security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #4577 from @nasbench - Multiple Fixes & Updates
Create Release / Create Release (push) Has been cancelled
Details

Browse Source 
fix: Access To Windows Credential History File By Uncommon Application - Enhance FP filters
fix: Access To Windows DPAPI Master Keys By Uncommon Application - Enhance FP filters
fix: Amsi.DLL Load By Uncommon Process - Moved to threat hunting folder and update false positive filters to remove hardcoded C:
fix: Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Typo in condition
fix: Credential Manager Access By Uncommon Application - Enhance FP filters
fix: Elevated System Shell Spawned From Uncommon Parent Location - Enhance FP filters
fix: Execution of Suspicious File Type Extension - Add new extensions to reduce FP
fix: Important Windows Eventlog Cleared - Update selection to remove "Application" log as it was generating a lot of FP in some environments
fix: Malicious PowerShell Commandlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: Potential Direct Syscall of NtOpenProcess - Add "Adobe" filter
fix: Potential Shim Database Persistence via Sdbinst.EXE - Update FP filter for "iisexpressshim" sdb
fix: Potentially Suspicious AccessMask Requested From LSASS - Add new FP filter for "procmon" process
fix: PowerView PowerShell Cmdlets - ScriptBlock - Remove some part of the selection due to FP matches as they were generic cmdlet names
fix: PSScriptPolicyTest Creation By Uncommon Process - Add new filter for "sdiagnhost"
fix: Relevant Anti-Virus Signature Keywords In Application Log - Update false positive filters
fix: Remote Access Tool Services Have Been Installed - Security - Fix typo in field name
fix: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Remove RECYCLE.BIN\ as it was added as a typo and is a legitimate location.
fix: Uncommon Child Process Of Conhost.EXE - Add new FP filters
fix: Uncommon File Created In Office Startup Folder - Add new extension to filter out FP generated with MS Access databases
fix: Uncommon PowerShell Hosts - Moved to threat hunting folder and updated false positive filter list
fix: Use Of Remove-Item to Delete File - ScriptBlock - Moved to threat hunting folder and Update logic to be more accurate
fix: User with Privileges Logon - Move to placeholder rules and update the FP filter to account for different workstations
fix: Windows Event Auditing Disabled - Enhance list of false positive filters with additional GUID
fix: WMI Module Loaded By Uncommon Process - Moved to threat hunting folder and update and restructure false positive filters
new: Communication To Uncommon Destination Ports
new: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
remove: Credential Dumping Tools Service Execution
remove: New Service Uses Double Ampersand in Path
remove: Powershell File and Directory Discovery
remove: PowerShell Scripts Run by a Services
remove: Security Event Log Cleared
remove: Suspicious Get-WmiObject
remove: Windows Defender Threat Detection Disabled
update: Access To Browser Credential Files By Uncommon Application - Increase level to medium and enhance filters and selections
update: Add Potential Suspicious New Download Source To Winget - Reduce level to medium
update: ADFS Database Named Pipe Connection By Uncommon Tool - Enhance coverage by improving paths selection
update: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Reduce level to low
update: Copy From Or To Admin Share Or Sysvol Folder - Enhance selection to be more accurate
update: Eventlog Cleared - Update FP filter to remove "Application" log and increase coverage
update: Failed Code Integrity Checks - Reduce level to informational
update: HH.EXE Execution - Reduce level to low
update: Locked Workstation - Reduce level to informational
update: Malicious Driver Load By Name - Increase coverage based on LOLDrivers data
update: Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Reduce level to high and restructure selections
update: Meterpreter or Cobalt Strike Getsystem Service Installation - System - Reduce level to high and restructure selections
update: Potential Credential Dumping Activity Via LSASS - Reduce level to medium and comment out noisy access masks
update: Potential PowerShell Execution Policy Tampering - Remove "RemoteSigned" as it doesn't fit with the current logic
update: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Reduce level to medium and update logic
update: Potentially Suspicious Malware Callback Communication - Increase coverage by adding new additional ports
update: PUA - Nmap/Zenmap Execution - Reduce level to medium
update: PUA - Process Hacker Execution - Reduce level to medium
update: PUA - Radmin Viewer Utility Execution - Reduce level to medium
update: Rundll32 Execution With Uncommon DLL Extension - Enhance DLL extension list
update: SASS Access From Non System Account - Reduce level to medium and enhance false positive filters
update: Suspicious Executable File Creation - Enhance coverage by removing hardocded "C:"
