diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
similarity index 99%
rename from rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
rename to rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
index 6d9546855..08ac32bcb 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hktl_generic_download.yml
@@ -1,4 +1,4 @@
-title: Hacktool Named File Stream Created
+title: HackTool Named File Stream Created
 id: 19b041f6-e583-40dc-b842-d6fa8011493f
 status: experimental
 description: Detects the creation of a named file stream with the imphash of a well-known hack tool
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
index a37c9d8bf..ff08d80a1 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml
@@ -6,7 +6,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
 author: Trent Liffick
 date: 2020/05/01
-modified: 2023/11/11
+modified: 2024/01/15
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -24,7 +24,10 @@ detection:
 - 'FIND.EXE'
 - 'FINDSTR.EXE'
 selection_cli:
- CommandLine|endswith: '.lnk'
+ CommandLine|endswith:
+ - '.lnk'
+ - '.lnk"'
+ - ".lnk'"
 condition: all of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
index a1a52c016..340b689ae 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
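Review bot: In the `@@ -24,7 +24,10 @@` hunk of proc_creation_win_findstr_lnk.yml, the two new entries `'.lnk"'` and `".lnk'"` under `CommandLine|endswith` read like typos to anyone who does not notice that the outer quote style only alternates to escape the inner one. A comment above the list, `# the .lnk path may be wrapped in double or single quotes on the command line, so match the closing quote as well`, would make the intent survive the next edit. The `detection` block and the image/command selection it pairs with via `all of selection_*` begin before the hunk, so I cannot see whether a similar note already exists there. Sigma string matching is case-insensitive by default, so no extra `.LNK` variant is needed.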
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml
@@ -1,4 +1,4 @@
-title: Suspicious Hacktool Execution - Imphash
+title: Hacktool Execution - Imphash
 id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
 status: test
 description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
@@ -6,7 +6,7 @@ references:
 - Internal Research
 author: Florian Roth (Nextron Systems)
 date: 2022/03/04
-modified: 2023/02/04
+modified: 2024/01/15
 tags:
 - attack.credential_access
 - attack.t1588.002
@@ -20,21 +20,6 @@ detection:
 - bcca3c247b619dcd13c8cdff5f123932 # PetitPotam
 - 3a19059bd7688cb88e70005f18efc439 # PetitPotam
 - bf6223a49e45d99094406777eb6004ba # PetitPotam
- - 0c106686a31bfe2ba931ae1cf6e9dbc6 # Mimikatz
- - 0d1447d4b3259b3c2a1d4cfb7ece13c3 # Mimikatz
- - 1b0369a1e06271833f78ffa70ffb4eaf # Mimikatz
- - 4c1b52a19748428e51b14c278d0f58e3 # Mimikatz
- - 4d927a711f77d62cebd4f322cb57ec6f # Mimikatz
- - 66ee036df5fc1004d9ed5e9a94a1086a # Mimikatz
- - 672b13f4a0b6f27d29065123fe882dfc # Mimikatz
- - 6bbd59cea665c4afcc2814c1327ec91f # Mimikatz
- - 725bb81dc24214f6ecacc0cfb36ad30d # Mimikatz
- - 9528a0e91e28fbb88ad433feabca2456 # Mimikatz
- - 9da6d5d77be11712527dcab86df449a3 # Mimikatz
- - a6e01bc1ab89f8d91d9eab72032aae88 # Mimikatz
- - b24c5eddaea4fe50c6a96a2a133521e4 # Mimikatz
- - d21bbc50dcc169d7b4d0f01962793154 # Mimikatz
- - fcc251cceae90d22c392215cc9a2d5d6 # Mimikatz
 - 23867a89c2b8fc733be6cf5ef902f2d1 # JuicyPotato
 - a37ff327f8d48e8a4d2f757e1b6e70bc # JuicyPotato
 - f9a28c458284584a93b14216308d31bd # JuicyPotatoNG
@@ -104,25 +89,25 @@ detection:
 - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - 19584675d94829987952432e018d5056 # SysmonQuiet
 - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+ - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
+ - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
+ - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
+ - 96df3a3731912449521f6f8d183279b1 # Backstab
+ - 7e6cf3ff4576581271ac8a313b2aab46 # Backstab
+ - 51791678f351c03a0eb4e2a7b05c6e17 # Backstab
+ - 25ce42b079282632708fc846129e98a5 # Forensia
+ - 021bcca20ba3381b11bdde26b4e62f20 # EDRSandBlast
+ - 59223b5f52d8799d38e0754855cbdf42 # EDRSandBlast
+ - 81e75d8f1d276c156653d3d8813e4a43 # EDRSandBlast
+ - 17244e8b6b8227e57fe709ccad421420 # EDRSandBlast
+ - 5b76da3acdedc8a5cdf23a798b5936b4 # EDRSandBlast
+ - cb2b65bb77d995cc1c0e5df1c860133c # EDRSandBlast
+ - 40445337761d80cf465136fafb1f63e6 # EDRSandBlast
+ - 8a790f401b29fa87bc1e56f7272b3aa6 # EDRSilencer
 - Hashes|contains: # Sysmon field hashes contains all types
 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
 - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- - IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6 # Mimikatz
- - IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3 # Mimikatz
- - IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF # Mimikatz
- - IMPHASH=4C1B52A19748428E51B14C278D0F58E3 # Mimikatz
- - IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F # Mimikatz
- - IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A # Mimikatz
- - IMPHASH=672B13F4A0B6F27D29065123FE882DFC # Mimikatz
- - IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F # Mimikatz
- - IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D # Mimikatz
- - IMPHASH=9528A0E91E28FBB88AD433FEABCA2456 # Mimikatz
- - IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3 # Mimikatz
- - IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88 # Mimikatz
- - IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4 # Mimikatz
- - IMPHASH=D21BBC50DCC169D7B4D0F01962793154 # Mimikatz
- - IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6 # Mimikatz
 - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
 - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
 - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
@@ -192,6 +177,21 @@ detection:
 - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
 - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
+ - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
+ - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
+ - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
+ - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
+ - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
+ - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
+ - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
+ - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
+ - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
+ - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
+ - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
+ - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
 condition: selection
 falsepositives:
 - Legitimate use of one of these tools
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
index b7064edd9..c004defee 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml
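Review bot: The fifteen Mimikatz imphashes are removed from both the `Imphash` list (`@@ -20,21 +20,6 @@`) and the `Hashes|contains` list (`@@ -104,25 +89,25 @@`) of proc_creation_win_hktl_execution_via_imphashes.yml with no replacement visible in this diff, so unless a dedicated Mimikatz rule lands in the same commit this silently narrows coverage; the commit message or the rule's `references` should say where those hashes now live. The additions in `@@ -104,25` and `@@ -192,6 +177,21 @@` keep the two lists consistent, but nothing in the file enforces that the lowercase `Imphash` entries and the uppercase `IMPHASH=` entries remain the same set, so a comment above `Hashes|contains:` such as `# keep in sync with the Imphash list above` would help the next editor. Judging by their names, the newly listed families (Forkatz, PPLKiller, Backstab, Forensia, EDRSandBlast, EDRSilencer) are tamper/evasion tooling rather than credential-access tooling, so the `attack.credential_access` tag shown in `@@ -6,7 +6,7 @@` may no longer describe the rule fully; the `tags` list continues outside that hunk, so check whether `attack.defense_evasion` is already present before adding it. The `references` entry still reads only `Internal Research`, which gives a reader no way to verify the new hashes.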
@@ -1,4 +1,4 @@
-title: Suspicious Hacktool Execution - PE Metadata
+title: Hacktool Execution - PE Metadata
 id: 37c1333a-a0db-48be-b64b-7393b2386e3b
 status: test
 description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
@@ -7,7 +7,7 @@ references:
 - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
 author: Florian Roth (Nextron Systems)
 date: 2022/04/27
-modified: 2023/02/04
+modified: 2024/01/15
 tags:
 - attack.credential_access
 - attack.t1588.002