From dfdaecc52ca385c66d1b16971ce867e81bdce82e Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 25 Oct 2022 12:00:56 +0200 Subject: [PATCH] Order yaml field --- .../create_remote_thread_win_bumblebee.yml | 12 +- .../create_remote_thread_win_cactustorch.yml | 16 +- ...ead_win_cobaltstrike_process_injection.yml | 11 +- .../create_remote_thread_win_loadlibrary.yml | 8 +- ...ote_thread_win_password_dumper_keepass.yml | 8 +- ...emote_thread_win_password_dumper_lsass.yml | 14 +- ...e_thread_win_powershell_code_injection.yml | 8 +- ...te_thread_win_susp_powershell_rundll32.yml | 12 +- ...e_thread_win_susp_remote_thread_source.yml | 21 +- ...e_thread_win_susp_remote_thread_target.yml | 11 +- .../create_remote_thread_win_susp_targets.yml | 10 +- .../create_remote_thread_win_ttdinjec.yml | 8 +- .../create_stream_hash_ads_executable.yml | 42 +- ...ate_stream_hash_creation_internet_file.yml | 2 +- .../create_stream_hash_hacktool_download.yml | 378 +++++++++--------- ...eate_stream_hash_regedit_export_to_ads.yml | 8 +- ...eate_stream_hash_susp_domain_ext_combo.yml | 24 +- ..._stream_hash_susp_domain_ext_combo_med.yml | 24 +- .../create_stream_hash_susp_ip_domains.yml | 8 +- ...s_query_remote_access_software_domains.yml | 6 +- .../dns_query_win_anonymfiles_com.yml | 6 +- .../dns_query_win_lobas_appinstaller.yml | 14 +- .../dns_query_win_mal_cobaltstrike.yml | 6 +- .../dns_query_win_possible_dns_rebinding.yml | 70 ++-- ...ns_query_win_regsvr32_network_activity.yml | 6 +- .../dns_query/dns_query_win_susp_ldap.yml | 14 +- .../dns_query_win_susp_teamviewer.yml | 12 +- .../dns_query/dns_query_win_tor_onion.yml | 6 +- .../dns_query/dns_query_win_ufile_io.yml | 12 +- .../driver_load_mal_creddumper.yml | 6 +- ...tstrike_getsystem_service_installation.yml | 6 +- .../driver_load/driver_load_susp_temp_use.yml | 8 +- ...er_load_vuln_avast_anti_rootkit_driver.yml | 8 +- .../driver_load_vuln_dell_driver.yml | 12 +- .../driver_load/driver_load_vuln_drivers.yml | 8 +- .../driver_load_vuln_drivers_names.yml | 2 +- 
.../driver_load_vuln_gigabyte_driver.yml | 10 +- .../driver_load_vuln_hevd_driver.yml | 8 +- .../driver_load_vuln_hw_driver.yml | 14 +- .../driver_load_vuln_winring0_driver.yml | 8 +- .../driver_load/driver_load_windivert.yml | 8 +- ...reated_alternate_powershell_hosts_pipe.yml | 8 +- .../pipe_created_apt_turla_namedpipes.yml | 10 +- ...pe_created_cred_dump_tools_named_pipes.yml | 14 +- ...ipe_created_diagtrack_eop_default_pipe.yml | 6 +- .../pipe_created_efspotato_namedpipe.yml | 10 +- .../pipe_created_koh_default_pipe.yml | 12 +- .../pipe_created_mal_namedpipes.yml | 18 +- ...pipe_created_powershell_execution_pipe.yml | 8 +- .../pipe_created_psexec_default_pipe.yml | 6 +- ...psexec_default_pipe_from_susp_location.yml | 4 +- .../pipe_created_psexec_pipes_artifacts.yml | 12 +- ...created_susp_adfs_namedpipe_connection.yml | 10 +- ..._disk_access_using_illegitimate_tools.yml} | 12 +- ...napi_in_powershell_credentials_dumping.yml | 6 +- .../sysmon/sysmon_config_modification.yml | 10 +- .../sysmon_config_modification_error.yml | 8 +- .../sysmon_config_modification_status.yml | 8 +- .../windows/sysmon/sysmon_file_block_exe.yml | 6 +- .../sysmon/sysmon_process_hollowing.yml | 6 +- .../sysmon_wmi_event_subscription.yml | 30 +- .../sysmon_wmi_susp_encoded_scripts.yml | 6 +- .../wmi_event/sysmon_wmi_susp_scripting.yml | 36 +- 63 files changed, 565 insertions(+), 556 deletions(-) rename rules/windows/raw_access_thread/{sysmon_raw_disk_access_using_illegitimate_tools.yml => raw_access_thread_disk_access_using_illegitimate_tools.yml} (97%) diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml index 47999251e..63d3deebd 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml 
@@ -2,10 +2,15 @@ title: Bumblebee Remote Thread Creation id: 994cac2b-92c2-44bf-8853-14f6ca39fbda status: experimental description: Detects remote thread injection events based on action seen used by bumblebee -author: Nasreddine Bencherchali references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ +author: Nasreddine Bencherchali date: 2022/09/27 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.011 + - attack.t1059.001 logsource: product: windows category: create_remote_thread @@ -17,11 +22,6 @@ detection: - '\ImagingDevices.exe' TargetImage|endswith: '\rundll32.exe' condition: selection -tags: - - attack.defense_evasion - - attack.execution - - attack.t1218.011 - - attack.t1059.001 falsepositives: - Unknown level: high diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml index 42ab44305..5b95de930 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml @@ -1,13 +1,20 @@ title: CACTUSTORCH Remote Thread Creation id: 2e4e488a-6164-4811-9ea1-f960c7359c40 +status: experimental description: Detects remote thread creation from CACTUSTORCH as described in references. references: - https://twitter.com/SBousseaden/status/1090588499517079552 - https://github.com/mdsecactivebreach/CACTUSTORCH -status: experimental author: '@SBousseaden (detection), Thomas Patzke (rule)' date: 2019/02/01 modified: 2021/11/12 +tags: + - attack.defense_evasion + - attack.t1055.012 + - attack.execution + - attack.t1059.005 + - attack.t1059.007 + - attack.t1218.005 logsource: product: windows category: create_remote_thread 
@@ -22,13 +29,6 @@ detection: TargetImage|contains: '\SysWOW64\' StartModule: null condition: selection -tags: - - attack.defense_evasion - - attack.t1055.012 - - attack.execution - - attack.t1059.005 - - attack.t1059.007 - - attack.t1218.005 falsepositives: - Unknown level: high diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml index daf111a32..2512095bd 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml @@ -1,22 +1,22 @@ title: CobaltStrike Process Injection id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 +status: experimental description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons references: - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ -tags: - - attack.defense_evasion - - attack.t1055.001 -status: experimental author: Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community date: 2018/11/30 modified: 2021/11/20 +tags: + - attack.defense_evasion + - attack.t1055.001 logsource: product: windows category: create_remote_thread detection: selection: - StartAddress|endswith: + StartAddress|endswith: - '0B80' - '0C7C' - '0C88' @@ -24,4 +24,3 @@ detection: falsepositives: - Unknown level: high - diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml b/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml index 66f9b1bfb..8e401260c 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml 
@@ -2,11 +2,14 @@ title: CreateRemoteThread API and LoadLibrary id: 052ec6f6-1adc-41e6-907a-f1c813478bee status: test description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process -author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html +author: Roberto Rodriguez @Cyb3rWard0g date: 2019/08/11 modified: 2021/11/27 +tags: + - attack.defense_evasion + - attack.t1055.001 logsource: product: windows category: create_remote_thread @@ -18,6 +21,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1055.001 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml index d435036cd..1efcac162 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml @@ -1,13 +1,16 @@ title: KeePass Password Dumping id: 77564cc2-7382-438b-a7f6-395c2ae53b9a +status: experimental description: Detects remote thread creation in KeePass.exe indicating password dumping activity references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a - https://github.com/denandz/KeeFarce - https://github.com/GhostPack/KeeThief -status: experimental author: Timon Hackenjos date: 2022/04/22 +tags: + - attack.credential_access + - attack.t1555.005 logsource: product: windows category: create_remote_thread @@ -15,9 +18,6 @@ detection: selection: TargetImage|endswith: '\KeePass.exe' condition: selection -tags: - - attack.credential_access - - attack.t1555.005 falsepositives: - Unknown level: high 
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml index 958d88cea..6acfcd87c 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml @@ -1,12 +1,18 @@ title: Password Dumper Remote Thread in LSASS id: f239b326-2f41-4d6b-9dfa-c846a60ef505 -description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. +status: stable +description: | + Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. + The process in field Process is the malicious program. A single execution can lead to hundreds of events. references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm -status: stable author: Thomas Patzke date: 2017/02/19 modified: 2021/06/21 +tags: + - attack.credential_access + - attack.s0005 + - attack.t1003.001 logsource: product: windows category: create_remote_thread @@ -15,10 +21,6 @@ detection: TargetImage|endswith: '\lsass.exe' StartModule: '' condition: selection -tags: - - attack.credential_access - - attack.s0005 - - attack.t1003.001 falsepositives: - Antivirus products level: high diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml index 50c53ef0a..867aa2938 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml 
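Review bot: Converting `description` to a `|` literal block changes the scalar's value, not only its layout: the text now carries an embedded newline after the first sentence and a trailing newline, where the old single-line plain scalar had neither, so any consumer that renders the description verbatim will show the break. If the goal is just to keep source lines short, `description: >-` folds the lines back into one string and strips the trailing newline, preserving the previous value. The same `|` conversion is applied to create_remote_thread_win_susp_remote_thread_source.yml and create_remote_thread_win_susp_remote_thread_target.yml later in this patch; whichever style is chosen, it should be the same across all three.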
@@ -2,11 +2,14 @@ title: Accessing WinAPI in PowerShell. Code Injection id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 status: test description: Detects the creation of a remote thread from a Powershell process to another process -author: Nikita Nazarov, oscd.community references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +author: Nikita Nazarov, oscd.community date: 2020/10/06 modified: 2022/08/12 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: create_remote_thread @@ -22,6 +25,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.execution - - attack.t1059.001 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml index 075b35c59..e74f78bcc 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml @@ -2,11 +2,16 @@ title: PowerShell Rundll32 Remote Thread Creation id: 99b97608-3e21-4bfe-8217-2a127c396a0e status: experimental description: Detects PowerShell remote thread creation in Rundll32.exe -author: Florian Roth references: - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html +author: Florian Roth date: 2018/06/25 modified: 2022/07/14 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.011 + - attack.t1059.001 logsource: product: windows category: create_remote_thread @@ -17,11 +22,6 @@ detection: - '\pwsh.exe' TargetImage|endswith: '\rundll32.exe' condition: selection -tags: - - attack.defense_evasion - - attack.execution - - attack.t1218.011 - - attack.t1059.001 falsepositives: - Unknown level: high 
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml index dfed28430..be58155f7 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml 
@@ -1,22 +1,23 @@ title: Suspicious Remote Thread Source id: 66d31e5f-52d6-40a4-9615-002d3789a119 -description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes. -notes: - - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. status: experimental -date: 2019/10/27 -modified: 2022/08/26 -author: Perez Diego (@darkquassar), oscd.community +description: | + Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. + This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. + It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes. references: - Personal research, statistical analysis - https://lolbas-project.github.io -logsource: - product: windows - category: create_remote_thread +author: Perez Diego (@darkquassar), oscd.community +date: 2019/10/27 +modified: 2022/08/26 tags: - attack.privilege_escalation - attack.defense_evasion - attack.t1055 +logsource: + product: windows + category: create_remote_thread detection: selection: SourceImage|endswith: @@ -103,3 +104,5 @@ fields: falsepositives: - Unknown level: high +notes: + - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. 
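Review bot: `notes` is not among the top-level keys the Sigma rule format commonly documents (title, id, status, description, references, author, date, modified, tags, logsource, detection, fields, falsepositives, level), so relocating it after `level` in the second hunk still leaves a non-standard key that a strict schema validator may reject. If the repository's own rule tests accept `notes`, this is fine as is; otherwise the MonitoringHost.exe remark would be safer carried as a `# ` comment next to the corresponding `SourceImage` entry or folded into `description`. The `detection` body between the two hunks is outside this view, so I cannot see where that entry sits.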
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml index 859b8a1ec..d94edda2d 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml @@ -1,12 +1,15 @@ title: Suspicious Remote Thread Target id: f016c716-754a-467f-a39e-63c06f773987 -description: Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes. status: experimental -date: 2022/08/25 -modified: 2022/08/29 -author: Florian Roth +description: | + Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. + This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. + It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes. references: - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ +author: Florian Roth +date: 2022/08/25 +modified: 2022/08/29 logsource: product: windows category: create_remote_thread diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index afc3db3f9..197553068 100644 
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -3,10 +3,14 @@ id: a1a144b7-5c9b-4853-a559-2172be8d4a03 status: experimental description: Detects a remote thread creation in suspicious target images references: - - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection + - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth date: 2022/03/16 modified: 2022/09/29 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055.003 logsource: product: windows category: create_remote_thread @@ -30,7 +34,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055.003 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml index 5a863f56b..5f640ae91 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml @@ -2,11 +2,14 @@ title: Remote Thread Creation Ttdinject.exe Proxy id: c15e99a3-c474-48ab-b9a7-84549a7a9d16 status: experimental description: Detects a remote thread creation of Ttdinject.exe used as proxy -author: frack113 references: - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ +author: frack113 date: 2022/05/16 modified: 2022/06/02 +tags: + - attack.defense_evasion + - attack.t1127 logsource: product: windows category: create_remote_thread @@ -17,6 +20,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1127 diff --git a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml index b5a5a1169..5cdff8f14 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml @@ -2,28 +2,28 @@ title: Executable in ADS id: b69888d4-380c-45ce-9cf9-d9ce46e67821 status: test description: Detects the creation of an ADS data stream that contains an executable (non-empty imphash) -author: Florian Roth, @0xrawsec references: - - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 + - https://twitter.com/0xrawsec/status/1002478725605273600?s=21 +author: Florian Roth, @0xrawsec date: 2018/06/03 modified: 2022/08/24 -logsource: - product: windows - category: create_stream_hash - definition: 'Requirements: Sysmon config with Imphash logging activated' -detection: - selection: - Hashes|contains: 'IMPHASH=' - filter: - Hashes|contains: 'IMPHASH=00000000000000000000000000000000' - condition: selection and not filter -fields: - - TargetFilename - - Image -falsepositives: - - Unknown -level: medium tags: - - attack.defense_evasion - - attack.s0139 - - attack.t1564.004 + - attack.defense_evasion + - attack.s0139 + - attack.t1564.004 +logsource: + product: windows + category: create_stream_hash + definition: 'Requirements: Sysmon config with Imphash logging activated' +detection: + selection: + Hashes|contains: 'IMPHASH=' + filter: + Hashes|contains: 'IMPHASH=00000000000000000000000000000000' + condition: selection and not filter +fields: + - TargetFilename + - Image +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml index 9b8d49c54..d32af123c 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml 
@@ -2,9 +2,9 @@ title: Creation Of a Suspicious ADS File Outside a Browser Download id: 573df571-a223-43bc-846e-3f98da481eca status: experimental description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers -author: frack113 references: - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ +author: frack113 date: 2022/10/22 tags: - attack.defense_evasion diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml index 06ff73e49..87734617e 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml 
@@ -2,201 +2,201 @@ title: Hacktool Download id: 19b041f6-e583-40dc-b842-d6fa8011493f status: experimental description: Detects the creation of a file on disk that has an imphash of a well-known hack tool -author: Florian Roth references: - - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 +author: Florian Roth date: 2022/08/24 modified: 2022/09/07 tags: - - attack.defense_evasion - - attack.s0139 - - attack.t1564.004 + - attack.defense_evasion + - attack.s0139 + - attack.t1564.004 logsource: - product: windows - category: create_stream_hash -definition: 'Requirements: Sysmon config with Imphash logging activated' + product: windows + category: create_stream_hash + definition: Requirements Sysmon config with Imphash logging activated detection: - selection: - - Imphash: - - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam - - 3a19059bd7688cb88e70005f18efc439 # PetitPotam - - bf6223a49e45d99094406777eb6004ba # PetitPotam - - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz - - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz - - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz - - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz - - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz - - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz - - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz - - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz - - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz - - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz - - 9da6d5d77be11712527dcab86df449a3 # Mimikatz - - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz - - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz - - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz - - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz - - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato - - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato - - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG - - 6118619783fc175bc7ebecff0769b46e # RoguePotato - - 
959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato - - 563233bfa169acc7892451f71ad5850a # RoguePotato - - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato - - 13f08707f759af6003837a150a371ba1 # Pwdump - - 1781f06048a7e58b323f0b9259be798b # Pwdump - - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump - - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump - - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump - - 713c29b396b907ed71a72482759ed757 # Pwdump - - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump - - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump - - 8b114550386e31895dfab371e741123d # Pwdump - - 94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX - - 9d68781980370e00e0bd939ee5e6c141 # Pwdump - - b18a1401ff8f444056d29450fbc0a6ce # Pwdump - - cb567f9498452721d77a451374955f5f # Pwdump - - 730073214094cd328547bf1f72289752 # Htran - - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons - - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons - - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons - - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons - - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump - - 0588081ab0e63ba785938467e1b10cca # PPLDump - - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump - - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump - - 4da924cf622d039d58bce71cdf05d242 # NanoDump - - e7a3a5c377e2d29324093377d7db1c66 # NanoDump - - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump - - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump - - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump - - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump - - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump - - e6f9d5152da699934b30daab206471f6 # NanoDump - - 3ad59991ccf1d67339b319b15a41b35d # NanoDump - - ffdd59e0318b85a3e480874d9796d872 # NanoDump - - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump - - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump - - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump - - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz - - 0e2216679ca6e1094d63322e3412d650 # HandleKatz - - ada161bf41b8e5e9132858cb54cab5fb # 
DripLoader - - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader - - 11083e75553baae21dc89ce8f9a195e4 # DripLoader - - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader - - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump - - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi - - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi - - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi - - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi - - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi - - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi - - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi - - 5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi - - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi - - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi - - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi - - a53a02b997935fd8eedcb5f7abab9b9f # WCE - - e96a73c7bf33a464c510ede582318bf2 # WCE - - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers - - 09D278F9DE118EF09163C6140255C690 # Dumpert - - 03866661686829d806989e2fc5a72606 # Dumpert - - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - 19584675d94829987952432e018d5056 # SysmonQuiet - - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam - - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam - - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam - - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz - - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz - - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz - - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz - - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz - - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz - - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz - - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz - - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz - - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 
# Mimikatz - - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz - - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz - - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz - - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz - - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz - - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato - - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato - - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG - - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato - - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato - - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato - - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato - - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump - - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump - - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump - - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump - - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump - - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump - - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump - - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump - - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump - - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX - - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump - - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump - - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump - - IMPHASH=730073214094CD328547BF1F72289752 # Htran - - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons - - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons - - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons - - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons - - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump - - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump - - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump - - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump - - 
IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump - - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump - - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump - - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump - - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump - - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump - - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump - - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump - - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump - - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump - - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump - - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump - - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump - - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz - - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz - - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader - - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader - - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader - - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader - - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump - - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi - - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi - - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi - - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi - - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi - - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi - - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi - - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi - - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi - - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi - - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi - - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE - - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE - - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers - - IMPHASH=09D278F9DE118EF09163C6140255C690 # 
Dumpert - - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert - - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert - - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte - - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet - - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook - condition: selection + selection: + - Imphash: + - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam + - 3a19059bd7688cb88e70005f18efc439 # PetitPotam + - bf6223a49e45d99094406777eb6004ba # PetitPotam + - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz + - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz + - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz + - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz + - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz + - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz + - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz + - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz + - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz + - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz + - 9da6d5d77be11712527dcab86df449a3 # Mimikatz + - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz + - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz + - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz + - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz + - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato + - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato + - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG + - 6118619783fc175bc7ebecff0769b46e # RoguePotato + - 959a83047e80ab68b368fdb3f4c6e4ea # RoguePotato + - 563233bfa169acc7892451f71ad5850a # RoguePotato + - 87575cb7a0e0700eb37f2e3668671a08 # RoguePotato + - 13f08707f759af6003837a150a371ba1 # Pwdump + - 1781f06048a7e58b323f0b9259be798b # Pwdump + - 233f85f2d4bc9d6521a6caae11a1e7f5 # Pwdump + - 24af2584cbf4d60bbe5c6d1b31b3be6d # Pwdump + - 632969ddf6dbf4e0f53424b75e4b91f2 # Pwdump + - 713c29b396b907ed71a72482759ed757 # Pwdump + - 749a7bb1f0b4c4455949c0b2bf7f9e9f # Pwdump + - 8628b2608957a6b0c6330ac3de28ce2e # Pwdump + - 8b114550386e31895dfab371e741123d # Pwdump + - 
94cb940a1a6b65bed4d5a8f849ce9793 # PwDumpX + - 9d68781980370e00e0bd939ee5e6c141 # Pwdump + - b18a1401ff8f444056d29450fbc0a6ce # Pwdump + - cb567f9498452721d77a451374955f5f # Pwdump + - 730073214094cd328547bf1f72289752 # Htran + - 17b461a082950fc6332228572138b80c # Cobalt Strike beacons + - dc25ee78e2ef4d36faa0badf1e7461c9 # Cobalt Strike beacons + - 819b19d53ca6736448f9325a85736792 # Cobalt Strike beacons + - 829da329ce140d873b4a8bde2cbfaa7e # Cobalt Strike beacons + - c547f2e66061a8dffb6f5a3ff63c0a74 # PPLDump + - 0588081ab0e63ba785938467e1b10cca # PPLDump + - 0d9ec08bac6c07d9987dfd0f1506587c # NanoDump + - bc129092b71c89b4d4c8cdf8ea590b29 # NanoDump + - 4da924cf622d039d58bce71cdf05d242 # NanoDump + - e7a3a5c377e2d29324093377d7db1c66 # NanoDump + - 9a9dbec5c62f0380b4fa5fd31deffedf # NanoDump + - af8a3976ad71e5d5fdfb67ddb8dadfce # NanoDump + - 0c477898bbf137bbd6f2a54e3b805ff4 # NanoDump + - 0ca9f02b537bcea20d4ea5eb1a9fe338 # NanoDump + - 3ab3655e5a14d4eefc547f4781bf7f9e # NanoDump + - e6f9d5152da699934b30daab206471f6 # NanoDump + - 3ad59991ccf1d67339b319b15a41b35d # NanoDump + - ffdd59e0318b85a3e480874d9796d872 # NanoDump + - 0cf479628d7cc1ea25ec7998a92f5051 # NanoDump + - 07a2d4dcbd6cb2c6a45e6b101f0b6d51 # NanoDump + - d6d0f80386e1380d05cb78e871bc72b1 # NanoDump + - 38d9e015591bbfd4929e0d0f47fa0055 # HandleKatz + - 0e2216679ca6e1094d63322e3412d650 # HandleKatz + - ada161bf41b8e5e9132858cb54cab5fb # DripLoader + - 2a1bc4913cd5ecb0434df07cb675b798 # DripLoader + - 11083e75553baae21dc89ce8f9a195e4 # DripLoader + - a23d29c9e566f2fa8ffbb79267f5df80 # DripLoader + - 4a07f944a83e8a7c2525efa35dd30e2f # CreateMiniDump + - 767637c23bb42cd5d7397cf58b0be688 # UACMe Akagi + - 14c4e4c72ba075e9069ee67f39188ad8 # UACMe Akagi + - 3c782813d4afce07bbfc5a9772acdbdc # UACMe Akagi + - 7d010c6bb6a3726f327f7e239166d127 # UACMe Akagi + - 89159ba4dd04e4ce5559f132a9964eb3 # UACMe Akagi + - 6f33f4a5fc42b8cec7314947bd13f30f # UACMe Akagi + - 5834ed4291bdeb928270428ebbaf7604 # UACMe Akagi + - 
5a8a8a43f25485e7ee1b201edcbc7a38 # UACMe Akagi + - dc7d30b90b2d8abf664fbed2b1b59894 # UACMe Akagi + - 41923ea1f824fe63ea5beb84db7a3e74 # UACMe Akagi + - 3de09703c8e79ed2ca3f01074719906b # UACMe Akagi + - a53a02b997935fd8eedcb5f7abab9b9f # WCE + - e96a73c7bf33a464c510ede582318bf2 # WCE + - 32089b8851bbf8bc2d014e9f37288c83 # Sliver Stagers + - 09D278F9DE118EF09163C6140255C690 # Dumpert + - 03866661686829d806989e2fc5a72606 # Dumpert + - e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - 19584675d94829987952432e018d5056 # SysmonQuiet + - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam + - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam + - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam + - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz + - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz + - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz + - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz + - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz + - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz + - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz + - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz + - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz + - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz + - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz + - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz + - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz + - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz + - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz + - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato + - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato + - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG + - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato + - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # 
RoguePotato + - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato + - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato + - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump + - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump + - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump + - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump + - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump + - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump + - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump + - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump + - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump + - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX + - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump + - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump + - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump + - IMPHASH=730073214094CD328547BF1F72289752 # Htran + - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons + - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons + - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons + - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons + - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump + - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump + - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump + - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump + - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump + - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump + - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump + - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump + - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump + - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump + - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump + - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump + - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump + - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump + - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump 
+ - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump + - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump + - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz + - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz + - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader + - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader + - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader + - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader + - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump + - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi + - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi + - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi + - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi + - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi + - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi + - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi + - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi + - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi + - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi + - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi + - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE + - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE + - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers + - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert + - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert + - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert + - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte + - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet + - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook + condition: selection fields: - - TargetFilename - - Image + - TargetFilename + - Image falsepositives: - - Unknown + - Unknown level: high 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
index ead5ffc81..b53fff6b8 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml
@@ -2,12 +2,15 @@ title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
-author: Oddvar Moe, Sander Wiebing, oscd.community
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020/10/07
modified: 2021/11/27
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
logsource:
product: windows
category: create_stream_hash
@@ -20,6 +23,3 @@ fields:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.004
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
index 2d66f5530..1e94c3ad2 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml
@@ -2,14 +2,18 @@ title: Suspicious File Download from File Sharing Domain
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
-author: Florian Roth
references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+author: Florian Roth
date: 2022/08/24
+tags:
+ - attack.defense_evasion
+ - attack.s0139
+ - attack.t1564.004
logsource:
- product: windows
- category: create_stream_hash
- definition: 'Requirements: Sysmon config with Imphash logging activated'
+ product: windows
+ category: create_stream_hash
+ definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection_domain:
Contents|contains:
@@ -35,12 +39,8 @@ detection:
- '.dll:Zone'
condition: all of selection*
fields:
- - TargetFilename
- - Image
+ - TargetFilename
+ - Image
falsepositives:
- - Unknown
+ - Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.s0139
- - attack.t1564.004
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
index 4a45cd316..a32c292cc 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml
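Review bot: The re-indented `definition: 'Requirements: Sysmon config with Imphash logging activated'` line under `logsource` states a requirement this rule does not appear to have: the visible selections match `Contents|contains` and list items ending in `:Zone` (the `'.dll:Zone'` entry), i.e. the Zone.Identifier stream written by Sysmon Event ID 15, and no Imphash field is referenced anywhere in the hunk. Since the commit already rewrites this line, it is the moment to correct it, e.g. `definition: 'Requirements: Sysmon configured to log FileCreateStreamHash events (Event ID 15)'`. The detection block continues outside the hunk, so if a later selection does use a hash field the current wording may be deliberate; otherwise it points operators at the wrong Sysmon option.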
@@ -2,14 +2,18 @@ title: Unusual File Download from File Sharing Domain
id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
status: experimental
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
-author: Florian Roth
references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+ - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
+author: Florian Roth
date: 2022/08/24
+tags:
+ - attack.defense_evasion
+ - attack.s0139
+ - attack.t1564.004
logsource:
- product: windows
- category: create_stream_hash
- definition: 'Requirements: Sysmon config with Imphash logging activated'
+ product: windows
+ category: create_stream_hash
+ definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection_domain:
Contents|contains:
@@ -34,12 +38,8 @@ detection:
- '.bat:Zone'
condition: all of selection*
fields:
- - TargetFilename
- - Image
+ - TargetFilename
+ - Image
falsepositives:
- - Unknown
+ - Unknown
level: medium
-tags:
- - attack.defense_evasion
- - attack.s0139
- - attack.t1564.004
diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
index 8e5e50eae..e173ec41c 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
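Review bot: The `definition: 'Requirements: Sysmon config with Imphash logging activated'` line that this hunk re-indents looks copy-pasted from a hash-based rule: the detection visible here keys on `Contents|contains` and on `:Zone`-suffixed names such as `'.bat:Zone'`, which come from the Zone.Identifier stream logged by Sysmon Event ID 15, not from an Imphash value. Suggest `definition: 'Requirements: Sysmon configured to log FileCreateStreamHash events (Event ID 15)'`, hedged by the fact that the middle of the detection block is outside the hunk and might still reference a hash field.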
@@ -2,10 +2,13 @@ title: Unusual File Download from Direct IP Address
id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
status: experimental
description: Detects the download of suspicious file type from URLs with IP
-author: Nasreddine Bencherchali
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
+author: Nasreddine Bencherchali
date: 2022/09/07
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
logsource:
product: windows
category: create_stream_hash
@@ -33,6 +36,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.defense_evasion
- - attack.t1564.004
diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
index 3fb6d2b0c..6ed440658 100644
--- a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
+++ b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml
@@ -20,6 +20,9 @@ references:
author: frack113
date: 2022/07/11
modified: 2022/09/19
+tags:
+ - attack.command_and_control
+ - attack.t1219
logsource:
product: windows
category: dns_query
@@ -35,6 +38,3 @@ detection:
falsepositives:
- FP may be caused in legitimate usage of the softwares mentioned above
level: medium
-tags:
- - attack.command_and_control
- - attack.t1219
diff --git a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
index 8911f4930..4d5d8a6d6 100644
--- a/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
+++ b/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
@@ -1,11 +1,11 @@
title: DNS Query for Anonfiles.com Domain
id: 065cceea-77ec-4030-9052-fc0affea7110
-description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
status: experimental
-date: 2022/07/15
-author: pH-T
+description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
+author: pH-T
+date: 2022/07/15
tags:
- attack.exfiltration
- attack.t1567.002
diff --git a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
index bf34c6179..79c39f19d 100644
--- a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
+++ b/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml
@@ -1,15 +1,15 @@
title: AppInstaller Attempts From URL by DNS
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
-description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
status: experimental
-date: 2021/11/24
-author: frack113
-tags:
- - attack.command_and_control
- - attack.t1105
+description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
references:
- https://twitter.com/notwhickey/status/1333900137232523264
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
+author: frack113
+date: 2021/11/24
+tags:
+ - attack.command_and_control
+ - attack.t1105
logsource:
product: windows
category: dns_query
@@ -20,4 +20,4 @@ detection:
condition: selection
falsepositives:
- Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
index 7c80fd93b..fe3e9ccf0 100644
--- a/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
+++ b/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml
@@ -2,11 +2,11 @@ title: Suspicious Cobalt Strike DNS Beaconing
id: f356a9c4-effd-4608-bbf8-408afd5cd006
status: experimental
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
-author: Florian Roth
-date: 2021/11/09
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
+author: Florian Roth
+date: 2021/11/09
tags:
- attack.command_and_control
- attack.t1071.004
@@ -16,7 +16,7 @@ logsource:
detection:
selection1:
QueryName|startswith:
- - 'aaa.stage.'
+ - 'aaa.stage.'
- 'post.1'
selection2:
QueryName|contains: '.stage.123456.'
diff --git a/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml b/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml
index a6cfdc3b1..c8e882404 100644
--- a/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml
+++ b/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml
@@ -2,42 +2,42 @@ title: Possible DNS Rebinding
id: eb07e747-2552-44cd-af36-b659ae0958e4
status: test
description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
-author: Ilyas Ochkov, oscd.community
references:
- - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+ - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+author: Ilyas Ochkov, oscd.community
date: 2019/10/25
modified: 2021/11/27
-logsource:
- product: windows
- category: dns_query
-detection:
- dns_answer:
- QueryName: '*'
- QueryStatus: '0'
- filter_int_ip:
- QueryResults|startswith:
- - '(::ffff:)?10.'
- - '(::ffff:)?192.168.'
- - '(::ffff:)?172.16.'
- - '(::ffff:)?172.17.'
- - '(::ffff:)?172.18.'
- - '(::ffff:)?172.19.'
- - '(::ffff:)?172.20.'
- - '(::ffff:)?172.21.'
- - '(::ffff:)?172.22.'
- - '(::ffff:)?172.23.'
- - '(::ffff:)?172.24.'
- - '(::ffff:)?172.25.'
- - '(::ffff:)?172.26.'
- - '(::ffff:)?172.27.'
- - '(::ffff:)?172.28.'
- - '(::ffff:)?172.29.'
- - '(::ffff:)?172.30.'
- - '(::ffff:)?172.31.'
- - '(::ffff:)?127.'
- timeframe: 30s
- condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
-level: medium
tags:
- - attack.initial_access
- - attack.t1189
+ - attack.initial_access
+ - attack.t1189
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ dns_answer:
+ QueryName: '*'
+ QueryStatus: '0'
+ filter_int_ip:
+ QueryResults|startswith:
+ - '(::ffff:)?10.'
+ - '(::ffff:)?192.168.'
+ - '(::ffff:)?172.16.'
+ - '(::ffff:)?172.17.'
+ - '(::ffff:)?172.18.'
+ - '(::ffff:)?172.19.'
+ - '(::ffff:)?172.20.'
+ - '(::ffff:)?172.21.'
+ - '(::ffff:)?172.22.'
+ - '(::ffff:)?172.23.'
+ - '(::ffff:)?172.24.'
+ - '(::ffff:)?172.25.'
+ - '(::ffff:)?172.26.'
+ - '(::ffff:)?172.27.'
+ - '(::ffff:)?172.28.'
+ - '(::ffff:)?172.29.'
+ - '(::ffff:)?172.30.'
+ - '(::ffff:)?172.31.'
+ - '(::ffff:)?127.'
+ timeframe: 30s
+ condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
+level: medium
diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
index 5254f8c26..b57f6a221 100644
--- a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
+++ b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml
@@ -23,12 +23,12 @@ detection:
selection:
Image|endswith: '\regsvr32.exe'
condition: selection
-falsepositives:
- - Unknown
-level: high
fields:
- ComputerName
- User
- Image
- DestinationIp
- DestinationPort
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml
index 8acfb3fce..d1ce97530 100644
--- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml
@@ -1,12 +1,15 @@
title: Suspicious LDAP Domain Access
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
-description: Detect suspicious LDAP request from non-Windows application
status: experimental
-date: 2022/08/20
-modified: 2022/09/21
-author: frack113
+description: Detect suspicious LDAP request from non-Windows application
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
+author: frack113
+date: 2022/08/20
+modified: 2022/09/21
+tags:
+ - attack.discovery
+ - attack.t1482
logsource:
product: windows
category: dns_query
@@ -29,6 +32,3 @@ detection:
falsepositives:
- Programs that also lookup the observed domain
level: medium
-tags:
- - attack.discovery
- - attack.t1482
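Review bot: The moved `filter_int_ip` block combines `QueryResults|startswith` with values like `'(::ffff:)?10.'`, but `startswith` is a plain-string modifier in Sigma where `?` is a single-character wildcard, not a regex quantifier, so the parentheses are matched literally and no real answer (`10.1.2.3` or `::ffff:10.1.2.3`) will ever satisfy it. The optional IPv4-mapped prefix needs the regex modifier with an anchor, e.g. a single item `QueryResults|re: '^(::ffff:)?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'`, or two plain `startswith` lists for the bare and `::ffff:`-mapped forms. Separately, `condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3` cannot be satisfied by any single event, since an event cannot both match and not match `filter_int_ip`; the rebinding idea (one name answered with both internal and external addresses within `timeframe: 30s`) needs a cross-event correlation, and the pipe aggregation syntax is not supported by all backends. These defects predate the commit, which only relocates the block, but the relocation is the natural point to fix them.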
diff --git a/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml b/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
index ddfe7f510..c15d2f009 100644
--- a/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml
@@ -1,12 +1,12 @@
title: Suspicious TeamViewer Domain Access
id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
-description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
status: experimental
-date: 2022/01/30
-modified: 2022/02/08
-author: Florian Roth
+description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
references:
- https://www.teamviewer.com/en-us/
+author: Florian Roth
+date: 2022/01/30
+modified: 2022/02/08
tags:
- attack.command_and_control
- attack.t1219
@@ -15,7 +15,7 @@ logsource:
category: dns_query
detection:
dns_request:
- QueryName:
+ QueryName:
- 'taf.teamviewer.com'
- 'udp.ping.teamviewer.com'
filter:
@@ -24,4 +24,4 @@ detection:
falsepositives:
- Unknown binary names of TeamViewer
- Other programs that also lookup the observed domain
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/dns_query/dns_query_win_tor_onion.yml b/rules/windows/dns_query/dns_query_win_tor_onion.yml
index 07f86ecb8..00c07a185 100644
--- a/rules/windows/dns_query/dns_query_win_tor_onion.yml
+++ b/rules/windows/dns_query/dns_query_win_tor_onion.yml
@@ -6,6 +6,9 @@ references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022/02/20
+tags:
+ - attack.command_and_control
+ - attack.t1090.003
logsource:
product: windows
category: dns_query
@@ -16,6 +19,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.command_and_control
- - attack.t1090.003
diff --git a/rules/windows/dns_query/dns_query_win_ufile_io.yml b/rules/windows/dns_query/dns_query_win_ufile_io.yml
index 1e666b0c3..0d171d615 100644
--- a/rules/windows/dns_query/dns_query_win_ufile_io.yml
+++ b/rules/windows/dns_query/dns_query_win_ufile_io.yml
@@ -1,11 +1,14 @@
title: DNS Query for Ufile.io Upload Domain
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
-description: Detects DNS queries for subdomains used for upload to ufile.io
status: experimental
-date: 2022/06/23
-author: yatinwad and TheDFIRReport
+description: Detects DNS queries for subdomains used for upload to ufile.io
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
+author: yatinwad and TheDFIRReport
+date: 2022/06/23
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
logsource:
product: windows
category: dns_query
@@ -13,9 +16,6 @@ detection:
selection:
QueryName|contains: ufile.io
condition: selection
-tags:
- - attack.exfiltration
- - attack.t1567.002
falsepositives:
- Legitimate Ufile upload
level: high
diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_mal_creddumper.yml
index b9be2da02..c8aa60090 100644
--- a/rules/windows/driver_load/driver_load_mal_creddumper.yml
+++ b/rules/windows/driver_load/driver_load_mal_creddumper.yml
@@ -3,13 +3,13 @@ id: df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
-description: Detects well-known credential dumping tools execution via service execution events
status: experimental
+description: Detects well-known credential dumping tools execution via service execution events
+references:
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017/03/05
modified: 2021/11/10
-references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
tags:
- attack.credential_access
- attack.execution
diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index a927e7883..b3afed27b 100644
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@@ -44,11 +44,11 @@ detection:
- '.dll,a'
- '/p:'
condition: selection
-falsepositives:
- - Highly unlikely
-level: critical
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ImagePath
+falsepositives:
+ - Highly unlikely
+level: critical
diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml
index 0c5f94caf..50c864855 100755
--- a/rules/windows/driver_load/driver_load_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml
@@ -5,6 +5,10 @@ description: Detects a driver load from a temporary directory
author: Florian Roth
date: 2017/02/12
modified: 2021/11/27
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1543.003
logsource:
category: driver_load
product: windows
@@ -15,7 +19,3 @@ detection:
falsepositives:
- There is a relevant set of false positives depending on applications in the environment
level: high
-tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1543.003
diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
index f1e5c9bbd..3d34cd8c1 100644
--- a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml
@@ -2,11 +2,14 @@ title: Vulnerable AVAST Anti Rootkit Driver Load
id: 7c676970-af4f-43c8-80af-ec9b49952852
status: experimental
description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
-author: Nasreddine Bencherchali
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
+author: Nasreddine Bencherchali
date: 2022/07/28
modified: 2022/08/24
+tags:
+ - attack.privilege_escalation
+ - attack.t1543.003
logsource:
product: windows
category: driver_load
@@ -29,6 +32,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.privilege_escalation
- - attack.t1543.003
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
index 6b43cccbb..ace8676d0 100644
--- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -1,19 +1,19 @@
title: Vulnerable Dell BIOS Update Driver Load
id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
-description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
status: experimental
+description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
+references:
+ - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
author: Florian Roth
date: 2021/05/05
modified: 2022/07/27
-references:
- - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
-logsource:
- category: driver_load
- product: windows
tags:
- attack.privilege_escalation
- cve.2021.21551
- attack.t1543
+logsource:
+ category: driver_load
+ product: windows
detection:
selection_image:
ImageLoaded|contains: '\DBUtil_2_3.Sys'
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index 9eb3e6b5f..018868c3b 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -2,7 +2,6 @@ title: Vulnerable Driver Load
id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
status: experimental
description: Detects the load of known vulnerable drivers by hash value
-author: Nasreddine Bencherchali
references:
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
@@ -20,8 +19,12 @@ references:
- https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/
- https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444
- https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
+author: Nasreddine Bencherchali
date: 2022/08/18
modified: 2022/10/19
+tags:
+ - attack.privilege_escalation
+ - attack.t1543.003
logsource:
product: windows
category: driver_load
@@ -1062,6 +1065,3 @@ detection:
falsepositives:
- Unknown
level: high
-tags:
- - attack.privilege_escalation
- - attack.t1543.003
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 48f4c6d16..36e520478 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -5,7 +5,6 @@ related:
type: derived
status: experimental
description: Detects the load of known vulnerable drivers via their names only.
-author: Nasreddine Bencherchali
references:
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
@@ -19,6 +18,7 @@ references:
- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
- https://eclypsium.com/2019/11/12/mother-of-all-drivers/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
+author: Nasreddine Bencherchali
date: 2022/10/03
modified: 2022/10/17
tags:
diff --git a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml
index 03b85cf1e..42d3e4bff 100644
--- a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml
@@ -2,21 +2,24 @@ title: Vulnerable GIGABYTE Driver Load id: 7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647 status: experimental description: Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation -author: Florian Roth references: - https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b - https://twitter.com/malmoeb/status/1551449425842786306 - https://github.com/fengjixuchui/gdrv-loader - https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details - https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details +author: Florian Roth date: 2022/07/25 modified: 2022/07/26 +tags: + - attack.privilege_escalation + - attack.t1543.003 logsource: product: windows category: driver_load detection: selection_sysmon: - Hashes|contains: + Hashes|contains: - 'MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3' - 'MD5=C832A4313FF082258240B61B88EFA025' - 'SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39' @@ -37,6 +40,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.privilege_escalation - - attack.t1543.003 diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml index 910c51f8a..ba0d94fc1 100644 --- a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml 
@@ -2,10 +2,13 @@ title: Vulnerable HackSys Extreme Vulnerable Driver Load id: 295c9289-acee-4503-a571-8eacaef36b28 status: experimental description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors -author: Nasreddine Bencherchali references: - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver +author: Nasreddine Bencherchali date: 2022/08/18 +tags: + - attack.privilege_escalation + - attack.t1543.003 logsource: product: windows category: driver_load @@ -24,6 +27,3 @@ detection: falsepositives: - Unlikely level: high -tags: - - attack.privilege_escalation - - attack.t1543.003 diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_vuln_hw_driver.yml index b213f2b9d..13997bf2a 100644 --- a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_hw_driver.yml @@ -2,11 +2,14 @@ title: Vulnerable HW Driver Load id: 9bacc538-d1b9-4d42-862e-469eafc05a41 status: experimental description: Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation -author: Florian Roth references: - https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/ - https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details +author: Florian Roth date: 2022/07/26 +tags: + - attack.privilege_escalation + - attack.t1543.003 logsource: product: windows category: driver_load 
@@ -14,7 +17,7 @@ detection: selection_name: ImageLoaded|endswith: '\HW.sys' selection_sysmon: - Hashes|contains: + Hashes|contains: - 'SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8' - 'SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA' - 'SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5' @@ -25,11 +28,11 @@ detection: - 'MD5=376B1E8957227A3639EC1482900D9B97' - 'MD5=45C2D133D41D2732F3653ED615A745C8' selection_other: - - SHA256: + - SHA256: - '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8' - '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa' - '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5' - - SHA1: + - SHA1: - '74e4e3006b644392f5fcea4a9bae1d9d84714b57' - '18f34a0005e82a9a1556ba40b997b0eae554d5fd' - '4e56e0b1d12664c05615c69697a2f5c5d893058a' @@ -41,6 +44,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.privilege_escalation - - attack.t1543.003 diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml index ed5c900f7..020a5b49c 100644 --- a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml @@ -2,12 +2,15 @@ title: Vulnerable WinRing0 Driver Load id: 1a42dfa6-6cb2-4df9-9b48-295be477e835 status: experimental description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation -author: Florian Roth references: - https://github.com/xmrig/xmrig/tree/master/bin/WinRing0 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ +author: Florian Roth date: 2022/07/26 modified: 2022/10/03 +tags: + - attack.privilege_escalation + - attack.t1543.003 logsource: product: windows category: driver_load 
@@ -27,6 +30,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.privilege_escalation - - attack.t1543.003 diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_windivert.yml index c806b7e6c..1601358c5 100644 --- a/rules/windows/driver_load/driver_load_windivert.yml +++ b/rules/windows/driver_load/driver_load_windivert.yml @@ -2,12 +2,12 @@ title: WinDivert Driver Load id: 679085d5-f427-4484-9f58-1dc30a7c426d status: experimental description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows -author: Florian Roth -date: 2021/07/30 -modified: 2022/07/27 references: - https://reqrypt.org/windivert-doc.html - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ +author: Florian Roth +date: 2021/07/30 +modified: 2022/07/27 tags: - attack.collection - attack.defense_evasion @@ -18,7 +18,7 @@ logsource: product: windows detection: selection: - ImageLoaded|contains: + ImageLoaded|contains: - '\WinDivert.sys' - '\WinDivert64.sys' # Other used names diff --git a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml index 2cf89d293..6f6169c1c 100644 --- a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml 
@@ -2,11 +2,14 @@ title: Alternate PowerShell Hosts Pipe id: 58cb02d5-78ce-4692-b3e1-dce850aae41a status: test description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe -author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html +author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton date: 2019/09/12 modified: 2022/10/10 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: pipe_created @@ -48,6 +51,3 @@ fields: falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter. level: medium -tags: - - attack.execution - - attack.t1059.001 diff --git a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml b/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml index ddd613e74..a5e2b7c44 100755 --- a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml @@ -2,12 +2,16 @@ title: Turla Group Named Pipes id: 739915e4-1e70-4778-8b8a-17db02f66db1 status: test description: Detects a named pipe used by Turla group samples -author: Markus Neis references: - Internal Research - https://attack.mitre.org/groups/G0010/ +author: Markus Neis date: 2017/11/06 modified: 2021/11/27 +tags: + - attack.g0010 + - attack.execution + - attack.t1106 logsource: product: windows category: pipe_created @@ -25,7 +29,3 @@ detection: falsepositives: - Unknown level: critical -tags: - - attack.g0010 - - attack.execution - - attack.t1106 diff --git a/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml index 1bda24430..374c1b428 100644 --- a/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml 
@@ -2,11 +2,17 @@ title: Cred Dump-Tools Named Pipes id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e status: test description: Detects well-known credential dumping tools execution via specific named pipes -author: Teymur Kheirkhabarov, oscd.community references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +author: Teymur Kheirkhabarov, oscd.community date: 2019/11/01 modified: 2021/11/27 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 logsource: product: windows category: pipe_created @@ -21,9 +27,3 @@ detection: falsepositives: - Legitimate Administrator using tool for password recovery level: critical -tags: - - attack.credential_access - - attack.t1003.001 - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.005 diff --git a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml b/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml index 1fd4d0658..31b2a0ff1 100644 --- a/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml @@ -2,10 +2,12 @@ title: DiagTrackEoP Default Named Pipe id: 1f7025a6-e747-4130-aac4-961eb47015f1 status: experimental description: Detects creation of default named pipe used by the DiagTrackEoP POC -author: Nasreddine Bencherchali references: - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 +author: Nasreddine Bencherchali date: 2022/08/03 +tags: + - attack.privilege_escalation logsource: product: windows category: pipe_created @@ -17,5 +19,3 @@ detection: falsepositives: - Unlikely level: critical -tags: - - attack.privilege_escalation diff --git a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml b/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml index 9a8626cb5..7c3987afc 100644 
--- a/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml +++ b/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml @@ -5,9 +5,13 @@ description: Detects the pattern of a pipe name as used by the tool EfsPotato references: - https://twitter.com/SBousseaden/status/1429530155291193354?s=20 - https://github.com/zcgonvh/EfsPotato +author: Florian Roth date: 2021/08/23 modified: 2022/06/20 -author: Florian Roth +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 logsource: product: windows category: pipe_created @@ -20,10 +24,6 @@ detection: filter: PipeName|contains: '\CtxShare' condition: selection and not filter -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 falsepositives: - Unknown level: high diff --git a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml index 9718d4287..7a853237e 100644 --- a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml @@ -2,10 +2,15 @@ title: Koh Default Named Pipes id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a status: experimental description: Detects creation of default named pipes used by the Koh tool -author: Nasreddine Bencherchali references: - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12 +author: Nasreddine Bencherchali date: 2022/07/08 +tags: + - attack.privilege_escalation + - attack.credential_access + - attack.t1528 + - attack.t1134.001 logsource: product: windows category: pipe_created @@ -19,8 +24,3 @@ detection: falsepositives: - Unlikely level: critical -tags: - - attack.privilege_escalation - - attack.credential_access - - attack.t1528 - - attack.t1134.001 diff --git a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml index a6b57712a..caec93643 100644 
--- a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml +++ b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml 
@@ -15,16 +15,20 @@ references: - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/ - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ +author: Florian Roth, blueteam0ps, elhoim date: 2017/11/06 modified: 2022/03/15 -author: Florian Roth, blueteam0ps, elhoim +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 logsource: - product: windows - category: pipe_created - definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575' detection: selection: - PipeName: + PipeName: - '\isapi_http' # Uroburos Malware - '\isapi_dg' # Uroburos Malware - '\isapi_dg2' # Uroburos Malware 
@@ -54,10 +58,6 @@ detection: - '\testPipe' # Emissary Panda Hyperbro - '\dce_3d' #Qbot condition: selection -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055 falsepositives: - Unknown level: critical diff --git a/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml index 97525768e..d60444ecc 100644 --- a/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml @@ -2,11 +2,14 @@ title: PowerShell Execution Via Named Pipe id: ac7102b4-9e1e-4802-9b4f-17c5524c015c status: test description: Detects execution of PowerShell via creation of named pipe starting with PSHost -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/09/12 modified: 2022/08/04 +tags: + - attack.execution + - attack.t1059.001 logsource: product: windows category: pipe_created @@ -18,6 +21,3 @@ detection: falsepositives: - Unknown level: informational -tags: - - attack.execution - - attack.t1059.001 diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml index b5bc6fdfb..cec8dc439 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml @@ -23,9 +23,6 @@ detection: selection: PipeName: '\PSEXESVC' condition: selection -falsepositives: - - Unknown -level: low fields: - EventID - CommandLine @@ -34,3 +31,6 @@ fields: - ServiceFileName - TargetFilename - PipeName +falsepositives: + - Unknown +level: low 
diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml b/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml index 1c33fa1a5..ad29185eb 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml +++ b/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml @@ -5,11 +5,11 @@ related: type: derived status: experimental description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack -author: Nasreddine Bencherchali -date: 2022/08/04 references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet +author: Nasreddine Bencherchali +date: 2022/08/04 tags: - attack.execution - attack.t1569.002 diff --git a/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml index 066d4f876..a0429bc59 100644 --- a/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml +++ b/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml @@ -2,11 +2,16 @@ title: PsExec Pipes Artifacts id: 9e77ed63-2ecf-4c7b-b09d-640834882028 status: test description: Detecting use PsExec via Pipe Creation/Access to pipes -author: Nikita Nazarov, oscd.community references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Nikita Nazarov, oscd.community date: 2020/05/10 modified: 2021/11/27 +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.execution + - attack.t1569.002 logsource: product: windows category: pipe_created @@ -22,8 +27,3 @@ detection: falsepositives: - Legitimate Administrator activity level: medium -tags: - - attack.lateral_movement - - attack.t1021.002 - - attack.execution - - attack.t1569.002 
diff --git a/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml index 7b63942ab..bb295ea69 100644 --- a/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml +++ b/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml @@ -1,14 +1,16 @@ title: ADFS Database Named Pipe Connection id: 1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3 -description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. status: experimental -date: 2021/10/08 -modified: 2022/02/16 -author: Roberto Rodriguez @Cyb3rWard0g +description: | + Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). + Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. references: - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml - https://o365blog.com/post/adfs/ - https://github.com/Azure/SimuLand +author: Roberto Rodriguez @Cyb3rWard0g +date: 2021/10/08 +modified: 2022/02/16 tags: - attack.collection - attack.t1005 diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml similarity index 97% rename from rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml rename to rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml index 6011077e3..72d7c605f 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml 
+++ b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml @@ -1,12 +1,12 @@ title: Raw Disk Access Using Illegitimate Tools id: db809f10-56ce-4420-8c86-d6a7d793c79c -description: Raw disk access using illegitimate tools, possible defence evasion -author: Teymur Kheirkhabarov, oscd.community status: test -date: 2019/10/22 -modified: 2022/03/15 +description: Raw disk access using illegitimate tools, possible defence evasion references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment +author: Teymur Kheirkhabarov, oscd.community +date: 2019/10/22 +modified: 2022/03/15 tags: - attack.defense_evasion - attack.t1006 @@ -63,5 +63,5 @@ fields: - Device falsepositives: - Legitimate Administrator using tool for raw access or ongoing forensic investigation -level: low # far too many false positives - +# far too many false positives +level: low diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 894338ad9..4e9cb06cb 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -1,12 +1,12 @@ title: Accessing WinAPI in PowerShell for Credentials Dumping id: 3f07b9d1-2082-4c56-9277-613a621983cc -description: Detects Accessing to lsass.exe by Powershell status: experimental +description: Detects Accessing to lsass.exe by Powershell +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 modified: 2022/07/14 -references: - - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: - attack.credential_access - attack.t1003.001 
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index 245de30dc..91f919ff9 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -1,11 +1,13 @@ title: Sysmon Configuration Change id: 8ac03a65-6c84-4116-acad-dc1558ff7a77 -description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration status: experimental -author: frack113 -date: 2022/01/12 +description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon +author: frack113 +date: 2022/01/12 +tags: + - attack.defense_evasion logsource: product: windows service: sysmon @@ -20,5 +22,3 @@ detection: falsepositives: - Legitimate administrative action level: medium -tags: - - attack.defense_evasion diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml index 36358a27e..418cc7334 100644 --- a/rules/windows/sysmon/sysmon_config_modification_error.yml +++ b/rules/windows/sysmon/sysmon_config_modification_error.yml 
@@ -1,13 +1,13 @@ title: Sysmon Configuration Error id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8 -description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages status: experimental -author: frack113 -date: 2021/06/04 -modified: 2022/07/07 +description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html +author: frack113 +date: 2021/06/04 +modified: 2022/07/07 tags: - attack.defense_evasion - attack.t1564 diff --git a/rules/windows/sysmon/sysmon_config_modification_status.yml b/rules/windows/sysmon/sysmon_config_modification_status.yml index 76d5f973d..aabad87fb 100644 --- a/rules/windows/sysmon/sysmon_config_modification_status.yml +++ b/rules/windows/sysmon/sysmon_config_modification_status.yml @@ -1,13 +1,13 @@ title: Sysmon Configuration Modification id: 1f2b5353-573f-4880-8e33-7d04dcf97744 -description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it status: test -author: frack113 -date: 2021/06/04 -modified: 2022/08/02 +description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html +author: frack113 +date: 2021/06/04 +modified: 2022/08/02 tags: - attack.defense_evasion - attack.t1564 diff --git a/rules/windows/sysmon/sysmon_file_block_exe.yml b/rules/windows/sysmon/sysmon_file_block_exe.yml index 80a2aaa4f..327ba2557 100644 --- a/rules/windows/sysmon/sysmon_file_block_exe.yml +++ b/rules/windows/sysmon/sysmon_file_block_exe.yml 
@@ -1,12 +1,12 @@ title: Sysmon Blocked Executable id: 23b71bc5-953e-4971-be4c-c896cda73fc2 -description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set status: experimental +description: Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set +references: + - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e author: Nasreddine Bencherchali date: 2022/08/16 modified: 2022/09/12 -references: - - https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e tags: - attack.defense_evasion logsource: diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml index cd2eb1610..47201e255 100644 --- a/rules/windows/sysmon/sysmon_process_hollowing.yml +++ b/rules/windows/sysmon/sysmon_process_hollowing.yml @@ -2,12 +2,12 @@ title: Sysmon Process Hollowing Detection id: c4b890e5-8d8c-4496-8c66-c805753817cd status: experimental description: Detects when a memory process image does not match the disk image, indicative of process hollowing. -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S -date: 2022/01/25 -modified: 2022/02/01 references: - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20 - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S +date: 2022/01/25 +modified: 2022/02/01 tags: - attack.defense_evasion - attack.privilege_escalation diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index 118eb0d4c..797e4361a 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml 
@@ -5,19 +5,19 @@ description: Detects creation of WMI event subscription persistence method author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 modified: 2021/11/27 -logsource: - product: windows - category: wmi_event -detection: - selection: - EventID: - - 19 - - 20 - - 21 - condition: selection -falsepositives: - - Exclude legitimate (vetted) use of WMI event subscription in your network -level: medium tags: - - attack.persistence - - attack.t1546.003 + - attack.persistence + - attack.t1546.003 +logsource: + product: windows + category: wmi_event +detection: + selection: + EventID: + - 19 + - 20 + - 21 + condition: selection +falsepositives: + - Exclude legitimate (vetted) use of WMI event subscription in your network +level: medium diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml index 5cc7e9a4b..513a3d3cd 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml @@ -22,9 +22,9 @@ detection: - 'This program cannot be run in DOS mode' - 'This program must be run under Win32' condition: selection_destination -falsepositives: - - Unknown -level: high fields: - User - Operation +falsepositives: + - Unknown +level: high diff --git a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index 74e864baf..9c1f7b3d7 100644 --- a/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml 
@@ -2,36 +2,39 @@ title: Suspicious Scripting in a WMI Consumer id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 status: experimental description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers -author: Florian Roth, Jonhnathan Ribeiro references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19 - https://github.com/RiccardoAncarani/LiquidSnake +author: Florian Roth, Jonhnathan Ribeiro date: 2019/04/15 modified: 2022/07/07 +tags: + - attack.execution + - attack.t1059.005 logsource: product: windows category: wmi_event detection: selection_destination: - Destination|contains|all: - - 'new-object' - - 'net.webclient' - - '.downloadstring' + - 'new-object' + - 'net.webclient' + - '.downloadstring' - Destination|contains|all: - - 'new-object' - - 'net.webclient' - - '.downloadfile' + - 'new-object' + - 'net.webclient' + - '.downloadfile' - Destination|contains: - - ' iex(' - - 'WScript.shell' - - ' -nop ' - - ' -noprofile ' - - ' -decode ' - - ' -enc ' + - ' iex(' + - 'WScript.shell' + - ' -nop ' + - ' -noprofile ' + - ' -decode ' + - ' -enc ' - Destination|contains: - - 'WScript.Shell' - - 'System.Security.Cryptography.FromBase64Transform' + - 'WScript.Shell' + - 'System.Security.Cryptography.FromBase64Transform' condition: selection_destination fields: - User @@ -39,6 +42,3 @@ fields: falsepositives: - Legitimate administrative scripts level: high -tags: - - attack.execution - - attack.t1059.005
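Review bot: In the third and fourth `Destination|contains` selections, the reindented patterns `'WScript.shell'` and `'WScript.Shell'` are the same match under Sigma's default case-insensitive string comparison, so the fourth selection only contributes `'System.Security.Cryptography.FromBase64Transform'`. Dropping `'WScript.Shell'` from the fourth list, or moving the Base64 string into the third list and removing the fourth selection, makes the intent explicit without changing what the rule matches. The rule's `fields`, `falsepositives` and `level` keys continue past the end of this hunk.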