update: Suspicious Program Location with Network Connections - Increase accuracy by enhancing the selection to focus on the start of the folder and partition
update: Suspicious Schtasks From Env Var Folder - Reduce level to medium
update: Suspicious Shim Database Patching Activity - Add new processes to increase coverage
update: Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Reduce level to medium
update: Whoami Utility Execution - Reduce level to low
update: Whoami.EXE Execution With Output Option - Reduce level to medium
update: Windows Defender Malware Detection History Deletion - Reduce level to informational
update: WMI Event Consumer Created Named Pipe - Reduce leve to medium

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Thanks: @Blackmore-Robert
Thanks: @swachchhanda000
Thanks: @celalettin-turgut
Thanks: @AaronS97
This commit is contained in:
Nasreddine Bencherchali
2023-12-21 21:04:18 +01:00
committed by GitHub
parent 2cb6ccd04d
commit e052677142
126 changed files with 6679 additions and 5037 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml
-31
View File
@@ -1,31 +0,0 @@
title: Powershell File and Directory Discovery
id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
status: test
description: |
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: frack113
date: 2021/12/15
modified: 2022/12/25
tags:
- attack.discovery
- attack.t1083
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- ls
- get-childitem
- gci
recurse:
ScriptBlockText|contains: '-recurse'
condition: selection and recurse
falsepositives:
- Unknown
level: low
rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+23 -20
View File
@@ -32,7 +32,7 @@ references:
- https://github.com/adrecon/AzureADRecon
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/04/17
modified: 2023/11/22
tags:
- attack.execution
- attack.discovery
@@ -57,17 +57,13 @@ detection:
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
@@ -76,8 +72,11 @@ detection:
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
- 'Get-ApplicationHost'
- 'Get-ADIDNSNodeAttribute'
- 'Get-ADIDNSNodeOwner'
- 'Get-ADIDNSNodeTombstoned'
- 'Get-ADIDNSPermission'
- 'Get-ADIDNSZone'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
@@ -86,8 +85,6 @@ detection:
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
@@ -98,7 +95,6 @@ detection:
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
@@ -114,9 +110,6 @@ detection:
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
@@ -218,30 +211,40 @@ detection:
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MacAttribute'
- 'Set-MachineAccountAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-WebcamRecorder'
- 'VolumeShadowCopyTools'
# - 'Check-VM'
# - 'Disable-MachineAccount'
# - 'Enable-MachineAccount'
# - 'Get-ApplicationHost'
# - 'Get-MachineAccountAttribute'
# - 'Get-MachineAccountCreator'
# - 'Get-Screenshot'
# - 'HTTP-Login'
# - 'Install-ServiceBinary'
# - 'Install-SSP'
# - 'New-DNSRecordArray'
# - 'New-MachineAccount'
# - 'Port-Scan'
# - 'Remove-MachineAccount'
# - 'Set-MacAttribute'
# - 'Set-MachineAccountAttribute'
# - 'Set-Wallpaper'
filter_optional_amazon_ec2:
ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml
+64 -59
View File
@@ -1,10 +1,10 @@
title: Malicious PowerView PowerShell Commandlets
title: PowerView PowerShell Cmdlets - ScriptBlock
id: dcd74b95-3f36-4ed9-9598-0490951643aa
related:
- id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
type: similar
status: test
description: Detects Commandlet names from PowerView of PowerSploit exploitation framework.
description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
@@ -12,7 +12,7 @@ references:
- https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021/05/18
modified: 2023/04/20
modified: 2023/11/22
tags:
- attack.execution
- attack.t1059.001
@@ -23,14 +23,6 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- 'Add-DomainGroupMember'
- 'Add-DomainObjectAcl'
- 'Add-ObjectAcl'
- 'Add-RemoteConnection'
- 'Convert-ADName'
- 'ConvertFrom-UACValue'
- 'Convert-NameToSid'
- 'ConvertTo-SID'
- 'Export-PowerViewCSV'
- 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
@@ -46,61 +38,28 @@ detection:
- 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
# - 'Get-ADObject' # prone to FPs
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
- 'Get-DNSRecord'
- 'Get-DNSZone'
# - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
- 'Get-DomainComputer'
- 'Get-DomainController'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
- 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainGPO' # Covers also: Get-DomainGPOComputerLocalGroupMapping, Get-DomainGPOLocalGroup, Get-DomainGPOUserLocalGroupMapping
- 'Get-DomainGroup'
- 'Get-DomainGroupMember'
- 'Get-DomainManagedSecurityGroup'
- 'Get-DomainObject'
- 'Get-DomainObjectAcl'
- 'Get-DomainOU'
- 'Get-DomainPolicy'
- 'Get-DomainSID'
- 'Get-DomainSite'
- 'Get-DomainSPNTicket'
- 'Get-DomainSubnet'
- 'Get-DomainUser'
- 'Get-DomainUserEvent'
- 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
- 'Get-IPAddress'
