From c0bda80e3e0eccc1cbe3a8ea839404f69cc9b0c6 Mon Sep 17 00:00:00 2001
From: fornotes <125354166+fornotes@users.noreply.github.com>
Date: Tue, 14 Feb 2023 15:06:53 +0530
Subject: [PATCH 1/7] Added file_event_win_storsvc_dll_hijack.yml
---
 .../file_event_win_storsvc_dll_hijack.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml
diff --git a/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml
new file mode 100644
index 000000000..df17c4894
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml
@@ -0,0 +1,21 @@
+title: LPE via StorSvc DLL Hijack
+id: 4c009dbf-a5b6-44ac-94e1-eb918d81c997
+status: experimental
+description: StorSvc service tries to load a missing named SprintCSP.dll DLL when SvcRebootToFlashingMode RPC method is called.
+references:
+ - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
+author: fornotes
+date: 2023/02/14
+tags:
+ - attack.privilege_escalation
+ - attack.t1574.002
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: 'SprintCSP.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: Medium
\ No newline at end of file
From 96d774babd0e6c8381cf3284e0a9575889653fad Mon Sep 17 00:00:00 2001
From: fornotes <125354166+fornotes@users.noreply.github.com>
Date: Wed, 15 Feb 2023 11:29:57 +0000
Subject: [PATCH 2/7] removed file_event_win_storsvc_dll_hijack.yml as suggested by nasbench
---
 .../file_event_win_storsvc_dll_hijack.yml | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml
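Review bot: `level: Medium` on the last added line is not a lowercase Sigma level value (`informational`, `low`, `medium`, `high`, `critical`), and `TargetFilename|endswith: 'SprintCSP.dll'` has no leading backslash, so any file whose name merely ends in that string would match; `TargetFilename|endswith: '\SprintCSP.dll'` and `level: medium` are the usual form. The description also reads awkwardly, `tries to load a missing named SprintCSP.dll DLL`; `tries to load a non-existent SprintCSP.dll` says the same thing. The file is deleted again in PATCH 2/7 and the indicator folded into file_event_win_create_non_existent_dlls.yml in PATCH 3/7, so these only matter if the standalone rule is ever revived.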
diff --git a/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml
deleted file mode 100644
index df17c4894..000000000
--- a/rules/windows/file/file_event/file_event_win_storsvc_dll_hijack.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: LPE via StorSvc DLL Hijack
-id: 4c009dbf-a5b6-44ac-94e1-eb918d81c997
-status: experimental
-description: StorSvc service tries to load a missing named SprintCSP.dll DLL when SvcRebootToFlashingMode RPC method is called.
-references:
- - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
-author: fornotes
-date: 2023/02/14
-tags:
- - attack.privilege_escalation
- - attack.t1574.002
-logsource:
- category: file_event
- product: windows
-detection:
- selection:
- TargetFilename|endswith: 'SprintCSP.dll'
- condition: selection
-falsepositives:
- - Unknown
-level: Medium
\ No newline at end of file
From 8876b4ba016fb07eaedc7bf67f3666291fe0efb1 Mon Sep 17 00:00:00 2001
From: fornotes <125354166+fornotes@users.noreply.github.com>
Date: Wed, 15 Feb 2023 11:37:18 +0000
Subject: [PATCH 3/7] added SprintCSP.dll for StorSvc DLL Hijack
---
 .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index ebf54c4c2..76944cc3c 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -11,6 +11,7 @@ references:
 - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
 - https://github.com/Wh04m1001/SysmonEoP
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+ - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/01
 modified: 2022/12/09
@@ -30,6 +31,7 @@ detection:
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
 - 'C:\Windows\System32\wow64log.dll'
+ TargetFileName|endswith: '\SprintCSP.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
From c99d1f1876b5f4a1dc6ca8454fd436d5eaa20474 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 15 Feb 2023 13:25:59 +0100
Subject: [PATCH 4/7] fix: add some missing fields
---
 .../file_event_win_create_non_existent_dlls.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 76944cc3c..76f00405a 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -12,9 +12,9 @@ references:
 - https://github.com/Wh04m1001/SysmonEoP
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
 - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022/12/01
-modified: 2022/12/09
+modified: 2023/02/15
 tags:
 - attack.defense_evasion
 - attack.persistence
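Review bot: The added `TargetFileName|endswith: '\SprintCSP.dll'` line in the `@@ -30,6 +31,7 @@` hunk sits under the existing `filter: Image|startswith: 'C:\Windows\System32\'` exclusion, so a SprintCSP.dll written by a process whose own image is under System32 is never reported, and the hunk gives no indication whether the referenced technique can be carried out by such a process; that should be checked against the reference before the rule is relied on for this case. The entry is also the only one in `selection` matched by suffix instead of by the exact `C:\Windows\System32\` path its siblings use, so a SprintCSP.dll created in any directory fires the rule. If that breadth is intended, a comment above the line should say why, e.g. `# matched on the file name only, not the full System32 path: <reason, see the StorSvc reference>`; if it is not, `- 'C:\Windows\System32\SprintCSP.dll'` appended to the existing list would keep the selection homogeneous. The same two points apply to the restructured `selection` in PATCH 4/7 (`@@ -26,12 +26,12 @@`), which otherwise correctly turns the map into a list so the two matchers are OR-ed rather than AND-ed.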
@@ -26,12 +26,12 @@ logsource:
 category: file_event
 detection:
 selection:
- TargetFilename:
+ - TargetFilename:
 - 'C:\Windows\System32\WLBSCTRL.dll'
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
 - 'C:\Windows\System32\wow64log.dll'
- TargetFileName|endswith: '\SprintCSP.dll'
+ - TargetFileName|endswith: '\SprintCSP.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
From 2fd43cbe82ead9bda9879a35ac2f9cbea856a951 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 15 Feb 2023 13:27:56 +0100
Subject: [PATCH 5/7] fix: typo in field
---
 .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 76f00405a..b9bc0a90f 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -31,7 +31,7 @@ detection:
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
 - 'C:\Windows\System32\wow64log.dll'
- - TargetFileName|endswith: '\SprintCSP.dll'
+ - TargetFilename|endswith: '\SprintCSP.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
From 33207aa7abef709df825ab211564fd4812bfb3d6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 15 Feb 2023 13:37:05 +0100
Subject: [PATCH 6/7] fix: change link to permalink
---
 .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index b9bc0a90f..98958712e 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -11,7 +11,7 @@ references:
 - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
 - https://github.com/Wh04m1001/SysmonEoP
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- - https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
+ - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
 author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022/12/01
 modified: 2023/02/15
From 39e957d7ee700ec27b3e7bcd796e57e4fc444854 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 15 Feb 2023 19:11:39 +0100
Subject: [PATCH 7/7] fix: update title
---
 .../file/file_event/file_event_win_create_non_existent_dlls.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 98958712e..8f20d72ee 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -1,4 +1,4 @@
-title: Creation Of Non-Existent DLLs In System Folders
+title: Creation Of Non-Existent System DLL
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
 - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771