From e06cf6c43faf7f57a5820bd57582d569829ca061 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 16 Aug 2017 15:16:41 +0200 Subject: [PATCH 01/10] Service install - net user persistence --- rules/windows/builtin/win_mal_service_installs.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index fba8777ea..bade1df84 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -19,12 +19,14 @@ detection: ServiceFileName: '*\DumpSvc.exe' wannacry: ServiceName: 'mssecsvc2.0' + persistence: + ServiceFileName: '* net user *' others: ServiceName: - 'pwdump*' - 'gsecdump*' - 'cachedump*' - condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or others ) + condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others ) falsepositives: - Penetration testing level: critical From 8f4a780c3bb48bc63aa4332531f9c10050ff730a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 20 Aug 2017 23:14:41 +0200 Subject: [PATCH 02/10] Added regsvr32.exe to suspicious child processes --- rules/windows/sysmon/sysmon_office_shell.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index 7c6cffa86..70b9c0d29 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml @@ -23,6 +23,7 @@ detection: - '*\sh.exe' - '*\bash.exe' - '*\scrcons.exe' + - '*\regsvr32.exe' - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100 condition: selection falsepositives: From 332f7d27da3d665ff33578775b2bec7bbb65a589 Mon Sep 17 00:00:00 2001 
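Review bot: The new `persistence` selection matches `ServiceFileName: '* net user *'`, but nothing in the rule records why a service binary path that embeds a `net user` command is treated as persistence, and the `falsepositives` list on the following lines still names only `Penetration testing`. A comment above the selection such as `# service binary path embeds a 'net user' command (local account creation/modification via service install)` would make the intent explicit, and an entry like `- Administrative scripts that create local accounts via service wrappers` would better describe the likely benign hits. Note that the pattern requires a space after `user`, so it is aimed at `net user <account> ...` forms rather than a bare `net user` listing; stating that in the comment avoids a later "fix" that widens the match unintentionally.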
From: Florian Roth Date: Tue, 22 Aug 2017 10:02:54 +0200 Subject: [PATCH 03/10] Win WMI Persistence http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/ https://twitter.com/mattifestation/status/899646620148539397 --- rules/windows/other/win_wmi_persistence.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/windows/other/win_wmi_persistence.yml diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml new file mode 100644 index 000000000..a86f812b7 --- /dev/null +++ b/rules/windows/other/win_wmi_persistence.yml @@ -0,0 +1,19 @@ +title: WMI Persistence +status: experimental +description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10) +author: Florian Roth +reference: https://twitter.com/mattifestation/status/899646620148539397 +logsource: + product: windows + service: wmi +detection: + selection: + EventID: 5861 + keywords: + - 'CommandLineEventConsumer' + - 'CommandLineTemplate' + - 'Binding EventFilter' + condition: selection and 1 of keywords +falsepositives: + - Unknown (data set is too small; further testing needed) +level: high From 59821d1bcbdc855a597fbb3289b0315d528a395e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 22 Aug 2017 10:04:22 +0200 Subject: [PATCH 04/10] Office Shell: Reference added to new entry --- rules/windows/sysmon/sysmon_office_shell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml index 70b9c0d29..9881f03ce 100644 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ b/rules/windows/sysmon/sysmon_office_shell.yml 
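Review bot: With `condition: selection and 1 of keywords`, any EventID 5861 whose text contains `Binding EventFilter` satisfies the rule on its own; if that phrase appears in every consumer-binding event, as the event's purpose suggests, the `CommandLineEventConsumer` and `CommandLineTemplate` keywords are redundant and the rule fires on every permanent consumer registration, benign ones included. If the goal is command-line consumers specifically, drop `Binding EventFilter` from the list (or move it into a separate selection that is ANDed with the consumer-class keyword), e.g. keep only `- 'CommandLineEventConsumer'` and `- 'CommandLineTemplate'`. The `falsepositives` entry already admits the data set is small, so `level: high` should be revisited once the binding-only matches have been counted.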
@@ -23,7 +23,7 @@ detection: - '*\sh.exe' - '*\bash.exe' - '*\scrcons.exe' - - '*\regsvr32.exe' + - '*\regsvr32.exe' # see https://twitter.com/subTee/status/899283365647458305 - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100 condition: selection falsepositives: From edf2787402146a7a7adc5888e80278f295b55ce9 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 22 Aug 2017 10:04:56 +0200 Subject: [PATCH 05/10] Removed some spaces and added Win 10 WMI eventlog --- tools/config/splunk-windows-all.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/config/splunk-windows-all.yml b/tools/config/splunk-windows-all.yml index f832bc143..754459689 100644 --- a/tools/config/splunk-windows-all.yml +++ b/tools/config/splunk-windows-all.yml @@ -28,12 +28,17 @@ logsources: product: windows service: powershell-classic conditions: - source: 'Windows PowerShell' + source: 'Windows PowerShell' windows-powershell: product: windows service: taskscheduler conditions: source: 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + windows-wmi: + product: windows + service: wmi + conditions: + source: 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' windows-dns-server: product: windows service: dns-server From 09e754a8f9b52b7150b2c96e344b155675e45f11 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans-Martin=20M=C3=BCnch?= Date: Tue, 22 Aug 2017 10:56:25 +0200 Subject: [PATCH 06/10] Small Typo fix --- rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml index 02372bcb8..ca5283258 100644 --- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml +++ b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml 
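Review bot: The new `windows-wmi` entry maps `service: wmi` to `WinEventLog:Microsoft-Windows-WMI-Activity/Operational` without noting which Windows versions emit that log; the rule that consumes it (win_wmi_persistence.yml, PATCH 07 in this series) says Windows 10 and 2012 and higher, so a comment such as `# WMI-Activity/Operational: present on Windows 10 / 2012 and higher` above the entry would save the next reader a lookup. Unrelated to the added lines but visible in the same context, the entry immediately above is keyed `windows-powershell` while its `service`/`source` describe the Task Scheduler log; that looks like a pre-existing mislabel worth fixing in a follow-up so the two neighbouring keys read consistently.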
@@ -1,4 +1,4 @@ -title: Command Line Executaion with suspicious URL and AppData Strings +title: Command Line Execution with suspicious URL and AppData Strings status: experimental description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) reference: From f46e86fbb11f8394640aea73cd3ac2d7d9288aa3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 24 Aug 2017 18:26:58 +0200 Subject: [PATCH 07/10] WMI persistence modified --- rules/windows/other/win_wmi_persistence.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index a86f812b7..1dc3ef984 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -1,6 +1,6 @@ title: WMI Persistence status: experimental -description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10) +description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 (Windows 10, 2012 and higher) author: Florian Roth reference: https://twitter.com/mattifestation/status/899646620148539397 logsource: @@ -17,3 +17,4 @@ detection: falsepositives: - Unknown (data set is too small; further testing needed) level: high + From 55f4c37e224cd3539f4a4e89575192732d55f049 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 24 Aug 2017 18:27:22 +0200 Subject: [PATCH 08/10] Rule: Microsoft Binary Github Communication --- .../sysmon/sysmon_win_binary_github_com.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_win_binary_github_com.yml diff --git a/rules/windows/sysmon/sysmon_win_binary_github_com.yml b/rules/windows/sysmon/sysmon_win_binary_github_com.yml new file mode 100644 index 000000000..42e2a5c94 --- /dev/null 
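Review bot: The second hunk appends an empty `+` line after `level: high`, so the rule file now ends with a trailing blank line instead of a single final newline; the new rules/windows/sysmon/sysmon_win_binary_github_com.yml in PATCH 08 ends the same way. Dropping that added line in both files keeps them consistent with the other rule files in this series, which end directly after `level:`.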
+++ b/rules/windows/sysmon/sysmon_win_binary_github_com.yml @@ -0,0 +1,19 @@ +title: Microsoft Binary Github Communication +status: experimental +description: Detects an executable in the Windows folder accessing github.com +reference: https://twitter.com/M_haggis/status/900741347035889665 +author: Michael Haag (idea), Florian Roth (rule) +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationHostname: '*.github.com' + Image: 'C:\Windows\*' + condition: selection +falsepositives: + - 'Unknown' + - '@subTee in your network' +level: high + From f3f2c14b3ab656eea5193c15658bd557273be15e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Aug 2017 08:45:29 +0200 Subject: [PATCH 09/10] Added reference to regsvr32 rule --- rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml index 5d91e068b..846725995 100644 --- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml +++ b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml @@ -2,6 +2,7 @@ title: Regsvr32 Anomaly status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth +reference: https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html logsource: product: windows service: sysmon From bfe83784559f1a3c4d737e28be629e2ec9d14e8b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 31 Aug 2017 11:07:45 +0200 Subject: [PATCH 10/10] Rule: Suspicious svchost.exe process --- rules/windows/sysmon/sysmon_susp_svchost.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_susp_svchost.yml diff --git a/rules/windows/sysmon/sysmon_susp_svchost.yml b/rules/windows/sysmon/sysmon_susp_svchost.yml new file mode 100644 index 000000000..811fc71b8 --- /dev/null 
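Review bot: `DestinationHostname: '*.github.com'` requires a subdomain before `.github.com`, so an event whose resolved hostname is the bare `github.com` does not match; if both forms are intended, make the value a list with `- 'github.com'` and `- '*.github.com'`. Sysmon derives DestinationHostname from a reverse lookup of the destination address, so whether GitHub connections show a `*.github.com` name at all should be confirmed against real EventID 3 data before the rule is relied on at `level: high`. Content fetched from GitHub is also commonly served from `raw.githubusercontent.com`, which this pattern does not cover; a short `# reverse-DNS name, see falsepositives` comment on the field would document the assumption.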
+++ b/rules/windows/sysmon/sysmon_susp_svchost.yml @@ -0,0 +1,18 @@ +title: Suspicious Svchost Process +status: experimental +description: Detects a suspicious scvhost process start +author: Florian Roth +date: 2017/08/15 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 + Image: '*\svchost.exe' + filter: + ParentImage: '*\services.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high
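Review bot: The description line misspells the process name (`scvhost`); it should read `description: Detects a suspicious svchost process start`. The `filter` excludes only `ParentImage: '*\services.exe'`, and since `falsepositives` is `Unknown` the rule has presumably not been baselined against other parents that legitimately start svchost.exe on a given Windows build; a note on the filter such as `# services.exe is the expected parent; other legitimate parents not yet baselined` would flag that for the next maintainer, and `level: high` may be too strong until that baseline exists.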