- 'Get-DomainGPOComputerLocalGroupMapping'
- 'Get-DomainGPOLocalGroup'
- 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetComputer' # Covers: Get-NetComputerSiteName
- 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
- 'Get-NetFileServer'
- 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
- 'Get-NetGPO' # Covers: Get-NetGPOGroup
- 'Get-NetGroup' # Covers: Get-NetGroupMember
- 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
- 'Get-NetLoggedon'
- 'Get-NetOU'
- 'Get-NetGPOGroup'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-NetSession'
- 'Get-NetShare'
- 'Get-NetSite'
- 'Get-NetSubnet'
- 'Get-NetUser'
- 'Get-ObjectAcl'
- 'Get-PathAcl'
- 'Get-Proxy'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
- 'Get-SiteName'
- 'Get-UserEvent'
- 'Get-WMIProcess'
- 'Get-WMIReg' # Covers: Get-WMIRegCachedRDPConnection, Get-WMIRegLastLoggedOn, Get-WMIRegMountedDrive, WMIRegProxy
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-EnumerateLocalAdmin'
@@ -113,16 +72,62 @@ detection:
- 'Invoke-ShareFinder'
- 'Invoke-UserHunter'
- 'Invoke-UserImpersonation'
- 'New-DomainGroup'
- 'New-DomainUser'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
- 'Resolve-IPAddress'
- 'Set-ADObject'
- 'Set-DomainObject'
- 'Set-DomainUserPassword'
- 'Test-AdminAccess'
# - 'Get-ADObject' # prone to FPs
# - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
# - 'Add-RemoteConnection'
# - 'Convert-ADName'
# - 'Convert-NameToSid'
# - 'ConvertFrom-UACValue'
# - 'ConvertTo-SID'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-DomainComputer'
# - 'Get-DomainController'
# - 'Get-DomainGroup'
# - 'Get-DomainGroupMember'
# - 'Get-DomainManagedSecurityGroup'
# - 'Get-DomainObject'
# - 'Get-DomainObjectAcl'
# - 'Get-DomainOU'
# - 'Get-DomainPolicy'
# - 'Get-DomainSID'
# - 'Get-DomainSite'
# - 'Get-DomainSPNTicket'
# - 'Get-DomainSubnet'
# - 'Get-DomainUser'
# - 'Get-DomainUserEvent'
# - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
# - 'Get-IPAddress'
# - 'Get-NetComputer' # Covers: Get-NetComputerSiteName
# - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
# - 'Get-NetGroup' # Covers: Get-NetGroupMember
# - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
# - 'Get-NetLoggedon'
# - 'Get-NetOU'
# - 'Get-NetSession'
# - 'Get-NetShare'
# - 'Get-NetSite'
# - 'Get-NetSubnet'
# - 'Get-NetUser'
# - 'Get-ObjectAcl'
# - 'Get-PathAcl'
# - 'Get-Proxy'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
# - 'New-DomainGroup'
# - 'New-DomainUser'
# - 'Set-ADObject'
# - 'Set-DomainObject'
# - 'Set-DomainUserPassword'
# - 'Test-AdminAccess'
condition: selection
falsepositives:
- Should not be any as administrators do not use this tool
- Unknown
level: high
rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml
-30
View File
@@ -1,30 +0,0 @@
title: Use Remove-Item to Delete File
id: b8af5f36-1361-4ebe-9e76-e36128d947bf
status: test
description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022/01/15
modified: 2022/03/17
tags:
- attack.defense_evasion
- attack.t1070.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Remove-Item
- '-Path '
filter_reg:
ScriptBlockText|contains:
- 'HKCU:\'
- 'HKLM:\'
condition: selection and not filter_reg
falsepositives:
- Legitimate PowerShell scripts
level: low
rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+6 -9
View File
@@ -8,14 +8,14 @@ related:
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
type: similar
status: test
description: Detects use of Set-ExecutionPolicy to set insecure policies
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1
- https://adsecurity.org/?p=2604
author: frack113
date: 2021/10/20
modified: 2022/12/30
modified: 2023/12/14
tags:
- attack.execution
- attack.t1059.001
@@ -24,20 +24,17 @@ logsource:
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
cmdlet:
selection_cmdlet:
ScriptBlockText|contains: 'Set-ExecutionPolicy'
option:
selection_option:
ScriptBlockText|contains:
- 'Unrestricted'
- 'bypass'
- 'RemoteSigned'
filter:
# - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' Powershell event id 4104 do not have ParentImage
filter_optional_chocolatey:
ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
- '\AppData\Roaming\Code\'
condition: cmdlet and option and not filter
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Administrator script
level: medium
rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml
-31
View File
@@ -1,31 +0,0 @@
title: Suspicious Get-WmiObject
id: 0332a266-b584-47b4-933d-a00b103e1b37
status: test
description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
references:
- https://attack.mitre.org/datasources/DS0005/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022/01/12
modified: 2022/11/02
tags:
- attack.persistence
- attack.t1546
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Get-WmiObject'
- 'gwmi'
filter_cl_utility:
Path|endswith: '\CL_Utility.ps1'
ScriptBlockText|contains|all:
- 'function Get-FreeSpace'
- 'SELECT * FROM Win32_LogicalDisk WHERE MediaType=12'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate PowerShell scripts
level: low