From 18d974c7510c4bb677074e6f2b7e8c977d309960 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 29 Nov 2022 23:29:38 +0100
Subject: [PATCH 001/115] feat: new test for references case
---
 tests/test_rules.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index ca972a980..d4e6f1e60 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -672,6 +672,25 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)")
+ def test_references_in_description(self):
+ # This test checks for the presence of a links and special keywords in the "description" field while there is no "references" field.
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ references = self.get_rule_part(
+ file_path=file, part_name="references")
+ # Reference field doesn't exist
+ if not references:
+ descriptionfield = self.get_rule_part(
+ file_path=file, part_name="description")
+ if descriptionfield:
+ for i in ["http://", "https://", "Internal Research"]: # Extends the list with other common references starters
+ if i in descriptionfield:
+ print(Fore.RED + "Rule {} has malformed description field that contain references to external links.".format(file))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules with malformed 'description' fields. (links and external references have to be in a seperate field named 'references'. see specification https://github.com/SigmaHQ/sigma-specification)")
+
+ def test_references_plural(self):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
From 92965e6f7eca419179e1c7cff168ebeb28d82599 Mon Sep 17 00:00:00 2001
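Review bot: The keyword loop in the added test_references_in_description appends a file once per matching marker, so a description that holds both an `http://` and an `https://` link, or a link plus "Internal Research", is printed and appended twice and the failure list carries duplicates; add a `break` after `faulty_rules.append(file)` (or collect into a set). Patches 003 and 004 below touch the same loop and the point applies there as well. The assertion message also misspells "separate" as "seperate", and `descriptionfield` / `i` would read more clearly as `description` / `marker`.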
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 29 Nov 2022 23:43:03 +0100
Subject: [PATCH 002/115] fix: fix broken description
---
 rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index 06376a5b0..35990eb17 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -1,7 +1,10 @@
 title: Bitsadmin to Uncommon TLD
 id: 9eb68894-7476-4cd6-8752-23b51f5883a7
 status: experimental
-description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
+description: Detects Bitsadmin connections to domains with uncommon TLDs
+references:
+ - https://twitter.com/jhencinski/status/1102695118455349248
+ - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth, Tim Shelton
 date: 2019/03/07
 modified: 2022/08/16
From c2e85f4080482096c7b2a82a5bef9e6babd2a8ef Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 30 Nov 2022 10:06:10 +0100
Subject: [PATCH 003/115] feat: update the test to test for lowercase
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 tests/test_rules.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index d4e6f1e60..8c2890d27 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
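Review bot: The `modified` field is left at `2022/08/16` even though the rule's content changes in this commit; the other rule edits on this page bump it to the commit date, so this hunk should also carry `modified: 2022/11/29`. Moving the two URLs out of `description` into a `references` list is exactly what the new test from patch 001 checks for, so the change itself is consistent with that test.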
@@ -683,8 +683,8 @@ class TestRules(unittest.TestCase):
 descriptionfield = self.get_rule_part(
 file_path=file, part_name="description")
 if descriptionfield:
- for i in ["http://", "https://", "Internal Research"]: # Extends the list with other common references starters
- if i in descriptionfield:
+ for i in ["http://", "https://", "internal research"]: # Extends the list with other common references starters
+ if i in descriptionfield.lower():
 print(Fore.RED + "Rule {} has malformed description field that contain references to external links.".format(file))
 faulty_rules.append(file)
From 25c41ea73c949d443789524f951d9a02ab7b7c44 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 30 Nov 2022 10:21:24 +0100
Subject: [PATCH 004/115] fix: update error message
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 tests/test_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 8c2890d27..407a30624 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -685,7 +685,7 @@ class TestRules(unittest.TestCase):
 if descriptionfield:
 for i in ["http://", "https://", "internal research"]: # Extends the list with other common references starters
 if i in descriptionfield.lower():
- print(Fore.RED + "Rule {} has malformed description field that contain references to external links.".format(file))
+ print(Fore.RED + "Rule {} has a field that contains references to external links but no references set. Add a 'references' key and add URLs as list items.".format(file))
 faulty_rules.append(file)
 self.assertEqual(faulty_rules, [], Fore.RED +
From ce803476de454d558531b1e2c5f51cc60dd5e228 Mon Sep 17 00:00:00 2001
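Review bot: `descriptionfield.lower()` in the changed `if` line is recomputed for every marker in the list; lower-case the field once before the loop, `description = descriptionfield.lower()`, and test `if i in description:`. Patch 004's hunk on the same lines only rewords the printed message and raises nothing further. The enclosing test method starts and ends outside both hunks.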
From: Florian Roth
Date: Thu, 1 Dec 2022 14:02:15 +0100
Subject: [PATCH 005/115] refactor: rule with ??? causing issues in some backends
---
 .../registry/registry_set/registry_set_uac_bypass_sdclt.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index 23c3d9908..cac6abb8f 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Omer Yampel, Christian Burkard
 date: 2017/03/17
-modified: 2022/06/26
+modified: 2022/12/01
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -23,7 +23,7 @@ detection:
 selection2:
 EventType: SetValue
 TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
- Details|contains: '-1???\Software\Classes\'
+ Details|re: '-1[0-9]{3}\\Software\\Classes\\'
 condition: 1 of selection*
 falsepositives:
 - Unknown
From 7b1d23621c6adc16d615693f473c7babbc114388 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Fri, 2 Dec 2022 20:17:39 +0900
Subject: [PATCH 006/115] refactor: remove unnesessary escape.
---
 .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +-
 .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 2 +-
 .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +-
 .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +-
 .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml
index 53ca1e6a4..934b65cf7 100644
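Review bot: Replacing `Details|contains` with `Details|re` changes case handling: Sigma string modifiers such as `contains` match case-insensitively, whereas a `re` pattern is case-sensitive unless it opts in, so a value logged as `software\classes\` would no longer match. Prefix the pattern with the inline flag other rules on this page already use, `Details|re: '(?i)-1[0-9]{3}\\Software\\Classes\\'`. Narrowing `???` to `[0-9]{3}` also tightens the match from any three characters to three digits, which looks intended but is a behaviour change the commit message does not state.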
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index c2fcb76a1..d66aac660 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 834abcae1..84cd69bd0 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index fdc6069f9..8370a7eb7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index ac368db0c..2a0cef3d2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown From 2f44ed315b5ea0d37abfbe3915253763f4da02d1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Dec 2022 13:07:41 +0100 Subject: [PATCH 007/115] refactor: extend ngrok rule --- .../proc_creation_win_susp_ngrok_pua.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml index 58ebf8f64..85c41f1f8 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
@@ -9,10 +9,11 @@ references:
 - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
 - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp
 - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection
- - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/.
+ - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/
+ - https://twitter.com/xorJosh/status/1598646907802451969
 author: Florian Roth
 date: 2021/05/14
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.command_and_control
 - attack.t1572
@@ -39,6 +40,12 @@ detection:
 - ' tcp '
 - ' http '
 - ' authtoken '
+ selection4:
+ CommandLine|contains: '.exe authtoken '
+ selection5:
+ CommandLine|contains|all:
+ - '.exe wget '
+ - ' -outfile '
 condition: 1 of selection*
 falsepositives:
 - Another tool that uses the command line switches of Ngrok
From b09842f60615dd0b6164dc7acb4cc127a41f0245 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Fri, 2 Dec 2022 23:21:36 +1100
Subject: [PATCH 008/115] Create proc_creation_win_susp_secedit.yml (#3725)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_susp_secedit.yml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_secedit.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_secedit.yml b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml
new file mode 100644
index 000000000..337be8505
--- /dev/null
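Review bot: The new `selection5` names no ngrok indicator: `'.exe wget '` together with `' -outfile '` matches any PowerShell `wget`/`Invoke-WebRequest ... -OutFile` download, and under `condition: 1 of selection*` it triggers on its own, so the rule will fire on unrelated downloads. If the intent is the ngrok download shown in the newly referenced tweet, add a tool-specific term to the `contains|all` list, e.g. `- 'ngrok'`. `selection4`'s `'.exe authtoken '` also seems to be a subset of the `' authtoken '` item listed right above it; whether it is redundant depends on that list's selection header, which is outside the hunk.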
+++ b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml
@@ -0,0 +1,50 @@
+title: Potential Suspicious Activity Using SeCEdit
+id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
+status: experimental
+description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
+references:
+ - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
+author: Janantha Marasinghe
+date: 2022/11/18
+tags:
+ - attack.discovery
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.privilege_escalation
+ - attack.t1562.002
+ - attack.t1547.001
+ - attack.t1505.005
+ - attack.t1556.002
+ - attack.t1562
+ - attack.t1574.007
+ - attack.t1564.002
+ - attack.t1546.008
+ - attack.t1546.007
+ - attack.t1547.014
+ - attack.t1547.010
+ - attack.t1547.002
+ - attack.t1557
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\secedit.exe'
+ - OriginalFileName: 'SeCEdit'
+ selection_flags_discovery:
+ CommandLine|contains|all:
+ - '/export'
+ - '/cfg'
+ selection_flags_configure:
+ CommandLine|contains|all:
+ - '/configure'
+ - '/db'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection_img and (1 of selection_flags_*) and not filter
+falsepositives:
+ - Legitimate administrative use
+level: medium
From a05742b4207f69277682cfdaa570d38fe44775a7 Mon Sep 17 00:00:00 2001
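Review bot: The `filter` keys on `SubjectUserName`, which is not the field name the Sigma `process_creation` taxonomy uses for the account (that is `User`), so after backend field mapping the filter likely never matches and the exclusion silently does nothing; if the machine-account exclusion is wanted, `User|endswith: '$'` is the portable form. Excluding every account ending in `$` also silences secedit runs under computer accounts, so that trade-off belongs in `falsepositives` rather than being hidden in a filter. The nineteen technique tags are hard to justify from two command-line patterns; trimming them to the techniques the `/export` and `/configure` selections actually evidence would keep the ATT&CK mapping honest.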
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 21:26:45 +0900 Subject: [PATCH 009/115] refactor: remove unnesessary escape. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 934b65cf7..fc66daaec 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index cd0de1227..93f2d66d1 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml 
@@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 84cd69bd0..feb1b5446 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 8370a7eb7..8bca2eca5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4104 falsepositives: - Unknown 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 2a0cef3d2..8b7dbcfc3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 8b94e1e34..00d3ebee5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4104 falsepositives: - Unknown From ead6831b2582641af693aacc3e027508471b3c53 Mon Sep 17 00:00:00 2001 
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 21:57:37 +0900 Subject: [PATCH 010/115] update modified date. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index fc66daaec..94e7993f4 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index d66aac660..a121dcb1a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 93f2d66d1..15597a1fd 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index feb1b5446..fe9edfa52 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 8bca2eca5..91814308c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 8b7dbcfc3..95f709d0b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 00d3ebee5..0a2966fbf 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 From 0f3eefdc9cb13995c4bdb0f4c9e42b21dfb356d5 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Dec 2022 18:10:43 +0100 Subject: [PATCH 011/115] Update title (#3746) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../file_event_win_apt_unidentified_nov_18.yml | 4 ++-- .../file_event_win_cscript_wscript_dropper.yml | 4 ++-- .../file/file_event/file_event_win_hack_dumpert.yml | 4 ++-- .../file/file_event/file_event_win_mal_adwind.yml | 4 ++-- .../file_event/file_event_win_pingback_backdoor.yml | 4 ++-- .../file_event_win_wmiprvse_wbemcomn_dll_hijack.yml | 4 ++-- ...mage_load_alternate_powershell_hosts_moduleload.yml | 4 ++-- .../image_load/image_load_pingback_backdoor.yml | 4 ++-- .../image_load/image_load_tttracer_mod_load.yml | 4 ++-- .../powershell_classic/posh_pc_downgrade_attack.yml | 4 ++-- .../posh_pc_susp_athremotefxvgpudisablementcommand.yml | 4 ++-- .../powershell_classic/posh_pc_susp_zip_compress.yml | 4 ++-- .../powershell_classic/posh_pc_xor_commandline.yml | 4 ++-- .../posh_pm_alternate_powershell_hosts.yml | 4 ++-- .../posh_pm_clear_powershell_history.yml | 4 ++-- .../powershell/powershell_module/posh_pm_powercat.yml | 4 ++-- .../posh_pm_susp_athremotefxvgpudisablementcommand.yml | 4 ++-- .../powershell_module/posh_pm_susp_download.yml | 4 ++-- .../posh_pm_susp_get_nettcpconnection.yml | 3 ++- .../posh_pm_susp_invocation_generic.yml | 4 ++-- .../posh_pm_susp_invocation_specific.yml | 4 ++-- .../powershell_module/posh_pm_susp_smb_share_reco.yml | 3 ++- .../powershell_module/posh_pm_susp_zip_compress.yml | 4 ++-- .../posh_pm_syncappvpublishingserver_exe.yml | 4 ++-- .../posh_ps_clear_powershell_history.yml | 4 ++-- .../posh_ps_root_certificate_installed.yml | 4 ++-- .../posh_ps_set_policies_to_unsecure_level.yml | 4 ++-- .../powershell_script/posh_ps_software_discovery.yml | 4 ++-- .../powershell_script/posh_ps_susp_download.yml | 4 ++-- .../posh_ps_susp_win32_shadowcopy.yml | 3 ++- .../posh_ps_susp_win32_shadowcopy_deletion.yml | 3 ++- 
.../powershell_script/posh_ps_susp_zip_compress.yml | 4 ++-- .../proc_creation_win_apt_lazarus_activity_apr21.yml | 4 ++-- .../proc_creation_win_apt_lazarus_activity_dec20.yml | 4 ++-- .../proc_creation_win_apt_turla_commands_critical.yml | 2 +- .../proc_creation_win_apt_turla_commands_medium.yml | 4 ++-- .../process_creation/proc_creation_win_mal_ryuk.yml | 4 ++-- ...in_office_from_proxy_executing_regsvr32_payload.yml | 6 +++++- ...n_office_from_proxy_executing_regsvr32_payload2.yml | 10 +++++++--- ...oc_creation_win_office_spawning_wmi_commandline.yml | 4 ++-- ...eation_win_powershell_cmdline_susp_comb_methods.yml | 4 ++-- .../proc_creation_win_susp_ntlmrelay.yml | 3 ++- 42 files changed, 91 insertions(+), 78 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml index ba06ae6e2..22a3c70fb 100644 --- a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml +++ b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml @@ -1,4 +1,4 @@ -title: Unidentified Attacker November 2018 +title: Unidentified Attacker November 2018 - File id: 3a3f81ca-652c-482b-adeb-b1c804727f74 related: - id: 7453575c-a747-40b9-839b-125a0aae324b @@ -9,7 +9,7 @@ references: - https://twitter.com/DrunkBinary/status/1063075530180886529 author: '@41thexplorer, Microsoft Defender ATP' date: 2018/11/20 -modified: 2021/09/19 +modified: 2022/12/02 tags: - attack.execution - attack.t1218.011 diff --git a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml index 3f2a81958..771b72aec 100644 --- a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml 
@@ -1,4 +1,4 @@ -title: WScript or CScript Dropper +title: WScript or CScript Dropper - File id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 related: - id: cea72823-df4d-4567-950c-0b579eaf0846 @@ -9,7 +9,7 @@ references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton date: 2022/01/10 -modified: 2022/01/11 +modified: 2022/12/02 logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml index a80f7ffeb..3a4290d13 100755 --- a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml +++ b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml @@ -1,4 +1,4 @@ -title: Dumpert Process Dumper +title: Dumpert Process Dumper Default File id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 related: - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 @@ -10,7 +10,7 @@ references: - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ author: Florian Roth date: 2020/02/04 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml index c4ce26312..1b454703c 100644 --- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml +++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml @@ -1,4 +1,4 @@ -title: Adwind RAT / JRAT +title: Adwind RAT / JRAT File Artifact id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 related: - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 @@ -10,7 +10,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.005 
diff --git a/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml b/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml index 01e27932c..e34e274bd 100644 --- a/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml +++ b/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml @@ -1,4 +1,4 @@ -title: Pingback Backdoor +title: Pingback Backdoor - File id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 status: test description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 author: Bhabesh Raj date: 2021/05/05 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.persistence - attack.t1574.001 diff --git a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml index dd0c53af5..eff3e341d 100644 --- a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,4 +1,4 @@ -title: Wmiprvse Wbemcomn DLL Hijack +title: Wmiprvse Wbemcomn DLL Hijack - File id: 614a7e17-5643-4d89-b6fe-f9df1a79641c status: test description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml index 198a753af..6b1b71242 100644 
--- a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml @@ -1,4 +1,4 @@ -title: Alternate PowerShell Hosts +title: Alternate PowerShell Hosts - Image id: fe6e002f-f244-4278-9263-20e4b593827f status: experimental description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/09/12 -modified: 2022/11/22 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml index 7b8c90b68..f26a922ae 100644 --- a/rules/windows/image_load/image_load_pingback_backdoor.yml +++ b/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -1,4 +1,4 @@ -title: Pingback Backdoor +title: Pingback Backdoor - Image id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 author: Bhabesh Raj date: 2021/05/05 -modified: 2022/08/14 +modified: 2022/12/02 tags: - attack.persistence - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_tttracer_mod_load.yml b/rules/windows/image_load/image_load_tttracer_mod_load.yml index 43e405e1f..a6f3981b7 100644 --- a/rules/windows/image_load/image_load_tttracer_mod_load.yml +++ b/rules/windows/image_load/image_load_tttracer_mod_load.yml 
@@ -1,4 +1,4 @@
-title: Time Travel Debugging Utility Usage
+title: Time Travel Debugging Utility Usage - Image
 id: e76c8240-d68f-4773-8880-5c6f63595aaf
 status: test
 description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/oulusoyum/status/1191329746069655553
 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
 date: 2020/10/06
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.credential_access
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
index 9ce7332e3..8c46b03d4 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml
@@ -1,4 +1,4 @@
-title: PowerShell Downgrade Attack
+title: PowerShell Downgrade Attack - PowerShell
 id: 6331d09b-4785-4c13-980f-f96661356249
 status: experimental
 description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
@@ -6,7 +6,7 @@ references:
 - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
 author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)
 date: 2017/03/22
-modified: 2021/10/16
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.execution
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
index d81b9e4e6..6a079219a 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml
@@ -1,4 +1,4 @@
-title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell
 id: f65e22f9-819e-4f96-9c7b-498364ae7a25
 related:
 - id: 38a7625e-b2cb-485d-b83d-aff137d859f4
@@ -10,7 +10,7 @@ references:
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
 date: 2021/07/13
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1218
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index 78d439ab8..394ae9e8a 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -1,4 +1,4 @@
-title: Zip A Folder With PowerShell For Staging In Temp
+title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
 id: 71ff406e-b633-4989-96ec-bc49d825a412
 related:
 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 author: frack113
 date: 2021/07/20
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
index ccb752a5d..77839f775 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml
@@ -1,4 +1,4 @@
-title: Suspicious XOR Encoded PowerShell Command Line
+title: Suspicious XOR Encoded PowerShell Command Line - PowerShell
 id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
 status: experimental
 description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
@@ -6,7 +6,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/06/29
-modified: 2022/07/07
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 7f7928774..69e2ce0b7 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -1,4 +1,4 @@
-title: Alternate PowerShell Hosts
+title: Alternate PowerShell Hosts - PowerShell Module
 id: 64e8e417-c19a-475a-8d19-98ea705394cc
 status: test
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
@@ -6,7 +6,7 @@ references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/11
-modified: 2022/10/10
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 08affa1ba..95535ca0b 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
@@ -1,4 +1,4 @@
-title: Clear PowerShell History
+title: Clear PowerShell History - PowerShell Module
 id: f99276ad-d122-4989-a09a-d00904a5f9d2
 related:
 - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
@@ -9,7 +9,7 @@ references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/25
-modified: 2022/05/10
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
index d0e211da3..c2c8b233a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml
@@ -1,4 +1,4 @@
-title: Netcat The Powershell Version
+title: Netcat The Powershell Version - PowerShell Module
 id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
 status: experimental
 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
 author: frack113
 date: 2021/07/21
-modified: 2021/10/16
+modified: 2022/12/02
 tags:
 - attack.command_and_control
 - attack.t1095
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
index d7bd34858..6e59a9f24 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml
@@ -1,4 +1,4 @@
-title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module
 id: 38a7625e-b2cb-485d-b83d-aff137d859f4
 status: experimental
 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
 author: frack113
 date: 2021/07/13
-modified: 2021/10/16
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1218
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
index 5f36c7b73..0f8d9c8af 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml
@@ -1,4 +1,4 @@
-title: Suspicious PowerShell Download
+title: Suspicious PowerShell Download - PowerShell Module
 id: de41232e-12e8-49fa-86bc-c05c7e722df9
 related:
 - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious PowerShell download command
 author: Florian Roth
 date: 2017/03/05
-modified: 2021/10/18
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
index 0be65ca51..c5ffd17ef 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml
@@ -1,4 +1,4 @@
-title: Use Get-NetTCPConnection
+title: Use Get-NetTCPConnection - PowerShell Module
 id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
 status: experimental
 description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
@@ -6,6 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 author: frack113
 date: 2021/12/10
+modified: 2022/12/02
 tags:
 - attack.discovery
 - attack.t1049
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
index 58ab9a87c..e37c54b48 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml
@@ -1,4 +1,4 @@
-title: Suspicious PowerShell Invocations - Generic
+title: Suspicious PowerShell Invocations - Generic - PowerShell Module
 id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
 related:
 - id: 3d304fda-78aa-43ed-975c-d740798a49c1
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule)
 date: 2017/03/12
-modified: 2021/12/02
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
index 0a8f13c05..8c224599e 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml
@@ -1,4 +1,4 @@
-title: Suspicious PowerShell Invocations - Specific
+title: Suspicious PowerShell Invocations - Specific - PowerShell Module
 id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 related:
 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious PowerShell invocation command parameters
 author: Florian Roth (rule), Jonhnathan Ribeiro
 date: 2017/03/05
-modified: 2022/02/21
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
index fed54bbf6..76ec86dc2 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
@@ -1,4 +1,4 @@
-title: Suspicious Get Information for SMB Share
+title: Suspicious Get Information for SMB Share - PowerShell Module
 id: 6942bd25-5970-40ab-af49-944247103358
 status: experimental
 description: |
@@ -9,6 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 author: frack113
 date: 2021/12/15
+modified: 2022/12/02
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 1cd4292c4..0579a4f7a 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
@@ -1,4 +1,4 @@
-title: Zip A Folder With PowerShell For Staging In Temp
+title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
 id: daf7eb81-35fd-410d-9d7a-657837e602bb
 related:
 - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 author: frack113
 date: 2021/07/20
-modified: 2021/10/16
+modified: 2022/12/02
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
index ec7d8c72a..ed0d1c132 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml
@@ -1,4 +1,4 @@
-title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
 id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
 related:
 - id: fde7929d-8beb-4a4c-b922-be9974671667
@@ -11,7 +11,7 @@ references:
 - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
 author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
 date: 2020/10/05
-modified: 2021/10/18
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1218
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
index 6793baf4e..12f875418 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml
@@ -1,4 +1,4 @@
-title: Clear PowerShell History
+title: Clear PowerShell History - PowerShell
 id: 26b692dc-1722-49b2-b496-a8258aa6371d
 related:
 - id: dfba4ce1-e0ea-495f-986e-97140f31af2d
@@ -9,7 +9,7 @@ references:
 - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
 date: 2022/01/25
-modified: 2022/05/10
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1070.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
index 7340abc67..269775a91 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml
@@ -1,4 +1,4 @@
-title: Root Certificate Installed
+title: Root Certificate Installed - PowerShell
 id: 42821614-9264-4761-acfc-5772c3286f76
 status: experimental
 description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020/10/10
-modified: 2021/12/04
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1553.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 48c6e97fe..862c5127a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
@@ -1,4 +1,4 @@
-title: Change PowerShell Policies to an Insecure Level
+title: Change PowerShell Policies to an Insecure Level - PowerShell
 id: 61d0475c-173f-4844-86f7-f3eebae1c66b
 status: experimental
 description: Detects use of Set-ExecutionPolicy to set insecure policies
@@ -8,7 +8,7 @@ references:
 - https://adsecurity.org/?p=2604
 author: frack113
 date: 2021/10/20
-modified: 2022/09/10
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index 5e3bb6aec..1e7e08871 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -1,4 +1,4 @@
-title: Detected Windows Software Discovery
+title: Detected Windows Software Discovery - PowerShell
 id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
 status: experimental
 description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
@@ -7,7 +7,7 @@ references:
 - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
 author: Nikita Nazarov, oscd.community
 date: 2020/10/16
-modified: 2021/11/12
+modified: 2022/12/02
 tags:
 - attack.discovery
 - attack.t1518
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
index a216f6416..b8a2e0a53 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml
@@ -1,4 +1,4 @@
-title: Suspicious PowerShell Download
+title: Suspicious PowerShell Download - Powershell Script
 id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
 related:
 - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious PowerShell download command
 author: Florian Roth
 date: 2017/03/05
-modified: 2021/10/18
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
index c3c9de7a3..863835803 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml
@@ -1,4 +1,4 @@
-title: Delete Volume Shadow Copies via WMI with PowerShell
+title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script
 id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
 status: test
 description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
@@ -6,6 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
 author: frack113
 date: 2021/12/26
+modified: 2022/12/02
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
index 97e19d2b6..5e1e90771 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
@@ -1,4 +1,4 @@
-title: Deletion of Volume Shadow Copies via WMI with PowerShell
+title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
 id: c1337eb8-921a-4b59-855b-4ba188ddcc42
 related:
 - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
@@ -12,6 +12,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
 author: Tim Rauch
 date: 2022/09/20
+modified: 2022/12/02
 tags:
 - attack.impact
 - attack.t1490
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index e8f63ef62..5c4423415 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -1,4 +1,4 @@
-title: Zip A Folder With PowerShell For Staging In Temp
+title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
 id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
 status: experimental
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
 author: frack113
 date: 2021/07/20
-modified: 2021/10/16
+modified: 2022/12/02
 tags:
 - attack.collection
 - attack.t1074.001
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
index fa062bb0d..fea8a4164 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml
@@ -1,4 +1,4 @@
-title: Lazarus Activity
+title: Lazarus Activity Apr21
 id: 4a12fa47-c735-4032-a214-6fab5b120670
 status: test
 description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
@@ -6,7 +6,7 @@ references:
 - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
 author: Bhabesh Raj
 date: 2021/04/20
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.g0032
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
index bf721ab56..cb8a67a3f 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml
@@ -1,4 +1,4 @@
-title: Lazarus Activity
+title: Lazarus Activity Dec20
 id: 24c4d154-05a4-4b99-b57d-9b977472443a
 status: test
 description: Detects different process creation events as described in various threat reports on Lazarus group activity
@@ -7,7 +7,7 @@ references:
 - https://www.hvs-consulting.de/lazarus-report/
 author: Florian Roth
 date: 2020/12/23
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.g0032
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
index 5a05aff7b..b06bba960 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml
@@ -1,4 +1,4 @@
-title: Turla Group Lateral Movement
+title: Turla Group Lateral Movement
 id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
 status: test
 description: Detects automated lateral movement by Turla group
diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
index 86c0f3bf0..817a4cc14 100644
--- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
@@ -1,4 +1,4 @@
-title: Turla Group Lateral Movement
+title: Automated Turla Group Lateral Movement
 id: 75925535-ca97-4e0a-a850-00b5c00779dc
 status: test
 description: Detects automated lateral movement by Turla group
@@ -6,7 +6,7 @@ references:
 - https://securelist.com/the-epic-turla-operation/65545/
 author: Markus Neis
 date: 2017/11/07
-modified: 2022/10/09
+modified: 2022/12/02
 tags:
 - attack.g0010
 - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml
index acecd619c..da6d670b4 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml
@@ -1,4 +1,4 @@
-title: Ryuk Ransomware
+title: Ryuk Ransomware Command Line Activity
 id: 0acaad27-9f02-4136-a243-c357202edd74
 status: stable
 description: Detects Ryuk Ransomware command lines
@@ -6,7 +6,7 @@ references:
 - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
 author: Vasiliy Burov
 date: 2019/08/06
-modified: 2022/11/29
+modified: 2022/12/02
 tags:
 - attack.execution
 - attack.t1204
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
index 900099c2e..a400d0df0 100644
--- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
@@ -1,7 +1,11 @@
 title: Excel Proxy Executing Regsvr32 With Payload
 id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
 status: experimental
-description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
+description: |
+ Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
+ But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
+ Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
index 623ebbfac..24c808893 100644
--- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
@@ -1,13 +1,17 @@
-title: Excel Proxy Executing Regsvr32 With Payload
+title: Excel Proxy Executing Regsvr32 With Payload Alternate
 id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
 status: experimental
-description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
+description: |
+ Excel called wmic to finally proxy execute regsvr32 with the payload.
+ An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).
+ But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it.
+ Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes.
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
 date: 2021/08/23
-modified: 2022/07/07
+modified: 2022/12/02
 tags:
 - attack.t1204.002
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
index aeabf14ca..4ca453a34 100644
--- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml
@@ -1,4 +1,4 @@
-title: Office Applications Spawning Wmi Cli
+title: Office Applications Spawning Wmi Cli Alternate
 id: 04f5363a-6bca-42ff-be70-0d28bf629ead
 status: experimental
 description: Initial execution of malicious document calls wmic to execute the file with regsvr32
@@ -7,7 +7,7 @@ references:
 - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
 author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
 date: 2021/08/23
-modified: 2022/06/16
+modified: 2022/12/02
 tags:
 - attack.t1204.002
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml
index 7cc2ab57f..3085e60f1 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml
@@ -1,4 +1,4 @@
-title: Suspicious Encoded PowerShell Command Line
+title: Suspicious Xor PowerShell Command Line
 id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
 related:
 - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
@@ -9,7 +9,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
 date: 2022/07/06
-modified: 2022/07/14
+modified: 2022/12/02
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml
index f24eb0b05..4713f9807 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml
@@ -1,4 +1,4 @@ -title: Suspicious WebDav Client Execution +title: Suspicious NTLM Authentication on the Printer Spooler Service id: bb76d96b-821c-47cf-944b-7ce377864492 status: experimental description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service @@ -7,6 +7,7 @@ references: - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml author: Elastic (idea), Tobias Michalski date: 2022/05/04 +modified: 2022/12/02 tags: - attack.privilege_escalation - attack.credential_access From b5e783a6d5f2ea0a77f68fb646bfb1b2304e3996 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Fri, 2 Dec 2022 13:44:44 -0500 Subject: [PATCH 012/115] =?UTF-8?q?Update=20and=20rename=20proc=5Fcreation?= =?UTF-8?q?=5Fwin=5Frundll32=5Fnot=5Ffrom=5Fc=5Fdrive.yml=20to=20=E2=80=A6?= =?UTF-8?q?=20(#3609)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ..._creation_win_lolbin_not_from_c_drive.yml} | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) rename rules/windows/process_creation/{proc_creation_win_rundll32_not_from_c_drive.yml => proc_creation_win_lolbin_not_from_c_drive.yml} (57%) diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml index fdb843257..906b0a985 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml @@ -1,12 +1,13 @@ -title: Rundll32 From Abnormal Drive +title: LOLBIN From Abnormal Drive id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 status: experimental -description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO. -references: - - https://thedfirreport.com/2021/12/13/diavol-ransomware/ +description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2022/01/25 modified: 2022/02/14 +references: + - https://thedfirreport.com/2021/12/13/diavol-ransomware/ + - https://www.scythe.io/library/threat-emulation-qakbot tags: - attack.t1218.001 logsource: @@ -14,8 +15,15 @@ logsource: product: windows detection: selection: - Image|endswith: '\rundll32.exe' - filter: + - '\rundll32.exe' + - '\calc.exe' + - '\mshta.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\regsvr32.exe' + - '\installutil.exe' + - '\cmstp.exe' + filter_currentdirectory: - CurrentDirectory|contains: 'C:\' - CurrentDirectory: '' filter_null: From b6492e731bbe81541b75454f5c0acd55b8c6b674 Mon Sep 17 00:00:00 2001 
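Review bot: The `\calc.exe` entry in the expanded image list is not covered by the new title or description, which both speak of LOLBINs, and nothing in the hunk says why it belongs next to rundll32, mshta or regsvr32; a one-line YAML comment on that entry, e.g. `- '\calc.exe' # TODO: document why calc.exe is in this list`, would keep the list maintainable. Widening the rule from one binary to eight while keeping the same `CurrentDirectory|contains: 'C:\'` exclusion (a hard-coded drive letter) will presumably raise the false-positive rate on hosts whose system drive is not C:, which the `falsepositives` section — outside this hunk — should mention. The `detection` block continues past the hunk (`filter_null` and the `condition` are not visible), so the overall logic cannot be checked here.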
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:16:03 +0100 Subject: [PATCH 013/115] feat: general updates and fixes --- ..._from_proxy_executing_regsvr32_payload.yml | 2 +- ...from_proxy_executing_regsvr32_payload2.yml | 2 +- .../win_bits_client_susp_domain.yml | 5 +- ...eate_stream_hash_susp_domain_ext_combo.yml | 5 ++ ..._stream_hash_susp_domain_ext_combo_med.yml | 5 ++ ...ile_event_win_create_non_existent_dlls.yml | 30 ++++++++++++ .../image_load/image_load_side_load_scm.yml | 29 +++++++++++ .../image_load_side_load_vmguestlib.yml | 29 +++++++++++ ...mage_load_susp_dll_load_system_process.yml | 8 +++- .../net_connection_win_binary_susp_com.yml | 6 ++- ...ion_win_bitsadmin_download_susp_domain.yml | 6 ++- .../proc_creation_win_gpg4win_susp_usage.yml | 33 +++++++++++++ ...oc_creation_win_office_proxy_exec_wmic.yml | 48 +++++++++++++++++++ .../proc_creation_win_tool_nircmd.yml | 5 +- ...proc_creation_win_wsudo_susp_execution.yml | 32 +++++++++++++ 15 files changed, 237 insertions(+), 8 deletions(-) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml (98%) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml (98%) create mode 100644 rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml create mode 100644 rules/windows/image_load/image_load_side_load_scm.yml create mode 100644 rules/windows/image_load/image_load_side_load_vmguestlib.yml create mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml create mode 100644 rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml rename to rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml index a400d0df0..990b256e8 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml @@ -1,6 +1,6 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 -status: experimental +status: deprecated description: | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml rename to rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 24c808893..9d70c250c 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml 
@@ -1,6 +1,6 @@ title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 -status: experimental +status: deprecated description: | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml index 2f3880ab4..c3a6c072c 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml @@ -8,7 +8,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker author: Florian Roth date: 2022/06/28 -modified: 2022/08/09 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.persistence @@ -35,6 +35,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' condition: selection falsepositives: - Unknown diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml index 1e94c3ad2..5babf5085 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml @@ -4,8 +4,10 @@ status: experimental description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/08/24 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.s0139 
@@ -32,6 +34,9 @@ detection: - 'storage.googleapis.com' - 'anonfiles.com' - 'send.exploit.in' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' selection_extension: TargetFilename|contains: - '.exe:Zone' diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml index a32c292cc..b47dc0e17 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml @@ -4,8 +4,10 @@ status: experimental description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/08/24 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.s0139 @@ -32,6 +34,9 @@ detection: - 'storage.googleapis.com' - 'anonfiles.com' - 'send.exploit.in' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' selection_extension: TargetFilename|contains: - '.ps1:Zone' diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml new file mode 100644 index 000000000..9c9c65693 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml 
@@ -0,0 +1,30 @@
+title: Creation Of Non-Existent DLLs In System Folders
+id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+status: experimental
+description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: Nasreddine Bencherchali
+date: 2022/12/01
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename:
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ filter:
+ Image|startswith: 'C:\Windows\System32\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_scm.yml b/rules/windows/image_load/image_load_side_load_scm.yml
new file mode 100644
index 000000000..fd244a0c5
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_scm.yml
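Review bot: The `TargetFilename` values are absolute `C:\Windows\System32\...` paths, so a host whose Windows directory is on another drive never matches, and the `filter` exempts every image anywhere under `C:\Windows\System32\` (subfolders included) rather than the specific system binaries expected to write there; a suffix match such as `TargetFilename|endswith: '\System32\WLBSCTRL.dll'` and a narrower image filter would make the rule more portable and harder to tune around. The description also has typos: `Usualy` → `Usually`, and `dlls`/`dll` → `DLLs`/`DLL`. The same absolute-path pattern is used in the next hunk (`image_load_side_load_scm.yml`, both `ImageLoaded` and `Image`), whose description reads `do not exists` and should be `do not exist`.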
@@ -0,0 +1,29 @@
+title: SCM DLL Sideload
+id: bc3cc333-48b9-467a-9d1f-d44ee594ef48
+status: experimental
+description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+author: Nasreddine Bencherchali
+date: 2022/12/01
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded:
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ Image: 'C:\Windows\System32\svchost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
new file mode 100644
index 000000000..28b560800
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml
@@ -0,0 +1,29 @@ +title: SCM DLL Sideload +id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff +status: experimental +description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system +references: + - https://decoded.avast.io/martinchlumecky/png-steganography/ +author: Nasreddine Bencherchali +date: 2022/12/01 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|contains: + - '\VMware\VMware Tools\vmStatsProvider\win32' + - '\vmGuestLib.dll' + Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe' + filter: + Signed: 'true' + condition: selection and not filter +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index 38f4572c2..fc2acbb2e 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) author: Nasreddine Bencherchali date: 2022/07/17 -modified: 2022/10/12 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070 @@ -28,6 +28,12 @@ detection: - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' + - Image: + - 'C:\Windows\SysWOW64\rundll32.exe' # Typical for installers and updaters + - 'C:\Windows\System32\rundll32.exe' # Typical for installers and updaters + - CommandLine|contains|all: + - '\AppData\Local\Temp\' # Typical for installers and updaters + - '\setup.exe' filter_cleanmgr: # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: # Sometimes the DLL gets loaded from %temp% 
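Review bot: The `filter` excludes any load where `Signed: 'true'`, which trusts every valid Authenticode signature rather than the publisher the rule is about; a planted DLL carrying some other valid signature would be silently filtered out. If the backend exposes it, constraining the exclusion on the `Signature` field (the expected VMware publisher) instead of, or together with, `Signed` keeps the exclusion as narrow as the detection. A short comment on the filter stating what it is meant to exclude, e.g. `# exclude the genuine signed VMware Tools DLL`, would also help the next maintainer.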
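Review bot: The new `- Image:` entry in the filter list exempts every DLL load by `rundll32.exe` from this rule, not only the installer and updater activity the inline comment describes; if this list is OR-ed like the sibling `- ImageLoaded|startswith` entry appears to be, that removes one of the most commonly abused host processes from coverage. Tying the rundll32 exemption to a further constraint — for example the same `\AppData\Local\Temp\` path condition the adjacent `- CommandLine|contains|all` entry already uses — would keep the tuning narrower. The filter block and the rule's selection begin outside the hunk, so the effective condition cannot be verified here.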
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml index 0a98c4d82..25641aa89 100755 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml +++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml @@ -6,9 +6,10 @@ references: - https://twitter.com/M_haggis/status/900741347035889665 - https://twitter.com/M_haggis/status/1032799638213066752 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2018/08/30 -modified: 2022/08/09 +modified: 2022/12/02 tags: - attack.lateral_movement - attack.t1105 @@ -33,6 +34,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' Image|startswith: - 'C:\Windows\' - 'C:\Users\Public\' diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml index 78a3f092b..4b40ae44b 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml @@ -7,9 +7,10 @@ references: - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.persistence @@ -45,6 +46,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' condition: all of selection_* fields: - CommandLine 
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
new file mode 100644
index 000000000..7f6b929e6
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml
@@ -0,0 +1,33 @@
+title: Gpg4Win Decrypt Files From Suspicious Locations
+id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
+status: experimental
+description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI
+references:
+ - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+author: Nasreddine Bencherchali, X__Junior
+date: 2022/11/30
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_metadata:
+ - Image|endswith:
+ - '\gpg2.exe'
+ - Product: 'GNU Privacy Guard (GnuPG)'
+ - Company: 'g10 Code GmbH'
+ selection_cli:
+ CommandLine|contains: '-passphrase'
+ selection_paths:
+ CommandLine|contains:
+ - '\AppData\Roaming\'
+ - 'C:\Perflogs\'
+ - 'C:\Windows\Temp\'
+ - 'C:\temp'
+ - ''
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml b/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml
new file mode 100644
index 000000000..071b258dc
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml
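Review bot: The last entry of `selection_paths`, `- ''`, is an empty substring and `CommandLine|contains: ''` matches every command line, so `selection_paths` never narrows anything and `all of selection_*` collapses to "gpg2 with `-passphrase`", which is not what the title promises. Remove that entry (or replace it with a real staging path) rather than leaving it in the list. The `attack.t1219` tag (Remote Access Software) also does not fit what the description says the rule covers — decrypting a staged payload from a suspicious directory — and `attack.t1140` (Deobfuscate/Decode Files or Information) would be the closer mapping.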
@@ -0,0 +1,48 @@ +title: Office Processes Proxy Execution Through WMIC +id: e1693bc8-7168-4eab-8718-cdcaa68a1738 +related: + - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 + type: obsoletes + - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 + type: obsoletes +status: experimental +description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' +date: 2021/08/23 +modified: 2022/12/02 +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defense_evasion +logsource: + product: windows + category: process_creation +detection: + selection_wmic: + - Image|endswith: '\wbem\WMIC.exe' + - OriginalFileName: 'wmic.exe' + selection_parent: + ParentImage|endswith: + - '\winword.exe' + - '\excel.exe' + - '\powerpnt.exe' + CommandLine|contains|all: + - 'process' + - 'create' + - 'call' + CommandLine|contains: + # Add more suspicious LOLBINs as you see fit + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml index 07538331c..b9162caf8 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml 
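Review bot: The description has a typo, `proxye execution` → `proxy execution`, and `to break suspicious parent-child chain` reads better as `to break the suspicious parent-child chain`. `selection_parent` relies on YAML map semantics to AND `ParentImage|endswith`, `CommandLine|contains|all` and `CommandLine|contains`, which is easy to misread as a list of alternatives; a one-line comment above it such as `# all three keys must match: Office parent, 'process call create', and one of the LOLBINs below` would make that explicit. Since the rule obsoletes two others, the `related` entries would also benefit from the old rules' titles in a trailing comment for readers who do not have the deprecated files open.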
@@ -8,7 +8,7 @@ references: - https://www.nirsoft.net/utils/nircmd2.html#using author: Florian Roth, Nasreddine Bencherchali date: 2022/01/24 -modified: 2022/08/08 +modified: 2022/11/30 tags: - attack.execution - attack.t1569.002 @@ -18,7 +18,8 @@ logsource: product: windows detection: selection_org: - OriginalFileName: 'NirCmd.exe' + - Image|endswith: '\NirCmd.exe' + - OriginalFileName: 'NirCmd.exe' selection_cmd: CommandLine|contains: - ' execmd ' diff --git a/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml new file mode 100644 index 000000000..015d42d08 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml @@ -0,0 +1,32 @@ +title: Wsudo Suspicious Execution +id: bdeeabc9-ff2a-4a51-be59-bb253aac7891 +status: experimental +description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) +references: + - https://github.com/M2Team/Privexec/ +author: Nasreddine Bencherchali +date: 2022/12/02 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: '\wsudo.exe' + - OriginalFileName: 'wsudo.exe' + - Description: 'Windows sudo utility' + - ParentImage|endswith: '\wsudo-bridge.exe' + selection_cli: + CommandLine|contains: + - '-u System' + - '-uSystem' + - '-u TrustedInstaller' + - '-uTrustedInstaller' + - ' --ti ' + condition: 1 of selection_* +falsepositives: + - Unknown +level: high From 3c90fb1c33f1f7274e3dcdbdac98fe2349536988 Mon Sep 17 00:00:00 2001 
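Review bot: In `proc_creation_win_wsudo_susp_execution.yml` the `condition: 1 of selection_*` lets `selection_metadata` fire on its own, so every `wsudo.exe` launch — including the ordinary use the tool is built for — is raised at `level: high`, and `selection_cli` never narrows anything. If the intent is to flag elevation to SYSTEM or TrustedInstaller, which is what the title and the CLI patterns suggest, `condition: all of selection_*` is the line to change; if any execution is really meant, the title and level should say so and `falsepositives` should not read `Unknown`. Note too that `selection_metadata` includes `ParentImage|endswith: '\wsudo-bridge.exe'`, so a child spawned by the bridge process, rather than wsudo itself, also satisfies it on its own.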
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:22:23 +0100 Subject: [PATCH 014/115] fix: fix metadata information --- .../windows/image_load/image_load_side_load_vmguestlib.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 28b560800..9f07a60cb 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml @@ -1,7 +1,7 @@ -title: SCM DLL Sideload +title: VMGuestLib DLL Sideload id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff status: experimental -description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system +description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service. references: - https://decoded.avast.io/martinchlumecky/png-steganography/ author: Nasreddine Bencherchali @@ -25,5 +25,5 @@ detection: Signed: 'true' condition: selection and not filter falsepositives: - - Unknown + - FP could occure if the legitimate version of vmGuestLib already exists level: medium From 0c3a0d4c39f1b6b19794fc0b60535e59aab5a56a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:38:18 +0100 Subject: [PATCH 015/115] fix: fp metadata --- rules/windows/image_load/image_load_side_load_vmguestlib.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 9f07a60cb..2951701a7 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml 
@@ -25,5 +25,5 @@ detection: Signed: 'true' condition: selection and not filter falsepositives: - - FP could occure if the legitimate version of vmGuestLib already exists + - FP could occure if the legitimate version of vmGuestLib already exists on the system level: medium From 6e0417b65c9b0fd71f5e3518ef27c433274f91fd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 3 Dec 2022 09:13:37 +0100 Subject: [PATCH 016/115] refactor: ngrok rule --- .../proc_creation_win_susp_ngrok_pua.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml index 85c41f1f8..c6cbee48c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml @@ -11,6 +11,7 @@ references: - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/ - https://twitter.com/xorJosh/status/1598646907802451969 + - https://www.softwaretestinghelp.com/how-to-use-ngrok/ author: Florian Roth date: 2021/05/14 modified: 2022/12/02 @@ -41,11 +42,9 @@ detection: - ' http ' - ' authtoken ' selection4: - CommandLine|contains: '.exe authtoken ' - selection5: - CommandLine|contains|all: - - '.exe wget ' - - ' -outfile ' + CommandLine|contains: + - '.exe authtoken ' + - '.exe start --all' condition: 1 of selection* falsepositives: - Another tool that uses the command line switches of Ngrok From cb5c19d696f047bede4cfbe1ec59427b49092bbc Mon Sep 17 00:00:00 2001 
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Sat, 3 Dec 2022 09:35:34 +0100 Subject: [PATCH 017/115] fix: FPs found in testing env (#3743) --- .../proc_creation_win_run_executable_invalid_extension.yml | 5 ++++- .../proc_creation_win_susp_parent_of_conhost.yml | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml index 7009302df..b5243e4bc 100644 --- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp) date: 2022/01/13 -modified: 2022/07/27 +modified: 2022/12/02 logsource: category: process_creation product: windows @@ -32,6 +32,9 @@ detection: ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\' filter_localserver_fp: CommandLine|contains: ' -localserver ' + filter_mcafee: + - ParentCommandLine|startswith: 'C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction ' + - CommandLine|startswith: 'C:\Windows\system32\rundll32.exe" /uninstall /longpath "C:\Program Files\McAfee\MSC\mscrem.inf' condition: selection and not 1 of filter* fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml index ee024ae05..03e60f2b4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml 
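Review bot: Both new `filter_mcafee` patterns use `|startswith` with a value that begins `C:\Windows\system32\rundll32.exe"` — a closing quote with no opening one. If the logged `ParentCommandLine`/`CommandLine` starts with the opening `"` as quoted command lines normally do, `startswith` can never match and the new filter is dead code; switching the modifier to `|contains`, or prefixing the value with `"`, would make the exclusion effective. Worth confirming against the actual event that produced the false positive in the test environment.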
@@ -6,7 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html author: Tim Rauch date: 2022/09/28 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.execution - attack.t1059 @@ -36,7 +36,9 @@ detection: ParentCommandLine|contains: - '-k apphost -s AppHostSvc' - '-k imgsvc' + - '-k localService -p -s RemoteRegistry' - '-k LocalSystemNetworkRestricted -p -s NgcSvc' + - '-k NetSvcs -p -s NcaSvc' - '-k netsvcs -p -s NetSetupSvc' - '-k netsvcs -p -s wlidsvc' - '-k NetworkService -p -s DoSvc' From 77b12345726278078a4197d51b38af4d9bd069c0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 3 Dec 2022 11:55:54 +0100 Subject: [PATCH 018/115] fix: apply code review changes --- rules/windows/image_load/image_load_side_load_vmguestlib.yml | 2 +- .../process_creation/proc_creation_win_gpg4win_susp_usage.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 2951701a7..952edea99 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - ImageLoaded|contains: + ImageLoaded|contains|all: - '\VMware\VMware Tools\vmStatsProvider\win32' - '\vmGuestLib.dll' Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe' diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml index 7f6b929e6..5f1dbf8fc 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml 
@@ -14,8 +14,7 @@ logsource: product: windows detection: selection_metadata: - - Image|endswith: - - '\gpg2.exe' + - Image|endswith: '\gpg2.exe' - Product: 'GNU Privacy Guard (GnuPG)' - Company: 'g10 Code GmbH' selection_cli: From 3ab7ed6436054afab55b543d07876d9b65de8e93 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 3 Dec 2022 13:09:50 +0100 Subject: [PATCH 019/115] Update proc_creation_win_gpg4win_susp_usage.yml --- .../process_creation/proc_creation_win_gpg4win_susp_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml index 5f1dbf8fc..23a623135 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml @@ -25,7 +25,7 @@ detection: - 'C:\Perflogs\' - 'C:\Windows\Temp\' - 'C:\temp' - - '' + #- '' condition: all of selection_* falsepositives: - Legitimate use From 9c76aac1fc070a7d78f81e7aeb275dd7ef2f2c1c Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sat, 3 Dec 2022 21:56:00 +0900 Subject: [PATCH 020/115] refactor: remove unnesessary escape. --- .../windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml | 4 ++-- .../powershell_script/posh_ps_invoke_obfuscation_stdin.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml index 3dcd47c86..079e16feb 100644 --- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml 
@@ -7,7 +7,7 @@ references:
 - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
 author: Florian Roth
 date: 2021/07/30
-modified: 2022/10/09
+modified: 2022/12/03
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -23,7 +23,7 @@ detection:
 - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}'
 - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}'
 - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}'
- - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}'
+ - PipeName|re: '\\\\mypipe-(?:f|h)[0-9a-f]{2}'
 - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}'
 - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}'
 - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
index a38955b7f..3d3d7da09 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
-modified: 2022/11/29
+modified: 2022/12/03
 tags:
 - attack.defense_evasion
 - attack.t1027
@@ -18,7 +18,7 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_4104:
- ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"'
+ ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'
 condition: selection_4104
 falsepositives:
 - Unknown
From 75c6f44f124d90cf1670aebb4d67ed80ec32c359 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 4 Dec 2022 11:18:11 +0100
Subject: [PATCH 021/115] Update Workflow (#3752)
---
 .github/workflows/sigma-test.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
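Review bot: The rewritten `ScriptBlockText|re` value in the `@@ -18,7 +18,7 @@` hunk of posh_ps_invoke_obfuscation_stdin.yml still opens with `.*`, which adds nothing to an unanchored regex search and, together with the three greedy `.+` segments, makes the engine backtrack across the whole script block on long non-matching inputs before giving up. Since this commit is already touching the escapes, dropping the prefix, `ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"'`, keeps the same set of matches with less work per event. The greedy `.+` segments could likewise be `[^\n]+` or bounded if script blocks in your telemetry are large, but that is a tuning choice rather than a defect.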
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index 5cf624347..98de59882 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -22,13 +22,13 @@ jobs:
 - uses: actions/checkout@v2
 with:
 submodules: true
- - name: Set up Python 3.8
+ - name: Set up Python 3.11
 uses: actions/setup-python@v1
 with:
- python-version: 3.8
+ python-version: 3.11
 - name: Install dependencies
 run: |
- pip install sigma-cli~=0.3.2
+ pip install sigma-cli~=0.5.3
 - name: Test Sigma Rule Syntax
 run: |
 sigma check rules
From 0db7f7f7cc900d4bf4d48b6c722ee703de5bdf5e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 4 Dec 2022 14:36:04 +0100
Subject: [PATCH 022/115] rule: SysmonEOP
---
 .../proc_creation_win_hack_sysmoneop.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml
diff --git a/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml b/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml
new file mode 100644
index 000000000..6b400e6a5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml
@@ -0,0 +1,29 @@
+title: SysmonEOP Hack Tool
+id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
+status: experimental
+description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
+references:
+ - https://github.com/Wh04m1001/SysmonEoP
+author: Florian Roth
+date: 2022/12/04
+tags:
+ - cve.2022.41120
+ - attack.t1068
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\SysmonEOP.exe'
+ selection_hash:
+ - Hashes:
+ - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
+ - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
+ - Imphash:
+ - '22f4089eb8aba31e1bb162c6d9bf72e5'
+ - '5123fa4c4384d431cd0d893eeb49bbec'
+ condition: 1 of selection*
+falsepositives:
+ - Unlikely
+level: critical
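Review bot: The interpreter is bumped to `python-version: 3.11` while the step still runs `uses: actions/setup-python@v1`, and that major of the action predates the 3.11 release, so it may fail to resolve the requested interpreter on the runner; bumping the action to a current major in the same change is the safe pairing (the checkout step on the line above is likewise on `actions/checkout@v2`). Separately, `pip install sigma-cli~=0.5.3` floats across patch releases of a package that parses every rule in the repository; from a supply-chain standpoint a CI job that gates merges should pin the exact version (or a requirements file with hashes) so a newly published release cannot silently change what the check accepts or run code the reviewer never saw. The `jobs:` block starts outside the hunk.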
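Review bot: In `selection_hash` of the new proc_creation_win_hack_sysmoneop.yml, `Hashes:` is an exact-value match against a single `IMPHASH=...` string, but Sysmon emits that field as a comma-joined list of every configured algorithm (constructed example: `MD5=...,SHA256=...,IMPHASH=...`), so the exact match only fires on hosts where IMPHASH is the sole configured hash and the first selection branch is otherwise dead. `- Hashes|contains:` matches the IMPHASH substring regardless of which other algorithms are present; the `Imphash:` branch for backends that split the field is unaffected. A short comment on the imphash values noting that they identify a specific build of the PoC and will not survive a recompile would also help whoever tunes this rule later.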
From 54739006a9ec0f35cf47d92755d6c783f630912b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 4 Dec 2022 15:29:08 +0100
Subject: [PATCH 023/115] Fix workflow warning
---
 .../win_security_service_installation_by_unusal_client.yml | 5 +++--
 .../builtin/system/win_system_lpe_indicators_tabtip.yml | 3 ++-
 ...n_system_system_service_installation_by_unusal_client.yml | 3 ++-
 .../process_creation/proc_creation_win_susp_wermgr.yml | 3 ++-
 4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
index e49c724d3..f9f4dc85c 100644
--- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml
@@ -10,6 +10,7 @@ references:
 - https://twitter.com/SBousseaden/status/1490608838701166596
 author: Tim Rauch
 date: 2022/09/15
+modified: 2022/12/04
 tags:
 - attack.privilege_escalation
 - attack.t1543
@@ -21,8 +22,8 @@ detection:
 selection:
 EventID: 4697
 selection_pid:
- - ClientProcessId: '0'
- - ParentProcessId: '0'
+ - ClientProcessId: 0
+ - ParentProcessId: 0
 condition: all of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
index 2672ae2db..3ad2ff0ad 100644
--- a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/antonioCoco/JuicyPotatoNG
 author: Florian Roth
 date: 2022/10/07
+modified: 2022/12/04
 tags:
 - attack.execution
 - attack.t1557.001
@@ -16,7 +17,7 @@ detection:
 selection:
 EventID: 10001
 param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # is the Binary starting/started
- param2: '2147943140' # is ERROR id
+ param2: 2147943140 # is ERROR id
 param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # is DCOM Server
 condition: selection
 falsepositives:
diff --git a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
index cfd318f9a..d5d3b1ff0 100644
--- a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
+++ b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml
@@ -9,6 +9,7 @@ references:
 - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
 author: Tim Rauch
 date: 2022/09/15
+modified: 2022/12/04
 tags:
 - attack.privilege_escalation
 - attack.t1543
@@ -19,7 +20,7 @@ detection:
 selection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
- ProcessId: '0'
+ ProcessId: 0
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
index c82b820ef..0b0bee2dd 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
@@ -1,5 +1,5 @@
 title: Suspicious WERMGR Process Patterns
-id: CBEC226F-63D9-4ECA-9F52-DFB6652F24DF
+id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
 status: experimental
 description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
 references:
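Review bot: In the proc_creation_win_susp_wermgr.yml hunk the rule's `id` is replaced with a brand-new UUID rather than normalised, which severs the identity of a rule that has been published under the old value for anyone tracking rules, suppressions or detections by id. If the only problem was the upper-case form (a later commit in this series makes the id check case-insensitive), `id: cbec226f-63d9-4eca-9f52-dfb6652f24df` keeps continuity; if a new id is really intended, a `related:` entry pointing at the old one with `type: obsoletes` would let consumers follow the change. A one-line note in the commit message saying why the id changed would have saved this question.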
@@ -7,6 +7,7 @@ references:
 - https://www.echotrail.io/insights/search/wermgr.exe
 author: Florian Roth
 date: 2022/10/14
+modified: 2022/12/04
 logsource:
 category: process_creation
 product: windows
From e343d016e9d6a62cd56ee08d04de8efe3e78f62f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Dec 2022 00:31:51 +0100
Subject: [PATCH 024/115] feat: change check to lower
---
 tests/test_rules.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 407a30624..5d88c97e9 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -336,12 +336,12 @@ class TestRules(unittest.TestCase):
 print( Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file))
 faulty_rules.append(file)
- elif id in dict_id.keys():
+ elif id.lower() in dict_id.keys():
 print( Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file, dict_id[id]))
 faulty_rules.append(file)
 else:
- dict_id[id] = file
+ dict_id[id.lower()] = file
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).")
From 122cb47d71f0a5e7ab31c56a5336960ae3537b61 Mon Sep 17 00:00:00 2001
From: gs3cl <89155053+gs3cl@users.noreply.github.com>
Date: Mon, 5 Dec 2022 10:39:58 +0100
Subject: [PATCH 025/115] Gs3cl patch 1 (#3753)
---
 ...e_event_win_powershell_exploit_scripts.yml | 12 ++++++++++--
 .../posh_ps_malicious_commandlets.yml | 19 ++++++++++++-------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index acbf6fb28..ea8c16054 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
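Review bot: The duplicate-id message in the `@@ -336,12 +336,12 @@` hunk of tests/test_rules.py still reads `dict_id[id]` while the dictionary is now keyed on `id.lower()`, so the first time a duplicate id containing upper-case letters is seen the lookup raises KeyError and the whole test errors out instead of reporting the offending file. The message should index with the same key that is stored, `dict_id[id.lower()]`. Binding the lowered value once, e.g. `rule_id = id.lower()` before the `elif`, would avoid repeating the call and also stop shadowing the builtin `id`; the enclosing test method starts and ends outside the hunk.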
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -15,9 +15,11 @@ references:
 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
-author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir
+ - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
+ - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
+author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
 date: 2018/04/07
-modified: 2022/10/28
+modified: 2022/12/04
 tags:
 - attack.execution
 - attack.t1059.001
@@ -145,12 +147,15 @@ detection:
 - '\Invoke-Get-RBCD-Threaded.ps1'
 - '\Invoke-Gopher.ps1'
 - '\Invoke-Grouper2.ps1'
+ - '\Invoke-Grouper3.ps1'
 - '\Invoke-HandleKatz.ps1'
 - '\Invoke-Internalmonologue.ps1'
+ - '\Invoke-KrbRelay.ps1'
 - '\Invoke-KrbRelayUp.ps1'
 - '\Invoke-LdapSignCheck.ps1'
 - '\Invoke-Lockless.ps1'
 - '\Invoke-MITM6.ps1'
+ - '\Invoke-MalSCCM.ps1'
 - '\Invoke-NanoDump.ps1'
 - '\Invoke-OxidResolver.ps1'
 - '\Invoke-P0wnedshell.ps1'
@@ -184,6 +189,7 @@ detection:
 - '\Invoke-SharpPrintNightmare.ps1'
 - '\Invoke-SharpPrinter.ps1'
 - '\Invoke-SharpRDP.ps1'
+ - '\Invoke-SharpSCCM.ps1'
 - '\Invoke-SharpSSDP.ps1'
 - '\Invoke-SharpSecDump.ps1'
 - '\Invoke-SharpSniper.ps1'
@@ -191,6 +197,7 @@ detection:
 - '\Invoke-SharpSpray.ps1'
 - '\Invoke-SharpStay.ps1'
 - '\Invoke-SharpUp.ps1'
+ - '\Invoke-SharpWSUS.ps1'
 - '\Invoke-SharpWatson.ps1'
 - '\Invoke-Sharphound2.ps1'
 - '\Invoke-Sharphound3.ps1'
@@ -205,6 +212,7 @@ detection:
 - '\Invoke-StickyNotesExtract.ps1'
 - '\Invoke-Thunderfox.ps1'
 - '\Invoke-Tokenvator.ps1'
+ - '\Invoke-TotalExec.ps1'
 - '\Invoke-UrbanBishop.ps1'
 - '\Invoke-Whisker.ps1'
 - '\Invoke-WireTap.ps1'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index acb76e795..91ccf529d 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -9,9 +9,11 @@ references:
 - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
-author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update)
+ - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
+ - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)
 date: 2017/03/05
-modified: 2022/10/28
+modified: 2022/12/04
 tags:
 - attack.execution
 - attack.t1059.001
@@ -128,13 +130,14 @@ detection:
 - 'Invoke-Farmer'
 - 'Invoke-Get-RBCD-Threaded'
 - 'Invoke-Gopher'
- - 'Invoke-Grouper2'
+ - 'Invoke-Grouper' # cover Invoke-GrouperX
 - 'Invoke-HandleKatz'
 - 'Invoke-Internalmonologue'
- - 'Invoke-KrbRelayUp'
+ - 'Invoke-KrbRelay'
 - 'Invoke-LdapSignCheck'
 - 'Invoke-Lockless'
 - 'Invoke-MITM6'
+ - 'Invoke-MalSCCM'
 - 'Invoke-NanoDump'
 - 'Invoke-OxidResolver'
 - 'Invoke-P0wnedshell'
@@ -144,6 +147,7 @@ detection:
 - 'Invoke-SafetyKatz'
 - 'Invoke-SauronEye'
 - 'Invoke-Seatbelt'
+ - 'Invoke-ShadowSpray'
 - 'Invoke-SharPersist'
 - 'Invoke-SharpAllowedToAct'
 - 'Invoke-SharpBlock'
@@ -157,7 +161,6 @@ detection:
 - 'Invoke-SharpGPOAbuse'
 - 'Invoke-SharpHandler'
 - 'Invoke-SharpHide'
- - 'Invoke-SharpHound4'
 - 'Invoke-SharpImpersonation'
 - 'Invoke-SharpImpersonationNoSpace'
 - 'Invoke-SharpKatz'
@@ -167,6 +170,7 @@ detection:
 - 'Invoke-SharpPrintNightmare'
 - 'Invoke-SharpPrinter'
 - 'Invoke-SharpRDP'
+ - 'Invoke-SharpSCCM'
 - 'Invoke-SharpSSDP'
 - 'Invoke-SharpSecDump'
 - 'Invoke-SharpSniper'
@@ -174,9 +178,9 @@ detection:
 - 'Invoke-SharpSpray'
 - 'Invoke-SharpStay'
 - 'Invoke-SharpUp'
+ - 'Invoke-SharpWSUS'
 - 'Invoke-SharpWatson'
- - 'Invoke-Sharphound2'
- - 'Invoke-Sharphound3'
+ - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
 - 'Invoke-Sharplocker'
 - 'Invoke-Sharpshares'
 - 'Invoke-Sharpview'
@@ -185,6 +189,7 @@ detection:
 - 'Invoke-Spoolsample'
 - 'Invoke-StandIn'
 - 'Invoke-StickyNotesExtract'
+ - 'Invoke-TotalExec'
 - 'Invoke-Thunderfox'
 - 'Invoke-Tokenvator'
 - 'Invoke-UrbanBishop'
From 3bcce887866bddf7c053a2f130906a4586bb4108 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Dec 2022 12:18:14 +0100
Subject: [PATCH 026/115] fix: fix issue #3742
---
 ..._creation_win_creation_mavinject_process_injection.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
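Review bot: In the last hunk (`@@ -185,6 +189,7 @@`) `'Invoke-TotalExec'` is inserted between StickyNotesExtract and Thunderfox, breaking the alphabetical order the rest of this list keeps (it belongs after `'Invoke-Tokenvator'`, which is where the sibling file_event rule placed its `.ps1` entry), and out-of-order entries are how duplicates creep into lists this long. In the `@@ -174,9 +178,9 @@` hunk the trailing comment has a stray `,.`; `# cover Invoke-SharpHound2, Invoke-SharpHound3, ...` reads as intended. The widening of `'Invoke-Grouper2'` to `'Invoke-Grouper'` and of `'Invoke-KrbRelayUp'` to `'Invoke-KrbRelay'` is fine for a contains-style match but is worth one comment each so a later reader does not "fix" the apparent truncation back.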
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
index 1754f8f63..b42c2bcfa 100644
--- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
@@ -12,9 +12,11 @@ references:
 - https://twitter.com/gN3mes1s/status/941315826107510784
 - https://reaqta.com/2017/12/mavinject-microsoft-injector/
 - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/SigmaHQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
 date: 2021/07/12
-modified: 2022/09/07
+modified: 2022/12/05
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -26,6 +28,8 @@ logsource:
 detection:
 selection_flag:
 CommandLine|contains: ' /INJECTRUNNING '
+ filter_parent:
+ ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
 selection_renamed:
 OriginalFileName:
 - 'mavinject32.exe'
@@ -34,7 +38,7 @@ detection:
 Image|endswith:
 - '\mavinject32.exe'
 - '\mavinject64.exe'
- condition: selection_flag or (selection_renamed and not filter_renamed)
+ condition: (selection_flag and not filter_parent) or (selection_renamed and not filter_renamed)
 fields:
 - ComputerName
 - User
From d50739ed3e8d3d6f917c0e201ead299b0abc19b1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Dec 2022 12:18:51 +0100
Subject: [PATCH 027/115] fix: rename rule for lolbin convention
---
 ...l => proc_creation_win_lolbin_mavinject_process_injection.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_creation_mavinject_process_injection.yml => proc_creation_win_lolbin_mavinject_process_injection.yml} (100%)
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
From f81a960044060d7e533a5fdd541895a5b69ddbaa Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Dec 2022 12:23:48 +0100
Subject: [PATCH 028/115] fix: split mavinject rule
---
 ...win_lolbin_mavinject_process_injection.yml | 23 +++---------
 .../proc_creation_win_renamed_mavinject.yml | 36 +++++++++++++++++++
 2 files changed, 41 insertions(+), 18 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
index b42c2bcfa..2229928fb 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
@@ -4,7 +4,7 @@ related:
 - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 type: obsoletes
 status: experimental
-description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
@@ -26,24 +26,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_flag:
+ selection:
 CommandLine|contains: ' /INJECTRUNNING '
- filter_parent:
+ filter:
 ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
- selection_renamed:
- OriginalFileName:
- - 'mavinject32.exe'
- - 'mavinject64.exe'
- filter_renamed:
- Image|endswith:
- - '\mavinject32.exe'
- - '\mavinject64.exe'
- condition: (selection_flag and not filter_parent) or (selection_renamed and not filter_renamed)
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ condition: selection and not filter
 falsepositives:
- - Unlikely
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
new file mode 100644
index 000000000..cc6c21e46
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
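Review bot: The `filter` kept in the `@@ -26,24 +26,11 @@` hunk matches `ParentImage` exactly against `'C:\Windows\System32\AppVClient.exe'`, so on a host whose system root is not `C:\Windows` the filter silently stops applying and every legitimate AppV-launched mavinject fires a high-level alert; `ParentImage|endswith: '\AppVClient.exe'` keeps the stated intent ("the expected process to launch mavinject") without the drive dependency, matching how the removed `Image|endswith` entries in the same hunk were written. The `falsepositives` entry is changed from `Unlikely` to `Unknown` at the same time the parent filter is added, which reads as contradictory: if the AppV parent is the known benign case, listing it (`- AppV client launching mavinject`) is more useful to an analyst than `Unknown`.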
@@ -0,0 +1,36 @@
+title: Rename Mavinject Execution
+id: e6474a1b-5390-49cd-ab41-8d88655f7394
+status: experimental
+description: Detects execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
+ - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/SigmaHQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
+author: frack113, Florian Roth
+date: 2022/12/05
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055.001
+ - attack.t1218.013
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName:
+ - 'mavinject32.exe'
+ - 'mavinject64.exe'
+ filter:
+ Image|endswith:
+ - '\mavinject32.exe'
+ - '\mavinject64.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
From dbf114e7cb395b2b506fb0e7404efebc1819aa26 Mon Sep 17 00:00:00 2001
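Review bot: The new rule's `title: Rename Mavinject Execution` should be `title: Renamed Mavinject Execution`, and the description is split into a sentence fragment; `description: Detects execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag` reads correctly. Because this file is the half of the split that the old rule's description used to cover, a `related:` entry pointing at the lolbin rule with `type: similar` (the pattern the sibling rules in this series use) would keep the two discoverable from each other.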
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Dec 2022 23:52:11 +0100
Subject: [PATCH 029/115] feat: add rules related to scheduled tasks
---
 .../win_security_disable_event_logging.yml | 4 +-
 ..._security_susp_scheduled_task_creation.yml | 60 +++++++++++++++++++
 ...in_security_susp_scheduled_task_delete.yml | 41 +++++++++++++
 ...in_security_susp_scheduled_task_update.yml | 60 +++++++++++++++++++
 .../win_rare_schtask_creation.yml | 1 +
 ...win_task_scheduler_susp_task_locations.yml | 35 +++++++++++
 ...proc_creation_win_susp_schtasks_delete.yml | 2 +-
 7 files changed, 200 insertions(+), 3 deletions(-)
 create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
 create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
 create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
 create mode 100644 rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml
index f088c7d46..6b3e4985b 100644
--- a/rules/windows/builtin/security/win_security_disable_event_logging.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_logging.yml
@@ -7,7 +7,7 @@ description: |
 Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
 references:
- - https://bit.ly/WinLogsZero2Hero
+ - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 author: '@neu5ron'
 date: 2017/11/19
 modified: 2021/11/27
@@ -23,7 +23,7 @@ detection:
 EventID: 4719
 AuditPolicyChanges|contains:
 - '%%8448' # This is "Success removed"
- - '%%8450' # This is "Failure removed"
+ - '%%8450' # This is "Failure removed"
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
new file mode 100644
index 000000000..9678fc815
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -0,0 +1,60 @@
+title: Suspicious Scheduled Task Creation
+id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
+status: experimental
+description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags...etc
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection:
+ EventID: 4698
+ selection_paths:
+ TaskContent|contains:
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ - '\Users\Public\'
+ - '\WINDOWS\Temp\'
+ - 'C:\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet'
+ - 'C:\ProgramData\'
+ - 'C:\Perflogs\'
+ selection_commands:
+ TaskContent|contains:
+ - 'regsvr32'
+ - 'rundll32'
+ - 'cmd.exe'
+ - 'cmd'
+ - '/c '
+ - '/k '
+ - '/r '
+ - 'powershell'
+ - 'pwsh'
+ - 'mshta'
+ - 'wscript'
+ - 'cscript'
+ - 'certutil'
+ - 'bitsadmin'
+ - 'bash.exe'
+ - 'bash '
+ - 'scrcons'
+ - 'wmic '
+ - 'wmic.exe'
+ - 'forfiles'
+ - 'scriptrunner'
+ - 'hh.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
new file mode 100644
index 000000000..b19494759
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
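Review bot: `condition: all of selection_*` never includes the plain `selection` block that carries `EventID: 4698`, because the wildcard only covers names with the `selection_` prefix, so the event-id constraint in this new rule is silently dropped and only the two `TaskContent` keyword sets are evaluated. Rename the block to `selection_eid:` (the sibling win_security_susp_scheduled_task_update.yml in this same commit already does that) or write `condition: selection and all of selection_*`. The `selection_commands` list also carries entries that subsume each other (`'cmd'` covers `'cmd.exe'`, `'wmic '` and `'wmic.exe'`), which is harmless for matching but worth trimming so the list documents what it is actually looking for.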
@@ -0,0 +1,41 @@
+title: Important Scheduled Task Deleted/Disabled
+id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
+related:
+ - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+ type: similar
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+ type: similar
+status: experimental
+description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection:
+ EventID:
+ - 4699 # Task Deleted Event
+ - 4701 # Task Disabled Event
+ TaskName|contains:
+ # Add more important tasks>
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
new file mode 100644
index 000000000..6c487bf1b
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
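Review bot: The new rule's description misspells "scheduled" (`schdueled`), and the same misspelling is carried in the proc_creation_win_susp_schtasks_delete.yml description this commit edits later, so both should be fixed together: `description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities`. The placeholder comment in `TaskName|contains` has a stray `>`; `# Add more important tasks below` says the same thing. The `logsource.definition` mentions extracting the Command field from the embedded XML, which applies to the creation/update rules this was copied from but not to this rule, which only keys on `TaskName`; trimming that sentence avoids sending a reader to configure parsing they do not need.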
@@ -0,0 +1,60 @@
+title: Suspicious Scheduled Task Update
+id: 614cf376-6651-47c4-9dcc-6b9527f749f4
+status: experimental
+description: Detects update to a scheduled task event that contain suspicious keywords.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection_eid:
+ EventID: 4702
+ selection_paths:
+ TaskContentNew|contains:
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ - '\Users\Public\'
+ - '\WINDOWS\Temp\'
+ - 'C:\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet'
+ - 'C:\ProgramData\'
+ - 'C:\Perflogs\'
+ selection_commands:
+ TaskContentNew|contains:
+ - 'regsvr32'
+ - 'rundll32'
+ - 'cmd.exe'
+ - 'cmd'
+ - '/c '
+ - '/k '
+ - '/r '
+ - 'powershell'
+ - 'pwsh'
+ - 'mshta'
+ - 'wscript'
+ - 'cscript'
+ - 'certutil'
+ - 'bitsadmin'
+ - 'bash.exe'
+ - 'bash '
+ - 'scrcons'
+ - 'wmic '
+ - 'wmic.exe'
+ - 'forfiles'
+ - 'scriptrunner'
+ - 'hh.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
index a3e475175..c614618fc 100644
--- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
+++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
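Review bot: This new rule matches `EventID: 4702` (task updated) but its only reference is the documentation page for event 4698 (task created), evidently carried over from the creation rule; the corresponding page, `https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4702`, is the one an analyst triaging an alert from this rule needs. The description also does not parse as written; `description: Detects updates to a scheduled task whose new definition contains suspicious paths or command keywords` states what the two `TaskContentNew|contains` selections actually test. Since the path and keyword lists are byte-for-byte the same as in win_security_susp_scheduled_task_creation.yml, a `related:` entry with `type: similar` pointing at that rule's id would make it clear the two are meant to be kept in sync.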
@@ -12,6 +12,7 @@ tags: logsource: product: windows service: taskscheduler + definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work detection: selection: EventID: 106 diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml new file mode 100644 index 000000000..57ef589c5 --- /dev/null +++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml @@ -0,0 +1,35 @@ +title: Suspicious Scheduled Tasks Locations +id: 424273ea-7cf8-43a6-b712-375f925e481f +status: test +description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: taskscheduler + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' +detection: + selection: + EventID: 129 # Created Task Process + Path|contains: + - 'C:\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Users\Public\' + - 'C:\Temp\' + # Add more suspicious LOLBINs below + - 'C:\Windows\System32\calc.exe' + - 'C:\Windows\System32\regsvr32.exe' + - 'C:\Windows\System32\rundll32.exe' + # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it + #filter: + # TaskName: '\Exact\Task\Name' + # Path: 'Exact\Path' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml index 84bb696c4..18bf23836 100644 
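Review bot: The description of win_task_scheduler_susp_task_locations.yml has the typo `unusale` and an awkward clause; suggest `description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task`. The commented-out `#filter:` template ships placeholder values with nothing saying they are placeholders, so a line such as `# placeholders below: replace with the exact TaskName and Path observed in your environment before enabling` would stop someone uncommenting it as-is. The rule also has no `references` field, unlike the sibling security-log rules in this series, so a pointer to the Task Scheduler Operational event 129 documentation would help reviewers check the `Path` field name. The file is recreated verbatim in the squashed commit 037.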
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml @@ -4,7 +4,7 @@ related: - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 type: derived status: experimental -description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities references: - Internal Research author: Nasreddine Bencherchali From 4184d05e8074361fa06a73c0e2080772cb771bc1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 00:16:09 +0100 Subject: [PATCH 030/115] fix: escape special "?" character --- .../process_creation/proc_creation_win_susp_conhost.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 74aca0737..11935cf0d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -46,8 +46,9 @@ detection: Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: - - '\??\C:\WINDOWS\system32\conhost.exe 0x4' - - '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification) + - '\\?\?\C:\WINDOWS\system32\conhost.exe 0x4' + - '\\?\?\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' From 72bba4c8224280677105a77fd1c72a370e0119f0 Mon Sep 17 00:00:00 2001 
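Review bot: The escaping added to filter_image_conhost2 leaves the neighbouring `filter_image_git` value `'\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'` untouched, so the two filters now treat `?` differently — a literal in one, a single-character wildcard in the other; the wildcard still matches the literal string, so this is an inconsistency rather than a broken match, but it will confuse the next maintainer. If the comment's reasoning holds, the git filter should be escaped the same way as the lines above it. The comment itself reads `as they considered special characters`; `as they are considered special characters` is what is meant. The same hunk is rewritten again in commit 034 (doubling every backslash) and in the squash in commit 037, and the git filter is still unescaped in both.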
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 00:37:07 +0100 Subject: [PATCH 031/115] fix: update rule to be more generic --- .../registry_event_persistence_recycle_bin.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml index c60319ecb..337c3cd4e 100644 --- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml +++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -4,8 +4,11 @@ status: experimental description: Detects persistence registry keys for Recycle Bin references: - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf + - https://persistence-info.github.io/Data/recyclebin.html + - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ author: frack113 date: 2021/11/18 +modified: 2022/12/06 tags: - attack.persistence - attack.t1547 @@ -15,10 +18,10 @@ logsource: detection: selection_create: EventType: RenameKey - NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open + NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open' selection_set: EventType: SetValue - TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) + TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)' condition: 1 of selection_* falsepositives: - Unknown From c541d52d44c77595d423fe92dca4fc9a41f4e68c Mon Sep 17 00:00:00 2001 
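Review bot: The switch from an exact `HKCR\CLSID\...` key to `NewName|contains` / `TargetObject|contains` in registry_event_persistence_recycle_bin.yml is not explained anywhere in the rule, and the commit subject "more generic" does not say why the hive prefix was dropped. A short comment on the selection, e.g. `# "contains" so the key matches regardless of the hive prefix the event source reports (HKCR vs HKLM\SOFTWARE\Classes, HKU\...\Classes)`, would keep someone from tightening it back later. Note that `contains` on `\shell\open` also matches renames of deeper keys such as `\shell\open\command`, which is presumably intended. The hunk reappears in the squashed commit 037.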
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 01:32:46 +0100 Subject: [PATCH 032/115] fix: update mitre tags and `OriginalFileName` --- .../proc_creation_win_lolbin_wlrmdr.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml index 3fbfaedfd..f8610ea4c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml @@ -6,15 +6,18 @@ references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ author: frack113 date: 2022/02/16 -modified: 2022/11/09 +modified: 2022/12/06 tags: - attack.defense_evasion + - attack.t1218 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\wlrmdr.exe' + selection_img: + - Image|endswith: '\wlrmdr.exe' + - OriginalFileName: 'WLRMNDR.EXE' + selection_cli: CommandLine|contains|all: - '-s ' - '-f ' @@ -26,7 +29,7 @@ detection: ParentImage: 'C:\Windows\System32\winlogon.exe' filter_null: ParentImage: '-' - condition: selection and not 1 of filter* + condition: all of selection_* and not 1 of filter* falsepositives: - Unknown level: medium From f673ac923575e20c2c358baa0cabf12b860806eb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 01:41:18 +0100 Subject: [PATCH 033/115] feat: add parent selection --- .../proc_creation_win_lolbin_wlrmdr.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml index f8610ea4c..9849fbac3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml 
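Review bot: In proc_creation_win_lolbin_wlrmdr.yml the new `OriginalFileName: 'WLRMNDR.EXE'` is spelled differently from the image name `\wlrmdr.exe` (extra N), and nothing in the rule says this is deliberate. If that is the name embedded in the binary's version resource, add `# OriginalFileName as embedded in the PE differs from the on-disk name` beside it so it is not "corrected" later; if it is a typo, a renamed binary would go unmatched through this branch. The same change is carried into commit 033 and into the squash in commit 037.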
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml @@ -4,7 +4,7 @@ status: experimental description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ -author: frack113 +author: frack113, manasmbellani date: 2022/02/16 modified: 2022/12/06 tags: @@ -14,22 +14,25 @@ logsource: category: process_creation product: windows detection: - selection_img: + selection_child_img: - Image|endswith: '\wlrmdr.exe' - OriginalFileName: 'WLRMNDR.EXE' - selection_cli: + selection_child_cli: CommandLine|contains|all: + # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced) - '-s ' - '-f ' - '-t ' - '-m ' - '-a ' - '-u ' + selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag + ParentImage|endswith: '\wlrmdr.exe' filter: ParentImage: 'C:\Windows\System32\winlogon.exe' filter_null: ParentImage: '-' - condition: all of selection_* and not 1 of filter* + condition: selection_parent or (all of selection_child_* and not 1 of filter*) falsepositives: - Unknown level: medium From 96574466473d3c62eeb1dc459004658440033ad2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 10:53:57 +0100 Subject: [PATCH 034/115] fix: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../security/win_security_susp_scheduled_task_creation.yml | 2 +- .../taskscheduler/win_task_scheduler_susp_task_locations.yml | 2 +- .../process_creation/proc_creation_win_susp_conhost.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
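Review bot: The comment on `selection_parent` says it looks for processes spawned from wlrmdr "using the -u flag", but the selection only checks `ParentImage|endswith: '\wlrmdr.exe'` and cannot see the parent's command line, so the comment overstates what is matched. Suggest `# Any child of wlrmdr.exe; a ShellExecute via the -u flag is the expected cause of such a child, but the flag itself is not checked here`. The same hunk appears in the squash in commit 037.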
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml index 9678fc815..0351da356 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml @@ -1,7 +1,7 @@ title: Suspicious Scheduled Task Creation id: 3a734d25-df5c-4b99-8034-af1ddb5883a4 status: experimental -description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags...etc +description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc. references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 author: Nasreddine Bencherchali diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml index 57ef589c5..3a4008f9c 100644 --- a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml +++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml @@ -1,6 +1,6 @@ title: Suspicious Scheduled Tasks Locations id: 424273ea-7cf8-43a6-b712-375f925e481f -status: test +status: experimental description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task author: Nasreddine Bencherchali date: 2022/12/05 diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 11935cf0d..9fc6350aa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml 
@@ -47,8 +47,8 @@ detection: filter_image_conhost2: ParentCommandLine: # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification) - - '\\?\?\C:\WINDOWS\system32\conhost.exe 0x4' - - '\\?\?\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' From 1c5e4371e7f98eaa7abd690292d9f688b9f29e5e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 10:56:06 +0100 Subject: [PATCH 035/115] fix: add missing modified date --- .../windows/process_creation/proc_creation_win_susp_conhost.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index 9fc6350aa..fe79e160d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/11/08 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1202 From 4b82b00ae95af48a4eec39efa3946fa1eaf39264 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 6 Dec 2022 12:12:43 +0100 Subject: [PATCH 036/115] Sysmoneop CMd shell (#3760) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_susp_cmd.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_cmd.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
new file mode 100644
index 000000000..0878576b8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -0,0 +1,35 @@
+title: Suspicious Elevated System Shell
+id: 178e615d-e666-498b-9630-9ed363038101
+status: experimental
+description: Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.
+references:
+ - https://github.com/Wh04m1001/SysmonEoP
+author: frack113
+date: 2022/12/05
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_shell:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\cmd.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - 'Cmd.Exe'
+ selection_user:
+ User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ LogonId: '0x3e7'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
From 42b99b165dd8ba35ed4305d2729c24b27c4c8462 Mon Sep 17 00:00:00 2001
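Review bot: The new proc_creation_win_susp_cmd.yml fires on any cmd.exe/powershell.exe/pwsh.exe started in the SYSTEM logon session (`LogonId: '0x3e7'`), and `falsepositives: Unknown` at `level: high` is likely to be noisy on fleets where scheduled tasks, services and management agents routinely spawn cmd.exe as SYSTEM. Before merging, list the expected benign parents under `falsepositives` or add a `filter_parent` on known service images, and document the magic value inline: `LogonId: '0x3e7' # 999, the well-known SYSTEM logon session`. The `# covers many language settings` comment would be clearer as `# 'AUTHORI'/'AUTORI' match NT AUTHORITY and its localised forms (e.g. AUTORITE NT)`.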
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 12:13:20 +0100 Subject: [PATCH 037/115] feat: new rules and fixes (#3759) Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../win_security_disable_event_logging.yml | 4 +- ..._security_susp_scheduled_task_creation.yml | 60 +++++++++++++++++++ ...in_security_susp_scheduled_task_delete.yml | 41 +++++++++++++ ...in_security_susp_scheduled_task_update.yml | 60 +++++++++++++++++++ .../win_rare_schtask_creation.yml | 1 + ...win_task_scheduler_susp_task_locations.yml | 35 +++++++++++ ...in_lolbin_mavinject_process_injection.yml} | 27 +++------ .../proc_creation_win_lolbin_wlrmdr.yml | 16 +++-- .../proc_creation_win_renamed_mavinject.yml | 36 +++++++++++ .../proc_creation_win_susp_conhost.yml | 7 ++- ...proc_creation_win_susp_schtasks_delete.yml | 2 +- ...registry_event_persistence_recycle_bin.yml | 7 ++- 12 files changed, 265 insertions(+), 31 deletions(-) create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml create mode 100644 rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml rename rules/windows/process_creation/{proc_creation_win_creation_mavinject_process_injection.yml => proc_creation_win_lolbin_mavinject_process_injection.yml} (68%) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml index f088c7d46..6b3e4985b 100644 --- a/rules/windows/builtin/security/win_security_disable_event_logging.yml +++ b/rules/windows/builtin/security/win_security_disable_event_logging.yml 
@@ -7,7 +7,7 @@ description: | Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways. references: - - https://bit.ly/WinLogsZero2Hero + - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit author: '@neu5ron' date: 2017/11/19 modified: 2021/11/27 @@ -23,7 +23,7 @@ detection: EventID: 4719 AuditPolicyChanges|contains: - '%%8448' # This is "Success removed" - - '%%8450' # This is "Failure removed" + - '%%8450' # This is "Failure removed" condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml new file mode 100644 index 000000000..0351da356 --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml 
@@ -0,0 +1,60 @@ +title: Suspicious Scheduled Task Creation +id: 3a734d25-df5c-4b99-8034-af1ddb5883a4 +status: experimental +description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: 4698 + selection_paths: + TaskContent|contains: + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - 'C:\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Temporary Internet' + - 'C:\ProgramData\' + - 'C:\Perflogs\' + selection_commands: + TaskContent|contains: + - 'regsvr32' + - 'rundll32' + - 'cmd.exe' + - 'cmd' + - '/c ' + - '/k ' + - '/r ' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'wscript' + - 'cscript' + - 'certutil' + - 'bitsadmin' + - 'bash.exe' + - 'bash ' + - 'scrcons' + - 'wmic ' + - 'wmic.exe' + - 'forfiles' + - 'scriptrunner' + - 'hh.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml new file mode 100644 index 000000000..b19494759 --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml 
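Review bot: In win_security_susp_scheduled_task_creation.yml the EventID selection is named `selection`, but the condition is `all of selection_*`; that wildcard only matches identifiers beginning with `selection_`, so `selection` (and with it `EventID: 4698`) is not part of the condition and the rule will match the keyword selections on any Security event that carries a TaskContent field. The sibling update rule in this same commit names it `selection_eid`, so rename here for consistency: `selection_eid:` / `EventID: 4698` with the condition unchanged. As in the update rule, the bare `'cmd'` keyword is redundant with `'cmd.exe'` and over-broad.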
@@ -0,0 +1,41 @@ +title: Important Scheduled Task Deleted/Disabled +id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad +related: + - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 + type: similar + - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 + type: similar +status: experimental +description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: + - 4699 # Task Deleted Event + - 4701 # Task Disabled Event + TaskName|contains: + # Add more important tasks> + - '\Windows\SystemRestore\SR' + - '\Windows\Windows Defender\' + - '\Windows\BitLocker' + - '\Windows\WindowsBackup\' + - '\Windows\WindowsUpdate\' + - '\Windows\UpdateOrchestrator\' + - '\Windows\ExploitGuard' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml new file mode 100644 index 000000000..6c487bf1b --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml 
@@ -0,0 +1,60 @@ +title: Suspicious Scheduled Task Update +id: 614cf376-6651-47c4-9dcc-6b9527f749f4 +status: experimental +description: Detects update to a scheduled task event that contain suspicious keywords. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection_eid: + EventID: 4702 + selection_paths: + TaskContentNew|contains: + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - 'C:\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Temporary Internet' + - 'C:\ProgramData\' + - 'C:\Perflogs\' + selection_commands: + TaskContentNew|contains: + - 'regsvr32' + - 'rundll32' + - 'cmd.exe' + - 'cmd' + - '/c ' + - '/k ' + - '/r ' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'wscript' + - 'cscript' + - 'certutil' + - 'bitsadmin' + - 'bash.exe' + - 'bash ' + - 'scrcons' + - 'wmic ' + - 'wmic.exe' + - 'forfiles' + - 'scriptrunner' + - 'hh.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml index a3e475175..c614618fc 100644 --- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml +++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml 
@@ -12,6 +12,7 @@ tags: logsource: product: windows service: taskscheduler + definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work detection: selection: EventID: 106 diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml new file mode 100644 index 000000000..3a4008f9c --- /dev/null +++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml @@ -0,0 +1,35 @@ +title: Suspicious Scheduled Tasks Locations +id: 424273ea-7cf8-43a6-b712-375f925e481f +status: experimental +description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: taskscheduler + definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' +detection: + selection: + EventID: 129 # Created Task Process + Path|contains: + - 'C:\Windows\Temp\' + - '\AppData\Local\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Users\Public\' + - 'C:\Temp\' + # Add more suspicious LOLBINs below + - 'C:\Windows\System32\calc.exe' + - 'C:\Windows\System32\regsvr32.exe' + - 'C:\Windows\System32\rundll32.exe' + # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it + #filter: + # TaskName: '\Exact\Task\Name' + # Path: 'Exact\Path' + condition: selection +falsepositives: + - Unknown +level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml similarity index 68% rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml index 1754f8f63..2229928fb 100644 --- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml @@ -4,7 +4,7 @@ related: - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8 type: obsoletes status: experimental -description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool +description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md @@ -12,9 +12,11 @@ references: - https://twitter.com/gN3mes1s/status/941315826107510784 - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet + - https://github.com/SigmaHQ/sigma/issues/3742 + - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection author: frack113, Florian Roth date: 2021/07/12 -modified: 2022/09/07 +modified: 2022/12/05 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -24,22 +26,11 @@ logsource: category: process_creation product: windows detection: - selection_flag: + selection: CommandLine|contains: ' /INJECTRUNNING ' - selection_renamed: - OriginalFileName: - - 'mavinject32.exe' - - 'mavinject64.exe' - filter_renamed: - Image|endswith: - - '\mavinject32.exe' - - '\mavinject64.exe' - condition: selection_flag or (selection_renamed and not filter_renamed) -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine + filter: + ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject" + condition: selection and not filter falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml index 3fbfaedfd..9849fbac3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml 
@@ -4,29 +4,35 @@ status: experimental description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute references: - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ -author: frack113 +author: frack113, manasmbellani date: 2022/02/16 -modified: 2022/11/09 +modified: 2022/12/06 tags: - attack.defense_evasion + - attack.t1218 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\wlrmdr.exe' + selection_child_img: + - Image|endswith: '\wlrmdr.exe' + - OriginalFileName: 'WLRMNDR.EXE' + selection_child_cli: CommandLine|contains|all: + # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced) - '-s ' - '-f ' - '-t ' - '-m ' - '-a ' - '-u ' + selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag + ParentImage|endswith: '\wlrmdr.exe' filter: ParentImage: 'C:\Windows\System32\winlogon.exe' filter_null: ParentImage: '-' - condition: selection and not 1 of filter* + condition: selection_parent or (all of selection_child_* and not 1 of filter*) falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml new file mode 100644 index 000000000..cc6c21e46 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml 
@@ -0,0 +1,36 @@
+title: Rename Mavinject Execution
+id: e6474a1b-5390-49cd-ab41-8d88655f7394
+status: experimental
+description: Detects execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
+ - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/SigmaHQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
+author: frack113, Florian Roth
+date: 2022/12/05
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055.001
+ - attack.t1218.013
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName:
+ - 'mavinject32.exe'
+ - 'mavinject64.exe'
+ filter:
+ Image|endswith:
+ - '\mavinject32.exe'
+ - '\mavinject64.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 74aca0737..fe79e160d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
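Review bot: In proc_creation_win_renamed_mavinject.yml the filter only accepts images ending in `\mavinject32.exe` and `\mavinject64.exe`, but the copy that ships in System32 is, as far as I know, named `mavinject.exe` while carrying one of those two OriginalFileName values; if that is right, every legitimate App-V launch of it would be reported as a rename. Please verify on a stock host and, if confirmed, add `- '\mavinject.exe'` to the `Image|endswith` filter list. The title `Rename Mavinject Execution` should read `Renamed Mavinject Execution`, matching the description.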
@@ -6,7 +6,7 @@ references:
 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 author: omkar72
 date: 2020/10/25
-modified: 2022/11/08
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1202
@@ -46,8 +46,9 @@ detection:
 Image: 'C:\Windows\System32\conhost.exe'
 filter_image_conhost2:
 ParentCommandLine:
- - '\??\C:\WINDOWS\system32\conhost.exe 0x4'
- - '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
+ # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification)
+ - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'
+ - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'
 Image: 'C:\Windows\System32\conhost.exe'
 filter_image_git:
 ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
index 84bb696c4..18bf23836 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
@@ -4,7 +4,7 @@ related:
 - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 type: derived
 status: experimental
-description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities
 references:
 - Internal Research
 author: Nasreddine Bencherchali
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index c60319ecb..337c3cd4e 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
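Review bot: The escaping applied to `filter_image_conhost2` is not applied to the `filter_image_git` context line at the end of the hunk, which still reads `ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'`; by the reasoning in the new comment, the unescaped `?` is a single-character wildcard there too, so that filter does not match the literal string and git.exe launches keep alerting. Escape it the same way: `ParentCommandLine: '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'`. The new comment would also read better as `# The "?" must be escaped because it is a single-character wildcard in Sigma (https://github.com/SigmaHQ/sigma-specification)`.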
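Review bot: The rewritten description still carries the typo `schdueled`; since the line is being touched anyway, fix it in the same change: `description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities`. The `modified` field is outside this hunk, so it is not visible here whether it was bumped alongside the wording change.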
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -4,8 +4,11 @@ status: experimental
 description: Detects persistence registry keys for Recycle Bin
 references:
 - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
+ - https://persistence-info.github.io/Data/recyclebin.html
+ - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
 author: frack113
 date: 2021/11/18
+modified: 2022/12/06
 tags:
 - attack.persistence
 - attack.t1547
@@ -15,10 +18,10 @@ logsource:
 detection:
 selection_create:
 EventType: RenameKey
- NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open
+ NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
 selection_set:
 EventType: SetValue
- TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
+ TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
From 8fa8a7355141b525f5764ad5ff86caf6afc641c7 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Tue, 6 Dec 2022 23:10:58 +1100
Subject: [PATCH 038/115] Updated proc_creation_win_iis_service_account_password_dumped.yml (#3682)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 ...in_iis_service_account_password_dumped.yml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index 564767cb2..2616aca73 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -4,8 +4,11 @@ status: experimental
 description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
-author: Tim Rauch
-date: 2022/09/28
+ - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
+ - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
+author: Tim Rauch, Janantha Marasinghe
+date: 2022/11/08
+modified: 2022/12/06
 tags:
 - attack.credential_access
 - attack.t1003
@@ -17,14 +20,14 @@ detection:
 - Image|endswith: '\appcmd.exe'
 - OriginalFilename: 'appcmd.exe'
 selection_list:
+ CommandLine|contains: 'list '
+ selection_cmd:
 CommandLine|contains:
- - ' /list '
- - ' list '
- selection_all:
- CommandLine|contains|all:
+ - ' /@t' # Covers both "/@text:*" and "/@t:*"
 - ' /text'
- - ' password'
- condition: all of selection*
+ - ' /show'
+ - ' /config'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
From 850d4fcd50d051fbcd21733be500ce2d9c460482 Mon Sep 17 00:00:00 2001
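Review bot: The `selection_img` context line at the top of the second hunk uses `OriginalFilename: 'appcmd.exe'`, whereas the process-creation field is `OriginalFileName` (the spelling used elsewhere on this page, e.g. `OriginalFileName: 'WLRMNDR.EXE'`); because `selection_img` is a list (OR), the `Image|endswith` branch still works but the renamed-binary branch can never match. Change it to `- OriginalFileName: 'appcmd.exe'`. The `selection_img:` key itself starts before the hunk, and this misspelling is not one of the pairs the typos test in tests/test_rules.py checks, so nothing would have flagged it.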
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 00:20:56 +0100
Subject: [PATCH 039/115] feat: update windefend rules
---
 .../windefend/win_defender_amsi_trigger.yml | 2 +-
 .../windefend/win_defender_disabled.yml | 14 +++---
 .../windefend/win_defender_exclusions.yml | 10 ++---
 .../win_defender_exploit_guard_tamper.yml | 15 ++++---
 .../windefend/win_defender_history_delete.yml | 7 ++--
 .../win_defender_restored_quarantine_file.yml | 21 ++++++++++
 ...defender_suspicious_features_tampering.yml | 38 +++++++++++++++++++
 ...win_defender_tamper_protection_trigger.yml | 20 +++++++--
 .../builtin/windefend/win_defender_threat.yml | 8 ++--
 9 files changed, 101 insertions(+), 34 deletions(-)
 create mode 100644 rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
 create mode 100644 rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
index 9f80f5e71..1f80579fe 100644
--- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml
@@ -15,7 +15,7 @@ logsource:
 service: windefend
 detection:
 selection:
- EventID: 1116
+ EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software.
 Source_Name: 'AMSI'
 condition: selection
 falsepositives:
diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml
index 7791cd210..432ddf5d0 100644
--- a/rules/windows/builtin/windefend/win_defender_disabled.yml
+++ b/rules/windows/builtin/windefend/win_defender_disabled.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Ján Trenčanský, frack113
 date: 2020/07/28
-modified: 2022/05/06
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -17,11 +17,11 @@ logsource:
 detection:
 selection:
 EventID:
- - 5001
- - 5010
- - 5012
- - 5101
+ - 5001 # Real-time protection is disabled.
+ - 5010 # Scanning for malware and other potentially unwanted software is disabled.
+ - 5012 # Scanning for viruses is disabled.
+ - 5101 # The antimalware platform is expired.
 condition: selection
 falsepositives:
- - Administrator actions
-level: low
+ - Administrator actions (should be investigated)
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml
index 37b8c1c4d..580404ce4 100644
--- a/rules/windows/builtin/windefend/win_defender_exclusions.yml
+++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/_nullbind/status/1204923340810543109
 author: Christian Burkard
 date: 2021/07/06
-modified: 2022/02/02
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -14,10 +14,10 @@ logsource:
 product: windows
 service: windefend
 detection:
- selection1:
- EventID: 5007
- NewValue|contains: '\Microsoft\Windows Defender\Exclusions'
- condition: selection1
+ selection:
+ EventID: 5007 # The antimalware platform configuration changed.
+ New_Value|contains: '\Microsoft\Windows Defender\Exclusions'
+ condition: selection
 falsepositives:
 - Administrator actions
 level: medium
diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
index 4840c3746..c2924356e 100644
--- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
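Review bot: Raising this rule from `low` to `high` while the only listed false positive remains "Administrator actions" will be noisy on fleets that run a third-party antivirus or EDR: Defender Antivirus typically disables itself (and logs 5001/5010-style events) when another product registers with Windows Security Center, which is routine and not tampering. Add that case under `falsepositives`, e.g. `- Third-party antivirus or EDR installation, which causes Defender to disable itself`, so analysts triaging a `high` know to check for it, or keep `medium` until such events are filtered. The `# The antimalware platform is expired.` comment on 5101 is also a different kind of condition from the three "disabled" events above it and may deserve its own false-positive line.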
+++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml
@@ -6,18 +6,19 @@ references:
 - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
 author: Nasreddine Bencherchali
 date: 2022/08/05
+modified: 2022/12/06
 tags:
- - attack.execution
- - attack.t1059
+ - attack.defense_evasion
+ - attack.t1562.001
 logsource:
 product: windows
 service: windefend
 detection:
 allowed_apps_key:
- EventID: 5007
- NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
+ EventID: 5007 # The antimalware platform configuration changed.
+ New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\'
 allowed_apps_path:
- NewValue|contains:
+ New_Value|contains:
 # Add more paths you don't allow in your org
 - '\Users\Public\'
 - '\AppData\Local\Temp\'
@@ -25,9 +26,9 @@ detection:
 - '\PerfLogs\'
 - '\Windows\Temp\'
 protected_folders:
- EventID: 5007
+ EventID: 5007 # The antimalware platform configuration changed.
 # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths
- OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
+ Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\'
 condition: all of allowed_apps* or protected_fol

ders
 falsepositives:
 - Unlikely
diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml
index 0cfba55f8..8a0b8629b 100644
--- a/rules/windows/builtin/windefend/win_defender_history_delete.yml
+++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml
@@ -4,23 +4,22 @@ status: test
 description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus
+ - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
 author: Cian Heasley
 date: 2020/08/13
 modified: 2022/10/09
 tags:
 - attack.defense_evasion
- - attack.t1070.001
 logsource:
 product: windows
 service: windefend
 detection:
 selection:
- EventID: 1013
- EventType: 4
+ EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software.
 condition: selection
 fields:
 - EventID
 - EventType
 falsepositives:
 - Deletion of Defender malware detections history for legitimate reasons
-level: high
+level: low
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
new file mode 100644
index 000000000..d997b9ae7
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
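Review bot: `modified: 2022/10/09` is left untouched although this hunk changes the detection, the tags and the level (every other rule in this commit sets `modified: 2022/12/06`), and `fields:` still lists `EventType` even though the selection no longer references it. Dropping `attack.t1070.001` also leaves the rule with only a tactic tag; if a technique tag is wanted, the parent `attack.t1070` (Indicator Removal) still describes deleting detection history. Suggested lines: `modified: 2022/12/06` and, under `tags:`, `- attack.t1070`.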
@@ -0,0 +1,21 @@
+title: Win Defender Restored Quarantine File
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+status: experimental
+description: Detects the restoration of files from the defender quarantine
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 1009 # The antimalware platform restored an item from quarantine.
+ condition: selection
+falsepositives:
+ - Legitimate administrator activity restoring a file
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
new file mode 100644
index 000000000..49431e1f1
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -0,0 +1,38 @@
+title: Windows Defender Suspicious Configuration Changes
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+related:
+ - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ type: similar
+ - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
+ type: similar
+status: stable
+description: Detects suspicious changes to the windows defender configuration
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+ - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 5007 # The antimalware platform configuration changed.
+ New_Value|contains:
+ # TODO: Add more suspicious values
+ - '\Windows Defender\DisableAntiSpyware'
+ - '\Windows Defender\Features\TamperProtection'
+ - '\Windows Defender\Scan\DisableRemovableDriveScanning'
+ - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan'
+ - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen'
+ - '\Real-Time Protection\SpyNetReporting'
+ - '\Real-Time Protection\SubmitSamplesConsent'
+ # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
+ condition: selection
+falsepositives:
+ - Administrator activity (must be investigated)
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index 5c7202a37..887b9ac52 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
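Review bot: `status: stable` on a rule created in this very commit (`date: 2022/12/06`, no `modified`) is inconsistent with the sibling new rule in the same commit, which starts as `status: experimental`; new rules have not yet had the field-testing that "stable" implies, so this should be `status: experimental` as well. Separately, `'\Real-Time Protection\SpyNetReporting'` and `'\Real-Time Protection\SubmitSamplesConsent'` are placed under a different key than the `'\Windows Defender\SpyNet\DisableBlockAtFirstSeen'` entry just above them; if Defender reports the SpyNet settings under `\SpyNet\` in event 5007 (which that entry suggests), these two strings never match and should read `'\Windows Defender\SpyNet\SpyNetReporting'` and `'\Windows Defender\SpyNet\SubmitSamplesConsent'` — confirm against a captured 5007 event before changing.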
@@ -1,11 +1,13 @@
 title: Microsoft Defender Tamper Protection Trigger
 id: 49e5bc24-8b86-49f1-b743-535f332c2856
 status: stable
-description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
+description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
 references:
 - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection
-author: Bhabesh Raj
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Bhabesh Raj, Nasreddine Bencherchali
 date: 2021/07/05
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -14,11 +16,17 @@ logsource:
 service: windefend
 detection:
 selection:
- EventID: 5013
+ EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
 Value|endswith:
- - '\Windows Defender\DisableAntiSpyware = 0x1()'
- - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)'
+ - '\Windows Defender\DisableAntiSpyware'
+ - '\Windows Defender\DisableAntiVirus'
+ - '\Windows Defender\Scan\DisableArchiveScanning'
+ - '\Windows Defender\Scan\DisableScanningNetworkFiles'
+ - '\Real-Time Protection\DisableRealtimeMonitoring'
+ - '\Real-Time Protection\DisableBehaviorMonitoring'
+ - '\Real-Time Protection\DisableIOAVProtection'
+ - '\Real-Time Protection\DisableScriptScanning'
 condition: selection
 falsepositives:
- - Administrator actions
+ - Administrator might try to disable defender features during testing (must be investigated)
 level: high
diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml
index e2bdd262e..4e917229c 100644
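Review bot: The new `Value|endswith` list drops the ` = 0x1()` / ` = (Current)` suffixes that the two removed lines show the field carrying, but keeps the `endswith` modifier; if a 5013 event's `Value` still ends with such a suffix, none of the eight new strings is a suffix of it and the rule goes silent. Change the modifier to `Value|contains:` so the setting name is matched wherever it sits in the field, or keep `endswith` only after a captured 5013 event confirms the field ends with the bare setting name. The long inline comment on `EventID: 5013` would read more cleanly as two `#` lines above the key than as a trailing comment.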
--- a/rules/windows/builtin/windefend/win_defender_threat.yml
+++ b/rules/windows/builtin/windefend/win_defender_threat.yml
@@ -15,10 +15,10 @@ logsource:
 detection:
 selection:
 EventID:
- - 1006
- - 1116
- - 1015
- - 1117
+ - 1006 # The antimalware engine found malware or other potentially unwanted software.
+ - 1116 # The antimalware platform detected malware or other potentially unwanted software.
+ - 1015 # The antimalware platform detected suspicious behavior.
+ - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
 condition: selection
 falsepositives:
 - Unlikely
From 0d3cb5226691ec196f0f1fd67898000535edffa8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 01:04:25 +0100
Subject: [PATCH 040/115] feat: enhance typos test
---
 tests/test_rules.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 5d88c97e9..452028809 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
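Review bot: The comment added to the `1117` entry is missing its first letter (`# he antimalware platform performed ...`). It should read `- 1117 # The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.` so it matches the wording of the three comments above it.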
@@ -907,12 +907,21 @@ class TestRules(unittest.TestCase):
 typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
+ # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases
+ # We check first the logsource to handle special cases
+ logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ # The current special cases are:
+ # - 'windefend'
+ if "windefend" in logsource.values():
+ typos_ = typos + [("NewValue", "New_Value"), ("OldValue", "Old_Value")]
+ else:
+ typos_ = typos
 detection = self.get_rule_part(file_path=file, part_name="detection")
 if detection:
 for search_identifier in detection:
 if isinstance(detection[search_identifier], dict):
 for field in detection[search_identifier]:
- for typo in typos:
+ for typo in typos_:
 if typo[0] in field:
 print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field))
 faulty_rules.append(file)
From a7bfb349eee1daf6565033376dc4cdb11513ade0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 02:25:52 +0100
Subject: [PATCH 041/115] fix: fix fp found in testing
---
 .../win_security_user_driver_loaded.yml | 20 ++++++++++---------
 .../registry_set_susp_service_installed.yml | 7 +++++--
 2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 510820c61..32dd4b9af 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
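Review bot: `logsource.values()` raises `AttributeError` when `get_rule_part` returns a falsy value for a rule file without a `logsource` block, whereas the `detection` lookup two lines below is guarded with `if detection:`; the new branch needs the same defensive default, e.g. `logsource = self.get_rule_part(file_path=file, part_name="logsource") or {}`. Testing `"windefend" in logsource.values()` also matches the string under any key (`product`, `category`), so `if logsource.get("service") == "windefend":` states the intent more precisely and avoids accidental matches. The first comment should read `# Some fields exist in certain log sources in a different form than in others; handle these as special cases`. The enclosing test method starts before this hunk.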
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -13,7 +13,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
-modified: 2021/11/30
+modified: 2022/12/07
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -27,14 +27,16 @@ detection:
 PrivilegeList: 'SeLoadDriverPrivilege'
 Service: '-'
 filter:
- ProcessName|endswith:
- - '\Windows\System32\Dism.exe'
- - '\Windows\System32\rundll32.exe'
- - '\Windows\System32\fltMC.exe'
- - '\Windows\HelpPane.exe'
- - '\Windows\System32\mmc.exe'
- - '\Windows\System32\svchost.exe'
- - '\Windows\System32\wimserv.exe'
+ - ProcessName:
+ - 'C:\Windows\System32\Dism.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ - 'C:\Windows\System32\fltMC.exe'
+ - 'C:\Windows\HelpPane.exe'
+ - 'C:\Windows\System32\mmc.exe'
+ - 'C:\Windows\System32\svchost.exe'
+ - 'C:\Windows\System32\wimserv.exe'
+ - 'C:\Windows\System32\RuntimeBroker.exe'
+ - ProcessName|endswith:
 - '\procexp64.exe'
 - '\procexp.exe'
 - '\procmon64.exe'
diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
index ef1c0a2b7..3952c6ac1 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml
@@ -5,10 +5,10 @@ description: |
 Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
 Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
 references:
- - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
+ - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
-modified: 2022/11/22
+modified: 2022/12/07
 tags:
 - attack.t1562.001
 - attack.defense_evasion
@@ -23,10 +23,13 @@ detection:
 - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
 filter:
 Image|endswith:
+ # Please add the full paths that you use in your environment to tighten the rule
 - '\procexp64.exe'
 - '\procexp.exe'
 - '\procmon64.exe'
 - '\procmon.exe'
+ - '\handle.exe'
+ - '\handle64.exe'
 Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
 condition: selection and not filter
 falsepositives:
From a425ef65e5bd7e2602ee6fd6762dd8fb1065104f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 02:26:21 +0100
Subject: [PATCH 042/115] feat: update metadata and add more cases for rules
---
 ...urity_susp_codeintegrity_check_failure.yml | 2 +-
 .../file_event_win_susp_dropper.yml | 1 +
 .../proc_creation_win_chisel_usage.yml | 8 +++--
 .../proc_creation_win_sharp_chisel_usage.yml | 23 ++++---------
 ...add_renamed_sysinternals_eula_accepted.yml | 32 +++++++++++++------
 5 files changed, 35 insertions(+), 31 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
index 78d011da9..19f0bf9c4 100644
--- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
+++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml
@@ -1,7 +1,7 @@
 title: Failed Code Integrity Checks
 id: 470ec5fa-7b4e-4071-b200-4c753100f49b
 status: stable
-description: Code integrity failures may indicate tampered executables.
+description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries.
 author: Thomas Patzke
 date: 2019/12/03
 modified: 2020/08/23
diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
index 3f768d093..ae5f00683 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
@@ -80,5 +80,6 @@ detection:
 falsepositives:
 - Software installers
 - Update utilities
+ - 32bit applications launching their 64bit versions
 #Please contribute to FP to increase the level
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml
index 694b2775a..002083247 100644
--- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml
@@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu
 references:
 - https://github.com/jpillora/chisel/
 - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
+ - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
 author: Florian Roth
 date: 2022/09/13
+modified: 2022/12/07
 tags:
 - attack.command_and_control
 - attack.t1090.001
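Review bot: The new description line has two typos (`due unauthorized modification` → `due to unauthorized modification`, `a signe of` → `a sign of`), and the `modified: 2020/08/23` context line right below it was not bumped although the rule text changed, unlike the other rules in this commit, which set `modified: 2022/12/07`. Suggested lines: `description: Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.` and `modified: 2022/12/07`.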
@@ -25,11 +27,11 @@ detection:
 - 'exe server '
 selection_param2:
 CommandLine|contains:
- - ' --socks5'
- - ' --reverse'
+ - '-socks5'
+ - '-reverse'
 - ' r:'
 - ':127.0.0.1:'
- - ' --tls-skip-verify '
+ - '-tls-skip-verify '
 - ':socks'
 condition: selection_img or all of selection_param*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
index 012766883..ed5fe8397 100644
--- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
@@ -18,22 +18,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_1_img:
- Image|endswith: '\SharpChisel.exe'
- selection_1_pe:
- Product: 'SharpChisel'
- # Covered by Chisel Rule
- # selection_2_client_server:
- # CommandLine|contains:
- # - 'exe client '
- # - 'exe server '
- # selection_2_flags:
- # CommandLine|contains:
- # - ' --socks5'
- # - ' --reverse'
- # - ' r:'
- # - ':127.0.0.1:'
- condition: 1 of selection*
+ selection:
+ - Image|endswith: '\SharpChisel.exe'
+ - Product: 'SharpChisel'
+ # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
+ condition: selection
 falsepositives:
- - Some false positives may occure with other tools with similar commandlines
+ - Unlikely
 level: high
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
index 0bf48f7de..c0e5aab00 100644
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
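Review bot: `'-tls-skip-verify '` keeps its trailing space while the two other rewritten entries (`'-socks5'`, `'-reverse'`) drop theirs, so a command line that ends in `--tls-skip-verify` with nothing after it is missed by this entry alone. Drop the space for consistency: `- '-tls-skip-verify '` → `- '-tls-skip-verify'`. A one-line comment above the list such as `# Leading space removed so both single- and double-dash forms match` would also record why the anchoring changed, since the bare substrings are noticeably broader than the old ` --…` forms.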
@@ -6,11 +6,12 @@ related:
 - id: 8023f872-3f1d-4301-a384-801889917ab4
 type: similar
 status: experimental
-description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools
+description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools
 references:
 - Internal Research
 author: Nasreddine Bencherchali
 date: 2022/08/24
+modified: 2022/12/07
 tags:
 - attack.resource_development
 - attack.t1588.002
@@ -21,33 +22,44 @@ detection:
 selection:
 EventType: CreateKey
 TargetObject|contains:
- - '\PsExec'
- - '\ProcDump'
+ # Please add new values while respecting the alphabetical order
+ - '\Active Directory Explorer'
 - '\Handle'
 - '\LiveKd'
+ - '\ProcDump'
 - '\Process Explorer'
+ - '\PsExec'
+ - '\PsLoggedon'
 - '\PsLoglist'
 - '\PsPasswd'
- - '\Active Directory Explorer'
+ - '\PsPing'
+ - '\PsService'
 TargetObject|endswith: '\EulaAccepted'
 filter:
 Image|endswith:
- - '\PsExec.exe'
- - '\PsExec64.exe'
- - '\procdump.exe'
- - '\procdump64.exe'
+ # Please add new values while respecting the alphabetical order
+ - '\ADExplorer.exe'
+ - '\ADExplorer64.exe'
 - '\handle.exe'
 - '\handle64.exe'
 - '\livekd.exe'
 - '\livekd64.exe'
+ - '\procdump.exe'
+ - '\procdump64.exe'
 - '\procexp.exe'
 - '\procexp64.exe'
+ - '\PsExec.exe'
+ - '\PsExec64.exe'
+ - '\PsLoggedon.exe'
+ - '\PsLoggedon64.exe'
 - '\psloglist.exe'
 - '\psloglist64.exe'
 - '\pspasswd.exe'
 - '\pspasswd64.exe'
- - '\ADExplorer.exe'
- - '\ADExplorer64.exe'
+ - '\PsPing.exe'
+ - '\PsPing64.exe'
+ - '\PsService.exe'
+ - '\PsService64.exe'
 condition: selection and not filter
 falsepositives:
 - Unlikely
From 899b1606f8165f4e303d45179fd8296f81167426 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 02:38:19 +0100
Subject: [PATCH 043/115] fix: duplicate id
---
 .../builtin/windefend/win_defender_restored_quarantine_file.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
index d997b9ae7..81aea09c4 100644
--- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
+++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml
@@ -1,5 +1,5 @@
 title: Win Defender Restored Quarantine File
-id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b
 status: experimental
 description: Detects the restoration of files from the defender quarantine
 references:
From 1d749cee54c6985ce8bf65731aacd3d1c9dc6652 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 02:44:31 +0100
Subject: [PATCH 044/115] fix: duplicate id
---
 .../windefend/win_defender_suspicious_features_tampering.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
index 49431e1f1..3f38a6d85 100644
--- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -1,5 +1,5 @@
 title: Windows Defender Suspicious Configuration Changes
-id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+id: 801bd44f-ceed-4eb6-887c-11544633c0aa
 related:
 - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
 type: similar
From b59566ad0f39ed76c36fcc26086c98dd49299106 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 11:52:38 +0100
Subject: [PATCH 045/115] fix: fix FP found in testing
---
 .../file/file_event/file_event_win_susp_dropper.yml | 7 ++++++-
 .../process_creation/proc_creation_win_susp_cmd.yml | 12 +++++++++---
 .../proc_creation_win_susp_conhost.yml | 11 +++++++----
 3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
index ae5f00683..c52e47eb5 100644
--- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml
@@ -6,7 +6,7 @@ references:
 - Malware Sandbox
 author: frack113
 date: 2022/03/09
-modified: 2022/11/08
+modified: 2022/12/07
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -76,6 +76,11 @@ detection:
 Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
 Image|endswith: '\mscorsvw.exe'
 TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
+ filter_vscode:
+ Image|startswith: 'C:\Users\'
+ Image|contains: '\AppData\Local\'
+ Image|endswith: '\Microsoft VS Code\Code.exe'
+ TargetFilename|contains: '\.vscode\extensions\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Software installers
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
index 0878576b8..5af183017 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 author: frack113
 date: 2022/12/05
+modified: 2022/12/07
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
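Review bot: `filter_vscode` is anchored only on user-profile path components (`C:\Users\` … `\AppData\Local\` … `\Microsoft VS Code\Code.exe`) plus a `TargetFilename` substring, which is a weaker anchor than the neighbouring `filter_` entries in this block that pin `C:\Windows\…` locations; that trade-off is worth stating next to the filter so nobody later assumes it identifies the signed product. Suggested comment above `filter_vscode:`: `# Per-user VS Code install writing its own extension cache; path-based only, not a signer check`. The `filter_` block that precedes the new entry starts before this hunk.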
@@ -16,11 +17,11 @@ logsource: category: process_creation detection: selection_shell: - - Image|endswith: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - '\cmd.exe' - - OriginalFileName: + - OriginalFileName: - 'PowerShell.EXE' - 'pwsh.dll' - 'Cmd.Exe' @@ -29,7 +30,12 @@ detection: - 'AUTHORI' - 'AUTORI' LogonId: '0x3e7' - condition: all of selection_* + filter_compattelrunner: + ParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun' + OriginalFileName: 'PowerShell.EXE' + CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host' + condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index fe79e160d..ea149ab69 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/12/06 +modified: 2022/12/07 tags: - attack.defense_evasion - attack.t1202 @@ -42,7 +42,9 @@ detection: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 Provider_Name: 'Microsoft-Windows-Kernel-Process' - ParentCommandLine|contains: ' cat-file -s ' + ParentCommandLine|contains: + - ' cat-file -s ' + - 'show --textconv' Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: 
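Review bot: In the conhost hunk (`@@ -42,7 +42,9`) the filter now also excludes any parent whose command line contains `'show --textconv'`, and unlike the sibling value `' cat-file -s '` the new string has no surrounding spaces and, within the visible lines, no `ParentImage` restriction to git.exe. A command-line substring is chosen by whoever starts the parent process, so an exclusion keyed on it alone widens the gap well beyond the git false positive it is meant to cover; the head of this filter is outside the hunk, so if a `ParentImage` key already exists there this is moot. If it does not, adding `ParentImage|endswith: '\git.exe'` to the filter, or at least padding the value as `' show --textconv '` like the existing entry, keeps the exclusion tied to the documented FP.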
@@ -51,9 +53,10 @@ detection: - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: - ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + ParentCommandLine: + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' Image: 'C:\Program Files\Git\mingw64\bin\git.exe' - CommandLine|contains: 'show --textconv :' condition: selection and not 1 of filter_* fields: - Image From 9a5a0fed207f4a5e3b2c03ed3a55ebdba7ed7211 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:21:05 +0100 Subject: [PATCH 046/115] feat: update test to include more cases --- .../builtin/windefend/win_defender_amsi_trigger.yml | 4 ++-- .../builtin/windefend/win_defender_exclusions.yml | 2 +- .../windefend/win_defender_exploit_guard_tamper.yml | 6 +++--- .../win_defender_suspicious_features_tampering.yml | 2 +- tests/test_rules.py | 13 ++++++++----- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 1f80579fe..1c18c99c1 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps author: Bhabesh Raj date: 2020/09/14 -modified: 2021/10/13 +modified: 2022/12/07 tags: - attack.execution - attack.t1059 @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. - Source_Name: 'AMSI' + SourceName: 'AMSI' condition: selection falsepositives: - Unlikely 
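Review bot: The two new `ParentCommandLine` list items in filter_image_git lack the opening single quote (`- \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'`), while the context line just above for filter_image_conhost2 carries it. As shown, YAML reads them as plain scalars, so the trailing `'` becomes part of the value and an exact `ParentCommandLine` match can never succeed, which silently reintroduces the git false positive this series is trying to remove. They should read `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'` and `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'`. Dropping `CommandLine|contains: 'show --textconv :'` additionally widens the exclusion to every git.exe launched from those conhost parents, which may be intended but deserves a sentence in the commit message.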
diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 580404ce4..9ecb61821 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: '\Microsoft\Windows Defender\Exclusions' + NewValue|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection falsepositives: - Administrator actions diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index c2924356e..692e62478 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml +++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml @@ -16,9 +16,9 @@ logsource: detection: allowed_apps_key: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: - New_Value|contains: + NewValue|contains: # Add more paths you don't allow in your org - '\Users\Public\' - '\AppData\Local\Temp\' @@ -28,7 +28,7 @@ detection: protected_folders: EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely 
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 3f38a6d85..3fac677bf 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: + NewValue|contains: # TODO: Add more suspicious values - '\Windows Defender\DisableAntiSpyware' - '\Windows Defender\Features\TamperProtection' diff --git a/tests/test_rules.py b/tests/test_rules.py index 452028809..e2cd3cf18 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -909,11 +909,14 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases # We check first the logsource to handle special cases - logsource = self.get_rule_part(file_path=file, part_name="logsource") - # The current special cases are: - # - 'windefend' - if "windefend" in logsource.values(): - typos_ = typos + [("NewValue", "New_Value"), ("OldValue", "Old_Value")] + logsource = self.get_rule_part(file_path=file, part_name="logsource").values() + # add more typos in specific logsources below + if "windefend" in logsource: + typos_ = typos + [("New_Value", "NewValue"), ("Old_Value", "OldValue"), ('Source_Name', 'SourceName'), ("Newvalue", "NewValue"), ("Oldvalue", "OldValue"), ('Sourcename', 'SourceName')] + elif "registry_set" in logsource or "registry_add" in logsource or "registry_event" in logsource: + typos_ = typos + [("Targetobject", "TargetObject"), ("Eventtype", "EventType"), ("Newname", "NewName")] + elif "process_creation" in logsource: + typos_ = typos + [("Parentimage", "ParentImage"), ("Integritylevel", "IntegrityLevel"), ("IntegritiLevel", "IntegrityLevel")] else: typos_ = typos detection = self.get_rule_part(file_path=file, part_name="detection") From 8482d33708ad31025dc02ab1a588ca356185d322 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:27:14 +0100 Subject: [PATCH 047/115] fix: add rule to fp filter --- .github/workflows/known-FPs.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bbb1f00d1..696bedc49 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
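Review bot: `self.get_rule_part(file_path=file, part_name="logsource").values()` dereferences the result before anything checks it, so a rule without a logsource section would abort the whole test with an AttributeError instead of being reported as faulty (the old code had the same shape; I cannot see get_rule_part, so this assumes it returns None for a missing part). The typo tables are also rebuilt on every iteration; hoisting them to module-level constants (e.g. `WINDEFEND_TYPOS`, `REGISTRY_TYPOS`, `PROC_CREATION_TYPOS`) and only selecting one per rule would keep the very long list literal out of the loop body and easier to extend. The enclosing test method starts and ends outside this hunk.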
@@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe +801bd44f-ceed-4eb6-887c-11544633c0aa;Windows Defender Suspicious Configuration Changes;.* From b1a657b7de08fd2162dacbd0ebd4172d6ff0b1d9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:27:27 +0100 Subject: [PATCH 048/115] fix: add spaces to avoid fp with other keys --- .../win_defender_suspicious_features_tampering.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 3fac677bf..65117fb6b 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
@@ -23,13 +23,13 @@ detection: EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: # TODO: Add more suspicious values - - '\Windows Defender\DisableAntiSpyware' - - '\Windows Defender\Features\TamperProtection' - - '\Windows Defender\Scan\DisableRemovableDriveScanning' - - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan' - - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen' - - '\Real-Time Protection\SpyNetReporting' - - '\Real-Time Protection\SubmitSamplesConsent' + - '\Windows Defender\DisableAntiSpyware ' + - '\Windows Defender\Features\TamperProtection ' + - '\Windows Defender\Scan\DisableRemovableDriveScanning ' + - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ' + - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen ' + - '\Real-Time Protection\SpyNetReporting ' + - '\Real-Time Protection\SubmitSamplesConsent ' # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886 condition: selection From f12975bc6b6af39c2f35493f2cfb6f1bb26bd0e2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:34:56 +0100 Subject: [PATCH 049/115] fix: update description Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../security/win_security_susp_codeintegrity_check_failure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml index 19f0bf9c4..9ea2d5750 100644 --- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml +++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml 
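Review bot: Every `NewValue|contains` entry now ends with a trailing space, but nothing in the rule records why, and the effect depends on the exact text layout of the event 5007 NewValue field (presumably `<value path> = <data>`, which I cannot confirm from here). A pipeline that trims or collapses whitespace in that field would make the whole selection silently stop matching, so the intent deserves a comment above the list, e.g. `# Values end with a space on purpose: NewValue is '<path> = <data>', so the space stops 'DisableAntiSpyware' matching longer value names` — adjusted to the actual field format.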
@@ -1,7 +1,7 @@ title: Failed Code Integrity Checks id: 470ec5fa-7b4e-4071-b200-4c753100f49b status: stable -description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries. +description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries. author: Thomas Patzke date: 2019/12/03 modified: 2020/08/23 From d393b57c361f1f25c0558e7a1cc9397c34d05a2d Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Thu, 8 Dec 2022 11:49:53 +0530 Subject: [PATCH 050/115] Detection for LSASS Shtinkering --- .../file_event_lsass_shtinkering.yml | 23 +++++++++++++ .../proc_creation_lsass_shtinkering.yml | 32 +++++++++++++++++++ .../registry_add_usermode_dumping_enabled.yml | 23 +++++++++++++ ...ass_usermode_dumping_lsass_shtinkering.yml | 24 ++++++++++++++ 4 files changed, 102 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_lsass_shtinkering.yml create mode 100644 rules/windows/process_creation/proc_creation_lsass_shtinkering.yml create mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml create mode 100644 rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml new file mode 100644 index 000000000..ccd828eff --- /dev/null +++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml 
@@ -0,0 +1,23 @@ +title: Suspicious LSASS Dump using LSASS Shtinkering +id: 6902955a-01b7-432c-b32a-6f5f81d8f625 +status: experimental +description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains|all: + - 'lsass.exe' + - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps' + TargetFilename|endswith: '.dmp' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml new file mode 100644 index 000000000..0bb7a5920 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml 
@@ -0,0 +1,32 @@ +title: Suspicious LSASS Dumping using Windows Error Reporting +id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 +status: experimental +description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +date: 2022/12/08 +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + product: windows + category: process_creation +detection: + selection: + - Image|endswith: '\Werfault.exe' + - OriginalFileName: 'WerFault.Exe' + - CommandLine|contains: + - '-u ' + - '-p' + - '-ip ' + - '-s ' + # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + selection_parent: + ParentImage|endswith: '\7zFM.exe' + filter_lsass: + ParentImage|endswith: 'C:\Windows\System32\lsass.exe' + condition: selection and not filter_lsass +falsepositives: + - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine. +level: high diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml new file mode 100644 index 000000000..16cc7d143 --- /dev/null +++ b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml 
@@ -0,0 +1,23 @@ +title: Adding of a registry key for LSASS Shtinkering +id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 +status: experimental +description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +date: 2022/12/08 +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + category: registry_add + product: windows +detection: + selection: + EventType: CreateKey + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' + condition: selection +falsepositives: + - Legitimate usage of enabling user mode dumping (Not seen in the wild) +level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml new file mode 100644 index 000000000..b282b2d17 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml @@ -0,0 +1,24 @@ +title: Setting of a registry key's value for LSASS Shtinkering +id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 +status: experimental +description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +date: 2022/12/08 +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject: + - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps + Details: 2 + condition: selection +falsepositives: + - Unknown +level: high From 9ea5fac51c876ed758aa00385f593062b9108aed Mon Sep 17 00:00:00 2001 
From: pbssubhash Date: Thu, 8 Dec 2022 11:56:40 +0530 Subject: [PATCH 051/115] Update proc_creation_lsass_shtinkering.yml --- .../process_creation/proc_creation_lsass_shtinkering.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index 0bb7a5920..e4887f13c 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml @@ -16,7 +16,7 @@ detection: selection: - Image|endswith: '\Werfault.exe' - OriginalFileName: 'WerFault.Exe' - - CommandLine|contains: + - CommandLine|contains|all: - '-u ' - '-p' - '-ip ' From 4bb1df9f6e0631585b219cacbe5d0623a9ef680c Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Thu, 8 Dec 2022 12:03:02 +0530 Subject: [PATCH 052/115] Update to remove FP --- .../process_creation/proc_creation_lsass_shtinkering.yml | 2 -- .../registry_add/registry_add_usermode_dumping_enabled.yml | 4 +++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index e4887f13c..1aa5c4f40 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml @@ -22,8 +22,6 @@ detection: - '-ip ' - '-s ' # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 - selection_parent: - ParentImage|endswith: '\7zFM.exe' filter_lsass: ParentImage|endswith: 'C:\Windows\System32\lsass.exe' condition: selection and not filter_lsass diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml index 16cc7d143..c610cd2d6 100644 --- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml 
+++ b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml @@ -17,7 +17,9 @@ detection: EventType: CreateKey TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' - condition: selection + filter: + TargetObject|endswith: '.exe' + condition: selection and not filter falsepositives: - Legitimate usage of enabling user mode dumping (Not seen in the wild) level: high From bea46b2b9ef171d8a989a059085e85196fe7a227 Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Thu, 8 Dec 2022 12:13:25 +0530 Subject: [PATCH 053/115] Update to modify FP and UUID --- .github/workflows/known-FPs.csv | 1 + ..._shtinkering.yml => registry_set_lsass_usermode_dumping.yml} | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) rename rules/windows/registry/registry_set/{registry_set_lsass_usermode_dumping_lsass_shtinkering.yml => registry_set_lsass_usermode_dumping.yml} (94%) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bbb1f00d1..9b7911bb3 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe +33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps 
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml similarity index 94% rename from rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml rename to rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml index b282b2d17..dab1b1a9c 100644 --- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml @@ -1,5 +1,5 @@ title: Setting of a registry key's value for LSASS Shtinkering -id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 +id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 status: experimental description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. references: From edc99c92a2e2a7eda7516df6f7aef5a562095ef2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:02:56 +0100 Subject: [PATCH 054/115] fix: enhance rules related to Lsass-Shtinkering --- .github/workflows/known-FPs.csv | 1 - .../file_event_lsass_shtinkering.yml | 17 +++++---- .../proc_creation_lsass_shtinkering.yml | 37 +++++++++++-------- .../registry_add_usermode_dumping_enabled.yml | 25 ------------- .../registry_set_lsass_usermode_dumping.yml | 17 +++++---- 5 files changed, 41 insertions(+), 56 deletions(-) delete mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 9b7911bb3..bbb1f00d1 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
@@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe -33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml index ccd828eff..522ab6eb3 100644 --- a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml +++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml 
@@ -1,23 +1,24 @@ -title: Suspicious LSASS Dump using LSASS Shtinkering +title: LSASS Process Dump Artefact In CrashDumps Folder id: 6902955a-01b7-432c-b32a-6f5f81d8f625 status: experimental -description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. references: - https://github.com/deepinstinct/Lsass-Shtinkering + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash' -modified: 2022/12/08 +date: 2022/12/08 tags: - attack.credential_access + - attack.t1003.001 logsource: product: windows category: file_event detection: selection: - TargetFilename|contains|all: - - 'lsass.exe' - - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps' + TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\' + TargetFilename|contains: 'lsass.exe.' TargetFilename|endswith: '.dmp' condition: selection falsepositives: - - Unknown -level: high \ No newline at end of file + - Rare legitimate dump of the process by the operating system due to a crash of lsass +level: high diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index 1aa5c4f40..a88adb413 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml 
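Review bot: `TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'` hard-codes the system drive letter, so hosts with Windows installed on another volume never match even though the rest of the path is fixed. `TargetFilename|contains: '\config\systemprofile\AppData\Local\CrashDumps\'` keeps the same anchoring on the SYSTEM-profile crash-dump folder without the drive assumption. The Microsoft reference added to the sibling registry_set rule in this series documents that the WER dump folder is configurable, so the rule should also state its coverage, e.g. `# Only the default WER LocalDumps folder of the SYSTEM profile is covered`.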
@@ -1,30 +1,37 @@ -title: Suspicious LSASS Dumping using Windows Error Reporting +title: Potential Credential Dumping Via Windows Error Reporting id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 status: experimental -description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass references: - https://github.com/deepinstinct/Lsass-Shtinkering -author: '@pbssubhash' + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf +author: '@pbssubhash , Nasreddine Bencherchali' date: 2022/12/08 -modified: 2022/12/08 tags: - attack.credential_access + - attack.t1003.001 logsource: product: windows category: process_creation detection: - selection: + selection_img: - Image|endswith: '\Werfault.exe' - - OriginalFileName: 'WerFault.Exe' - - CommandLine|contains|all: - - '-u ' - - '-p' - - '-ip ' - - '-s ' - # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + - OriginalFileName: 'WerFault.exe' + selection_cli: + ParentUser|contains: # covers many language settings + - 'AUTHORI' + - 'AUTORI' + User|contains: + - 'AUTHORI' + - 'AUTORI' + CommandLine|contains|all: + # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + - ' -u -p ' + - ' -ip ' + - ' -s ' filter_lsass: - ParentImage|endswith: 'C:\Windows\System32\lsass.exe' - condition: selection and not filter_lsass + ParentImage: 'C:\Windows\System32\lsass.exe' + condition: all of selection_* and not 1 of filter_* falsepositives: - - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine. + - Windows Error Reporting might produce similar behavior. 
In that case, check the PID associated with the "-p" parameter in the CommandLine. level: high diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml deleted file mode 100644 index c610cd2d6..000000000 --- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: Adding of a registry key for LSASS Shtinkering -id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 -status: experimental -description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. -references: - - https://github.com/deepinstinct/Lsass-Shtinkering -author: '@pbssubhash' -date: 2022/12/08 -modified: 2022/12/08 -tags: - - attack.credential_access -logsource: - category: registry_add - product: windows -detection: - selection: - EventType: CreateKey - TargetObject|contains: - - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' - filter: - TargetObject|endswith: '.exe' - condition: selection and not filter -falsepositives: - - Legitimate usage of enabling user mode dumping (Not seen in the wild) -level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml index dab1b1a9c..c362fe0e6 100644 --- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml 
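Review bot: The new header carries a stray space before the comma in `author: '@pbssubhash , Nasreddine Bencherchali'`, and the rewritten description names Windows Error Reporting twice without a closing period; `description: Detects potential credential dumping via the LSASS Shtinkering technique, which abuses Windows Error Reporting to dump lsass.` reads cleaner. Since this rule only sees the WerFault command line and cannot tie the `-p` PID to lsass (the falsepositives entry already tells the analyst to check it), linking it to the dump-artefact rule from the same series via `related:` with `- id: 6902955a-01b7-432c-b32a-6f5f81d8f625` and `type: similar` would give a pivot, following the `related` convention used elsewhere in this repository. This hunk is split across two physical lines here, but it covers the whole file from title to level.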
@@ -1,24 +1,27 @@ -title: Setting of a registry key's value for LSASS Shtinkering +title: Lsass Full Dump Request Via DumpType Registry Settings id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 status: experimental -description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. +description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. references: - https://github.com/deepinstinct/Lsass-Shtinkering + - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash' date: 2022/12/08 -modified: 2022/12/08 tags: - attack.credential_access + - attack.t1003.001 logsource: category: registry_set product: windows detection: selection: EventType: SetValue - TargetObject: - - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps - Details: 2 + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType' + - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType' + Details: 'DWORD (0x00000002)' # Full Dump condition: selection falsepositives: - - Unknown + - Legitimate application that needs to do a full dump of their process level: high From bfcdcf2b9c21191905f293ae54aaf5599c4c9eb9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:44:59 +0100 Subject: [PATCH 055/115] fix: remove fp filter --- .github/workflows/known-FPs.csv | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 696bedc49..bbb1f00d1 100644 --- a/.github/workflows/known-FPs.csv 
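Review bot: The first `TargetObject|contains` entry (`\...\LocalDumps\DumpType`) is, per the linked Microsoft reference, the machine-wide WER dump setting rather than an lsass-specific one, so the title "Lsass Full Dump Request Via DumpType Registry Settings" overstates what a match on that entry proves; only the second entry (`\LocalDumps\lsass.exe\DumpType`) is lsass-specific. Either split the two into separate selections with a comment such as `# Global DumpType applies to every process; only the lsass.exe subkey is lsass-specific`, or soften the title to e.g. `Full Dump Type Enabled Via WER LocalDumps Registry Settings` and let the description say it covers both. The exact `Details: 'DWORD (0x00000002)'` match also depends on the log source rendering DWORD data in that format, which a short comment on that line could state.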
+++ b/.github/workflows/known-FPs.csv @@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe -801bd44f-ceed-4eb6-887c-11544633c0aa;Windows Defender Suspicious Configuration Changes;.* From 2506d29bc9b0043c6be21a6ccb5c54763139319a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:57:26 +0100 Subject: [PATCH 056/115] feat: add more checks for the test --- tests/test_rules.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 5d88c97e9..22d3bd755 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -882,8 +882,12 @@ class TestRules(unittest.TestCase): continue if selection == "timeframe": continue - if selection in condition: + + # remove special keywords + condition_list = condition.replace("not ", '').replace("1 of ", '').replace("all of ", '').replace(' or ', ' ').replace(' and ', ' ').replace('(', '').replace(')', '').split(" ") + if selection in condition_list: continue + # find all wildcards in condition found = False for wildcard_selection in wildcard_selections.findall(condition): From 0567ca8ca3b055efca601f4f8686d9cdab118b90 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:57:40 +0100 Subject: [PATCH 057/115] fix: fix unused selection --- .../security/win_security_susp_scheduled_task_creation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
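Review bot: The new `condition_list` is built by a chain of `str.replace` calls that only knows the tokens `not `, `1 of `, `all of `, ` or `, ` and ` and parentheses, so conditions using other quantifiers (`2 of selection_*`) or a `|` aggregation suffix leave residue such as `2`, `of` or `|` in the list, and double spaces produce empty-string entries. Tokenising with a regex is both shorter and robust to the full condition grammar: `condition_list = re.findall(r"[\w*]+", condition)` (the file already uses a compiled `wildcard_selections` pattern, so `re` appears to be imported; confirm). The membership test is the real fix here — the old substring check let `selection` match `selection_eid` — and is worth a one-line comment saying so. The enclosing test method starts and ends outside the hunk.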
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml index 0351da356..4da7fb242 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml @@ -6,6 +6,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 author: Nasreddine Bencherchali date: 2022/12/05 +modified: 2022/12/07 tags: - attack.execution - attack.privilege_escalation @@ -16,7 +17,7 @@ logsource: service: security definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' detection: - selection: + selection_eid: EventID: 4698 selection_paths: TaskContent|contains: From 18c3c8528d3d2df49701c862d20423220581a29a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 12:13:14 +0100 Subject: [PATCH 058/115] fix: remove tamper protection value --- .../windefend/win_defender_suspicious_features_tampering.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 65117fb6b..1aa0edf42 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
@@ -24,7 +24,7 @@ detection: NewValue|contains: # TODO: Add more suspicious values - '\Windows Defender\DisableAntiSpyware ' - - '\Windows Defender\Features\TamperProtection ' + #- '\Windows Defender\Features\TamperProtection ' # Might produce FP - '\Windows Defender\Scan\DisableRemovableDriveScanning ' - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ' - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen ' From c560baf67337410da12f863dd434c39138acd11b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 16:23:48 +0100 Subject: [PATCH 059/115] feat: enhance test --- tests/test_rules.py | 55 +++++++++++++++++++++++++++++++++------------ 1 file changed, 41 insertions(+), 14 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 22d3bd755..64c355adc 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
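Review bot: Commenting out the `TamperProtection` value silently removes what is arguably the highest-signal entry in this list, and the only justification recorded is `# Might produce FP` with no indication of what triggered it. If the false positives come from the value being logged on both enable and disable transitions, narrowing the match to the disabled state (the exact `NewValue` string would need confirming from an event sample) keeps the detection instead of dropping it; if they come from a specific management product, a `filter_` selection naming it is the usual Sigma answer. Either way the comment should say what was observed, e.g. `# Disabled: fires on routine re-enable by <product>; re-add once narrowed to the disabled state`. The diffstat shows one insertion and one deletion, so the rule's `modified` date was not bumped here although the sibling commits in this series do bump it.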
@@ -838,32 +838,59 @@ class TestRules(unittest.TestCase): "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") def test_selection_list_one_value(self): + + def treat_list(file, values, valid_, selection_name): + # rule with only list of Keywords term + if len(values) == 1 and not isinstance(values[0], str): + print( + Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key) + ) + valid_ = False + elif isinstance(values[0], dict): + valid_ = treat_dict(file, values, valid_, selection_name) + return valid_ + + def treat_dict(file, values, valid_, selection_name): + if isinstance(values, list): + for dict_ in values: + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + else: + dict_ = values + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + return valid_ + faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part( file_path=file, part_name="detection") if detection: + valid = True for key in detection: + values = detection[key] if isinstance(detection[key], list): - # rule with only list of Keywords term - if len(detection[key]) == 1 and not isinstance(detection[key][0], str): - print( - Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) - valid = False + valid = treat_list(file, values, valid, key) + if isinstance(detection[key], dict): - for sub_key in detection[key]: - # split in 2 if as get a error "int has not len()" - if 
isinstance(detection[key][sub_key], list): - if len(detection[key][sub_key]) == 1: - print( - Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - valid = False + valid = treat_dict(file, values, valid, key) + if not valid: faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules using list with only 1 element") + "There are rules using list with only 1 element") def test_unused_selection(self): faulty_rules = [] From 80ef3b70dc5eee9b1c0a3ccf20429a0c0ceaf82b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 16:23:58 +0100 Subject: [PATCH 060/115] fix: broken single item lists --- rules/application/antivirus/av_hacktool.yml | 3 +-- .../builtin/system/win_system_service_install_hacktools.yml | 3 +-- .../file_event_win_hivenightmare_file_exports.yml | 3 +-- .../image_load/image_load_abusing_azure_browser_sso.yml | 3 +-- .../image_load/image_load_susp_python_image_load.yml | 3 +-- .../net_connection_win_rdp_reverse_tunnel.yml | 6 ++---- .../net_connection_win_rundll32_net_connections.yml | 3 +-- ...connection_win_susp_prog_location_network_connection.yml | 6 ++---- .../posh_ps_set_policies_to_unsecure_level.yml | 3 +-- .../proc_creation_win_apt_hurricane_panda.yml | 3 +-- .../process_creation/proc_creation_win_mmc_spawn_shell.yml | 3 +-- .../proc_creation_win_mshta_spawn_shell.yml | 3 +-- .../registry_event/registry_event_mal_flowcloud.yml | 3 +-- .../registry_set_susp_reg_persist_explorer_run.yml | 3 +-- 14 files changed, 16 insertions(+), 32 deletions(-) diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml index 8c29fdb92..a00032666 100644 --- a/rules/application/antivirus/av_hacktool.yml +++ b/rules/application/antivirus/av_hacktool.yml 
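Review bot: In the new `treat_list` helper the error message formats `key`, which is the enclosing method's loop variable captured by closure rather than the `selection_name` parameter that was passed in; it happens to hold the same value today, but the helper is not usable on its own and a later refactor would break the message silently. `treat_list` also indexes `values[0]` before checking that the list is non-empty, so an empty list selection raises `IndexError` instead of being reported, and the list branch of `treat_dict` calls `.keys()` on every element, which raises for a mixed list of keyword strings and mappings. The two branches of `treat_dict` are otherwise identical and can be collapsed by normalising the input to a list of mappings. The enclosing `test_selection_list_one_value` method is entirely inside the hunk; `test_unused_selection` at the end is cut off.

```python
def treat_list(file, values, valid_, selection_name):
    # Empty list: nothing to check (values[0] below would raise IndexError)
    if not values:
        return valid_
    # rule with only list of Keywords term
    if len(values) == 1 and not isinstance(values[0], str):
        print(
            Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, selection_name)
        )
        valid_ = False
    elif isinstance(values[0], dict):
        valid_ = treat_dict(file, values, valid_, selection_name)
    return valid_

def treat_dict(file, values, valid_, selection_name):
    # Normalise to a list of mappings so both shapes share one loop
    for dict_ in (values if isinstance(values, list) else [values]):
        if not isinstance(dict_, dict):
            continue  # keyword strings inside a list selection carry no field lists
        for key_, val_ in dict_.items():
            if isinstance(val_, list) and len(val_) == 1:
                print(
                    Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_)
                )
                valid_ = False
    return valid_

# … unchanged: per-rule loop that calls treat_list / treat_dict and the final assertEqual …
```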
@@ -19,8 +19,7 @@ detection: - 'HKTL' - 'SecurityTool' - 'ATK/' # Sophos - - Signature|contains: - - 'Hacktool' + - Signature|contains: 'Hacktool' condition: selection fields: - FileName diff --git a/rules/windows/builtin/system/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml index 69d804443..7441654f1 100644 --- a/rules/windows/builtin/system/win_system_service_install_hacktools.yml +++ b/rules/windows/builtin/system/win_system_service_install_hacktools.yml @@ -28,8 +28,7 @@ detection: - 'pwdump' - 'gsecdump' - 'cachedump' - - ImagePath|contains: - - 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159 + - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159 condition: service and selection falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml index 889b3c559..e5532258a 100644 --- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml +++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml @@ -26,8 +26,7 @@ detection: - '\SAM-2023-' # C++ version - '\SAM-haxx' # Early C++ versions - '\Sam.save' # PowerShell version - - TargetFilename: - - 'C:\windows\temp\sam' # C# version of HiveNightmare + - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare condition: selection fields: - CommandLine diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml index d7c7b4b0c..5f9316e43 100644 --- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml +++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml 
@@ -30,8 +30,7 @@ detection: - '\AppData\Local\Microsoft\OneDrive\OneDrive.exe' - '\msedgewebview2.exe' - '\OneDrive.exe' - - Image|startswith: - - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' + - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\' - Image: null condition: selection_dll and not filter_legit falsepositives: diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index d707c3081..4a169cff3 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -18,8 +18,7 @@ detection: selection: Description: 'Python Core' filter_generic: - - Image|contains: - - 'Python' # FPs with python38.dll, python.exe etc. + - Image|contains: 'Python' # FPs with python38.dll, python.exe etc. - Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml index a031d7218..d2e43c75c 100755 --- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml @@ -22,10 +22,8 @@ detection: Initiated: 'true' SourcePort: 3389 selection2: - - DestinationIp|startswith: - - '127.' - - DestinationIp: - - '::1' + - DestinationIp|startswith: '127.' + - DestinationIp: '::1' condition: selection and selection2 falsepositives: - Unknown diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml index 72440a3e0..bfeb4b580 100755 --- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml 
@@ -43,8 +43,7 @@ detection: - '51.103.' # Microsoft range, caused some FPs - '51.104.' # Microsoft range, caused some FPs - '51.105.' # Microsoft range, caused some FPs - - CommandLine|contains: - - 'PcaSvc.dll,PcaPatchSdbTask' + - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask' filter_update_processes: ParentImage: 'C:\Windows\System32\svchost.exe' RemoteAddress|endswith: ':443' diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 0c1c0c605..06c238c9f 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml @@ -27,10 +27,8 @@ detection: - '\Windows\Fonts\' - '\Windows\IME\' - '\Windows\addins\' - - Image|endswith: - - '\$Recycle.bin' - - Image|startswith: - - 'C:\Perflogs\' + - Image|endswith: '\$Recycle.bin' + - Image|startswith: 'C:\Perflogs\' false_positive1: Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location condition: selection and not 1 of false_positive* diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 862c5127a..3bbce1ac4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml 
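Review bot: The rewritten `- Image|endswith: '\$Recycle.bin'` in net_connection_win_susp_prog_location_network_connection.yml can only match a process whose image file is literally named `$Recycle.bin`; `$Recycle.bin` is the recycle-bin directory at a volume root, so a binary staged there has an image path like `C:\$Recycle.bin\<SID>\x.exe` that this entry never matches. The pre-existing list form had the same problem, but since the line is being rewritten anyway the modifier should be corrected, presumably to `- Image|contains: '\$Recycle.bin\'`, which is how the sibling entries in the same selection treat other directories. The `selection` block starts outside this hunk, so the other `|contains` entries are only partly visible.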
@@ -25,8 +25,7 @@ detection: - 'bypass' - 'RemoteSigned' filter: - - ParentImage: - - 'C:\ProgramData\chocolatey\choco.exe' + - ParentImage: 'C:\ProgramData\chocolatey\choco.exe' - ScriptBlockText|contains: - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')" - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')" diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml index b7c40f826..bb2986d64 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml @@ -20,8 +20,7 @@ detection: - 'localgroup' - 'admin' - '/add' - - CommandLine|contains: - - '\Win64.exe' + - CommandLine|contains: '\Win64.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml index 3e83ac024..7fb2f061e 100644 --- a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml @@ -27,8 +27,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml index ff534cdd5..ba499f84d 100644 --- a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml 
@@ -30,8 +30,7 @@ detection: - '\bash.exe' - '\reg.exe' - '\regsvr32.exe' - - Image|contains: - - '\BITSADMIN' + - Image|contains: '\BITSADMIN' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml index d9f20e6c5..dc8b279ac 100644 --- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml +++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml @@ -19,8 +19,7 @@ detection: - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}' - - TargetObject|startswith: - - 'HKLM\SYSTEM\Setup\PrintResponsor\' + - TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml index a288c972d..1c86770c1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml @@ -25,8 +25,7 @@ detection: - 'C:\Temp\' - 'C:\Users\Public\' - 'C:\Users\Default\' - - Details|contains: - - '\AppData\' + - Details|contains: '\AppData\' condition: selection and selection2 fields: - Image From c18f634c021c0ba75c28323fa3640e7ea6071c03 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Thu, 8 Dec 2022 21:08:01 +0500 Subject: [PATCH 061/115] Added more FPs --- .../proc_creation_win_msiexec_execute_dll.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 3a6122f98..67f0c66df 100644 
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/_st0pp3r_/status/1583914515996897281 author: frack113 date: 2022/01/16 -modified: 2022/10/23 +modified: 2022/12/08 tags: - attack.defense_evasion - attack.t1218.007 @@ -30,7 +30,13 @@ detection: - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" /Y "C:\Windows\CCM\' - - '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution + - '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution + - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' + - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' + - '\MsiExec.exe" -Y "C:\Windows\CCM\' + - '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution condition: selection and not 1 of filter_* falsepositives: - Legitimate script From ece1d01038e260e0d4867c17ec28890bef3dd490 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 8 Dec 2022 17:34:56 +0100 Subject: [PATCH 062/115] fix: syntax error, additional comma --- .../process_creation/proc_creation_win_msiexec_execute_dll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 67f0c66df..cf29b211d 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml 
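Review bot: The six new `-Y` entries mirror the `/Y` ones verbatim, which doubles a filter list that already has to be kept in sync by hand; a comment such as `# msiexec accepts both "/" and "-" as the option prefix, keep both lists aligned` would at least tell the next editor why the duplication exists. Sigma string matching is case-insensitive by default, so `/y` and `-y` are already covered and need no further entries. If the `selection` block (outside this hunk) also matches the unregister form `/z` / `-z`, which likewise loads the DLL, this filter has no entries for it and the same vendor paths would alert again; worth checking. The stray trailing comma on the `/Y C:\Windows\CCM\` line is a YAML syntax error, already corrected by the following commit.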
@@ -30,7 +30,7 @@ detection: - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' - '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll' - '\MsiExec.exe" /Y "C:\Windows\CCM\' - - '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution + - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll' - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll' - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll' From 47b5272fcdb5bd068934bee367b630d7fb932df3 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Fri, 9 Dec 2022 06:21:02 +1100 Subject: [PATCH 063/115] Create azure_ad_azurehound_discovery.yml (#3762) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../azure/azure_ad_azurehound_discovery.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_ad_azurehound_discovery.yml diff --git a/rules/cloud/azure/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/azure_ad_azurehound_discovery.yml new file mode 100644 index 000000000..41bada855 --- /dev/null +++ b/rules/cloud/azure/azure_ad_azurehound_discovery.yml 
@@ -0,0 +1,23 @@ +title: Discovery Using AzureHound +id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b +status: experimental +description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. +references: + - https://github.com/BloodHoundAD/AzureHound +author: Janantha Marasinghe +date: 2022/11/27 +tags: + - attack.discovery + - attack.t1087.004 + - attack.t1526 +logsource: + product: azure + service: signinlogs +detection: + selection: + userAgent|contains: 'azurehound' + ResultType: 0 + condition: selection +falsepositives: + - Unknown +level: high From ab18539fcecec8bb5110ace04a91712ed02431d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Dec 2022 05:18:26 +0000 Subject: [PATCH 064/115] chore(deps): bump certifi from 2021.5.30 to 2022.12.7 Bumps [certifi](https://github.com/certifi/python-certifi) from 2021.5.30 to 2022.12.7. - [Release notes](https://github.com/certifi/python-certifi/releases) - [Commits](https://github.com/certifi/python-certifi/compare/2021.05.30...2022.12.07) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 898 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 608 insertions(+), 290 deletions(-) diff --git a/Pipfile.lock b/Pipfile.lock index 2416e3258..f56216248 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68" + "sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8" }, "pipfile-spec": 6, "requires": { 
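Review bot: `ResultType: 0` restricts the rule to successful sign-ins, so a run of AzureHound against an account whose credentials fail, or that is blocked by conditional access, produces no alert even though the attempt itself is the interesting event; either drop the `ResultType` constraint or document in `description` that failed attempts are deliberately excluded. The user agent is fully attacker-controlled and the description already notes it is the tool's default, so `falsepositives: - Unknown` undersells the real caveat; something like `- Unlikely; note the User-Agent is trivially changed, so this only catches unmodified AzureHound` would be more useful to an analyst. Whether `ResultType` arrives as the integer 0 or the string "0" depends on the ingestion pipeline; if it is a string in the target backend the rule never fires, so that is worth confirming before leaving `level: high` on an `experimental` rule.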
@@ -18,42 +18,43 @@ "default": { "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "deprecated": { "hashes": [ - "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", - "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" + "sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d", + "sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.2.12" + "version": "==1.2.13" }, "idna": { "hashes": [ - "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - 
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "jsonschema": { "hashes": [ 
@@ -80,30 +81,31 @@ }, "pyrsistent": { "hashes": [ - "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", - "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", - "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", - "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", - "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", - "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", - "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", - "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", - "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", - "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", - "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", - "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", - "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", - "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", - "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", - "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", - "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", - "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", - "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", - "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", - "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + "sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed", + "sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb", + "sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a", + "sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95", + 
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712", + "sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73", + "sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41", + "sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b", + "sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78", + "sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab", + "sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308", + "sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425", + "sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2", + "sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e", + "sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6", + "sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2", + "sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a", + "sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291", + "sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584", + "sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a", + "sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0", + "sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770" ], - "markers": "python_version >= '3.6'", - "version": "==0.18.0" + "markers": "python_version >= '3.7'", + "version": "==0.19.2" }, "python-dateutil": { "hashes": [ 
@@ -115,10 +117,11 @@ }, "python-utils": { "hashes": [ - "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208", - "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349" + "sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592", + "sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a" ], - "version": "==2.5.6" + "markers": "python_version >= '3.7'", + "version": "==3.4.5" }, "pyyaml": { "hashes": [ 
@@ -165,38 +168,59 @@ }, "ruamel.yaml": { "hashes": [ - "sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67", - "sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815" + "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7", + "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af" ], "index": "pypi", - "version": "==0.17.10" + "version": "==0.17.21" }, "ruamel.yaml.clib": { "hashes": [ - "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd", - "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0", - "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277", - "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104", - "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd", - "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78", - "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99", - "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527", - "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84", - "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7", - "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468", - "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b", - "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94", - "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233", - "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb", - "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5", - "sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe", - "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751", - "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502", - 
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed", - "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c" + "sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e", + "sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3", + "sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5", + "sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497", + "sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f", + "sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac", + "sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697", + "sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763", + "sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282", + "sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94", + "sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1", + "sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072", + "sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9", + "sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5", + "sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231", + "sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93", + "sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b", + "sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb", + "sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f", + "sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307", + "sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8", + "sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b", + "sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b", + "sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640", 
+ "sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7", + "sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a", + "sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71", + "sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8", + "sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7", + "sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80", + "sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e", + "sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab", + "sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0", + "sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646" ], - "markers": "python_version < '3.10' and platform_python_implementation == 'CPython'", - "version": "==0.2.6" + "markers": "python_version < '3.11' and platform_python_implementation == 'CPython'", + "version": "==0.2.7" + }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" }, "six": { "hashes": [ @@ -206,6 +230,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, + "termcolor": { + "hashes": [ + "sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b", + "sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd" + ], + "index": "pypi", + "version": "==2.1.1" + }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -216,69 +248,191 @@ }, "wrapt": { "hashes": [ - "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" + "sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3", + "sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b", + "sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4", + "sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2", + "sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656", + "sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3", + "sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff", + "sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310", + "sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a", + "sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57", + "sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069", + "sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383", + "sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe", + "sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87", + "sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d", + "sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b", + "sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907", + "sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f", + "sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0", + "sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28", + "sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1", + "sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853", + "sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc", + "sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3", + 
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3", + "sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164", + "sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1", + "sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c", + "sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1", + "sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7", + "sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1", + "sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320", + "sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed", + "sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1", + "sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248", + "sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c", + "sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456", + "sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77", + "sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef", + "sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1", + "sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7", + "sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86", + "sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4", + "sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d", + "sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d", + "sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8", + "sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5", + "sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471", + "sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00", + "sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68", 
+ "sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3", + "sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d", + "sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735", + "sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d", + "sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569", + "sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7", + "sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59", + "sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5", + "sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb", + "sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b", + "sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f", + "sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462", + "sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015", + "sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af" ], - "version": "==1.12.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.14.1" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", - "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", - "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", - "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", - "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", - "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", - "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", - "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", - "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", - 
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", - "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", - "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", - "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", - "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", - "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", - "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", - "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", - "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", - "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", - "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", - "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", - "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", - "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", - "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", - "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", - "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", - "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", - "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", - "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", - "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", - "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", - "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", - "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", - "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", - "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", 
- "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", - "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" + "sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8", + "sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142", + "sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18", + "sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34", + "sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a", + "sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033", + "sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06", + "sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4", + "sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d", + "sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b", + "sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc", + "sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091", + "sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d", + "sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85", + "sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb", + "sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937", + "sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf", + "sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1", + "sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b", + "sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d", + "sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269", + "sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da", + "sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346", + 
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494", + "sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697", + "sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4", + "sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585", + "sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c", + "sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da", + "sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad", + "sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2", + "sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6", + "sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c", + "sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849", + "sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa", + "sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b", + "sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb", + "sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7", + "sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715", + "sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76", + "sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d", + "sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276", + "sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6", + "sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37", + "sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb", + "sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d", + "sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c", + "sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446", + "sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008", 
+ "sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342", + "sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d", + "sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7", + "sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061", + "sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba", + "sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7", + "sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290", + "sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0", + "sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d", + "sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8", + "sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f", + "sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48", + "sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502", + "sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62", + "sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9", + "sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403", + "sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77", + "sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476", + "sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e", + "sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96", + "sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5", + "sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784", + "sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091", + "sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b", + "sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97", + 
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a", + "sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2", + "sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9", + "sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d", + "sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73", + "sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017", + "sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363", + "sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c", + "sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d", + "sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618", + "sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491", + "sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b", + "sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca" ], "markers": "python_version >= '3.6'", - "version": "==3.7.4.post0" + "version": "==3.8.3" + }, + "aiosignal": { + "hashes": [ + "sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc", + "sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.1" }, "antlr4-python3-runtime": { "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + "sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b" ], "markers": "python_version >= '3'", - "version": "==4.8" + "version": "==4.9.3" }, "async-timeout": { "hashes": [ - "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", - "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" + "sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15", + "sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c" ], - "markers": 
"python_full_version >= '3.5.3'", - "version": "==3.0.1" + "markers": "python_version >= '3.6'", + "version": "==4.0.2" }, "attackcti": { "hashes": [ @@ -290,34 +444,27 @@ }, "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" - }, - "chardet": { - "hashes": [ - "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", - "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==4.0.0" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "colorama": { "hashes": [ 
@@ -401,79 +548,197 @@ "index": "pypi", "version": "==6.2.0" }, + "frozenlist": { + "hashes": [ + "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", + "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", + "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", + "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", + "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", + "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", + "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", + "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", + "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", + "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", + "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", + "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", + "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", + "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", + "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", + "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", + "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", + "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", + "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", + "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", + "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", + "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", + "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", + "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", + 
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", + "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", + "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", + "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", + "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", + "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", + "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", + "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", + "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", + "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", + "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", + "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", + "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", + "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", + "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", + "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", + "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", + "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", + "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", + "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", + "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", + "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", + "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", + "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", + "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", + "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", 
+ "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", + "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", + "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", + "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", + "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", + "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", + "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", + "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", + "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", + "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", + "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", + "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", + "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", + "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", + "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", + "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", + "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", + "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", + "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", + "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", + "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", + "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", + "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", + "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.3" + }, "idna": { "hashes": [ - 
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "more-itertools": { "hashes": [ - "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", - "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" + "sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41", + "sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab" ], - "markers": "python_version >= '3.5'", - "version": "==8.8.0" + "markers": "python_version >= '3.7'", + "version": "==9.0.0" }, "multidict": { "hashes": [ - "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a", - "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93", - "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632", - "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656", - "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79", - "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7", - "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d", - "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5", - "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224", - "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26", - "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea", - "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348", - "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6", - "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76", - 
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1", - "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f", - "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952", - "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a", - "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37", - "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9", - "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359", - "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8", - "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da", - "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3", - "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d", - "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf", - "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841", - "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d", - "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93", - "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f", - "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647", - "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635", - "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456", - "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda", - "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5", - "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", - "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" + "sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce", + "sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce", + "sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57", 
+ "sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335", + "sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38", + "sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2", + "sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a", + "sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418", + "sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d", + "sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c", + "sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30", + "sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852", + "sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718", + "sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614", + "sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b", + "sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e", + "sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4", + "sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c", + "sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3", + "sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d", + "sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45", + "sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89", + "sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f", + "sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827", + "sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6", + "sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51", + "sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69", + "sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba", + 
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91", + "sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131", + "sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37", + "sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd", + "sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46", + "sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0", + "sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd", + "sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d", + "sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee", + "sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531", + "sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d", + "sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7", + "sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c", + "sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a", + "sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08", + "sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e", + "sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759", + "sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986", + "sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a", + "sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d", + "sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64", + "sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116", + "sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7", + "sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d", + "sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9", + "sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea", 
+ "sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303", + "sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102", + "sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38", + "sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef", + "sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a", + "sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438", + "sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3", + "sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9", + "sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f", + "sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0", + "sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022", + "sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2", + "sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67", + "sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11", + "sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734", + "sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945", + "sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb", + "sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000", + "sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253", + "sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544" ], - "markers": "python_version >= '3.6'", - "version": "==5.1.0" + "markers": "python_version >= '3.7'", + "version": "==6.0.3" }, "packaging": { "hashes": [ - "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", - "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" + "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3", + 
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3" ], - "markers": "python_version >= '3.6'", - "version": "==21.0" + "markers": "python_version >= '3.7'", + "version": "==22.0" }, "pathspec": { "hashes": [ - "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a", - "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1" + "sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5", + "sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0" ], - "version": "==0.9.0" + "markers": "python_version >= '3.7'", + "version": "==0.10.2" }, "pluggy": { "hashes": [ @@ -485,19 +750,11 @@ }, "py": { "hashes": [ - "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", - "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" + "sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719", + "sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.10.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.11.0" }, "pytest": { "hashes": [ @@ -509,10 +766,10 @@ }, "pytz": { "hashes": [ - "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", - "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427", + "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2" ], - "version": "==2021.1" + "version": "==2022.6" }, "pyyaml": { "hashes": [ 
@@ -557,49 +814,80 @@ "index": "pypi", "version": "==2.26.0" }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" + }, "simplejson": { "hashes": [ - "sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7", - "sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085", - "sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb", - "sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476", - "sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473", - "sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e", - "sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c", - "sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732", - "sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b", - "sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34", - "sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586", - "sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da", - "sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34", - "sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564", - "sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e", - "sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926", - "sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e", - "sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08", - "sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e", - "sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c", - "sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999", - 
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e", - "sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314", - "sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95", - "sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277", - "sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda", - "sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61", - "sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640", - "sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e", - "sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee", - "sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86", - "sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98", - "sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616", - "sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b", - "sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c", - "sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc", - "sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858", - "sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec" + "sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e", + "sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840", + "sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76", + "sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea", + "sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342", + "sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7", + "sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a", + "sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1", + "sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0", 
+ "sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7", + "sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15", + "sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce", + "sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e", + "sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf", + "sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710", + "sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2", + "sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b", + "sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986", + "sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac", + "sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871", + "sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710", + "sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31", + "sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b", + "sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387", + "sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6", + "sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83", + "sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea", + "sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a", + "sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5", + "sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a", + "sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688", + "sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99", + "sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e", + "sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe", + 
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673", + "sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67", + "sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39", + "sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e", + "sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43", + "sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4", + "sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d", + "sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430", + "sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac", + "sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4", + "sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b", + "sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266", + "sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f", + "sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b", + "sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73", + "sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df", + "sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22", + "sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29", + "sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51", + "sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d", + "sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa", + "sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3", + "sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce", + "sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059", + "sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6", + "sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619", 
+ "sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb" ], "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.3" + "version": "==3.18.0" }, "six": { "hashes": [ @@ -618,10 +906,11 @@ }, "stix2-patterns": { "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + "sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08", + "sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458" ], - "version": "==1.3.2" + "markers": "python_version >= '3.6'", + "version": "==2.0.0" }, "taxii2-client": { "hashes": [ @@ -630,14 +919,6 @@ ], "version": "==2.3.0" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "version": "==3.10.0.0" - }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -662,46 +943,83 @@ }, "yarl": { "hashes": [ - "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e", - "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434", - "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366", - "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3", - "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec", - "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959", - "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e", - "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c", - "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6", - "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a", - "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6", - "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424", - "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e", - "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f", - "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50", - "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2", - "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc", - "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4", - "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970", - "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10", - "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0", - "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406", - "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896", - "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643", - "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721", - 
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478", - "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724", - "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e", - "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8", - "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96", - "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25", - "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76", - "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2", - "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2", - "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c", - "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", - "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" + "sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87", + "sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89", + "sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a", + "sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08", + "sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996", + "sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077", + "sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901", + "sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e", + "sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee", + "sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574", + "sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165", + "sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634", + "sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229", + "sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b", 
+ "sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f", + "sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7", + "sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf", + "sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89", + "sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0", + "sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1", + "sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe", + "sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf", + "sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76", + "sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951", + "sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863", + "sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06", + "sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562", + "sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6", + "sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c", + "sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e", + "sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1", + "sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3", + "sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3", + "sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778", + "sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8", + "sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2", + "sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b", + "sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d", + "sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f", + 
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c", + "sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581", + "sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918", + "sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c", + "sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e", + "sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220", + "sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37", + "sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739", + "sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77", + "sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6", + "sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42", + "sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946", + "sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5", + "sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d", + "sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146", + "sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a", + "sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83", + "sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef", + "sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80", + "sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588", + "sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5", + "sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2", + "sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef", + "sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826", + "sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05", + "sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516", 
+ "sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0", + "sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4", + "sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2", + "sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0", + "sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd", + "sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8", + "sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b", + "sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1", + "sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c" ], - "markers": "python_version >= '3.6'", - "version": "==1.6.3" + "markers": "python_version >= '3.7'", + "version": "==1.8.2" } } } From 868be248ddb7ac7cc36180d5cffc16c99151af0a Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Fri, 9 Dec 2022 11:27:28 +0500 Subject: [PATCH 065/115] Fix the filter --- .../proc_creation_win_susp_userinit_child.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index a84f52be0..18301a4a1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) date: 2019/06/17 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1055 @@ -20,7 +20,7 @@ detection: CommandLine|contains: '\netlogon\' filter2: - Image|endswith: '\explorer.exe' - - ImageFileName: 'explorer.exe' + - OriginalFileName: 'explorer.exe' condition: selection and not 1 of filter* fields: - CommandLine 
From fb8e0894b0d4e68114c0edb042ae072b11e2dcf0 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Fri, 9 Dec 2022 13:42:49 +0500 Subject: [PATCH 066/115] fix: condition --- .../proc_creation_win_susp_use_of_sqlps_bin.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml index 91cb6862a..f1f4d118b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml @@ -10,7 +10,7 @@ references: - https://twitter.com/bryon_/status/975835709587075072 author: 'Agro (@agro_sev) oscd.community' date: 2020/10/10 -modified: 2022/02/25 +modified: 2022/12/09 tags: - attack.execution - attack.t1059.001 @@ -21,14 +21,13 @@ logsource: product: windows detection: selection_1: - Image|endswith: '\sqlps.exe' + - Image|endswith: '\sqlps.exe' + - OriginalFileName: 'sqlps.exe' selection_2: ParentImage|endswith: '\sqlps.exe' - selection_3: - OriginalFileName: '\sqlps.exe' filter: ParentImage|endswith: '\sqlagent.exe' - condition: 1 of selection_* and not filter + condition: (selection_1 and not filter) or selection_2 falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium From a0e80197805563393e82bbb07d0c676c70430199 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 10:33:33 +0100 Subject: [PATCH 067/115] fix: issue raised by PR #3769 --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 6f797afe6..b58d0884a 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
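Review bot: The new condition `(selection_1 and not filter) or selection_2` only reads as intended once the reader notices that filter and selection_2 both constrain ParentImage and therefore can never match the same event, which is why the sqlagent.exe exclusion need not apply to selection_2; a comment next to filter would save the next maintainer that derivation, e.g. `# sqlagent.exe legitimately spawns sqlps.exe, so the filter only concerns direct sqlps.exe execution (selection_1)`. The removed selection_3 value `'\sqlps.exe'` carried a leading backslash that a bare OriginalFileName value would never contain, so folding it into selection_1 as `'sqlps.exe'` is the right fix. The unchanged falsepositives line still reads `childprocess` as one word and could be fixed while the file is touched.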
@@ -935,7 +935,7 @@ class TestRules(unittest.TestCase): # add "OriginalFilename" after Aurora switched to SourceFilename # add "ProviderName" after special case powershell classic is resolved # typos is a list of tuples where each tuple contains ("The typo", "The correct version") - typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")] + typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName"), ("ImageFileName", "OriginalFileName")] faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases From 6f6cb9648dec2e0429c10fb9b8a9b2723bf9e441 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 10:33:52 +0100 Subject: [PATCH 068/115] fix: fp found in testing --- .../security/win_security_susp_scheduled_task_delete.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml index b19494759..3b3d77ad5 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml @@ -12,6 +12,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 author: Nasreddine Bencherchali date: 2022/12/05 +modified: 2022/12/08 tags: - attack.execution - attack.privilege_escalation 
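Review bot: The extended typos list now sits on one very long line, which hides the newly added pair in the diff; writing one tuple per line (`typos = [` / `    ("ServiceFilename", "ServiceFileName"),` / …) keeps future additions reviewable. The new pair `("ImageFileName", "OriginalFileName")` is also not a spelling slip like the others but a different field name being redirected, so a short comment above the list stating that it covers known wrong field names as well as case and spelling typos would make its purpose explicit. The enclosing test method starts before this hunk.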
@@ -27,7 +28,7 @@ detection: - 4699 # Task Deleted Event - 4701 # Task Disabled Event TaskName|contains: - # Add more important tasks> + # Add more important tasks - '\Windows\SystemRestore\SR' - '\Windows\Windows Defender\' - '\Windows\BitLocker' @@ -35,7 +36,9 @@ detection: - '\Windows\WindowsUpdate\' - '\Windows\UpdateOrchestrator\' - '\Windows\ExploitGuard' - condition: selection + filter_ac_power_download: + Task|contains: '\Windows\UpdateOrchestrator\AC Power Download' + condition: selection and not 1 of filter_* falsepositives: - Unknown level: high From 7cd15d0bc1e7c49a193b9c4cdf67769f85c7dc1b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 10:34:06 +0100 Subject: [PATCH 069/115] fix: update metadata --- .../proc_creation_win_false_sysinternalsuite.yml | 5 +++-- .../proc_creation_win_impacket_lateralization.yml | 4 ++-- .../process_creation/proc_creation_win_renamed_procdump.yml | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml index ba28010ce..c1feb1bd7 100644 --- a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml +++ b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml @@ -1,11 +1,12 @@ -title: False Sysinternals Suite Tools +title: Potential Binary Impersonating Sysinternals Tools id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9 status: experimental -description: Rename as a legitimate Sysinternals Suite tool to evade detection +description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection references: - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite author: frack113 date: 2021/12/20 +modified: 2022/12/08 tags: - attack.execution - attack.defense_evasion 
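Review bot: The new filter keys on `Task|contains` while the selection a few lines above keys on `TaskName|contains`, so unless `Task` is a real field of events 4699/4701 the filter never matches and the false positive it targets is not suppressed; the fix is `TaskName|contains: '\Windows\UpdateOrchestrator\AC Power Download'`. Note also that patch 071 in this series edits the same `condition: selection` line of this file from the same base blob (index b19494759) with a different filter, so the two patches will not apply cleanly together and the filters need to be merged by hand into one `condition: selection and not 1 of filter_*`.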
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml index fb8f65ecb..ba53f5896 100644 --- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml +++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml @@ -9,7 +9,7 @@ references: - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py author: Ecco, oscd.community, Jonhnathan Ribeiro date: 2019/09/03 -modified: 2021/11/27 +modified: 2022/12/08 tags: - attack.execution - attack.t1047 @@ -46,7 +46,7 @@ detection: - 'cmd.exe' - '/Q' - '/c' - - '\\\\127.0.0.1\' + - '\\\\127.0.0.1\\' - '&1' selection_atexec: ParentCommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml index 9a09c3246..0e7a7715a 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml @@ -1,4 +1,4 @@ -title: Renamed ProcDump +title: Renamed ProcDump Execution id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 related: - id: 03795938-1387-481b-9f4c-3f6241e604fe @@ -9,7 +9,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2022/08/12 +modified: 2022/12/08 tags: - attack.defense_evasion - attack.t1036.003 @@ -34,5 +34,5 @@ detection: condition: (selection_org or all of selection_args_*) and not filter falsepositives: - Procdump illegaly bundled with legitimate software - - Weird admins who renamed binaries (and should be investigated) + - Administrators who rename binaries (should be investigated) level: high From 0783d6df2265657a407127c3fd62d7ce3d752c13 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 12:22:50 +0100 Subject: [PATCH 070/115] feat: update Lsass-Shtinkering rules --- ...in_werfault_susp_lsass_credential_dump.yml | 26 +++++++++++++++++++ .../proc_creation_lsass_shtinkering.yml | 6 ++++- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml diff --git a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml new file mode 100644 index 000000000..d4ac076dd --- /dev/null +++ b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml @@ -0,0 +1,26 @@ +title: Potential Credential Dumping Via WER - Application +id: a18e0862-127b-43ca-be12-1a542c75c7c5 +status: experimental +description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential +references: + - https://github.com/deepinstinct/Lsass-Shtinkering + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf + - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55 +author: Nasreddine Bencherchali +date: 2022/12/07 +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + product: windows + service: application +detection: + selection: + Provider_Name: 'Application Error' + EventID: 1000 + AppName: 'lsass.exe' + ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL + condition: selection +falsepositives: + - Rare legitimate crashing of the lsass process +level: high 
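Review bot: The selection matches one exact `ExceptionCode: 'c0000001'`, so an lsass.exe crash reported with any other code is not seen; since a crash of lsass.exe is itself the rare event the falsepositives entry describes, it is worth documenting why the rule is pinned to STATUS_UNSUCCESSFUL rather than matching `AppName: 'lsass.exe'` alone. Two details of the Application Error 1000 event are also worth confirming in a comment: whether the raw event data carries the code without the `0x` prefix the rendered message shows, and — if, as I believe, the provider writes the event data as unnamed Data elements — which backend mapping supplies the names `AppName` and `ExceptionCode` used here.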
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index a88adb413..cc021edaa 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml @@ -1,4 +1,4 @@ -title: Potential Credential Dumping Via Windows Error Reporting +title: Potential Credential Dumping Via WER id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 status: experimental description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass @@ -7,6 +7,7 @@ references: - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash , Nasreddine Bencherchali' date: 2022/12/08 +modified: 2022/12/09 tags: - attack.credential_access - attack.t1003.001 @@ -25,7 +26,10 @@ detection: - 'AUTHORI' - 'AUTORI' CommandLine|contains|all: + # Doc: WerFault.exe -u -p -ip -s # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique + # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity - ' -u -p ' - ' -ip ' - ' -s ' From 356ab98ada7cf220183c42519da6090155634c29 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 9 Dec 2022 12:55:41 +0100 Subject: [PATCH 071/115] fix: FPs with Important Scheduled Task Deleted --- .../security/win_security_susp_scheduled_task_delete.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
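Review bot: The added comment describes a condition the rule cannot evaluate — it speaks of `-p` pointing at the PID of lsass.exe and `-ip` at a different process, but the detection visible in this hunk only checks that the substrings ` -u -p `, ` -ip ` and ` -s ` all appear in the command line, and the PID comparison has to be done by the analyst. Rephrasing the two new lines as triage guidance, e.g. `# Triage: compare the PID after -p with lsass.exe and the PID after -ip with the reporting process; a mismatch is the sign of this technique`, keeps the comment from overstating what the logic does. The detection block continues outside this hunk.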
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml index b19494759..78b60d3fe 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml @@ -12,6 +12,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 author: Nasreddine Bencherchali date: 2022/12/05 +modified: 2022/12/09 tags: - attack.execution - attack.privilege_escalation @@ -35,7 +36,9 @@ detection: - '\Windows\WindowsUpdate\' - '\Windows\UpdateOrchestrator\' - '\Windows\ExploitGuard' - condition: selection + filter: + SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added + condition: selection and not filter falsepositives: - Unknown level: high From 1143ec85b4808d3215dc481ae948fff2e552bffc Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 16:38:32 +0100 Subject: [PATCH 072/115] feat: enhance pssnapin rule --- ...reation_win_powershell_snapins_hafnium.yml | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml index f1143d516..bc5a795f5 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml 
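Review bot: `SubjectUserName|endswith: '$'` excludes every machine account, and on a Windows host actions taken in the SYSTEM context are logged under the computer account (HOSTNAME$), so deletions of the listed tasks by any elevated service or SYSTEM process are no longer alerted on — a broad loss of coverage for a rule whose point is tampering with defensive tasks. Since the comment attributes the false positive to Defender upgrades, scoping the filter to that task family keeps the fix and the coverage: `filter_defender_upgrade:` / `    TaskName|contains: '\Windows\Windows Defender\'` / `    SubjectUserName|endswith: '$'`, with `condition: selection and not 1 of filter_*`. If other task families are also removed during upgrades, a second named filter per family is clearer than one account-wide exclusion.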
@@ -1,13 +1,14 @@ -title: Exchange PowerShell Snap-Ins Used by HAFNIUM +title: Exchange PowerShell Snap-Ins Usage id: 25676e10-2121-446e-80a4-71ff8506af47 status: experimental -description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM +description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ -author: FPT.EagleEye + - https://www.intrinsec.com/apt27-analysis/ +author: FPT.EagleEye, Nasreddine Bencherchali date: 2021/03/03 -modified: 2022/07/14 +modified: 2022/12/09 tags: - attack.execution - attack.t1059.001 @@ -17,12 +18,20 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin' - condition: selection + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli: + CommandLine|contains: 'Add-PSSnapin' + selection_module: + CommandLine|contains: + - 'Microsoft.Exchange.Powershell.Snapin' + - 'Microsoft.Exchange.Management.PowerShell.SnapIn' + condition: all of selection_* fields: - CommandLine - ParentCommandLine From 9f346ce7d1b03aba4945caf5d281cc2ec7ea3d49 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 16:41:36 +0100 Subject: [PATCH 073/115] fix: typo in rule filename --- ...p_log_file.yml => file_event_win_mimikatz_memssp_log_file.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/file/file_event/{file_event_win_mimimaktz_memssp_log_file.yml => file_event_win_mimikatz_memssp_log_file.yml} (100%) 
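Review bot: `selection_module` now also matches `Microsoft.Exchange.Management.PowerShell.SnapIn`, which as far as I know is the snap-in the Exchange Management Shell and routine administration scripts load on every Exchange server, so the rule moves from a HAFNIUM-specific indicator to a generic "snap-in loaded" rule and will be noisy on Exchange hosts. The description still says the rule detects snap-ins used "to export mailbox data", but the selection only looks for the snap-in being added, not for any export activity; either reword the description or add an export-related selection. The `falsepositives` and `level` entries are outside the hunk and should reflect the broader scope (e.g. `- Administrators and scripts loading the Exchange management snap-in on Exchange servers`).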
diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml rename to rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml From cde2bdfc22c08925d6f58282bdd265e9265a5856 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 17:11:03 +0100 Subject: [PATCH 074/115] fix: fix typo in fieldname and close #2101 --- rules/windows/image_load/image_load_foggyweb_nobelium.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml index eaf808b22..8c0ca56f2 100644 --- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml +++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml @@ -1,12 +1,12 @@ title: FoggyWeb Backdoor DLL Loading id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c status: test -description: Detects DLL image load activity as used by FoggyWeb backdoor loader +description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Florian Roth date: 2021/09/27 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.resource_development - attack.t1587 @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image: C:\Windows\ADFS\version.dll + ImageLoaded: 'C:\Windows\ADFS\version.dll' condition: selection falsepositives: - Unlikely From 14d174e218b837d1d27b96a6f1f3f2e12161866b Mon Sep 17 00:00:00 2001 
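Review bot: The description now calls this a DLL hijacking technique ("loads a malicious version of the expected version.dll"), but the tags visible in the hunk remain `attack.resource_development` / `attack.t1587`, which classify capability development rather than search-order hijacking; unless a hijacking tag follows outside the hunk, add `- attack.defense_evasion` and `- attack.t1574.001`. The field fix to `ImageLoaded` is the right one for an image_load rule; `ImageLoaded|endswith: '\ADFS\version.dll'` would additionally cover hosts whose system drive is not `C:`.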
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 17:36:24 +0100 Subject: [PATCH 075/115] feat: update rules related to dll sideloading --- ...ile_event_win_create_non_existent_dlls.yml | 7 +++ ...oad_side_load_from_non_system_location.yml | 9 +++- ...image_load_side_load_non_existent_dlls.yml | 43 +++++++++++++++++++ .../image_load_susp_dbghelp_dbgcore_load.yml | 4 +- 4 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 rules/windows/image_load/image_load_side_load_non_existent_dlls.yml diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 9c9c65693..522c8f4fd 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -1,10 +1,16 @@ title: Creation Of Non-Existent DLLs In System Folders id: df6ecb8b-7822-4f4b-b412-08f524b4576c +related: + - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 + type: similar status: experimental description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 + - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ + - https://github.com/Wh04m1001/SysmonEoP + - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ author: Nasreddine Bencherchali date: 2022/12/01 tags: @@ -22,6 +28,7 @@ detection: - 'C:\Windows\System32\WLBSCTRL.dll' - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' + - 'C:\Windows\System32\wow64log.dll' filter: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter 
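Review bot: The unchanged `filter` (`Image|startswith: 'C:\Windows\System32\'`) excludes every process whose image lives under System32, not only the OS servicing components that legitimately create these files, so the newly added `wow64log.dll` entry inherits the same blind spot as the existing names. An allow-list of the specific servicing images observed during baselining would be tighter than the whole directory; at minimum the filter deserves a comment stating which writers it is meant to cover, e.g. `# Intended for OS servicing; note this excludes every System32-hosted process`. The selection's field key is above the hunk, and "Usualy" in the description should read "Usually".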
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 7df5528b4..342b35fc7 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -9,7 +9,7 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project) date: 2022/08/14 -modified: 2022/10/25 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence @@ -433,6 +433,13 @@ detection: - '\igd10iumd64.dll' - '\igd12umd64.dll' - '\igdusc64.dll' + # Other + - '\WLBSCTRL.dll' + - '\TSMSISrv.dll' + - '\TSVIPSrv.dll' + - '\wow64log.dll' + - '\WptsExtensions.dll' + - '\wbemcomn.dll' filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml new file mode 100644 index 000000000..619f4fdf7 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml 
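Review bot: The six names added under `# Other` duplicate the list introduced by the new rule `6b98b92b-4f00-4f62-b4fe-4d1920215771` in this same commit, so the two lists will drift unless the link is recorded; I would replace the bare `# Other` with `# Non-existent system DLLs, keep in sync with 6b98b92b-4f00-4f62-b4fe-4d1920215771`. Note that `filter_generic` (whose list continues past the hunk) only excludes loads from under `C:\Windows\System32\`, which already covers the regular `System32\wbem\` location of `wbemcomn.dll`, so that entry effectively only fires for copies outside the system folders, as intended.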
@@ -0,0 +1,43 @@ +title: Sideloading Of Non-Existent DLLs From System Folders +id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 +related: + - id: df6ecb8b-7822-4f4b-b412-08f524b4576c + type: similar +status: experimental +description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation +references: + - https://decoded.avast.io/martinchlumecky/png-steganography/ + - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 + - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ + - https://github.com/Wh04m1001/SysmonEoP + - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ + - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +author: Nasreddine Bencherchali +date: 2022/12/09 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: + # Add other DLLs + - 'C:\Windows\System32\WLBSCTRL.dll' + - 'C:\Windows\System32\TSMSISrv.dll' + - 'C:\Windows\System32\TSVIPSrv.dll' + - 'C:\Windows\System32\wow64log.dll' + - 'C:\Windows\System32\WptsExtensions.dll' + - 'C:\Windows\System32\wbem\wbemcomn.dll' + filter_ms_signed: + Signed: 'true' + # There could be other signatures (please add when found) + Signature: 'Microsoft Windows' + condition: selection and not 1 of filter_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index bc7467c9c..5d2a23294 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml 
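Review bot: `'C:\Windows\System32\wbem\wbemcomn.dll'` is, as far as I know, present on a default Windows install (it is a core WMI DLL), so unlike the other entries it is not a "non-existent" DLL and the selection relies entirely on `filter_ms_signed` to suppress normal loads; on a log source that does not populate `Signed`/`Signature` the rule will fire on every WMI client. Either drop that entry here (the sideload rule updated in this same commit already lists `\wbemcomn.dll`) or document it with `# Present by default; only the unsigned/replaced copy is interesting`. Also "Usualy" in the description should read "Usually", and the `# Add other DLLs` placeholder reads like an unfinished TODO and should be marked as such or removed.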
@@ -11,7 +11,7 @@ references: - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 author: Perez Diego (@darkquassar), oscd.community, Ecco date: 2019/10/27 -modified: 2022/09/15 +modified: 2022/12/09 tags: - attack.credential_access - attack.t1003.001 @@ -50,7 +50,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Signed: 'FALSE' + Signed: 'false' filter1: - Image|contains: 'Visual Studio' - CommandLine|contains: From 89e44d46cb66871a2bd4b9f532960c8ba6c34754 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:06:20 +0100 Subject: [PATCH 076/115] feat: update .net etw tamper rules --- .../win_security_etw_modification.yml | 20 +++++++++++++++---- ..._creation_win_etw_modification_cmdline.yml | 11 ++++++---- .../registry_set_etw_disabled.yml | 18 ++++++++++++++--- 3 files changed, 38 insertions(+), 11 deletions(-) diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_etw_modification.yml index e05e6598e..e7225550f 100644 --- a/rules/windows/builtin/security/win_security_etw_modification.yml +++ b/rules/windows/builtin/security/win_security_etw_modification.yml @@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification +title: ETW Logging Disabled In .NET Processes - Registry id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc +related: + - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: 
@@ -12,22 +15,31 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/10/05 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows service: security detection: - selection: + selection_etw_enabled: EventID: 4657 ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' ObjectValueName: 'ETWEnabled' NewValue: 0 - condition: selection + selection_complus: + EventID: 4657 + ObjectName|endswith: '\Environment\' + ObjectValueName: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' + NewValue: 0 + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index 1d03d645c..cc7917676 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml 
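Review bot: `ObjectName|endswith: '\Environment\'` in `selection_complus` carries a trailing backslash, whereas the sibling `selection_etw_enabled` matches its key path without one (`'\SOFTWARE\Microsoft\.NETFramework'`); as far as I know the 4657 `ObjectName` is the key path with no trailing separator, so the new selection would never match and should read `ObjectName|endswith: '\Environment'`. Since the environment variables are strings, the `NewValue: 0` comparison is presumably against the REG_SZ text "0"; a `# REG_SZ "0"` comment next to it would make that intent explicit.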
@@ -1,7 +1,7 @@ -title: COMPlus_ETWEnabled Command Line Arguments +title: ETW Logging Disabled In .NET Processes - CommandLine id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -12,9 +12,10 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1562 @@ -23,7 +24,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'COMPlus_ETWEnabled=0' + CommandLine|contains: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml index 93b500a35..4e888c2de 100644 --- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml 
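Review bot: Dropping the `=0` suffix means `selection` now fires on any command line that merely mentions `COMPlus_ETWEnabled` or `COMPlus_ETWFlags`, including scripts that set the variable back to `1`, query it, or pass it through build tooling, while `falsepositives` still says `- Unlikely`. If broadening is intended for `COMPlus_ETWFlags` (its tampering values are not only zero), keep the narrower `'COMPlus_ETWEnabled=0'` for the first entry and update the falsepositives entry to mention benign references to these variables; the `level` line is outside the hunk.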
@@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification - Registry +title: ETW Logging Disabled In .NET Processes - Sysmon Registry id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +related: + - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: @@ -12,20 +15,29 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/11/26 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows category: registry_set detection: - selection: + selection_etw_enabled: EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' + selection_complus: + EventType: SetValue + TargetObject|endswith: + - '\COMPlus_ETWEnabled' + - '\COMPlus_ETWFlags' + Details: 0 condition: selection falsepositives: - Unknown From 7c7057d9d39c95987b69fb32230da87a5f5c0797 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:06:58 +0100 Subject: [PATCH 077/115] fix: rename .net etw tamper rules --- ...y_etw_modification.yml => win_security_dot_net_etw_tamper.yml} | 0 ...y_set_etw_disabled.yml => registry_set_dot_net_etw_tamper.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/security/{win_security_etw_modification.yml => win_security_dot_net_etw_tamper.yml} (100%) rename rules/windows/registry/registry_set/{registry_set_etw_disabled.yml => registry_set_dot_net_etw_tamper.yml} (100%) diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml similarity index 100% rename from rules/windows/builtin/security/win_security_etw_modification.yml rename to rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml similarity index 100% rename from rules/windows/registry/registry_set/registry_set_etw_disabled.yml rename to rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml From fa1cbb314ab972561be714c98139420bdf4f39e9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:09:24 +0100 Subject: [PATCH 078/115] feat: more updates to etw tamper rules --- ...gistry_set_disable_autologger_sessions.yml | 5 ++-- .../registry_set_rpcrt4_etw_tamper.yml | 27 +++++++++++++++++++ .../registry_set_services_etw_tamper.yml | 24 +++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml create mode 100644 rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml 
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 38c4c79fa..0254cdb81 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -5,9 +5,10 @@ description: Detects tampering of autologger trace sessions which is a technique references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Nasreddine Bencherchali date: 2022/08/01 -modified: 2022/09/18 +modified: 2022/12/09 tags: - attack.defense_evasion logsource: @@ -22,7 +23,7 @@ detection: - '\EventLog-' - '\Defender' TargetObject|endswith: - - '\Enabled' + - '\Enable' - '\Start' Details: DWORD (0x00000000) filter_legitimate: diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml new file mode 100644 index 000000000..c157026fb --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml 
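Review bot: Changing the suffix to `'\Enable'` means `TargetObject|endswith` no longer matches the `Enabled` value name (a path ending in `\Enabled` does not end with `\Enable`), and as far as I know `Enabled` is the per-provider value under the AutoLogger session keys, so the rule loses the case it previously covered. If the intent was to also catch related values such as `EnableLevel` or `EnableFlags`, list the full names or use a `|contains` modifier rather than a truncated suffix; please re-check against the registry layout before merging.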
@@ -0,0 +1,27 @@ +title: ETW Logging Disabled For rpcrt4.dll +id: 4f281b83-0200-4b34-bf35-d24687ea57c2 +status: experimental +description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll +references: + - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html +author: Nasreddine Bencherchali +date: 2022/12/09 +tags: + - attack.defense_evasion + - attack.t1112 + - attack.t1562 +logsource: + product: windows + category: registry_set +detection: + selection_etw_enabled: + EventType: SetValue + TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation' + Details: + # This is disabled by default for some reason + - 'DWORD (0x00000000)' # Off + - 'DWORD (0x00000002)' # Off with exceptions + condition: selection +falsepositives: + - Unknown +level: low diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml new file mode 100644 index 000000000..e45aa08c3 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml @@ -0,0 +1,24 @@ +title: ETW Logging Disabled For SCM +id: 4f281b83-0200-4b34-bf35-d24687ea57c2 +status: experimental +description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) +references: + - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html +author: Nasreddine Bencherchali +date: 2022/12/09 +tags: + - attack.defense_evasion + - attack.t1112 + - attack.t1562 +logsource: + product: windows + category: registry_set +detection: + selection_etw_enabled: + EventType: SetValue + TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled' + Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1. + condition: selection +falsepositives: + - Unknown +level: low From a8472bf4df92c7b55fde896636d7fa230eeb7d00 Mon Sep 17 00:00:00 2001 
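Review bot: In the SCM rule, `Details: 'DWORD (0x00000001)'` matches the value the inline comment says is already the default, so any component that re-applies the default (policy refresh, servicing, a reinstall) will trigger it, and `falsepositives: - Unknown` undersells that; the rule is only meaningful on hosts where `TracingDisabled` has deliberately been set to 0, which should be stated, e.g. `# Only useful where TracingDisabled was hardened to 0; a write of the default 1 is otherwise benign`. The rpcrt4 rule in the same commit has the same shape (its comment says the "Off" value is also the default) and would benefit from the same falsepositives note.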
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 19:13:59 +0100
Subject: [PATCH 079/115] fix: add missing selection
---
 .../registry/registry_set/registry_set_dot_net_etw_tamper.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
index 4e888c2de..3a670b85e 100644
--- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml
@@ -38,7 +38,7 @@ detection:
 - '\COMPlus_ETWEnabled'
 - '\COMPlus_ETWFlags'
 Details: 0
- condition: selection
+ condition: 1 of selection_*
 falsepositives:
 - Unknown
 level: high
From fb988ab25e6436ed15656819086fecadb9379043 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 19:15:35 +0100
Subject: [PATCH 080/115] fix: typos and errors
---
 .../registry/registry_set/registry_set_rpcrt4_etw_tamper.yml | 4 ++--
 .../registry_set/registry_set_services_etw_tamper.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
index c157026fb..3377d03c1 100644
--- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml
@@ -1,5 +1,5 @@
 title: ETW Logging Disabled For rpcrt4.dll
-id: 4f281b83-0200-4b34-bf35-d24687ea57c2
+id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
 status: experimental
 description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
 references:
@@ -14,7 +14,7 @@ logsource:
 product: windows
 category: registry_set
 detection:
- selection_etw_enabled:
+ selection:
 EventType: SetValue
 TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
 Details:
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
index e45aa08c3..073cddb27 100644
--- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -14,7 +14,7 @@ logsource:
 product: windows
 category: registry_set
 detection:
- selection_etw_enabled:
+ selection:
 EventType: SetValue
 TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
 Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
From bacd8078c557929d350739f6547b6fca6d94bd6c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 19:18:09 +0100
Subject: [PATCH 081/115] feat: update detection section
---
 .../proc_creation_win_susp_use_of_sqlps_bin.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index f1f4d118b..6c8c49a0e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
@@ -20,14 +20,14 @@ logsource: category: process_creation product: windows detection: - selection_1: + selection_parent: + ParentImage|endswith: '\sqlps.exe' + selection_image: - Image|endswith: '\sqlps.exe' - OriginalFileName: 'sqlps.exe' - selection_2: - ParentImage|endswith: '\sqlps.exe' - filter: + filter_image: ParentImage|endswith: '\sqlagent.exe' - condition: (selection_1 and not filter) or selection_2 + condition: selection_parent or (selection_image and not filter_image) falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium From 26cd02cff4edf3247a6756fb1d30f8825bc8a427 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:24:44 +0100 Subject: [PATCH 082/115] fix: add modified date --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 522c8f4fd..23c65c682 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -13,6 +13,7 @@ references: - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ author: Nasreddine Bencherchali date: 2022/12/01 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence From 76fca5aa4b76e9b6cfa1a8eee1535c9b354d643a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:37:53 +0100 Subject: [PATCH 083/115] fix: update title to reflect logic --- .../proc_creation_win_etw_modification_cmdline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
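Review bot: `filter_image` filters on `ParentImage`, not `Image`, so the name misleads a reader of `condition: selection_parent or (selection_image and not filter_image)`; `filter_parent_sqlagent` would say what it actually excludes. The logic itself is equivalent to the previous `(selection_1 and not filter) or selection_2`, so this is a naming point only.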
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index cc7917676..906bffd2f 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml @@ -1,4 +1,4 @@ -title: ETW Logging Disabled In .NET Processes - CommandLine +title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. From 1a9d7960e7141badae731238eb67651a13bc5318 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:44:44 +0100 Subject: [PATCH 084/115] fix: add dword version --- .../registry/registry_set/registry_set_dot_net_etw_tamper.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 3a670b85e..f32870645 100644 --- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -37,7 +37,9 @@ detection: TargetObject|endswith: - '\COMPlus_ETWEnabled' - '\COMPlus_ETWFlags' - Details: 0 + Details: + - 0 # For REG_SZ type + - 'DWORD (0x00000000)' condition: 1 of selection_* falsepositives: - Unknown From 96628974425b567c57c219ada11882f264c15409 Mon Sep 17 00:00:00 2001 From: Veramine Date: Fri, 9 Dec 2022 12:13:58 -0800 Subject: [PATCH 085/115] Update proc_creation_win_susp_conhost_option.yml (#3763) --- .../proc_creation_win_susp_conhost_option.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
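Review bot: The new `- 0 # For REG_SZ type` is an unquoted YAML integer while its sibling `'DWORD (0x00000000)'` is a string; a backend that preserves YAML scalar types may emit a numeric comparison against the string-typed `Details` field and miss exactly the REG_SZ case the comment is about. Quote it for consistency with the rest of the rule: `- '0' # REG_SZ form of the environment variable`.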
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml index 31816d30e..970f2a353 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml @@ -1,12 +1,13 @@ -title: Suspicious Conhost Legacy Option +title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: experimental -description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application +description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 -date: 2022/04/04 +date: 2022/12/09 tags: - attack.defense_evasion - attack.t1202 @@ -15,11 +16,12 @@ logsource: category: process_creation detection: selection: + IntegrityLevel: 'High' CommandLine|contains|all: - 'conhost.exe' - '0xffffffff' - '-ForceV1' condition: selection falsepositives: - - Unknown + - Very Likely, including launching cmd.exe via Run As Administrator level: informational From 646d8614718cbeadfca7a300a527c6aa7a705203 Mon Sep 17 00:00:00 2001 
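Review bot: The `date:` field is overwritten (`2022/04/04` → `2022/12/09`) instead of adding a `modified:` line, which loses the rule's creation date and breaks the convention the other rules in this series follow; restore `date: 2022/04/04` and add `modified: 2022/12/09`. The new `IntegrityLevel: 'High'` requirement also excludes `System`-level conhost launches, so if the intent is "elevated" in general rather than an admin token specifically, a two-value list would match the description better. With `falsepositives: - Very Likely ...` and `level: informational` the rule is explicitly a hunting aid; saying so in the description would set expectations.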
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:57:28 +0100 Subject: [PATCH 086/115] Redcannary --- .../proc_creation_create_link_osk_cmd.yml | 27 +++++++++++++++++++ .../proc_creation_wmic_tamper_defender.yml | 25 +++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml create mode 100644 rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml new file mode 100644 index 000000000..fe8f3e2d9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml @@ -0,0 +1,27 @@ +title: Create Symbolic Link From osk.exe to cmd.exe +id: e9b61244-893f-427c-b287-3e708f321c6b +status: experimental +description: Detects creation of a link from accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\cmd.exe' + - OriginalFileName: 'Cmd.exe' + selection_cli: + CommandLine|contains|all: + - 'mklink' + - '\System32\osk.exe' + - '\System32\cmd.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml new file mode 100644 index 000000000..2b2e08744 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml 
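Review bot: The tags `attack.credential_access` / `attack.t1546.008` do not agree: T1546.008 (Accessibility Features) is an Event Triggered Execution sub-technique under privilege escalation and persistence, so the tactic tags should be `- attack.privilege_escalation` and `- attack.persistence`. "accessiblity" in the description should read "accessibility". The selection requires both `\System32\osk.exe` and `\System32\cmd.exe`, which matches the narrow scope the title states, so that part is consistent.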
@@ -0,0 +1,25 @@ +title: WMIC Tamper Windows Defender +id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a +status: experimental +description: Detects tampering Windows Defender with wmic +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md + - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - OriginalFileName: 'wmic.exe' + - Image|endswith: '\WMIC.exe' + selection_cli: + CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender' + condition: all of selection_* +falsepositives: + - Unknown +level: high From fec7756b8b7ee8d4a18ad2660bd217fb7c42936f Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:00:05 -0500 Subject: [PATCH 087/115] Create proc_creation_win_lolbin_setres.yml --- .../proc_creation_win_lolbin_setres.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_setres.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml new file mode 100644 index 000000000..c76c85b81 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
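Review bot: The tags (`attack.credential_access`, `attack.t1546.008`) appear to be copied from the osk rule in this same commit, but the referenced atomic is T1562.001 (Impair Defenses: Disable or Modify Tools), so they should be `- attack.defense_evasion` and `- attack.t1562.001`. The `CommandLine|contains` value with four leading backslashes relies on Sigma's backslash escaping to produce the intended literal; a short comment stating the expected command-line text would save the next reader from re-deriving it. "Detects tampering Windows Defender with wmic" reads better as "Detects tampering with Windows Defender via wmic".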
@@ -0,0 +1,31 @@ +title: Use of Setres.exe +id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 +status: experimental +description: Detects the use of Setres.exe to set the screen resolution and then to potentially launch a file named "choice" from the local path +references: + - https://lolbas-project.github.io/lolbas/Binaries/Setres/ + - https://twitter.com/0gtweet/status/1583356502340870144 + - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.defense_evasion + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection_ldif: + - Image|endswith: '\setres.exe' + - OriginalFileName: 'setres.exe' + selection_cmd: + CommandLine|contains|all: + - '-w' + - '-h' + condition: all of selection_* +falsepositives: + - Legitimate usage of Setres +level: medium From ff14120ee52a08f018c0ae1370e596e56f978fbb Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:17:53 -0500 Subject: [PATCH 088/115] Update proc_creation_win_lolbin_setres.yml corrected duplicate tags --- .../windows/process_creation/proc_creation_win_lolbin_setres.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index c76c85b81..69b09f3c9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -12,7 +12,6 @@ date: 2022/12/11 tags: - attack.defense_evasion - attack.t1218 - - attack.defense_evasion - attack.t1202 logsource: category: process_creation From 89d2d00a5b2ca20a217c1b29dd6bae625cdb6cfb Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Dec 2022 16:46:32 +0100 Subject: [PATCH 089/115] Redcannary --- .../registry_set_legalnotice_susp_message.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml new file mode 100644 index 000000000..e1c330d6f --- /dev/null +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml @@ -0,0 +1,28 @@ +title: Set Display Ransom Message +id: 8b9606c9-28be-4a38-b146-0e313cc232c1 +status: experimental +description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md +author: frack113 +date: 2022/12/11 +tags: + - attack.impact + - attack.t1491.001 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: SetValue + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText' + Details|contains: + - 'encrypted' + - 'Unlock-Password' + - 'paying' + condition: selection +falsepositives: + - Unknown +level: high From af0b1e61b4e76630e65f6edcebaeda06a4b80968 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:53:38 -0500 Subject: [PATCH 090/115] Create web_apache_solr_lfi_exploit.yml --- rules/web/web_apache_solr_lfi_exploit.yml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_apache_solr_lfi_exploit.yml 
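Review bot: The file is created under `rules/windows/registry/registry_event/` while `logsource.category` is `registry_set`; the repository keeps `registry_set` rules in their own `registry_set/` directory (see the `registry_set_asep_reg_keys_modification_wow6432node.yml` path later in this series), so the file should move there or the category and directory will disagree. `TargetObject|contains` on full key paths that already end in the value name would be tighter as `TargetObject|endswith`, which avoids matching unrelated values that merely share the prefix. `Details|contains: 'paying'` is a weak token on its own (it can appear in ordinary acceptable-use banners), so consider a stricter phrase or record it in `falsepositives` instead of `- Unknown`.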
diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_apache_solr_lfi_exploit.yml new file mode 100644 index 000000000..2827ac4a8 --- /dev/null +++ b/rules/web/web_apache_solr_lfi_exploit.yml @@ -0,0 +1,30 @@ +title: Potential Apache Solr Local File Read Exploit +id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 +status: experimental +description: | + All Apache Solr versions <= 8.8.1 are impacted by an arbitrary file read and server-side request forgery (SSRF) vulnerability. + Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. + After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. +references: + - https://twitter.com/Al1ex4/status/1382981479727128580 + - https://twitter.com/sec715/status/1373472323538362371 + - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ + - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection_request: + c-uri|contains|all: + - '/solr/' + - '/debug/dump?' + - 'param=ContentStream' + sc-status: '200' + condition: selection_request +falsepositives: + - Unknown +level: medium From 3a1fe165703526cfd6abc5259a7e993c0ba149ff Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 11:25:12 -0500 Subject: [PATCH 091/115] Update proc_creation_win_lolbin_setres.yml selection correction and detection logic correction --- .../proc_creation_win_lolbin_setres.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index 69b09f3c9..c004f58a8 100644 
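Review bot: The `description` in the new file carries transcription errors that will surface verbatim in alert tooling: `requestDis patcher.requestParsers.enableRemoteStreaming` has a space inside the identifier and `can can thereby` doubles a word; it should read `requestDispatcher.requestParsers.enableRemoteStreaming` and `can thereby read local files`. The `c-uri|contains|all` entry `'/debug/dump?'` also anchors on the literal `?`, so a request that places other parameters first or URL-encodes the path would still carry `param=ContentStream` yet miss the rule; consider matching `'/debug/dump'` without the `?` so reordered queries are caught. The title promises an exploit detection but `sc-status: '200'` restricts the rule to successful responses, which is worth stating in the description so analysts know failed attempts are not covered.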
--- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -17,14 +17,11 @@ logsource: category: process_creation product: windows detection: - selection_ldif: - - Image|endswith: '\setres.exe' - - OriginalFileName: 'setres.exe' - selection_cmd: - CommandLine|contains|all: - - '-w' - - '-h' - condition: all of selection_* + selection: + ParentImage|endswith: '\setres.exe' + Image|endswith: + - '\choice' + condition: all of selection* falsepositives: - Legitimate usage of Setres level: medium From 063aac1b4d6f075b85ca6a4a71c3d08f83868003 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 11:57:22 -0500 Subject: [PATCH 092/115] Update proc_creation_win_lolbin_setres.yml --- .../process_creation/proc_creation_win_lolbin_setres.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index c004f58a8..32ff6c23c 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -19,8 +19,7 @@ logsource: detection: selection: ParentImage|endswith: '\setres.exe' - Image|endswith: - - '\choice' + Image|endswith: '\choice' condition: all of selection* falsepositives: - Legitimate usage of Setres From d797bf0eb112b6895fe8c13c89dd5a88907d96c2 Mon Sep 17 00:00:00 2001 
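Review bot: `Image|endswith: '\choice'` in the rewritten `selection` cannot match a real process-creation event, because the `Image` field carries the executable path including its extension: a launched `choice.exe` ends in `\choice.exe`, and a `choice.cmd`/`.bat` runs inside `cmd.exe`, whose Image ends in `\cmd.exe` with the script name only in `CommandLine`. Split the detection into one selection for the binary and one for the script case, both keyed on `ParentImage|endswith: '\setres.exe'`, and use `1 of selection_*`; `all of selection*` over a single selection is a no-op either way. The exact parent depends on how setres spawns `choice` (directly, or through `cmd /c`, in which case the parent of `choice.exe` would be `cmd.exe`), so confirm against the referenced tweet and LOLBAS entry before relying on the parent field.
```yaml
detection:
    selection_exe:
        ParentImage|endswith: '\setres.exe'
        Image|endswith: '\choice.exe'
    selection_script:
        ParentImage|endswith: '\setres.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'choice'
    condition: 1 of selection_*
```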
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 12 Dec 2022 13:23:59 +0100 Subject: [PATCH 093/115] Apply suggestions from code review Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_create_link_osk_cmd.yml | 9 +++++---- .../proc_creation_wmic_tamper_defender.yml | 2 +- .../registry_set_legalnotice_susp_message.yml | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml index fe8f3e2d9..cef5457d6 100644 --- a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml @@ -1,9 +1,10 @@ -title: Create Symbolic Link From osk.exe to cmd.exe +title: Potential Privilege Escalation Using Symlink Between Osk and Cmd id: e9b61244-893f-427c-b287-3e708f321c6b status: experimental -description: Detects creation of a link from accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in. +description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md + - https://ss64.com/nt/mklink.html author: frack113 date: 2022/12/11 tags: @@ -19,8 +20,8 @@ detection: selection_cli: CommandLine|contains|all: - 'mklink' - - '\System32\osk.exe' - - '\System32\cmd.exe' + - '\osk.exe' + - '\cmd.exe' condition: all of selection_* falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml index 2b2e08744..84ed9bd12 100644 --- a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml @@ -1,7 +1,7 @@ title: WMIC Tamper Windows Defender id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a status: experimental -description: Detects tampering Windows Defender with wmic +description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml index e1c330d6f..4780d88a6 100644 --- a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml @@ -1,7 +1,7 @@ -title: Set Display Ransom Message +title: Potential Ransomware Activity Using LegalNotice Message id: 8b9606c9-28be-4a38-b146-0e313cc232c1 status: experimental -description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message +description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md author: frack113 From 5a46cd3efd4fedadb1f6d7517199847a98859c97 Mon Sep 17 00:00:00 2001 
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com>
Date: Mon, 12 Dec 2022 17:54:46 +0530
Subject: [PATCH 094/115] Create Abuse Nslookup with DNS Records (#3773)
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 ...osh_pc_abuse_nslookup_with_dns_records.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
new file mode 100644
index 000000000..e1e309369
--- /dev/null
+++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
@@ -0,0 +1,30 @@
+title: Nslookup PowerShell Download Cradle
+id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
+related:
+ - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
+ type: similar
+status: experimental
+description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
+references:
+ - https://twitter.com/Alh4zr3d/status/1566489367232651264
+author: Sai Prashanth Pulisetti @pulisettis
+date: 2022/12/10
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_classic_start
+ definition: fields have to be extract from event
+detection:
+ selection:
+ HostApplication|contains|all:
+ - 'powershell'
+ - 'nslookup'
+ HostApplication|contains:
+ - '-q=txt'
+ - '-querytype=txt'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From da2d06fa37d2a8f00a26950efce7e80f21953d3b Mon Sep 17 00:00:00 2001
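Review bot: `HostApplication|contains` lists only `-q=txt` and `-querytype=txt`, but Windows `nslookup` also accepts `-type=txt`, which is the spelling most write-ups use, so a cradle built as `nslookup -type=txt <domain>` slips past; add `- '-type=txt'` (and the abbreviated `-ty=txt` if your nslookup build honours it — verify). Sigma string matching is case-insensitive by default, so `TXT` is already covered and no uppercase variants are needed. The `logsource.definition` text `fields have to be extract from event` should read `fields have to be extracted from the event`, ideally with a note that `HostApplication` is the classic PowerShell host command line, since that is the field deployers must map.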
From: Micah Babinski Date: Mon, 12 Dec 2022 07:28:57 -0800 Subject: [PATCH 095/115] Added suspicious rcedit rule. --- .../proc_creation_susp_rcedit_execution.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml new file mode 100644 index 000000000..772917603 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -0,0 +1,37 @@ +title: Suspicious Use of rcedit utility +id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 +status: experimental +description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +references: + - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe + - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 + - https://github.com/electron/rcedit +author: Micah Babinski +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1036.003 + - attack.t1036 + - attack.t1027.005 + - attack.t1027 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - '\rcedit-x64.exe' + - '\rcedit-x86.exe' + CommandLine|contains: '--set-resource-string' + selection2: + CommandLine|contains: + - 'OriginalFileName' + - 'CompanyName' + - 'FileDescription' + - 'ProductName' + - 'ProductVersion' + - 'LegalCopyright' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: high From e8a980161c7ff4cdb52f29b1853370914a5c565b Mon Sep 17 00:00:00 2001 
From: Micah Babinski Date: Mon, 12 Dec 2022 07:32:26 -0800 Subject: [PATCH 096/115] Fixed rule description and title. --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 772917603..d4da0bf3d 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -1,7 +1,7 @@ -title: Suspicious Use of rcedit utility +title: Suspicious Use of Rcedit Utility to Alter Executable Metadata id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental -description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 From 52997da9b25d4ad1221d7625327fc509ab30555c Mon Sep 17 00:00:00 2001 From: Micah Babinski Date: Mon, 12 Dec 2022 07:33:47 -0800 Subject: [PATCH 097/115] Modified level (reduce severity) --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index d4da0bf3d..4b320ebac 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml 
+++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -34,4 +34,4 @@ detection: condition: selection1 and selection2 falsepositives: - Unknown -level: high +level: medium From 622fb687b7c062b00810a4ca31fe0b97faca96fe Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 21:58:17 +0100 Subject: [PATCH 098/115] fix: update logic and other information --- .../proc_creation_susp_rcedit_execution.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 4b320ebac..1ad1b4900 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -1,7 +1,7 @@ -title: Suspicious Use of Rcedit Utility to Alter Executable Metadata +title: Potential Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental -description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 
@@ -18,12 +18,16 @@ logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: + selection_img: + - Image|endswith: - '\rcedit-x64.exe' - '\rcedit-x86.exe' - CommandLine|contains: '--set-resource-string' - selection2: + - Description: 'Edit resources of exe' + - Product: 'rcedit' + selection_flags: + CommandLine|contains: + - '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + selection_attributes: CommandLine|contains: - 'OriginalFileName' - 'CompanyName' @@ -31,7 +35,7 @@ detection: - 'ProductName' - 'ProductVersion' - 'LegalCopyright' - condition: selection1 and selection2 + condition: all of selection_* falsepositives: - - Unknown + - Legitimate use of the tool by administrators or users to update metadata of a binary level: medium From 14a2bf3b596bbf0980346b31eb3fd10aeb23ed5c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 22:16:38 +0100 Subject: [PATCH 099/115] fix: error in selection --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 1ad1b4900..c9ca2c50d 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -25,8 +25,7 @@ detection: - Description: 'Edit resources of exe' - Product: 'rcedit' selection_flags: - CommandLine|contains: - - '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" selection_attributes: CommandLine|contains: - 'OriginalFileName' 
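Review bot: `selection_attributes` only fires when one of the listed version-string keys appears in the command line, so rcedit runs that change metadata through dedicated switches — `--set-file-version`, `--set-product-version`, or `--set-version-string "InternalName"` — pass `selection_flags` (`--set-`) but never satisfy `selection_attributes` and go undetected (check the rcedit README for the exact option names). If the rule is meant to catch PE metadata tampering in general rather than only `OriginalFilename`/`CompanyName` rewrites, add `- 'InternalName'`, `- '--set-file-version'` and `- '--set-product-version'` to that list; if the narrower scope is deliberate, say so in the description. The `Description`/`Product` alternatives in `selection_img` are Sysmon-only fields, so on a 4688-based log source only the image-name branch remains — a one-line comment noting that would help deployers judge coverage.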
From a7662a7350cbe6db9f574858442d5e852ddeb74e Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:07:05 -0500 Subject: [PATCH 100/115] Update rules/windows/process_creation/proc_creation_win_lolbin_setres.yml Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../process_creation/proc_creation_win_lolbin_setres.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index 32ff6c23c..da47af9ae 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -1,7 +1,7 @@ title: Use of Setres.exe id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 status: experimental -description: Detects the use of Setres.exe to set the screen resolution and then to potentially launch a file named "choice" from the local path +description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path references: - https://lolbas-project.github.io/lolbas/Binaries/Setres/ - https://twitter.com/0gtweet/status/1583356502340870144 From 120bff21f878f634e64c855f13a55ea1e125432b Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:09:26 -0500 Subject: [PATCH 101/115] Update proc_creation_win_lolbin_setres.yml --- .../process_creation/proc_creation_win_lolbin_setres.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index da47af9ae..924eea112 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -18,8 +18,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\setres.exe' - Image|endswith: '\choice' + ParentImage|endswith: '\setres.exe' + Image|endswith: '\choice' condition: all of selection* falsepositives: - Legitimate usage of Setres From b9b88b13822293922989b3c1be2d7b598c63a212 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:16:03 -0500 Subject: [PATCH 102/115] Update web_apache_solr_lfi_exploit.yml --- rules/web/web_apache_solr_lfi_exploit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_apache_solr_lfi_exploit.yml index 2827ac4a8..31240079f 100644 --- a/rules/web/web_apache_solr_lfi_exploit.yml +++ b/rules/web/web_apache_solr_lfi_exploit.yml @@ -15,6 +15,7 @@ date: 2022/12/11 tags: - attack.initial_access - attack.t1190 + - cve.2021-27905 logsource: category: webserver detection: From c91c775f587bc7c7edb90d104e95d7032fe60e08 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:16:52 -0500 Subject: [PATCH 103/115] Rename web_apache_solr_lfi_exploit.yml to web_cve_2021-27905_apache_solr_lfi_exploit.yml --- ...exploit.yml => web_cve_2021-27905_apache_solr_lfi_exploit.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_apache_solr_lfi_exploit.yml => web_cve_2021-27905_apache_solr_lfi_exploit.yml} (100%) diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml similarity index 100% rename from rules/web/web_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml From 11351b78dd5b277556ac741078829306e6fc9f40 Mon Sep 17 00:00:00 2001 
From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:17:11 -0500 Subject: [PATCH 104/115] Rename web_cve_2021-27905_apache_solr_lfi_exploit.yml to web_cve_2021_27905_apache_solr_lfi_exploit.yml --- ...exploit.yml => web_cve_2021_27905_apache_solr_lfi_exploit.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve_2021-27905_apache_solr_lfi_exploit.yml => web_cve_2021_27905_apache_solr_lfi_exploit.yml} (100%) diff --git a/rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml similarity index 100% rename from rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml From 14ccb7b00ecf481d3877addc64d683f1752698df Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 23:26:19 +0100 Subject: [PATCH 105/115] fix: broken tag --- rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml index 31240079f..006c8f823 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml @@ -15,7 +15,7 @@ date: 2022/12/11 tags: - attack.initial_access - attack.t1190 - - cve.2021-27905 + - cve.2021.27905 logsource: category: webserver detection: From 796db1479fb73ddf66228935da3035ef55e39c21 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:31:32 -0500 Subject: [PATCH 106/115] Update web_cve_2021_27905_apache_solr_lfi_exploit.yml --- .../web_cve_2021_27905_apache_solr_lfi_exploit.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml index 006c8f823..c7fb08329 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml @@ -10,6 +10,7 @@ references: - https://twitter.com/sec715/status/1373472323538362371 - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 + - https://github.com/murataydemir/CVE-2021-27905 author: '@gott_cyber' date: 2022/12/11 tags: @@ -19,13 +20,19 @@ tags: logsource: category: webserver detection: - selection_request: + selection_request1: c-uri|contains|all: - '/solr/' - '/debug/dump?' - 'param=ContentStream' sc-status: '200' - condition: selection_request + selection_request2: + cs-method: 'GET' + c-uri|contains|all: + - '/solr/' + - '?command=fetchindex&masterUrl=' + sc-status: '200' + condition: selection_request1 or selection_request2 falsepositives: - Unknown level: medium From aca5dccd7fdda232309cb4698cebecb8280f71b3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:01:46 +0100 Subject: [PATCH 107/115] fix: change title --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index c9ca2c50d..776cd622a 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml 
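Review bot: `selection_request2` pins `cs-method: 'GET'` and the literal `'?command=fetchindex&masterUrl='`, which ties the match to one parameter order and one HTTP method; Solr request handlers generally accept the same parameters via POST and in any order (verify against the replication handler docs), so `masterUrl=...&command=fetchindex` or a POST body is not caught. Drop the method constraint, or make it a list including `POST`, and match the two parameters as separate `c-uri|contains|all` entries (`'command=fetchindex'`, `'masterUrl='`) rather than one joined string. The new reference to a public PoC repository is useful for validation but should be paired with the official advisory URL so the rule does not depend on a personal repository staying online.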
@@ -1,4 +1,4 @@ -title: Potential Metadata Tamper Using Rcedit +title: Potential PE Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. From 8011ef23a314d9f0650a1e44aa08a2498c9206bb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:15:49 +0100 Subject: [PATCH 108/115] fix: enhance logic, description and title --- ...l => web_cve_2021_27905_apache_solr_exploit.yml} | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) rename rules/web/{web_cve_2021_27905_apache_solr_lfi_exploit.yml => web_cve_2021_27905_apache_solr_exploit.yml} (78%) diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml similarity index 78% rename from rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021_27905_apache_solr_exploit.yml index c7fb08329..8652e3408 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml @@ -1,8 +1,8 @@ -title: Potential Apache Solr Local File Read Exploit +title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 status: experimental description: | - All Apache Solr versions <= 8.8.1 are impacted by an arbitrary file read and server-side request forgery (SSRF) vulnerability. + Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. references: 
@@ -29,10 +29,11 @@ detection: selection_request2: cs-method: 'GET' c-uri|contains|all: - - '/solr/' - - '?command=fetchindex&masterUrl=' + - '/solr/' + - 'command=fetchindex' + - 'masterUrl=' sc-status: '200' - condition: selection_request1 or selection_request2 + condition: 1 of selection_* falsepositives: - - Unknown + - Vulnerability Scanners level: medium From 078fcaab28380eeb36b46599c82c94b7a2bf5ce8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:17:04 +0100 Subject: [PATCH 109/115] fix: update description --- rules/web/web_cve_2021_27905_apache_solr_exploit.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml index 8652e3408..697558820 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml @@ -1,10 +1,7 @@ title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 status: experimental -description: | - Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. - Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. - After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. +description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. references: - https://twitter.com/Al1ex4/status/1382981479727128580 - https://twitter.com/sec715/status/1373472323538362371 From 3b88cab510f91c0032c98f7086cc104d583b7253 Mon Sep 17 00:00:00 2001 
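Review bot: The title now says "Exploitation Attempt", but `sc-status: '200'` (kept as context in `selection_request2`, and still present on `selection_request1` outside this hunk) limits both selections to successful responses, so probes against patched or non-vulnerable Solr instances never alert. Either drop the `sc-status` lines so the rule matches attempts as the title promises, or keep them and rename the rule to `Successful CVE-2021-27905 Exploitation`; with the status removed, the new `Vulnerability Scanners` false-positive entry becomes the main noise source and `level: medium` remains appropriate.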
From: frack113
Date: Tue, 13 Dec 2022 10:26:21 +0100
Subject: [PATCH 110/115] Add image_load_side_load_classicexplorer32
---
 ...image_load_side_load_classicexplorer32.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_side_load_classicexplorer32.yml
diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
new file mode 100644
index 000000000..ee43824ed
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml
@@ -0,0 +1,27 @@
+title: ClassicExplorer32 DLL Sideloading
+id: caa02837-f659-466f-bca6-48bde2826ab4
+status: experimental
+description: Detects DLL sideloading of DLLs classic Windows Explorer features
+references:
+ - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
+ - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
+author: frack113
+date: 2022/12/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_classicexplorer:
+ ImageLoaded|endswith: '\ClassicExplorer32.dll'
+ filter_classicexplorer:
+ ImageLoaded|startswith: ' C:\Program Files\Classic Shell\'
+ condition: selection_classicexplorer and not filter_classicexplorer
+falsepositives:
+ - Unknown
+level: medium
From fd76082c142b8671f13d1dafdf694c41ee1439dc Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 13 Dec 2022 18:26:42 +0100
Subject: [PATCH 111/115] Apply suggestions from code review
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../image_load/image_load_side_load_classicexplorer32.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
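Review bot: The exclusion `ImageLoaded|startswith: ' C:\Program Files\Classic Shell\'` begins with a space, so it can never match a real `ImageLoaded` value and every legitimate load of `ClassicExplorer32.dll` from the Classic Shell install directory will alert; the value must be `'C:\Program Files\Classic Shell\'`. Because the allowlist is path-only and the loading `Image` is not checked, an attacker with write access to that directory could still swap the DLL unnoticed — an accepted trade-off for this rule type, but worth a `# path-based allowlist only; loading Image is not constrained` comment beside the filter. The description also reads oddly ("sideloading of DLLs classic Windows Explorer features"); `Detects potential DLL sideloading of ClassicExplorer32.dll from the Classic Shell software` would be clearer.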
diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml index ee43824ed..04b3c3755 100644 --- a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml +++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml @@ -1,7 +1,7 @@ -title: ClassicExplorer32 DLL Sideloading +title: Potential DLL Sideloading Via ClassicExplorer32.dll id: caa02837-f659-466f-bca6-48bde2826ab4 status: experimental -description: Detects DLL sideloading of DLLs classic Windows Explorer features +description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software references: - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/ @@ -20,7 +20,7 @@ detection: selection_classicexplorer: ImageLoaded|endswith: '\ClassicExplorer32.dll' filter_classicexplorer: - ImageLoaded|startswith: ' C:\Program Files\Classic Shell\' + ImageLoaded|startswith: 'C:\Program Files\Classic Shell\' condition: selection_classicexplorer and not filter_classicexplorer falsepositives: - Unknown From 232d7f840ac2d58a0806785e72694f914e756fda Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 14 Dec 2022 13:05:58 +0100 Subject: [PATCH 112/115] fix: FPs noticed with Aurora --- .../image_load/image_load_susp_vss_dll_load.yml | 2 ++ ..._set_asep_reg_keys_modification_wow6432node.yml | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml index 94cbfed76..6f05a265b 100644 --- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml 
@@ -6,6 +6,7 @@ references:
 - https://github.com/ORCx41/DeleteShadowCopies
 author: frack113
 date: 2022/10/31
+modified: 2022/12/14
 tags:
 - attack.defense_evasion
 - attack.impact
@@ -23,6 +24,7 @@ detection:
 - 'C:\Windows\'
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
+ - 'C:\ProgramData\Package Cache\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 4a79e6514..72e95dc08 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -12,7 +12,7 @@ references:
 - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
 date: 2019/10/25
-modified: 2022/11/01
+modified: 2022/12/14
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -65,8 +65,7 @@ detection:
 - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
 - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
 Details|startswith:
- '"C:\ProgramData\Package Cache\{7037b699-7382-448c-89a7-4765961d2537}\windowsdesktop-runtime-'
- '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-'
+ - '"C:\ProgramData\Package Cache\'
 Details|endswith: '.exe" /burn.runonce'
 filter_office:
 Image|startswith:
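Review bot: The `C:\ProgramData\Package Cache\` prefix added in the `@@ -23,6 +24,7 @@` hunk allowlists an entire ProgramData subtree in a filter whose field key sits above the hunk (presumably an `Image|startswith` list, judging by the neighbouring values), and the `@@ -65,8 +65,7 @@` hunk of the registry rule does the same by replacing the two GUID-pinned `windowsdesktop-runtime-` prefixes with the bare cache root; the `filter_upgrades` hunk in the next file section shares the concern. Unlike `C:\Program Files\`, a subdirectory of ProgramData is not administrator-only by default unless the installer applies its own ACL, so the exclusion now rests on the path alone rather than on the installer it was written for. The sample paths recorded in PATCH 113 all follow `{GUID}\<product>-<version>-win-<arch>.exe`, so an `Image|contains` list of `\dotnet-sdk-`, `\windowsdesktop-runtime-` and `\aspnetcore-runtime-` next to the prefix would keep the suppression while not exempting arbitrary binaries staged under the cache. In the registry rule the GUID-free prefix plus `Details|endswith: '.exe" /burn.runonce'` now accepts any bundle path, so the same product tokens could be retained there as a `Details|contains` list.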
@@ -78,12 +77,15 @@ detection:
 filter_vcredist:
 Image|endswith: '\VC_redist.x64.exe'
 Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
- filter_winsdk:
+ filter_upgrades:
 Image|startswith:
 - 'C:\ProgramData\Package Cache'
 - 'C:\Windows\Temp\'
- Image|endswith: '\winsdksetup.exe'
- Details|endswith: '\winsdksetup.exe" /burn.runonce'
+ Image|contains:
+ - '\winsdksetup.exe'
+ - '\windowsdesktop-runtime-' # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
+ - '\AspNetCoreSharedFrameworkBundle-' # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
+ Details|endswith: ' /burn.runonce'
 condition: all of wow_current_version_* and not 1 of filter_*
 fields:
 - SecurityID

From 7365e12478da009186a232468e5784e9d6632cf2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Dec 2022 13:08:10 +0100
Subject: [PATCH 113/115] docs: explanation for filter

---
 rules/windows/image_load/image_load_susp_vss_dll_load.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml
index 6f05a265b..c3914694b 100644
--- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml
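Review bot: `filter_upgrades` drops the coupling between `Image` and `Details` that `filter_winsdk` had: `Details|endswith` shrinks from `'\winsdksetup.exe" /burn.runonce'` to `' /burn.runonce'`, so the exclusion now holds for any image under `C:\Windows\Temp\` (a directory regular users can create files in) or the Package Cache whose path merely contains one of the three substrings, regardless of which executable the RunOnce value actually points at. Keeping a `Details|contains` list with the same three tokens, and the `'.exe" /burn.runonce'` suffix the `@@ -65` hunk above already uses, restores that coupling at little cost. The unchanged `- 'C:\ProgramData\Package Cache'` context line also lacks the trailing backslash the other rules in this series use for the same prefix.
```yaml
    filter_upgrades:
        # … unchanged: Image|startswith and Image|contains lists …
        Details|contains:
            - '\winsdksetup.exe'
            - '\windowsdesktop-runtime-'
            - '\AspNetCoreSharedFrameworkBundle-'
        Details|endswith: '.exe" /burn.runonce'
```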
@@ -24,6 +24,12 @@ detection:
 - 'C:\Windows\'
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
+ # The following filter is required because of many FPs cause by :
+ # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
+ # C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
+ # C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
+ # C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
+ # etc.
 - 'C:\ProgramData\Package Cache\'
 condition: selection and not 1 of filter_*
 falsepositives:

From 643a06766e74ef3e7c0313520285e36dbd869c26 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Dec 2022 13:21:54 +0100
Subject: [PATCH 114/115] fix: FP with NVIDIA driver installation

---
 .../create_remote_thread_win_susp_remote_thread_source.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
index be58155f7..fd56e9755 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml
@@ -10,7 +10,7 @@ references:
 - https://lolbas-project.github.io
 author: Perez Diego (@darkquassar), oscd.community
 date: 2019/10/27
-modified: 2022/08/26
+modified: 2022/12/14
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
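Review bot: The first added comment reads `FPs cause by :`; it should be `FPs caused by:`. These sample paths are the only record of why the whole cache directory is excluded, yet rule consumers read `falsepositives` (it starts on the hunk's last context line, its entries lie below the hunk), so the same information belongs there, e.g. `- .NET SDK and runtime installers staged under C:\ProgramData\Package Cache`. `# etc.` leaves it open whether anything other than .NET bundles was observed; saying so either way would help whoever later tries to narrow this filter.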
@@ -95,6 +95,9 @@ detection:
 - 'C:\Windows\System32\schtasks.exe'
 - 'C:\Windows\SysWOW64\schtasks.exe'
 TargetImage: 'C:\Windows\System32\conhost.exe'
+ filter_nvidia:
+ SourceImage: 'C:\Windows\explorer.exe'
+ TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
 condition: selection and not 1 of filter*
 fields:
 - ComputerName

From c98e9ec3cc9c62c35609d935719825786d4c708e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Dec 2022 13:23:28 +0100
Subject: [PATCH 115/115] fix: list with one element issue

---
 .../registry_set_asep_reg_keys_modification_wow6432node.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 72e95dc08..b575c0acf 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -64,8 +64,7 @@ detection:
 TargetObject|endswith:
 - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
 - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
- Details|startswith:
- - '"C:\ProgramData\Package Cache\'
+ Details|startswith: '"C:\ProgramData\Package Cache\'
 Details|endswith: '.exe" /burn.runonce'
 filter_office:
 Image|startswith:
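Review bot: `filter_nvidia` in the `@@ -95,6 +95,9 @@` hunk suppresses `explorer.exe` creating a remote thread in GeForce Experience, but nothing in the rule records that this is expected during NVIDIA driver installation, which the commit title gives as the reason; add `- NVIDIA driver installation (explorer.exe creating a remote thread in NVIDIA GeForce Experience.exe)` to `falsepositives`, which lies below the hunk. Pinning `TargetImage` to the full default install path keeps the exemption tight, which matters here because the SourceImage being exempted is the generic `explorer.exe`. The enclosing `detection` map and the `selection` the filter is subtracted from start above the hunk.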