From c34cde7938f725d2f650ad0be4628358c506f6be Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:17:39 +1100 Subject: [PATCH 1/4] Create win_susp_logon_explicit_credentials.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ❯ python .\sigmac -t splunk -c .\config\splunk-windows.yml ..\rules\windows\builtin\win_susp_logon_explicit_credentials.yml (source="WinEventLog:Security" (EventCode="4648" (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\winrs.exe" OR Image="*\\wmic.exe" OR Image="*\\net.exe" OR Image="*\\net1.exe" OR Image="*\\reg.exe" OR Image="*\\winrs.exe")) NOT (Target_Server_Name="localhost")) --- .../win_susp_logon_explicit_credentials.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/builtin/win_susp_logon_explicit_credentials.yml diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml new file mode 100644 index 000000000..dc71394f1 --- /dev/null +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -0,0 +1,31 @@ +title: Suspicous Logon with Explicit Credentials +id: 941e5c45-cda7-4864-8cea-bbb7458d194a +status: experimental +description: Detects the attack technique pass the hash which is used to move laterally inside the network +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st' +date: 2020/10/05 +tags: +logsource: + product: windows + service: security + definition: +detection: + selection: + EventID: 4648 + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\winrs.exe' + - '\wmic.exe' + - '\net.exe' + - '\net1.exe' + - '\reg.exe' + - '\winrs.exe' + filter: + Target_Server_Name: 'localhost' + condition: selection and not filter +falsepositives: +level: medium From 0249d330f5e4fc4d13746fd3215073fa34b000cb Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:23:23 +1100 Subject: [PATCH 2/4] Update win_susp_logon_explicit_credentials.yml --- .../builtin/win_susp_logon_explicit_credentials.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index dc71394f1..7ae1a49d7 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -1,10 +1,10 @@ -title: Suspicous Logon with Explicit Credentials +title: Suspicous Remote Logon with Explicit Credentials id: 941e5c45-cda7-4864-8cea-bbb7458d194a status: experimental -description: Detects the attack technique pass the hash which is used to move laterally inside the network +description: Detects suspicious processes logging on with explicit credentials references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -author: Teymur Kheirkhabarov '@HeirhabarovT', Zach '@svch0st' +author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st' date: 2020/10/05 tags: logsource: @@ -28,4 +28,5 @@ detection: Target_Server_Name: 'localhost' condition: selection and not filter falsepositives: + - Administrators that use the RunAS command or scheduled tasks level: medium From a02f4840e5248c8c48e1d729ea25069caf839d43 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Mon, 5 Oct 2020 15:31:30 +1100 Subject: [PATCH 3/4] Update win_susp_logon_explicit_credentials.yml --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index 7ae1a49d7..1c5db8579 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -23,7 +23,6 @@ detection: - '\net.exe' - '\net1.exe' - '\reg.exe' - - '\winrs.exe' filter: Target_Server_Name: 'localhost' condition: selection and not filter From e68e212d23c43bf5a7af5395cccfefb4ce470a72 Mon Sep 17 00:00:00 2001 From: svch0stz <8684257+svch0stz@users.noreply.github.com> Date: Wed, 7 Oct 2020 08:26:43 +1100 Subject: [PATCH 4/4] Update win_susp_logon_explicit_credentials.yml --- rules/windows/builtin/win_susp_logon_explicit_credentials.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml index 1c5db8579..df8fbcf8a 100644 --- a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspicious processes logging on with explicit credentials references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -author: Teymur Kheirkhabarov '@HeirhabarovT', Zach Stanford '@svch0st' +author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2020/10/05 tags: logsource: