diff --git a/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml b/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml
new file mode 100644
index 000000000..bfaa398ff
--- /dev/null
+++ b/rules/network/zeek/zeek-dce_rpc_domain_user_enumeration.yml
@@ -0,0 +1,35 @@
+title: Domain User Enumeration Network Recon 01
+description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
+id: 66a0bdc6-ee04-441a-9125-99d2eb547942
+references:
+  - "https://github.com/OTRF/detection-hackathon-apt29"
+  - "https://github.com/OTRF/detection-hackathon-apt29/issues/37"
+author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
+date: 2020/05/03
+modified: 2020/05/03
+tags:
+  - attack.discovery
+  - attack.t1087
+  - attack.t1082
+logsource:
+  product: zeek
+  service: dce_rpc
+detection:
+  selection:
+    operation:
+      #- LsarEnumerateTrustedDomains #potentially too many FPs, removing. caused by netlogon
+      #- SamrEnumerateDomainsInSamServer #potentially too many FPs, removing. #method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
+      - LsarLookupNames3 #method translates a batch of security principal names to their SID form
+      - LsarLookupSids3 #translates a batch of security principal SIDs to their name forms
+      - SamrGetGroupsForUser #obtains a listing of groups that a user is a member of
+      - SamrLookupIdsInDomain #method translates a set of RIDs into account names
+      - SamrLookupNamesInDomain #method translates a set of account names into a set of RIDs
+      - SamrQuerySecurityObject #method queries the access control on a server, domain, user, group, or alias object
+      - SamrQueryInformationGroup #obtains attributes from a group object
+  timeframe: 30s
+  condition: selection | count(operation) by src_ip > 4
+falsepositives:
+  - Devices that may do authentication like a VPN or a firewall that looksup IPs to username
+  - False positives depend on scripts and administrative tools used in the monitored environment
+level: medium
+status: experimental
\ No newline at end of file
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
index a4494f036..4e79ed023 100644
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml
@@ -1,7 +1,7 @@
 title: MITRE BZAR Indicators for ATT&CK Execution
 id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
 description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
-author: '@neu5ron, @SOC_Prime'
+author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:
   - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
diff --git a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
index cfeffe917..3cce80d46 100644
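Review bot: The aggregation `count(operation) by src_ip > 4` groups on `src_ip`, which is not a field of Zeek's dce_rpc log (Zeek carries the client address as `id.orig_h`), while the `operation` values in the same selection are native Zeek names; unless the zeek backend config maps `src_ip`, the grouping will not resolve, so either group by `id.orig_h` or state the expected mapping in `description`. The tag `attack.t1082` (System Information Discovery) sits oddly next to the Samr group-membership calls; `attack.t1069` looks like the closer fit, so consider swapping it or justifying it in `description`. A short comment above `condition:` stating whether the count is over events or over distinct operations per source within the 30s window would help readers judge the `> 4` threshold against the seven listed operations. The first falsepositives entry has a typo (`looksup` → `looks up`), and both new files in this commit (this one and zeek_http_executable_download_from_webdav.yml) end without a trailing newline.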
--- a/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
+++ b/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml
@@ -1,7 +1,7 @@
 title: MITRE BZAR Indicators for ATT&CK Persistence
 id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
 description: 'Windows DCE-RPC functions which indicate an ATT&CK-like Persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
-author: '@neu5ron, @SOC_Prime'
+author: '@neu5ron, SOC Prime'
 date: 2020/03/19
 references:
   - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
new file mode 100644
index 000000000..47cfdcbf2
--- /dev/null
+++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml
@@ -0,0 +1,26 @@
+title: Executable from Webdav
+description: "Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/"
+id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
+author: 'SOC Prime, Adam Swan'
+references:
+  - http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
+  - https://github.com/OTRF/detection-hackathon-apt29
+tags:
+  - attack.command_and_control
+  - attack.t1043
+logsource:
+  product: zeek
+  service: http
+date: 2020/05/01
+detection:
+  selection_webdav:
+    - c-useragent: '*WebDAV*'
+    - c-uri: '*webdav*'
+  selection_executable:
+    - resp_mime_types: '*dosexec*'
+    - c-uri: '*.exe'
+  condition: selection_webdav AND selection_executable
+falsepositives:
+  - unknown
+level: medium
+status: experimental
\ No newline at end of file
diff --git a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
index 69ef0801b..17a3704f5 100644
--- a/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
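Review bot: `selection_webdav` in the new zeek_http_executable_download_from_webdav.yml keys on `c-useragent` and `c-uri`, which are Sigma's generic proxy field names rather than Zeek http.log fields (`user_agent`, `uri`), whereas `resp_mime_types` in `selection_executable` is the native Zeek name; unless the zeek backend config maps the `c-*` names, the WebDAV half of the rule will never match, so use `user_agent`/`uri` consistently or record the expected mapping in `description`. The condition is spelled `selection_webdav AND selection_executable`; the Sigma grammar documents its operators in lowercase, so `condition: selection_webdav and selection_executable` is the safer form if the parser turns out to be case-sensitive. `webdav6` in the description reads like a typo for `webdav` and is worth confirming with the author.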
+++ b/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml
@@ -16,8 +16,8 @@ logsource:
   service: smb_files
 detection:
   selection:
-    name: \\*\IPC$
-    path: atsvc
+    path: \\*\IPC$
+    name: atsvc
     #Accesses: '*WriteData*'
   condition: selection
 falsepositives:
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
index 35552f341..16e2f3188 100644
--- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml
@@ -13,8 +13,8 @@ logsource:
   service: smb_files
 detection:
   selection:
-    name: '\\*ADMIN$'
-    path: '*SYSTEM32\\*.tmp'
+    path: '\\*ADMIN$'
+    name: '*SYSTEM32\\*.tmp'
   condition: selection
 falsepositives:
   - 'unknown'
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index 1b0b92b5c..eecef7a99 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -14,10 +14,10 @@ logsource:
   service: smb_files
 detection:
   selection1:
-    name: \\*\IPC$
+    path: \\*\IPC$
   selection2:
-    name: \\*\IPC$
-    path:
+    path: \\*\IPC$
+    name:
       - 'atsvc'
       - 'samr'
       - 'lsarpc'
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
index 2086a287c..044d6f966 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
@@ -13,8 +13,8 @@ logsource:
   service: smb_files
 detection:
   selection1:
-    name: \\*\IPC$
-    path:
+    path: \\*\IPC$
+    name:
       - '*-stdin'
       - '*-stdout'
       - '*-stderr'
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index 95045f9d6..fa7f41f0a 100644
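Review bot: The swap of `name` and `path` in zeek_smb_converted_win_atsvc_task.yml (and the same swap in the secretdump, lm_namedpipe and psexec hunks on this page) carries no explanation of what each Zeek field holds, which leaves the next editor to guess again; a one-line comment above `selection:` in each rule, such as `# zeek smb_files.log: path = share (UNC) path, name = file/pipe name within the share` (confirm against the Zeek smb_files.log field docs), would make the intended semantics visible. Quoting of the share pattern is also inconsistent across the hunks (`\\*\IPC$` bare here and in lm_namedpipe/psexec, `'\\*ADMIN$'` single-quoted in secretdump); a plain scalar starting with backslashes parses fine, but single-quoting all of them keeps backslash handling uniform for readers and linters. The `condition` lines of the lm_namedpipe and psexec rules fall outside their hunks.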
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -11,7 +11,7 @@ logsource:
   service: smb_files
 detection:
   selection:
-    path:
+    name:
       - '*.pst'
       - '*.ost'
       - '*.msg'
diff --git a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
index 7724e097f..060189f40 100644
--- a/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml
@@ -13,7 +13,7 @@ logsource:
   service: smb_files
 detection:
   selection:
-    path:
+    name:
       - '\mimidrv'
       - '\lsass'
       - '\windows\minidump\'
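Review bot: The renamed `name:` list in zeek_smb_converted_win_transferring_files_with_credential_data.yml keeps values with no wildcards (`'\mimidrv'`, `'\lsass'`, `'\windows\minidump\'`), so Sigma treats them as full-value matches of the `name` field; a file such as `\windows\minidump\x.dmp` would not match, unlike the `'*.pst'`-style patterns in the raccess hunk just above, which do carry wildcards. If substring matching is the intent, either add wildcards (`- '*\mimidrv*'`, `- '*\lsass*'`, `- '*\windows\minidump\*'`) or switch the key to `name|contains:` and keep the values as they are. The rule's `condition` line is outside the hunk.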