dd5..92d3ffa90 100644 --- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml @@ -1,5 +1,10 @@ title: CobaltStrike Named Pipe Pattern Regex id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a +related: + - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns + type: similar + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic + type: similar status: test description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles references: diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml similarity index 84% rename from rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml rename to rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml index f9760d37f..da457cd23 100644 --- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml 
@@ -1,5 +1,10 @@ title: CobaltStrike Named Pipe Patterns id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 +related: + - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex + type: similar + - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic + type: similar status: test description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles references: @@ -7,7 +12,7 @@ references: - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) date: 2021/07/30 -modified: 2022/10/09 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -17,35 +22,35 @@ logsource: category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection_malleable_profiles: + selection_malleable_profiles_generic: - PipeName|startswith: + - '\DserNamePipe' + - '\f4c3' + - '\f53f' + - '\fullduplex_' - '\mojo.5688.8052.183894939787088877' - '\mojo.5688.8052.35780273329370473' + - '\MsFteWds' + - '\msrpc_' - '\mypipe-f' - '\mypipe-h' - '\ntsvcs' - - '\scerpc' - - '\win_svc' - - '\spoolss' - - '\msrpc_' - - '\win\msrpc_' - - '\wkssvc' - - '\f53f' - - '\windows.update.manager' - - '\SearchTextHarvester' - - '\DserNamePipe' - '\PGMessagePipe' - - '\MsFteWds' - - '\f4c3' - - '\fullduplex_' - '\rpc_' + - '\scerpc' + - '\SearchTextHarvester' + - '\spoolss' + - '\win_svc' + - '\win\msrpc_' + - '\windows.update.manager' + - '\wkssvc' - PipeName: - '\demoagent_11' - '\demoagent_22' - selection_malleable_profile_CatalogChangeListener: + selection_malleable_profile_catalog_change_listener: PipeName|startswith: '\Winsock2\CatalogChangeListener-' PipeName|endswith: '-0,' - filter: + filter_main_generic: PipeName: - '\wkssvc' - '\spoolss' 
@@ -54,7 +59,7 @@ detection: - '\SearchTextHarvester' - '\PGMessagePipe' - '\MsFteWds' - condition: 1 of selection_malleable_profile* and not filter + condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* falsepositives: - - Chrome instances using the exact same pipe name "mojo.something" + - Chrome instances using the exact same pipe name "mojo.xxx" level: high diff --git a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml similarity index 89% rename from rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml rename to rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml index 3ae653567..f6017cdbd 100644 --- a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_diagtrack_eop.yml @@ -1,11 +1,12 @@ -title: DiagTrackEoP Default Named Pipe +title: HackTool - DiagTrackEoP Default Named Pipe id: 1f7025a6-e747-4130-aac4-961eb47015f1 status: experimental -description: Detects creation of default named pipe used by the DiagTrackEoP POC +description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. references: - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/03 +modified: 2023/08/07 tags: - attack.privilege_escalation logsource: diff --git a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml similarity index 80% rename from rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml rename to rules/windows/pipe_created/pipe_created_hktl_efspotato.yml index 957e4104f..cc2dee084 100644 --- a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_efspotato.yml 
@@ -1,13 +1,13 @@ -title: EfsPotato Named Pipe +title: HackTool - EfsPotato Named Pipe Creation id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2 status: experimental -description: Detects the pattern of a pipe name as used by the tool EfsPotato +description: Detects the pattern of a pipe name as used by the hacktool EfsPotato references: - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 - https://github.com/zcgonvh/EfsPotato author: Florian Roth (Nextron Systems) date: 2021/08/23 -modified: 2022/06/20 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.privilege_escalation @@ -20,10 +20,10 @@ detection: selection: PipeName|contains: - '\pipe\' - - '\pipe\srvsvc' # more specific version (use only this one of the other causes too many false positives) - filter: + - '\pipe\srvsvc' # more specific version (use only this one if the other causes too many false positives) + filter_optional_ctx: PipeName|contains: '\CtxShare' - condition: selection and not filter + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml similarity index 82% rename from rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml rename to rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml index 374c1b428..abf6b6a52 100644 --- a/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_generic_cred_dump_tools_pipes.yml 
@@ -1,12 +1,13 @@ -title: Cred Dump-Tools Named Pipes +title: HackTool - Credential Dumping Tools Named Pipe Created id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e status: test -description: Detects well-known credential dumping tools execution via specific named pipes +description: Detects well-known credential dumping tools execution via specific named pipe creation references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799 author: Teymur Kheirkhabarov, oscd.community date: 2019/11/01 -modified: 2021/11/27 +modified: 2023/08/07 tags: - attack.credential_access - attack.t1003.001 @@ -20,8 +21,8 @@ logsource: detection: selection: PipeName|contains: - - '\lsadump' - '\cachedump' + - '\lsadump' - '\wceservicepipe' condition: selection falsepositives: diff --git a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml similarity index 95% rename from rules/windows/pipe_created/pipe_created_koh_default_pipe.yml rename to rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml index 6a9e10ab4..3042597df 100644 --- a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_hktl_koh_default_pipe.yml @@ -1,4 +1,4 @@ -title: Koh Default Named Pipes +title: HackTool - Koh Default Named Pipe id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a status: experimental description: Detects creation of default named pipes used by the Koh tool @@ -6,6 +6,7 @@ references: - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/08 +modified: 2023/08/07 tags: - attack.privilege_escalation - attack.credential_access 
diff --git a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml index c92637a41..8d7029c32 100644 --- a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml +++ b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml @@ -1,7 +1,7 @@ -title: Malicious Named Pipe +title: Malicious Named Pipe Created id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a status: test -description: Detects the creation of a named pipe used by known APT malware +description: Detects the creation of a named pipe seen used by known APTs or malware. references: - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/ - https://securelist.com/faq-the-projectsauron-apt/75533/ @@ -17,7 +17,7 @@ references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ author: Florian Roth (Nextron Systems), blueteam0ps, elhoim date: 2017/11/06 -modified: 2022/03/15 +modified: 2023/08/07 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -29,34 +29,34 @@ logsource: detection: selection: PipeName: - - '\isapi_http' # Uroburos Malware + - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron + - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware + - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake + - '\9f81f59bc58452127884ce513865ed20' # Project Sauron + - '\adschemerpc' # Turla HyperStack + - '\ahexec' # Sofacy group malware + - '\AnonymousPipe' # Hidden Cobra Hoplight + - '\bc31a7' # Pacifier + - '\bc367' # Pacifier + - '\bizkaz' # Snatch Ransomware + - '\csexecsvc' #CSEXEC default + - '\dce_3d' #Qbot + - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron + - '\gruntsvc' # Covenant default - '\isapi_dg' # Uroburos Malware - '\isapi_dg2' # Uroburos Malware - - '\sdlrpc' # Cobra Trojan - - '\ahexec' # Sofacy group malware - - '\winsession' # Wild Neutron APT malware + - '\isapi_http' # Uroburos Malware + - '\jaccdpqnvbrrxlaf' #PoshC2 default - '\lsassw' # Wild Neutron APT malware - - '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron - - '\9f81f59bc58452127884ce513865ed20' # Project Sauron - - '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron - - '\rpchlp_3' # Project Sauron - '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves - '\pcheap_reuse' # Pipe used by Equation Group malware - - '\gruntsvc' # Covenant default - # - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253 - - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware - - '\bizkaz' # Snatch Ransomware - - '\svcctl' #Crackmapexec smbexec default - '\Posh*' #PoshC2 default - - '\jaccdpqnvbrrxlaf' #PoshC2 default - - '\csexecsvc' #CSEXEC default - - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake - - '\adschemerpc' # Turla HyperStack - - '\AnonymousPipe' # Hidden Cobra Hoplight - - '\bc367' # Pacifier - - '\bc31a7' # Pacifier + - '\rpchlp_3' # Project Sauron + - '\sdlrpc' # Cobra Trojan + - '\svcctl' #Crackmapexec smbexec default - '\testPipe' # Emissary Panda Hyperbro 
- - '\dce_3d' #Qbot + - '\winsession' # Wild Neutron APT malware + # - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253 condition: selection falsepositives: - Unknown diff --git a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml similarity index 100% rename from rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml rename to rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml diff --git a/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml b/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml new file mode 100644 index 000000000..8e819e72c --- /dev/null +++ b/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml 
@@ -0,0 +1,28 @@ +title: RemCom Default Named Pipe +id: d36f87ea-c403-44d2-aa79-1a0ac7c24456 +related: + - id: 9e77ed63-2ecf-4c7b-b09d-640834882028 + type: obsoletes +status: test +description: Detects default RemCom pipe creation +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view + - https://github.com/kavika13/RemCom +author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/07 +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.execution + - attack.t1569.002 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' +detection: + selection: + PipeName|contains: '\RemCom' + condition: selection +falsepositives: + - Legitimate Administrator activity +level: medium diff --git a/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml b/rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml similarity index 100% rename from rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml rename to rules/windows/pipe_created/pipe_created_scrcons_wmi_consumer_namedpipe.yml 
diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml similarity index 83% rename from rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml rename to rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml index 2fbbeba1d..e0f10faeb 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe.yml @@ -4,7 +4,7 @@ related: - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 type: derived status: test -description: Detects PsExec service installation and execution events (service and Sysmon) +description: Detects PsExec service default pipe creation references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -23,14 +23,6 @@ detection: selection: PipeName: '\PSEXESVC' condition: selection -fields: - - EventID - - CommandLine - - ParentCommandLine - - ServiceName - - ServiceFileName - - TargetFilename - - PipeName falsepositives: - Unknown level: low diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml similarity index 88% rename from rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml rename to rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml index 41fa2e118..27725e574 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml +++ b/rules/windows/pipe_created/pipe_created_sysinternals_psexec_default_pipe_susp_location.yml @@ -10,6 +10,7 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/04 +modified: 2023/08/07 tags: - attack.execution - attack.t1569.002 
@@ -22,20 +23,12 @@ detection: selection: PipeName: '\PSEXESVC' Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env - - 'C:\Users\Public\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' - '\Desktop\' - '\Downloads\' - - '\AppData\Local\Temp\' - - 'C:\Windows\Temp\' condition: selection -fields: - - EventID - - CommandLine - - ParentCommandLine - - ServiceName - - ServiceFileName - - TargetFilename - - PipeName falsepositives: - Rare legitimate use of psexec from the locations mentioned above level: high diff --git a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml index 6e6de4fdc..9d898c282 100644 --- a/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml @@ -1,12 +1,15 @@ -title: DLL Sideloading by Microsoft Defender +title: Potential Mpclient.DLL Sideloading Via Defender Binaries id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9 +related: + - id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc + type: similar status: experimental -description: Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL +description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj date: 2022/08/01 -modified: 2022/08/09 +modified: 2023/08/04 tags: - attack.defense_evasion - attack.t1574.002 
@@ -15,14 +18,17 @@ logsource: category: process_creation detection: selection: - Image|endswith: '\MpCmdRun.exe' - legit_path: - Image|startswith: # MpCmdRun resides in two locations + Image|endswith: + - '\MpCmdRun.exe' + - '\NisSrv.exe' + filter_main_known_locations: + Image|startswith: + - 'C:\Program Files (x86)\Windows Defender\' + - 'C:\Program Files\Microsoft Security Client\' - 'C:\Program Files\Windows Defender\' - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - - 'C:\Windows\winsxs\' - - 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' # found on Win7 i386 - condition: selection and not legit_path + - 'C:\Windows\WinSxS\' + condition: selection and not 1 of filter_main_* falsepositives: - - Unknown + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml new file mode 100644 index 000000000..aafcf1061 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml @@ -0,0 +1,28 @@ +title: Potential Binary Proxy Execution Via VSDiagnostics.EXE +id: 43103702-5886-11ed-9b6a-0242ac120002 +status: experimental +description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. +references: + - https://twitter.com/0xBoku/status/1679200664013135872 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/03 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\VSDiagnostics.exe' + - OriginalFileName: 'VSDiagnostics.exe' + selection_cli_start: + CommandLine|contains: 'start' + selection_cli_launch: + CommandLine|contains: + - ' /launch:' + - ' -launch:' + condition: all of selection_* +falsepositives: + - Legitimate usage for tracing and diagnostics purposes +level: medium 
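Review bot: The rewritten `filter_main_known_locations` pins every legitimate Defender path to the `C:` drive with `Image|startswith`, while the other path-based selections in this series (the PsExec location rule and the WMI module rule) were made drive-agnostic with `:\...` prefixes and `contains`. On a host where Windows or Program Files lives on another drive letter the legitimate `MpCmdRun.exe`/`NisSrv.exe` escape the filter and this level-high rule fires, which the `- Unlikely` false-positive entry understates. Switching the filter to `Image|contains` with the drive letter dropped keeps the intent and matches the rest of the commit.
```yaml
    filter_main_known_locations:
      Image|contains:
        - ':\Program Files (x86)\Windows Defender\'
        - ':\Program Files\Microsoft Security Client\'
        - ':\Program Files\Windows Defender\'
        - ':\ProgramData\Microsoft\Windows Defender\Platform\'
        - ':\Windows\WinSxS\'
    # … unchanged: condition, falsepositives, level …
```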
From ef2d8b4c99cdd2e0e883755160d906f3b2cc0ce8 Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Mon, 7 Aug 2023 18:33:35 -0700 Subject: [PATCH 21/33] Create azure_identity_protectection_anomalous_token.yml Adding the first of several identity protection alerts --- ...identity_protectection_anomalous_token.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml new file mode 100644 index 000000000..1482202e7 --- /dev/null +++ b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml @@ -0,0 +1,23 @@ +title: Anomalous Token +id: 6555754e-5e7f-4a67-ad1c-4041c413a007 +status: experimental +description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. +references: + - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token + - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins +author: Mark Morowczynski '@markmorow' +date: 2023/08/07 +tags: + - attack.t1528 + - attack.credential_access +logsource: + product: azure + service: riskDetection +detection: + selection: + properties.message: + - anomalousToken + condition: selection +falsepositives: + - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. +level: high From fa780ec7b91b640045b01e8ba2b47b4d4c85a3ab Mon Sep 17 00:00:00 2001 
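Review bot: The single `falsepositives` entry ("We recommend investigating the sessions flagged by this detection …") is investigation guidance rather than a benign cause of the alert, which is what Sigma's `falsepositives` field lists. That sentence fits better in `description`, with the field naming actual benign sources or `- Unknown` if none are known. The later patches in this series lowercase the service name and collapse the value list but leave this wording untouched.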
From: Mark Morowczynski Date: Mon, 7 Aug 2023 18:36:25 -0700 Subject: [PATCH 22/33] Update azure_identity_protectection_anomalous_token.yml Deleting extra space --- .../azure_identity_protectection_anomalous_token.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml index 1482202e7..615188069 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml @@ -1,5 +1,5 @@ title: Anomalous Token -id: 6555754e-5e7f-4a67-ad1c-4041c413a007 +id: 6555754e-5e7f-4a67-ad1c-4041c413a007 status: experimental description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. references: From a66b38d3df9116d215ff1b39fb9d0cdeea22a7b9 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 8 Aug 2023 06:47:08 +0200 Subject: [PATCH 23/33] Fix to pass the tests --- .../azure_identity_protectection_anomalous_token.yml | 3 +-- tests/logsource.json | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml index 615188069..2fa37b148 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml 
@@ -15,8 +15,7 @@ logsource: service: riskDetection detection: selection: - properties.message: - - anomalousToken + properties.message: anomalousToken condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. diff --git a/tests/logsource.json b/tests/logsource.json index d7bc197ab..465459689 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -281,6 +281,7 @@ "auditlogs":[], "azureactivity":[], "microsoft365portal":[], + "riskDetection":[], "signinlogs":[] } }, From eca465192360dd962e52702f30e38fc343aaacba Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 8 Aug 2023 11:06:37 +0200 Subject: [PATCH 24/33] fix: typos --- .../win_system_defender_disabled.yml | 9 ++++++--- .../win_system_service_install_csexecsvc.yml | 14 ++++++-------- .../win_system_service_install_remcom.yml | 12 +++++------- .../win_system_service_install_sliver.yml | 6 +++--- ..._system_service_install_sysinternals_psexec.yml | 12 +++++------- ...reated_hktl_cobaltstrike_susp_pipe_patterns.yml | 2 +- 6 files changed, 26 insertions(+), 29 deletions(-) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml index b060b3d02..3835102e5 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml @@ -10,7 +10,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 -modified: 2022/08/01 +modified: 2023/08/08 tags: - attack.defense_evasion - attack.t1562.001 
@@ -21,12 +21,15 @@ detection:
 selection:
 EventID: 7036
 Provider_Name: 'Service Control Manager'
+ # Note: The service name and messages are localized
 param1:
 - 'Windows Defender Antivirus Service'
 - 'Service antivirus Microsoft Defender' #French OS
- param2: 'stopped'
+ param2:
+ - 'stopped'
+ - 'arrêté'
 condition: selection
 falsepositives:
 - Administrator actions
 - Auto updates of Windows Defender causes restarts
-level: low
+level: medium
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
index c3a70abe3..82f3740c8 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml
@@ -1,5 +1,5 @@
 title: CSExec Service Installation
-id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
+id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
 status: experimental
 description: Detects CSExec service installation and execution events
 references:
@@ -13,15 +13,13 @@ logsource:
 product: windows
 service: system
 detection:
- selection_service_installation:
+ selection_eid:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ServiceName: 'csexecsvc'
- ImagePath|endswith: '\csexecsvc.exe'
- selection_service_execution:
- EventID: 7036
- ServiceName: 'csexecsvc'
- condition: 1 of selection_*
+ selection_service:
+ - ServiceName: 'csexecsvc'
+ - ImagePath|endswith: '\csexecsvc.exe'
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
index f4d21e441..44590237d 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
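Review bot: `condition: selection` in the CSExec hunk names a selection that no longer exists — after this change the detection only defines `selection_eid` and `selection_service`, so the rule references an undefined selection and will fail validation or never fire. The RemCom and PsExec rules rewritten the same way in this commit use `condition: all of selection_*`; the same line is needed here. The `id` replacement in the first hunk of this file is unrelated to the "fix: typos" subject and deserves a sentence in the commit message, since consumers keyed on the old id `9e36ed87-…` lose the rule silently.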
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_remcom.yml
@@ -13,15 +13,13 @@ logsource:
 product: windows
 service: system
 detection:
- selection_service_installation:
+ selection_eid:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ServiceName: 'RemComSvc'
- ImagePath|endswith: '\RemComSvc.exe'
- selection_service_execution:
- EventID: 7036
- ServiceName: 'RemComSvc'
- condition: 1 of selection_*
+ selection_service:
+ - ServiceName: 'RemComSvc'
+ - ImagePath|endswith: '\RemComSvc.exe'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
index c4c54a6f3..e6bccf83c 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml
@@ -5,7 +5,7 @@ description: Detects known malicious service installation that appear in cases i
 references:
 - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
 - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/25
 tags:
 - attack.execution
@@ -16,7 +16,7 @@ logsource:
 product: windows
 service: system
 detection:
- selection_id:
+ selection_eid:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
 selection_service1:
@@ -25,7 +25,7 @@ detection:
 ServiceName:
 - 'Sliver'
 - 'Sliver implant'
- condition: selection_id and 1 of selection_service*
+ condition: selection_eid and 1 of selection_service_*
 falsepositives:
 - Unknown
 level: high
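Review bot: The new condition `selection_eid and 1 of selection_service_*` cannot match the existing selections: the context line `selection_service1:` in the second Sliver hunk has no underscore after `service`, and the glob `selection_service_*` requires one, so the service-name criteria drop out of the condition entirely. The second service selection lies outside the hunk, but the file's diffstat of three changed lines indicates it was not renamed either. Either restore `1 of selection_service*` from the removed line or rename both selections to `selection_service_1`/`selection_service_2` so the new glob resolves. The RemCom hunk on this line is consistent, using `all of selection_*`.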
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
index 3e1d5b89c..1c1bee909 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sysinternals_psexec.yml
@@ -16,15 +16,13 @@ logsource:
 product: windows
 service: system
 detection:
- selection_service_installation:
+ selection_eid:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ServiceName: 'PSEXESVC'
- ImagePath|endswith: '\PSEXESVC.exe'
- selection_service_execution:
- EventID: 7036
- ServiceName: 'PSEXESVC'
- condition: 1 of selection_*
+ selection_service:
+ - ServiceName: 'PSEXESVC'
+ - ImagePath|endswith: '\PSEXESVC.exe'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
index da457cd23..31747b587 100644
--- a/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
+++ b/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml
@@ -22,7 +22,7 @@ logsource: category: pipe_created definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: - selection_malleable_profiles_generic: + selection_malleable_profile_generic: - PipeName|startswith: - '\DserNamePipe' - '\f4c3' From 67d0d2afff8e79965708bcad621d8e0c32614c47 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 8 Aug 2023 15:41:08 +0200 Subject: [PATCH 25/33] chore: change service name to lowercase --- .../azure_identity_protectection_anomalous_token.yml | 2 +- tests/logsource.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml index 2fa37b148..3875b3828 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml @@ -12,7 +12,7 @@ tags: - attack.credential_access logsource: product: azure - service: riskDetection + service: riskdetection detection: selection: properties.message: anomalousToken diff --git a/tests/logsource.json b/tests/logsource.json index 465459689..64cc38ae0 100644 
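Review bot: The rename of `selection_malleable_profiles_generic` to `selection_malleable_profile_generic` changes only the key; the `condition` that has to reference it lies outside the hunk. The diffstat shows a single changed line for this file, so the condition presumably uses a wildcard such as `1 of selection_*`; if it names the selection explicitly, this rename silently breaks the rule and the condition needs the same edit.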
--- a/tests/logsource.json +++ b/tests/logsource.json @@ -281,7 +281,7 @@ "auditlogs":[], "azureactivity":[], "microsoft365portal":[], - "riskDetection":[], + "riskdetection":[], "signinlogs":[] } }, From 87b94ac1667973ac97c3f8e9402905889a930a83 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:53:37 +0200 Subject: [PATCH 26/33] feat: updates and enhancements --- .../image_load/image_load_wmi_module_load.yml | 77 ----------------- ...ad_wmi_module_load_by_uncommon_process.yml | 85 +++++++++++++++++++ .../proc_creation_win_lolbin_provlaunch.yml | 27 ------ ...reation_win_provlaunch_potential_abuse.yml | 50 +++++++++++ ...tion_win_provlaunch_susp_child_process.yml | 49 +++++++++++ ...c_creation_win_registry_add_provlaunch.yml | 30 ------- ...gistry_provlaunch_provisioning_command.yml | 29 +++++++ .../registry_set_lolbin_provlaunch.yml | 30 ------- ...egistry_set_provisioning_command_abuse.yml | 31 +++++++ 9 files changed, 244 insertions(+), 164 deletions(-) delete mode 100755 rules/windows/image_load/image_load_wmi_module_load.yml create mode 100644 rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml create mode 100644 rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml create mode 100644 rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml create mode 100644 rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml delete mode 100644 rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml create mode 100644 rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml 
diff --git a/rules/windows/image_load/image_load_wmi_module_load.yml b/rules/windows/image_load/image_load_wmi_module_load.yml deleted file mode 100755 index 9e2562218..000000000 --- a/rules/windows/image_load/image_load_wmi_module_load.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -title: WMI Modules Loaded -id: 671bb7e3-a020-4824-a00e-2ee5b55f385e -status: test -description: Detects non wmiprvse loading WMI modules -references: - - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html -author: Roberto Rodriguez @Cyb3rWard0g, Swachchhanda Shrawan Poudel -date: 2019/08/10 -modified: 2022/06/16 -tags: - - attack.execution - - attack.t1047 -logsource: - category: image_load - product: windows -detection: - selection: - ImageLoaded|endswith: - - '\wmiclnt.dll' - - '\WmiApRpl.dll' - - '\wmiprov.dll' - - '\wmiutils.dll' - - '\wbemcomn.dll' - - '\wbemprox.dll' - - '\WMINet_Utils.dll' - - '\wbemsvc.dll' - - '\fastprox.dll' - filter: - Image|endswith: - - '\WmiPrvSE.exe' - - '\WmiApSrv.exe' - - '\svchost.exe' - - '\DeviceCensus.exe' - - '\CompatTelRunner.exe' - - '\sdiagnhost.exe' - - '\SIHClient.exe' - - '\ngentask.exe' # c:\Windows\Microsoft.NET\Framework(64)\ngentask.exe - - '\windows\system32\taskhostw.exe' # c:\windows\system32\taskhostw.exe - - '\windows\system32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least - - '\windows\system32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 - - 'C:\Windows\Sysmon64.exe' - - 'C:\Windows\Sysmon.exe' - - 'C:\Windows\System32\wbem\unsecapp.exe' - - '\logman.exe' - - '\systeminfo.exe' - - '\nvcontainer.exe' - - 'C:\Windows\System32\wbem\WMIC.exe' - - '\explorer.exe' - - '\opera_autoupdate.exe' - - '\MsMpEng.exe' - - '\thor64.exe' - - '\thor.exe' - - '\WaAppAgent.exe' - - '\WindowsAzureGuestAgent.exe' - - '\Microsoft\Teams\Update.exe' - - '\Microsoft\Teams\current\Teams.exe' - - '\Windows\System32\ServerManager.exe' - - '\Windows\System32\vds.exe' - - '\Windows\System32\dfsrs.exe' - - '\Windows\System32\SecurityHealthService.exe' - - '\Windows\System32\dxdiag.exe' - - '\Windows\System32\dispdiag.exe' - - '\Windows\System32\gpresult.exe' - - '\Windows\System32\tasklist.exe' - filter_generic: # rule caused many 
false positives in different productive environments - using this filter to exclude all programs that run from folders that only the administrative groups should have access to - Image|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter and not filter_generic -fields: - - ComputerName - - User - - Image - - ImageLoaded -falsepositives: - - Unknown -level: informational diff --git a/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml new file mode 100644 index 000000000..a1a6777d2 --- /dev/null +++ b/rules/windows/image_load/image_load_wmi_module_load_by_uncommon_process.yml 
@@ -0,0 +1,85 @@ +title: WMI Module Loaded By Non Uncommon Process +id: 671bb7e3-a020-4824-a00e-2ee5b55f385e +status: test +description: Detects a WMI modules being loaded by an uncommon process +references: + - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html +author: Roberto Rodriguez @Cyb3rWard0g +date: 2019/08/10 +modified: 2023/08/08 +tags: + - attack.execution + - attack.t1047 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: + - '\fastprox.dll' + - '\wbemcomn.dll' + - '\wbemprox.dll' + - '\wbemsvc.dll' + - '\WmiApRpl.dll' + - '\wmiclnt.dll' + - '\WMINet_Utils.dll' + - '\wmiprov.dll' + - '\wmiutils.dll' + filter_optional_generic: + Image|contains: + - ':\Microsoft\Teams\current\Teams.exe' + - ':\Microsoft\Teams\Update.exe' + - ':\Windows\\explorer.exe' + - ':\Windows\Sysmon.exe' + - ':\Windows\Sysmon64.exe' + - ':\Windows\System32\CompatTelRunner.exe' + - ':\Windows\System32\DeviceCensus.exe' + - ':\Windows\System32\dfsrs.exe' + - ':\Windows\System32\dispdiag.exe' + - ':\Windows\System32\dxdiag.exe' + - ':\Windows\System32\gpresult.exe' + - ':\Windows\System32\logman.exe' + - ':\Windows\System32\MoUsoCoreWorker.exe' # c:\windows\System32\MoUsoCoreWorker.exe on win10 20H04 at least + - ':\Windows\System32\sdiagnhost.exe' + - ':\Windows\System32\SecurityHealthService.exe' + - ':\Windows\System32\ServerManager.exe' + - ':\Windows\System32\SIHClient.exe' + - ':\Windows\System32\svchost.exe' + - ':\Windows\System32\systeminfo.exe' + - ':\Windows\System32\taskhostw.exe' # c:\windows\system32\taskhostw.exe + - ':\Windows\System32\tasklist.exe' + - ':\Windows\System32\vds.exe' + - ':\Windows\System32\wbem\unsecapp.exe' + - ':\Windows\System32\wbem\WMIADAP.exe' # https://github.com/SigmaHQ/sigma/issues/1871 + - ':\Windows\System32\wbem\WmiApSrv.exe' + - ':\Windows\System32\wbem\WMIC.exe' + - ':\Windows\System32\wbem\WmiPrvSE.exe' + - ':\Windows\SysWOW64\explorer.exe' + - 
':\Windows\SysWOW64\logman.exe' + - ':\Windows\SysWOW64\sdiagnhost.exe' + - ':\Windows\SysWOW64\svchost.exe' + - ':\Windows\SysWOW64\systeminfo.exe' + - ':\Windows\SysWOW64\wbem\WmiPrvSE.exe' + filter_optional_other: + Image|endswith: + - '\WindowsAzureGuestAgent.exe' + - '\WaAppAgent.exe' + filter_optional_thor: + Image|endswith: + - '\thor.exe' + - '\thor64.exe' + filter_optional_defender: + Image|endswith: '\MsMpEng.exe' + filter_optional_dotnet: + Image|contains: + - ':\Windows\Microsoft.NET\Framework\' + - ':\Windows\Microsoft.NET\Framework64\' + Image|endswith: '\ngentask.exe' + filter_optional_programfiles: + Image|contains: + - ':\Program Files\' + - ':\Program Files (x86)\' + condition: selection and not 1 of filter_optional_* +falsepositives: + - Unknown +level: low diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml deleted file mode 100644 index 25b715426..000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_provlaunch.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Indirect Command Execution through provlaunch.exe -id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c -related: - - id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee - type: similar -status: experimental -description: Detect suspicious execution of provlaunch.exe for indirect execution of arbitrary commands. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - - https://twitter.com/0gtweet/status/1674399582162153472 -author: Swachchhanda Shrawan Poudel -date: 2023/08/02 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection: - - Image|endswith: '\provlaunch.exe' - - OriginalFileName: 'provlaunch' - - Description: 'Provisioning package runtime command launching tool' - condition: selection -falsepositives: - - Depends on the administrators activity -level: high \ No newline at end of file 
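Review bot: `title: WMI Module Loaded By Non Uncommon Process` is a double negative that inverts the rule's meaning; the description says "uncommon process", so `title: WMI Module Loaded By Uncommon Process` (and `description: Detects a WMI module being loaded by an uncommon process`). In `filter_optional_generic`, `- ':\Windows\\explorer.exe'` is the only entry with a doubled backslash; the Sigma spec treats `\\` as a plain backslash so it likely still matches, but next to `':\Windows\Sysmon.exe'` it reads as a typo and should be `- ':\Windows\explorer.exe'`. The `author` field also drops the co-author that patch 01 of this series added to the deleted file; if that is intentional it is worth a word in the commit message.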
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml new file mode 100644 index 000000000..c996627e4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml @@ -0,0 +1,50 @@ +title: Potential Provlaunch.EXE Binary Proxy Execution Abuse +id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c +related: + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar +status: experimental +description: Detect child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/08/08 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\provlaunch.exe' + filter_main_covered_children: + # Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd + - Image|endswith: + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + - Image|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - '\AppData\Temp\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - '\Windows\Temp\' + condition: selection and not 1 of filter_main_* +falsepositives: + - Unknown +level: medium 
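Review bot: `- '\AppData\Temp\'` in `filter_main_covered_children` is not a standard Windows path; the per-user temp directory is `\AppData\Local\Temp\`, the form the PsExec location rule earlier in this series uses, so this entry would normally match nothing and a child launched from the user temp folder lands in this medium rule instead of the sibling high rule. The same entry is repeated in `selection_child` of the next hunk (`proc_creation_win_provlaunch_susp_child_process.yml`), so both need `- '\AppData\Local\Temp\'`. Since the two lists are meant to stay identical, a comment on each naming the other rule's id would help keep them in sync.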
diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml new file mode 100644 index 000000000..b2a8d6b40 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml @@ -0,0 +1,49 @@ +title: Suspicious Provlaunch.EXE Child Process +id: f9999590-1f94-4a34-a91e-951e47bedefd +related: + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar +status: experimental +description: Detect suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/08 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: '\provlaunch.exe' + selection_child: + - Image|endswith: + - '\calc.exe' + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\notepad.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + - Image|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - '\AppData\Temp\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - '\Windows\Temp\' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml b/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml deleted file mode 100644 index 3e08d4f0c..000000000 --- a/rules/windows/process_creation/proc_creation_win_registry_add_provlaunch.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -title: Lolbas Provlaunch.exe Indirect Command Execution - CLI -id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 -related: - - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c - type: similar -status: experimental -description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - - https://twitter.com/0gtweet/status/1674399582162153472 -author: Swachchhanda Shrawan Poudel -date: 2023/08/02 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection_img: - - Image|endswith: '\reg.exe' - - OriginalFileName: 'reg.exe' - selection_cli: - CommandLine|contains|all: - - ' add ' - - 'SOFTWARE\Microsoft\Provisioning\Commands\' - condition: all of selection_* -falsepositives: - - Unlikely -level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml new file mode 100644 index 000000000..54ba343c0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml 
@@ -0,0 +1,29 @@ +title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution +id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 +related: + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry + type: similar +status: experimental +description: Detects potential abuse of the provisioning registry key abuse for indirect command execution through "Provlaunch.exe". +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel +date: 2023/08/08 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml b/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml deleted file mode 100644 index 85b017174..000000000 --- a/rules/windows/registry/registry_set/registry_set_lolbin_provlaunch.yml +++ /dev/null 
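Review bot: The new `selection` drops the `' add '` requirement the replaced reg.exe rule had, so any command line that merely mentions the key — `reg query`, `reg delete`, a PowerShell `Get-ItemProperty`/`Remove-Item` run by an administrator or by a remediation script — now raises a high-level alert, yet `falsepositives` still says `Unknown`. If the broadening is deliberate (to catch writers other than reg.exe), document it in a comment above the selection and list the read-only/cleanup cases under `falsepositives`, e.g. `- Administrative inspection or cleanup of the provisioning commands key via reg.exe or PowerShell`. Otherwise keep the key match but require a write verb such as `' add '`, `'New-Item'` or `'Set-ItemProperty'` in a second selection.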
@@ -1,30 +0,0 @@ -title: Lolbas Provlaunch.exe Indirect Command Execution - REG -id: f7d31a1c-3902-4a6e-bccd-9a5f85e4b3ee -related: - - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 - type: derived -status: experimental -description: Detects potential "provisioning" registry value abuse for indirect command execution through Provlaunch.exe. -references: - - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - - https://twitter.com/0gtweet/status/1674399582162153472 -author: Swachchhanda Shrawan Poudel -date: 2023/08/02 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: registry_set - product: windows - definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Provisioning\Commands\ subkey of the HKLM hives' -detection: - selection: - EventType: SetValue - TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\' - condition: selection -fields: - - TargetObject - - Details -falsepositives: - - Unlikely -level: high diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml new file mode 100644 index 000000000..b40f98371 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml 
@@ -0,0 +1,31 @@ +title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG +id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 +related: + - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic + type: similar + - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse + type: similar + - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry + type: similar +status: experimental +description: Detects potential abuse of the provisioning registry key abuse for indirect command execution through "Provlaunch.exe". +references: + - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ + - https://twitter.com/0gtweet/status/1674399582162153472 +author: Swachchhanda Shrawan Poudel +date: 2023/08/02 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: registry_set + product: windows + definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored' +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\' + condition: selection +falsepositives: + - Unknown +level: high From 7beea4c526ac62a8bd0655a3392545fad76c9866 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 9 Aug 2023 13:41:27 +0200 Subject: [PATCH 27/33] fix: wording --- .../proc_creation_win_provlaunch_potential_abuse.yml | 2 +- .../proc_creation_win_provlaunch_susp_child_process.yml | 2 +- ...oc_creation_win_registry_provlaunch_provisioning_command.yml | 2 +- .../registry_set/registry_set_provisioning_command_abuse.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml index c996627e4..c9732a038 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml 
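Review bot: The rule alerts at `level: high` on every `SetValue` under the provisioning commands key with `falsepositives: Unknown`; if the Windows provisioning engine itself writes here when a provisioning package is applied (worth confirming in a lab with a .ppkg), that is a routine event in Autopilot/imaging environments and a filter on the writing `Image` would be needed. The `definition` should also name the event source rather than say "must be monitored", e.g. `definition: 'Requirements: Sysmon RegistryEvent (SetValue, EID 13) must be enabled for "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkeys'`, since a default Sysmon config does not include this key.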
+++ b/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml @@ -8,7 +8,7 @@ related: - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar status: experimental -description: Detect child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 diff --git a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml index b2a8d6b40..69c18763e 100644 --- a/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml @@ -8,7 +8,7 @@ related: - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar status: experimental -description: Detect suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. +description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 diff --git a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml index 54ba343c0..9c6e44ecc 100644 --- a/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml +++ b/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml 
@@ -8,7 +8,7 @@ related: - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry type: similar status: experimental -description: Detects potential abuse of the provisioning registry key abuse for indirect command execution through "Provlaunch.exe". +description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 diff --git a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml index b40f98371..84397cc38 100644 --- a/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml +++ b/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml @@ -8,7 +8,7 @@ related: - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry type: similar status: experimental -description: Detects potential abuse of the provisioning registry key abuse for indirect command execution through "Provlaunch.exe". +description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". references: - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ - https://twitter.com/0gtweet/status/1674399582162153472 From 75085680deb8ebe4d54f863b52bcea8de6486b71 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 9 Aug 2023 17:08:59 +0200 Subject: [PATCH 28/33] feat: update gpg4win rules --- .../proc_creation_win_gpg4win_decryption.yml | 29 +++++++++++++++ .../proc_creation_win_gpg4win_encryption.yml | 29 +++++++++++++++ ...reation_win_gpg4win_portable_execution.yml | 30 ++++++++++++++++ ...roc_creation_win_gpg4win_susp_location.yml | 36 +++++++++++++++++++ .../proc_creation_win_gpg4win_susp_usage.yml | 31 ---------------- .../proc_creation_win_portable_gpg.yml | 24 ------------- .../proc_creation_win_renamed_gpg4win.yml | 23 ++++++++++++ 7 files changed, 147 insertions(+), 55 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml create mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml create mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_portable_gpg.yml create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml new file mode 100644 index 000000000..3b7637bb7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml 
@@ -0,0 +1,29 @@ +title: Files Decryption Using Gpg4win +id: 037dcd71-33a8-4392-bb01-293c94663e5a +status: experimental +description: Detects usage of the Gpg4win to decrypt files +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html + - https://www.gpg4win.de/documentation.html + - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/09 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - Description: 'GnuPG’s OpenPGP tool' + selection_cli: + CommandLine|contains|all: + - ' -d ' + - 'passphrase' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml new file mode 100644 index 000000000..df070eb64 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml 
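Review bot: `selection_cli` only matches the short `-d` switch, so the equivalent long form `gpg --batch --passphrase x --decrypt file.gpg` bypasses the rule without changing behaviour. Split the action and the passphrase into two selections so both spellings are covered while the existing `condition: all of selection_*` still ANDs them together.
```yaml
    # … unchanged: selection_metadata …
    selection_cli_action:
        CommandLine|contains:
            - ' -d '
            - '--decrypt'
    selection_cli_passphrase:
        CommandLine|contains: 'passphrase'
    condition: all of selection_*
```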
@@ -0,0 +1,29 @@ +title: Files Encryption Using Gpg4win +id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd +status: experimental +description: Detects usage of the Gpg4win to encrypt files +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html + - https://www.gpg4win.de/documentation.html + - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/09 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - Description: 'GnuPG’s OpenPGP tool' + selection_cli: + CommandLine|contains|all: + - ' -c ' + - 'passphrase' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml new file mode 100644 index 000000000..1101f32c3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml 
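Review bot: `selection_cli` only matches the short `-c` switch, so `gpg --batch --passphrase x --symmetric file` — the long form of the same symmetric-encryption mode — bypasses the rule. Split the mode and the passphrase into two selections as below; `condition: all of selection_*` keeps them ANDed. The description should also state that only passphrase-based symmetric encryption is in scope, since public-key encryption (`-e -r <id>`) needs no passphrase and is intentionally not covered.
```yaml
    # … unchanged: selection_metadata …
    selection_cli_action:
        CommandLine|contains:
            - ' -c '
            - '--symmetric'
    selection_cli_passphrase:
        CommandLine|contains: 'passphrase'
    condition: all of selection_*
```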
@@ -0,0 +1,30 @@ +title: Portable Gpg.EXE Execution +id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 +status: experimental +description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. +references: + - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a + - https://securelist.com/locked-out/68960/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2023/08/06 +tags: + - attack.impact + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - OriginalFileName: 'gpg.exe' + - Description: 'GnuPG’s OpenPGP tool' + filter_main_legit_location: + Image|contains: + - ':\Program Files (x86)\GnuPG\bin\' + - ':\Program Files (x86)\GNU\GnuPG\bin\' + - ':\Program Files (x86)\Gpg4win\bin\' + condition: selection and not 1 of filter_main_* +level: high diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml new file mode 100644 index 000000000..0f8be51d9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml 
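Review bot: The rule has no `falsepositives` section and fires at high on any `gpg.exe`/`gpg2.exe` outside three `Program Files (x86)` directories, but other common distributions ship the same binary elsewhere — Git for Windows bundles `gpg.exe` under its `\usr\bin\` directory (verify on a developer workstation), and user-scoped package managers install copies under the profile. Add `falsepositives:` naming those cases and extend `filter_main_legit_location` with the paths you confirm, e.g. `- ':\Program Files\Git\usr\bin\'`; otherwise every signed git commit on a developer machine becomes a high-severity alert.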
@@ -0,0 +1,36 @@ +title: File Encryption/Decryption Via Gpg4win From Suspicious Locations +id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d +status: experimental +description: Detects usage of the Gpg4win to encrypt/decrypt files located in potential suspicious locations. +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html + - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ +author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) +date: 2022/11/30 +modified: 2023/08/09 +tags: + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + - Product: 'GNU Privacy Guard (GnuPG)' + - Description: 'GnuPG’s OpenPGP tool' + selection_cli: + CommandLine|contains: '-passphrase' + selection_paths: + CommandLine|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml deleted file mode 100644 index f8d2e371a..000000000 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml +++ /dev/null 
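Review bot: `selection_paths` treats any command line containing `\AppData\Roaming\` as suspicious, but `%APPDATA%\gnupg` is GnuPG's default home directory on Windows, so scripted invocations that pass `--homedir`, `--keyring` or `--passphrase-file` pointing into the user's own gnupg directory satisfy all three selections and fire at high (worth confirming against in-house automation). Consider an exclusion for the legitimate home, `filter_main_gnupg_home: CommandLine|contains: '\AppData\Roaming\gnupg\'` with `condition: all of selection_* and not 1 of filter_main_*`, and replace `falsepositives: Unknown` with the scripted-backup/automation case.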
@@ -1,31 +0,0 @@ -title: Gpg4Win Decrypt Files From Suspicious Locations -id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d -status: experimental -description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI -references: - - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html -author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) -date: 2022/11/30 -tags: - - attack.command_and_control - - attack.t1219 -logsource: - category: process_creation - product: windows -detection: - selection_metadata: - - Image|endswith: '\gpg2.exe' - - Product: 'GNU Privacy Guard (GnuPG)' - - Company: 'g10 Code GmbH' - selection_cli: - CommandLine|contains: '-passphrase' - selection_paths: - CommandLine|contains: - - '\AppData\Roaming\' - - 'C:\Perflogs\' - - 'C:\Windows\Temp\' - - 'C:\temp' - condition: all of selection_* -falsepositives: - - Legitimate use -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_portable_gpg.yml b/rules/windows/process_creation/proc_creation_win_portable_gpg.yml deleted file mode 100644 index b0ca847ae..000000000 --- a/rules/windows/process_creation/proc_creation_win_portable_gpg.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Gpg.exe Portable Use -id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41 -status: experimental -description: Detects the use of gpg.exe as a portable tool. May indicate ransomware activity like CrypVault or Qwerty. -references: - - https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a - - https://securelist.com/locked-out/68960/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md -author: frack113 -date: 2023/08/06 -tags: - - attack.impact - - attack.t1486 -logsource: - category: process_creation - product: windows -detection: - selection: - - OriginalFileName: 'gpg.exe' - - Description: 'GnuPG’s OpenPGP tool' - filter_legit: - Image: 'C:\Program Files (x86)\GnuPG\bin\gpg.exe' - condition: selection and not filter_legit -level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml new file mode 100644 index 000000000..bf29e2ae3 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_gpg4win.yml @@ -0,0 +1,23 @@ +title: Renamed Gpg.EXE Execution +id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592 +status: experimental +description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. +references: + - https://securelist.com/locked-out/68960/ +author: Nasreddine Bencherchali (Nextron Systems), frack113 +date: 2023/08/09 +tags: + - attack.impact + - attack.t1486 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: 'gpg.exe' + filter_main_img: + Image|endswith: + - '\gpg.exe' + - '\gpg2.exe' + condition: selection and not 1 of filter_main_* +level: high From 158a1c6cc154cbbee9f67a11ac00493566a4f822 Mon Sep 17 00:00:00 2001 
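Review bot: The new renamed-gpg rule keys solely on `OriginalFileName: 'gpg.exe'`, while the sibling rules added in this commit also accept `Description: 'GnuPG’s OpenPGP tool'` as an alternative identifier; a copy whose OriginalFileName field was stripped or edited in the version resource but whose description survives is therefore missed here. Make `selection` a list, `- OriginalFileName: 'gpg.exe'` / `- Description: 'GnuPG’s OpenPGP tool'`, so the rule matches the sibling convention, and add the missing `falsepositives:` section (e.g. `- Unlikely`) that every other rule in this series carries.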
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 9 Aug 2023 19:04:37 +0200 Subject: [PATCH 29/33] fix: wording --- .../process_creation/proc_creation_win_gpg4win_decryption.yml | 4 ++-- .../process_creation/proc_creation_win_gpg4win_encryption.yml | 4 ++-- .../proc_creation_win_gpg4win_susp_location.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml index 3b7637bb7..856b5a3d7 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml @@ -1,7 +1,7 @@ -title: Files Decryption Using Gpg4win +title: File Decryption Using Gpg4win id: 037dcd71-33a8-4392-bb01-293c94663e5a status: experimental -description: Detects usage of the Gpg4win to decrypt files +description: Detects usage of Gpg4win to decrypt files references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://www.gpg4win.de/documentation.html diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml index df070eb64..3691d1022 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml @@ -1,7 +1,7 @@ -title: Files Encryption Using Gpg4win +title: File Encryption Using Gpg4win id: 550bbb84-ce5d-4e61-84ad-e590f0024dcd status: experimental -description: Detects usage of the Gpg4win to encrypt files +description: Detects usage of Gpg4win to encrypt files references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://www.gpg4win.de/documentation.html 
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml index 0f8be51d9..24f49c3c5 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml @@ -1,7 +1,7 @@ title: File Encryption/Decryption Via Gpg4win From Suspicious Locations id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d status: experimental -description: Detects usage of the Gpg4win to encrypt/decrypt files located in potential suspicious locations. +description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. references: - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html - https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ From 450b619c13b81a58d6dd6af3ffe9ff8a26628f9e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 10 Aug 2023 06:21:38 +0200 Subject: [PATCH 30/33] Change field name in detection --- .../azure_identity_protectection_anomalous_token.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml index 3875b3828..7e28e0337 100644 --- a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml +++ b/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml @@ -15,7 +15,7 @@ logsource: service: riskdetection detection: selection: - properties.message: anomalousToken + riskEventType: 'anomalousToken' condition: selection falsepositives: - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. 
From 2259a57b9b22269d8993581c90500579783fe7fc Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 10 Aug 2023 11:20:34 +0200 Subject: [PATCH 31/33] fix: duplicate ids and missing selections --- .../win_system_service_install_csexecsvc.yml | 2 +- .../win_system_service_install_sliver.yml | 4 ++-- .../windows/file/file_event/file_event_win_remcom_service.yml | 2 +- .../proc_creation_win_vsdiagnostics_execution_proxy.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml index 82f3740c8..e4333da73 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_csexecsvc.yml @@ -19,7 +19,7 @@ detection: selection_service: - ServiceName: 'csexecsvc' - ImagePath|endswith: '\csexecsvc.exe' - condition: selection + condition: all of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml index e6bccf83c..d3cbccac0 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml @@ -19,9 +19,9 @@ detection: selection_eid: Provider_Name: 'Service Control Manager' EventID: 7045 - selection_service1: + selection_service_1: ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe' - selection_service2: + selection_service_2: ServiceName: - 'Sliver' - 'Sliver implant' 
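Review bot: `ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'` in the renamed `selection_service_1` is a case-sensitive regex (Sigma's `re` modifier applies no case folding), while NTFS paths are not, so a service registered as `C:\Windows\Temp\AbCdEfGhIj.exe` — the casing the installer usually supplies — does not match and the selection silently never contributes. Prefix the pattern with an inline flag, `ImagePath|re: '(?i)^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'`, if the target backends accept it, or spell the segments as `[Ww]indows\\[Tt]emp`. The rule's `condition` line lies outside this hunk, so whether `selection_service_1` is ORed or ANDed with `selection_service_2` cannot be confirmed here.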
diff --git a/rules/windows/file/file_event/file_event_win_remcom_service.yml b/rules/windows/file/file_event/file_event_win_remcom_service.yml index db011fb6e..7aee299ac 100644 --- a/rules/windows/file/file_event/file_event_win_remcom_service.yml +++ b/rules/windows/file/file_event/file_event_win_remcom_service.yml @@ -1,5 +1,5 @@ title: RemCom Service File Creation -id: f0e2b768-5220-47dd-b891-d57b96fc0ec1 +id: 7eff1a7f-dd45-4c20-877a-f21e342a7611 status: test description: Detects default RemCom service filename which indicates RemCom service installation and execution references: diff --git a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml index aafcf1061..c3716f59a 100644 --- a/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml +++ b/rules/windows/process_creation/proc_creation_win_vsdiagnostics_execution_proxy.yml @@ -1,5 +1,5 @@ title: Potential Binary Proxy Execution Via VSDiagnostics.EXE -id: 43103702-5886-11ed-9b6a-0242ac120002 +id: ac1c92b4-ac81-405a-9978-4604d78cc47e status: experimental description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. references: From 32e0100af2c99cc5fbd1f3c05a3153f052c7fac6 Mon Sep 17 00:00:00 2001 
From: Swachchhanda Poudel Date: Fri, 11 Aug 2023 15:33:10 +0545 Subject: [PATCH 32/33] Added two new lolbas rules and slight modifications on exisiting rules --- .../proc_creation_win_lolbin_ftp.yml | 9 +++--- .../proc_creation_win_lolbin_susp_msedge.yml | 29 +++++++++++++++++++ .../proc_creation_win_lolbin_susp_teams.yml | 29 +++++++++++++++++++ .../registry_set_persistence_office_vsto.yml | 7 +++-- 4 files changed, 68 insertions(+), 6 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml index 93f7abf93..fc9086edc 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml @@ -1,12 +1,12 @@ title: LOLBIN Execution Of The FTP.EXE Binary id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e status: test -description: Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe +description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Ftp/ -author: Victor Sergeev, oscd.community +author: Victor Sergeev, oscd.community, Swachchhanda Shrawan Poudel date: 2020/10/09 -modified: 2022/11/10 +modified: 2023/08/11 tags: - attack.execution - attack.t1059 @@ -22,7 +22,8 @@ detection: - Image|endswith: '\ftp.exe' - OriginalFileName: 'ftp.exe' selection_ftp_cli: - CommandLine|contains: '-s:' + - CommandLine|contains: '-s:' + - CommandLine|contains: '/s:' condition: selection_parent or all of selection_ftp_* fields: - CommandLine 
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml new file mode 100644 index 000000000..91f8b94e7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml @@ -0,0 +1,29 @@ +title: Indirect Command Execution by Microsoft Edge Browser +id: d6947e89-2a7f-4c91-bad6-8e5c3b0f78a2 +status: experimental +description: Detects indirect command execution via Microsoft Edge browser +references: + - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ +author: Swachchhanda Shrawan Poudel +date: 2023/08/11 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\msedge.exe' + - OriginalFileName: 'msedge.exe' + selection_cmd: + - CommandLine|contains|all: + - '--gpu-launcher=' + - '&&' + - ParentCommandLine|contains|all: + - '--gpu-launcher=' + - '&&' + condition: selection_img and selection_cmd +falsepositives: + - Unlikely +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml new file mode 100644 index 000000000..c7d0cd53b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml 
@@ -0,0 +1,29 @@ +title: Indirect Command Execution by Microsoft Teams +id: 8abf3e61-91a2-4b34-bcc7-728d5fa92e49 +status: experimental +description: Detects indirect command execution via Microsoft teams +references: + - https://lolbas-project.github.io/lolbas/Binaries/Teams/ +author: Swachchhanda Shrawan Poudel +date: 2023/08/11 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\Teams.exe' + - OriginalFileName: 'Teams.exe' + selection_cmd: + - CommandLine|contains|all: + - '--gpu-launcher=' + - '&&' + - ParentCommandLine|contains|all: + - '--gpu-launcher=' + - '&&' + condition: selection_img and selection_cmd +falsepositives: + - Unlikely +level: high \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml index 76bec65c2..cca2e001d 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml @@ -5,9 +5,9 @@ description: Detects persistence via Visual Studio Tools for Office (VSTO) add-i references: - https://twitter.com/_vivami/status/1347925307643355138 - https://vanmieghem.io/stealth-outlook-persistence/ -author: Bhabesh Raj +author: Bhabesh Raj, Swachchhanda Shrawan Poudel date: 2021/01/10 -modified: 2023/06/28 +modified: 2023/08/11 tags: - attack.t1137.006 - attack.persistence @@ -34,6 +34,9 @@ detection: - '\integrator.exe' - '\OfficeClickToRun.exe' - '\winword.exe' + filter_teams: + Image|endswith: + - '\Teams.exe' filter_avg: Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe' TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\' From 0a5d38140d07c916edf688cac6c573090ee88a7d Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:55:33 +0200 Subject: [PATCH 33/33] fix: remove already covered rules and fix metadata --- .../proc_creation_win_lolbin_ftp.yml | 10 +++---- .../proc_creation_win_lolbin_susp_msedge.yml | 29 ------------------- .../proc_creation_win_lolbin_susp_teams.yml | 29 ------------------- .../registry_set_persistence_office_vsto.yml | 5 ++-- 4 files changed, 6 insertions(+), 67 deletions(-) delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml index fc9086edc..23af4f593 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml @@ -4,7 +4,7 @@ status: test description: Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe references: - https://lolbas-project.github.io/lolbas/Binaries/Ftp/ -author: Victor Sergeev, oscd.community, Swachchhanda Shrawan Poudel +author: Victor Sergeev, oscd.community date: 2020/10/09 modified: 2023/08/11 tags: @@ -22,12 +22,10 @@ detection: - Image|endswith: '\ftp.exe' - OriginalFileName: 'ftp.exe' selection_ftp_cli: - - CommandLine|contains: '-s:' - - CommandLine|contains: '/s:' + CommandLine|contains: + - '-s:' + - '/s:' condition: selection_parent or all of selection_ftp_* -fields: - - CommandLine - - ParentImage falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml deleted file mode 100644 index 91f8b94e7..000000000 
--- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_msedge.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: Indirect Command Execution by Microsoft Edge Browser -id: d6947e89-2a7f-4c91-bad6-8e5c3b0f78a2 -status: experimental -description: Detects indirect command execution via Microsoft Edge browser -references: - - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ -author: Swachchhanda Shrawan Poudel -date: 2023/08/11 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection_img: - - Image|endswith: '\msedge.exe' - - OriginalFileName: 'msedge.exe' - selection_cmd: - - CommandLine|contains|all: - - '--gpu-launcher=' - - '&&' - - ParentCommandLine|contains|all: - - '--gpu-launcher=' - - '&&' - condition: selection_img and selection_cmd -falsepositives: - - Unlikely -level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml deleted file mode 100644 index c7d0cd53b..000000000 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_teams.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Indirect Command Execution by Microsoft Teams -id: 8abf3e61-91a2-4b34-bcc7-728d5fa92e49 -status: experimental -description: Detects indirect command execution via Microsoft teams -references: - - https://lolbas-project.github.io/lolbas/Binaries/Teams/ -author: Swachchhanda Shrawan Poudel -date: 2023/08/11 -tags: - - attack.defense_evasion - - attack.t1218 -logsource: - category: process_creation - product: windows -detection: - selection_img: - - Image|endswith: '\Teams.exe' - - OriginalFileName: 'Teams.exe' - selection_cmd: - - CommandLine|contains|all: - - '--gpu-launcher=' - - '&&' - - ParentCommandLine|contains|all: - - '--gpu-launcher=' - - '&&' - condition: selection_img and selection_cmd -falsepositives: - - Unlikely -level: high \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml index cca2e001d..bb303830e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml @@ -5,7 +5,7 @@ description: Detects persistence via Visual Studio Tools for Office (VSTO) add-i references: - https://twitter.com/_vivami/status/1347925307643355138 - https://vanmieghem.io/stealth-outlook-persistence/ -author: Bhabesh Raj, Swachchhanda Shrawan Poudel +author: Bhabesh Raj date: 2021/01/10 modified: 2023/08/11 tags: @@ -35,8 +35,7 @@ detection: - '\OfficeClickToRun.exe' - '\winword.exe' filter_teams: - Image|endswith: - - '\Teams.exe' + Image|endswith: '\Teams.exe' filter_avg: Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe' TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
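Review bot: `filter_teams` exempts every process whose image name ends in `\Teams.exe`, regardless of where it runs from or which add-in key it writes, whereas the adjacent `filter_avg` pins both the full image path and the `TargetObject`; an attacker who names a dropper Teams.exe is thereby excluded from this persistence rule. Narrow the filter to the Teams install location, `Image|endswith: '\Microsoft\Teams\current\Teams.exe'`, and, if the Teams Outlook add-in key is known, add a matching `TargetObject|contains` the way `filter_avg` does. The rule's selection and `condition` lie outside this hunk.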