From 6e594875f3084b344bd25f9fd4f3b9b85cf796a7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 21 Apr 2022 09:12:13 +0200
Subject: [PATCH 1/3] refactor: cmdkey extended coverage
---
 .../proc_creation_win_cmdkey_recon.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
index 6bc458264..b84f0301d 100644
--- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml
@@ -5,9 +5,9 @@ description: Detects usage of cmdkey to look for cached credentials
 references:
 - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
 - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
-author: jmallette
+author: jmallette, Florian Roth
 date: 2019/01/16
-modified: 2021/07/07
+modified: 2022/04/21
 tags:
 - attack.credential_access
 - attack.t1003.005
@@ -17,7 +17,9 @@ logsource:
 detection:
 selection:
 Image|endswith: '\cmdkey.exe'
-CommandLine|contains: ' /list'
+CommandLine|contains:
+ - ' /list'
+ - ' -list'
 condition: selection
 fields:
 - CommandLine
@@ -25,4 +27,4 @@ fields:
 - User
 falsepositives:
 - Legitimate administrative tasks
-level: medium
+level: high
From c7dada5e211d24e3b62720f8acb46a06fa16bf3f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 21 Apr 2022 09:12:41 +0200
Subject: [PATCH 2/3] rule: invocation of key manager
---
 ...proc_creation_win_susp_rundll32_keymgr.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
new file mode 100644
index 000000000..92b0ef23d
--- /dev/null
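Review bot: The selection in the `@@ -17,7 +17,9 @@` hunk still identifies the process by `Image|endswith: '\cmdkey.exe'` alone, so a copy of the binary launched under another name is not matched even though the new `' -list'` value was added for coverage. The Sigma process_creation schema also carries `OriginalFileName`, which comes from the PE version resource rather than the on-disk name; splitting the selection into an image part and a command-line part lets the image part match either field without changing what the `/list` and `-list` terms cover (I'd expect the embedded name to be `cmdkey.exe` — confirm against a sample). The `' -list'` value has no reference behind it in the hunk; if it was verified against the switches cmdkey accepts, a short comment or reference saying so would help the next maintainer.
```yaml
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli:
        CommandLine|contains:
            - ' /list'
            - ' -list'
    condition: all of selection_*
# … unchanged: fields, falsepositives, level …
```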
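Review bot: The `@@ -25,4 +27,4 @@` hunk raises `level` from `medium` to `high` while the rule's own `falsepositives` entry still reads `Legitimate administrative tasks` and the selection gained no filter that excludes such activity, so the severity and the documented noise level now disagree; the same tension appears in the `[PATCH 3/3]` hunk, which sets the new keymgr rule's falsepositives to `Administrative activity` under `level: high`. Either keep `medium` for a match this broad, or add a sentence to `description` stating why any `cmdkey /list` invocation warrants high-priority triage. If the expectation is that deployments tune the rule, saying so in the falsepositives entry, e.g. `- Legitimate administrative tasks, filter on User or ParentImage per environment`, makes that explicit.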
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
@@ -0,0 +1,24 @@
+title: Suspicious Key Manager Access
+id: a4694263-59a8-4608-a3a0-6f8d3a51664c
+description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
+status: experimental
+references:
+ - https://twitter.com/NinjaParanoid/status/1516442028963659777
+author: Florian Roth
+date: 2022/04/21
+tags:
+ - attack.credential_access
+ - attack.t1555.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains|all:
+ - 'keymgr'
+ - 'KRShowKeyMgr'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 9b2c35daa106402370ea7eb582b751dc281a1477 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 21 Apr 2022 09:13:06 +0200
Subject: [PATCH 3/3] docs: false positive condition added
---
 .../process_creation/proc_creation_win_susp_rundll32_keymgr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
index 92b0ef23d..bf9d1b0e9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
@@ -20,5 +20,5 @@ detection:
 - 'KRShowKeyMgr'
 condition: selection
 falsepositives:
- - Unknown
+ - Administrative activity
 level: high
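Review bot: Under Sigma's default case-insensitive string matching, the first value of `CommandLine|contains|all`, `'keymgr'`, is a substring of the second, `'KRShowKeyMgr'`, so the `|all` conjunction reduces to the second value alone and the first adds no constraint. Either collapse the list to `- 'KRShowKeyMgr'`, or, if the DLL name is meant to be required independently of the export, use a value the export name does not already imply, such as `'keymgr.dll'`. As with the cmdkey rule in patch 1/3, `Image|endswith: '\rundll32.exe'` is the only process check, so a renamed host binary is missed; listing `OriginalFileName: 'RUNDLL32.EXE'` as an alternative in the image selection closes that gap. The sole reference is a tweet, which is fragile as the only source for an `experimental` rule; an archived copy or a Microsoft document describing the Key Manager dialogue would be more durable.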