From 90a1a750be6773a6c0503f5829e11b7d55bea5ea Mon Sep 17 00:00:00 2001 From: tuan Date: Mon, 14 Mar 2022 17:51:24 +0700 Subject: [PATCH 01/11] update sed rules --- .../proc_creation_lnx_sed_command.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_sed_command.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml new file mode 100644 index 000000000..ebebaea5e --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml @@ -0,0 +1,23 @@ +title: Edit Linux Text +status: stable +description: Detects suspicious commands for edit text using sed +author: TuanLe (GTSC) +date: 2022/03/14 +references: + - https://www.geeksforgeeks.org/sed-command-in-linux-unix-with-examples/ +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: + - 'sed' + CommandLine|contains: + - '-i' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.privilege_escalation + From a9a61cc67af387ba198eb517c3eda031562f2f12 Mon Sep 17 00:00:00 2001 From: tuan Date: Mon, 14 Mar 2022 20:07:39 +0700 Subject: [PATCH 02/11] Update rule use sed --- rules/linux/process_creation/proc_creation_lnx_sed_command.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml index ebebaea5e..b95a8df67 100644 --- a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml @@ -1,4 +1,5 @@ title: Edit Linux Text +id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89 status: stable description: Detects suspicious commands for edit text using sed author: TuanLe (GTSC) 
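Review bot: In the new sed rule, `CommandLine|contains: '-i'` is a bare two-character substring, so the selection fires on any sed invocation whose script, regex or file argument happens to contain "-i" (a file named config-init.txt, an expression like s/foo-i/bar/), not only on in-place edits; the intent would be better carried by `- ' -i'` and `- '--in-place'`. Even then, an in-place edit by itself says nothing about which file was touched, so the `attack.privilege_escalation` tag is not supported by the rule's logic and the "Legitimate administration activities" false-positive entry will dominate. Also note `Image|endswith: 'sed'` has no path separator, so any binary whose name ends in "sed" would match; `'/sed'` is the tighter form.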
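Review bot: The added `id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89` is not a valid UUID: the first group has nine characters and "g"/"h" are not hex digits, so any tooling that validates the Sigma id field will reject the rule. The usermod rule added in patch 04 (`id: qg3fcgdf3-rd54-9f48-4gh3-659a29b3db89`) has the same problem; patch 06 replaces that one with a well-formed id, but the sed rule keeps the malformed value until it is deleted. Generate the id with a UUIDv4 tool, e.g. `id: <generated-uuid4-placeholder>`, rather than hand-writing it.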
@@ -10,7 +11,7 @@ logsource: category: process_creation detection: selection: - Image|endswith: + Image|contains: - 'sed' CommandLine|contains: - '-i' From 846016815269b47bd20c571fb4da0dcf4e10b8fd Mon Sep 17 00:00:00 2001 From: tuan Date: Mon, 14 Mar 2022 22:13:14 +0700 Subject: [PATCH 03/11] Update rule use sed --- .../process_creation/proc_creation_lnx_sed_command.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml index b95a8df67..6d2fbb43d 100644 --- a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml @@ -1,6 +1,6 @@ -title: Edit Linux Text +title: Edit Linux Texts id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89 -status: stable +status: test description: Detects suspicious commands for edit text using sed author: TuanLe (GTSC) date: 2022/03/14 @@ -12,7 +12,7 @@ logsource: detection: selection: Image|contains: - - 'sed' + - '/sed' CommandLine|contains: - '-i' condition: selection @@ -20,5 +20,4 @@ falsepositives: - Legitimate administration activities level: medium tags: - - attack.privilege_escalation - + - attack.privilege_escalation \ No newline at end of file From f83b8b00f2e3d0ab3dec75d63d9003086fdc390f Mon Sep 17 00:00:00 2001 From: tuan Date: Tue, 15 Mar 2022 17:36:10 +0700 Subject: [PATCH 04/11] rule detect add user to root group --- .../proc_creation_lnx_usermod_command.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_usermod_command.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml new file mode 100644 index 000000000..f5c77ad97 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml 
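Review bot: Changing `Image|endswith` to `Image|contains: 'sed'` widens the match to any image path that merely contains the substring "sed" anywhere, and patch 03's `- '/sed'` still matches any path component that starts with "sed" (for example "/sedutil" or a directory named "sed-tools"). Since Image is a full path, the precise form is `Image|endswith: '/sed'`, which is the same pattern patch 06 adopts for usermod (`Image|endswith: '/usermod'`); keeping the two Linux rules consistent would also make the series easier to maintain.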
@@ -0,0 +1,24 @@ +title: Add User To Root Group +id: qg3fcgdf3-rd54-9f48-4gh3-659a29b3db89 +status: test +description: Detects add user to root group in linux using usermod +author: TuanLe (GTSC) +date: 2022/03/14 +references: + - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ +logsource: + product: linux + category: process_creation +detection: + selection: + Image|contains: + - 'usermod' + CommandLine|contains: + - '-aG root' + - '-aG sudoers' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.privilege_escalation From 3b6100ccd9ec98cab3906852090cc304ec155d3c Mon Sep 17 00:00:00 2001 From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com> Date: Wed, 21 Dec 2022 17:57:22 +0530 Subject: [PATCH 05/11] Create Possible Manipulation Of Tokens on a Windows computers remotely Detected via impersonate (#3803) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_impersonate_tool.yml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_impersonate_tool.yml diff --git a/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml new file mode 100644 index 000000000..417f3166e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml 
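Review bot: The `CommandLine|contains` values `'-aG root'` and `'-aG sudoers'` only match the combined short-flag spelling; `usermod -a -G root`, `usermod -G root` and the long form `--append --groups root` all miss, and `'-aG sudoers'` names a group that does not exist on common distributions (the sudo-capable groups are "sudo" on Debian-like systems and "wheel" on RHEL-like systems, as the rule's own reference and patch 07's comments use). Consider matching on the group names themselves, e.g. `- 'root'` / `- 'sudo'` / `- 'wheel'` in a second selection combined with a selection on the `-G`/`--groups` flag, so the flag ordering does not matter. Patch 06 renames and rewrites this rule but carries the same two values over, so the same point applies there.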
@@ -0,0 +1,38 @@ +title: Impersonate Execution +id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 +status: experimental +description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +references: + - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/ + - https://github.com/sensepost/impersonate +author: Sai Prashanth Pulisetti @pulisettis +date: 2022/12/21 +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1134.001 + - attack.t1134.003 +logsource: + product: windows + category: process_creation +detection: + selection_commandline_exe: + CommandLine|contains: 'impersonate.exe' + selection_commandline_opt: + CommandLine|contains: + - ' list ' + - ' exec ' + - ' adduser ' + selection_hash_plain: + Hashes|contains: + - 'MD5=9520714AB576B0ED01D1513691377D01' + - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' + - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62' + selection_hash_ext: + - MD5: '9520714AB576B0ED01D1513691377D01' + - SHA256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' + - IMPHASH: '0A358FFC1697B7A07D0E817AC740DF62' + condition: all of selection_commandline_* or 1 of selection_hash_* +falsepositives: + - Unknown +level: medium From c97463e77475f16a814e075f637d066c3807312a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 17:59:46 +0100 Subject: [PATCH 06/11] fix: update linux rules --- .../proc_creation_lnx_sed_command.yml | 23 --------- ... proc_creation_lnx_usermod_susp_group.yml} | 49 ++++++++++--------- 2 files changed, 25 insertions(+), 47 deletions(-) delete mode 100644 rules/linux/process_creation/proc_creation_lnx_sed_command.yml rename rules/linux/process_creation/{proc_creation_lnx_usermod_command.yml => proc_creation_lnx_usermod_susp_group.yml} (51%) 
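Review bot: The option patterns in `selection_commandline_opt` are padded on both sides (`' list '`, `' exec '`, `' adduser '`), so a command line where the subcommand is the final token, such as "impersonate.exe list", does not match because there is no trailing space; only the hash selections would then catch it, and those are tied to one build. Dropping the trailing space (`- ' list'`, `- ' exec'`, `- ' adduser'`) keeps the leading-space word boundary while covering the end-of-line case, at the cost of also matching e.g. " listx"; if that is a concern, a `CommandLine|endswith` companion selection is the alternative. The hash-based selections are fine as an additional signal but should be understood as covering a single release of the tool.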
diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml deleted file mode 100644 index 6d2fbb43d..000000000 --- a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Edit Linux Texts -id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89 -status: test -description: Detects suspicious commands for edit text using sed -author: TuanLe (GTSC) -date: 2022/03/14 -references: - - https://www.geeksforgeeks.org/sed-command-in-linux-unix-with-examples/ -logsource: - product: linux - category: process_creation -detection: - selection: - Image|contains: - - '/sed' - CommandLine|contains: - - '-i' - condition: selection -falsepositives: - - Legitimate administration activities -level: medium -tags: - - attack.privilege_escalation \ No newline at end of file diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml similarity index 51% rename from rules/linux/process_creation/proc_creation_lnx_usermod_command.yml rename to rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml index f5c77ad97..15e18c816 100644 --- a/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml 
@@ -1,24 +1,25 @@ -title: Add User To Root Group -id: qg3fcgdf3-rd54-9f48-4gh3-659a29b3db89 -status: test -description: Detects add user to root group in linux using usermod -author: TuanLe (GTSC) -date: 2022/03/14 -references: - - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ -logsource: - product: linux - category: process_creation -detection: - selection: - Image|contains: - - 'usermod' - CommandLine|contains: - - '-aG root' - - '-aG sudoers' - condition: selection -falsepositives: - - Legitimate administration activities -level: medium -tags: - - attack.privilege_escalation +title: User Added To Root/Sudoers Group Using Usermod +id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 +status: test +description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups +references: + - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ + - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ +author: TuanLe (GTSC) +date: 2022/12/21 +tags: + - attack.privilege_escalation + - attack.persistence +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/usermod' + CommandLine|contains: + - '-aG root' + - '-aG sudoers' + condition: selection +falsepositives: + - Legitimate administrator activities +level: medium From 0fa4f8a4545bd6af996283518ef862428ada38fe Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Wed, 21 Dec 2022 18:16:20 +0100 Subject: [PATCH 07/11] Create lnx_privileged_user_creation.yml Adding new use case for tracking of Creation of privileged user in linux --- .../builtin/lnx_privileged_user_creation.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/linux/builtin/lnx_privileged_user_creation.yml 
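Review bot: The new description line has a duplicated phrase and a typo: `description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups` should read `description: Detects usage of the "usermod" binary to add users to the root or sudoers groups`. The rewritten rule also changes `date` from 2022/03/14 to 2022/12/21 while keeping the original author; if the repository tracks rule creation and modification separately, the original date belongs in `date` and the rewrite in a `modified` field, but I cannot confirm the repository convention from this page.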
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml new file mode 100644 index 000000000..c2ac6436c --- /dev/null +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml @@ -0,0 +1,33 @@ +title: Creation of Privileged User +id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e +status: experimental +description: Detects when privileged user is added to the environment. +#The example of the events that could be observed when matching these would be as follow +#Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash +#Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash +#Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash +#Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash +references: + - https://digital.nhs.uk/cyber-alerts/2018/cc-2825 + - https://linux.die.net/man/8/useradd + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid +author: Pawel Mazur +date: 2022/12/21 +tags: + - attack.t1136.001 + - attack.t1098 + - attack.persistence +logsource: + product: linux +detection: + selection_new_user|contains: + - 'new user' + selection_uids_gids|contains: + - 'GID=0' # root group + - 'UID=0' # root UID + - 'GID=10' # wheel group + - 'GID=27' # sudo group + condition: all of selection* +falsepositives: + - Administrative work +level: high From d51ff694a4b37a409bf4127a8187c25940cf0ae1 Mon Sep 17 00:00:00 2001 
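Review bot: `'GID=10'` and `'GID=27'` in `selection_uids_gids` are substring matches (a bare value list under a selection is a keyword search, which backends generally translate to a contains-style match), so "GID=10" also matches GID=100, GID=1000 and GID=1001, and "GID=27" matches GID=270 and similar; since GID=1000 is the default primary group for the first user on many distributions, this level-high rule would fire on routine account creation. The rule's own example events show the field is always followed by a comma, so anchoring on it closes the gap: `- 'GID=10,' # wheel group` and `- 'GID=27,' # sudo group` (and, for symmetry, the same trailing comma on the `GID=0`/`UID=0` entries). Patches 09, 10 and 11 rework this selection but keep the same four values, so the same fix applies to the final version of the file.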
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 19:23:23 +0100 Subject: [PATCH 08/11] fix: rule status --- .../process_creation/proc_creation_lnx_usermod_susp_group.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml index 15e18c816..fe2386dde 100644 --- a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml +++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml @@ -1,6 +1,6 @@ title: User Added To Root/Sudoers Group Using Usermod id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 -status: test +status: experimental description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups references: - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ From 14f006382abd8ce17e5dd79caa75376a323a2839 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Wed, 21 Dec 2022 19:31:24 +0100 Subject: [PATCH 09/11] Update rules/linux/builtin/lnx_privileged_user_creation.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/linux/builtin/lnx_privileged_user_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml index c2ac6436c..aba3b27ed 100644 --- a/rules/linux/builtin/lnx_privileged_user_creation.yml +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml @@ -20,7 +20,7 @@ tags: logsource: product: linux detection: - selection_new_user|contains: + selection_new_user: - 'new user' selection_uids_gids|contains: - 'GID=0' # root group From a0c07b2fba8c5f8d4b8584b66e6956c81f6bc75c Mon Sep 17 00:00:00 2001 
From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Wed, 21 Dec 2022 19:31:34 +0100 Subject: [PATCH 10/11] Update rules/linux/builtin/lnx_privileged_user_creation.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/linux/builtin/lnx_privileged_user_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml index aba3b27ed..4dd97c73b 100644 --- a/rules/linux/builtin/lnx_privileged_user_creation.yml +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml @@ -22,7 +22,7 @@ logsource: detection: selection_new_user: - 'new user' - selection_uids_gids|contains: + selection_uids_gids: - 'GID=0' # root group - 'UID=0' # root UID - 'GID=10' # wheel group From 4c7db898470eeb838b640d8acfdb16cbcff8d647 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 20:40:29 +0100 Subject: [PATCH 11/11] fix: improve overall structure --- .../builtin/lnx_privileged_user_creation.yml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml index 4dd97c73b..ceb66f538 100644 --- a/rules/linux/builtin/lnx_privileged_user_creation.yml +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml 
@@ -1,25 +1,26 @@ -title: Creation of Privileged User +title: Privileged User Has Been Created id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e status: experimental -description: Detects when privileged user is added to the environment. -#The example of the events that could be observed when matching these would be as follow -#Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash -#Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash -#Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash -#Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash +description: Detects the addition of a new user to a privileged group such as "root" or "sudo" references: - https://digital.nhs.uk/cyber-alerts/2018/cc-2825 - https://linux.die.net/man/8/useradd - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid + - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid author: Pawel Mazur date: 2022/12/21 tags: + - attack.persistence - attack.t1136.001 - attack.t1098 - - attack.persistence logsource: product: linux + definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work' detection: + # Example of the events that could be observed when matching these would be as follow + # Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash + # Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash + # Dec 21 17:24:40 testserver 
useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash + # Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash selection_new_user: - 'new user' selection_uids_gids: @@ -27,7 +28,7 @@ detection: - 'UID=0' # root UID - 'GID=10' # wheel group - 'GID=27' # sudo group - condition: all of selection* + condition: all of selection_* falsepositives: - - Administrative work + - Administrative activity level: high
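Review bot: The new `definition` string under `logsource` has a typo in the distribution name and inconsistent capitalisation: `definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'` should read `definition: '/var/log/secure on RHEL systems or /var/log/auth.log on Debian-like systems needs to be collected in order for this detection to work'`. This is the line operators will read to decide whether the rule is applicable to their collection, so it is worth getting right. The `condition: all of selection_*` change in the second hunk is correct and matches the selection names.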