From b851fe17b96f9eea3f025a1126344ae8bcbf86a5 Mon Sep 17 00:00:00 2001
From: sysradwin
Date: Thu, 17 Nov 2022 13:03:32 -0500
Subject: [PATCH 1/7] Update proc_creation_win_base64_reflective_assembly_load.yml
---
 .../proc_creation_win_base64_reflective_assembly_load.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
index 4fb641a8c..5383a87ae 100644
--- a/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml
@@ -16,6 +16,7 @@ tags:
     - attack.t1059.001
     - attack.defense_evasion
     - attack.t1027
+    - attack.t1620
 logsource:
     category: process_creation
     product: windows
From cd3082c3f2a4de8d1c45f9d243ef12e6e8bd491b Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 18 Nov 2022 08:29:50 +0100
Subject: [PATCH 2/7] Add proc_creation_win_susp_msbuild (#3708)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_susp_msbuild.yml | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_msbuild.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml b/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml
new file mode 100644
index 000000000..6dc58c473
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml
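Review bot: The added tag `- attack.t1620` is not accompanied by a `modified:` date bump, whereas the other rule edits in this series (the PST export alert and Get-AdComputer rules in patch 4, for instance) add `modified: 2022/11/17` alongside comparable metadata-only changes. If the repository convention is to bump `modified` on any rule change, this hunk should add `modified: 2022/11/17` after the rule's `date:` line, which lies outside the hunk.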
@@ -0,0 +1,30 @@
+title: Suspicious Msbuild Execution By Uncommon Parent Process
+id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
+status: experimental
+description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
+references:
+    - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
+    - https://www.echotrail.io/insights/search/msbuild.exe
+author: frack113
+date: 2022/11/17
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\MSBuild.exe'
+        - OriginalFileName: 'MSBuild.exe'
+    filter_parent:
+        ParentImage|endswith:
+            - '\devenv.exe'
+            - '\cmd.exe'
+            - '\msbuild.exe'
+            - '\python.exe'
+            - '\explorer.exe'
+            - '\nuget.exe'
+    condition: selection and not filter_parent
+falsepositives:
+    - Unknown
+level: medium
From 0f496be1e594146ae5baf26ce33ee6452363cc93 Mon Sep 17 00:00:00 2001
From: nikitah4x <58976181+nikitah4x@users.noreply.github.com>
Date: Fri, 18 Nov 2022 09:40:39 +0200
Subject: [PATCH 3/7] Add new rule to detect PST export when eDiscovery alert policy is disabled (M365)
---
 ...alert_using_new_compliancesearchaction.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
diff --git a/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml b/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
new file mode 100644
index 000000000..58e939a46
--- /dev/null
+++ b/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml
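Review bot: `filter_parent` whitelists `\cmd.exe`, `\explorer.exe` and `\python.exe` as parents, which narrows the rule's coverage considerably, yet `falsepositives: - Unknown` records nothing about why those parents are treated as benign. A `falsepositives` entry naming the build and IDE workflows the filter stands for would make the coverage trade-off reviewable and give tuners a basis for removing individual entries in environments where those launchers are not expected. Separately, the description reads `by a uncommon parent process`; it should be `by an uncommon parent process`.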
@@ -0,0 +1,28 @@
+title: PST Export Alert Using New-ComplianceSearchAction
+id: 6897cd82-6664-11ed-9022-0242ac120002
+related:
+    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
+      type: similar
+status: experimental
+description: Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
+author: Nikita Khalimonenkov
+date: 2022/11/17
+tags:
+    - attack.collection
+    - attack.t1114
+logsource:
+    service: threat_management
+    product: m365
+detection:
+    selection:
+        eventSource: SecurityComplianceCenter
+        Payload|contains|all:
+            - 'New-ComplianceSearchAction'
+            - 'Export'
+            - 'pst'
+    condition: selection
+falsepositives:
+    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
+level: medium
From 20b0a6bad8601ac474dd239ad410908326a7b1f9 Mon Sep 17 00:00:00 2001
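Review bot: The third `Payload|contains|all` token `'pst'` is a three-character substring that will occur in many unrelated payloads, so in practice the `all` list reduces to `'New-ComplianceSearchAction'` plus `'Export'`; if the audit payload carries a more specific export-format token, prefer that, otherwise the `falsepositives` entry should say that `'pst'` is only a weak discriminator. The description also runs two sentences together (`in the O365.This rule`) and `performed an export to a search` reads awkwardly; `… disabled in O365. This rule …` and `exported the results of a search` would be clearer.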
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 18 Nov 2022 11:15:28 +0100 Subject: [PATCH 4/7] Rule Dev --- .../m365/microsoft365_pst_export_alert.yml | 11 ++++-- ...cos_susp_execution_macos_script_editor.yml | 3 +- .../dns_query/dns_query_win_susp_ipify.yml | 3 +- ...h_ps_computer_discovery_get_adcomputer.yml | 34 +++++++++++++++++++ ...omputer.yml => posh_ps_get_adcomputer.yml} | 5 +-- ...et_adgroup.yml => posh_ps_get_adgroup.yml} | 5 +-- .../posh_ps_user_discovery_get_aduser.yml | 34 +++++++++++++++++++ .../posh_ps_win_defender_exclusions_added.yml | 1 + ..._win_computer_discovery_get_adcomputer.yml | 7 +++- ...creation_win_user_discovery_get_aduser.yml | 9 +++-- .../registry_set_disable_function_user.yml | 4 ++- 11 files changed, 102 insertions(+), 14 deletions(-) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml rename rules/windows/powershell/powershell_script/{posh_ps_susp_get_adcomputer.yml => posh_ps_get_adcomputer.yml} (75%) rename rules/windows/powershell/powershell_script/{posh_ps_susp_get_adgroup.yml => posh_ps_get_adgroup.yml} (76%) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml diff --git a/rules/cloud/m365/microsoft365_pst_export_alert.yml b/rules/cloud/m365/microsoft365_pst_export_alert.yml index 9c060c90f..03c2e2309 100644 --- a/rules/cloud/m365/microsoft365_pst_export_alert.yml +++ b/rules/cloud/m365/microsoft365_pst_export_alert.yml 
@@ -1,17 +1,22 @@ -title: PST Export Alert +title: PST Export Alert Using eDiscovery Alert id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 +related: + - id: 6897cd82-6664-11ed-9022-0242ac120002 + type: similar status: experimental description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content references: - - https://attack.mitre.org/techniques/T1114/ -author: 'Sorina Ionescu' + - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide +author: Sorina Ionescu date: 2022/02/08 +modified: 2022/11/17 tags: - attack.collection - attack.t1114 logsource: service: threat_management product: m365 + definition: Requires the 'eDiscovery search or exported' alert to be enabled detection: selection: eventSource: SecurityComplianceCenter diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml index 389ffb115..5b8746d2e 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml @@ -1,4 +1,4 @@ -title: Suspicious Exeution via macOS Script Editor +title: Suspicious Execution via macOS Script Editor id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4 status: experimental description: Detects when the macOS Script Editor utility spawns an unusual child process. @@ -7,6 +7,7 @@ references: - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685 - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/ date: 2022/10/21 +modified: 2022/11/17 logsource: category: process_creation product: macos 
diff --git a/rules/windows/dns_query/dns_query_win_susp_ipify.yml b/rules/windows/dns_query/dns_query_win_susp_ipify.yml index 27bbf3d7c..94da7045b 100644 --- a/rules/windows/dns_query/dns_query_win_susp_ipify.yml +++ b/rules/windows/dns_query/dns_query_win_susp_ipify.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/neonprimetime/status/1436376497980428318 author: Brandon George (blog post), Thomas Patzke (rule) date: 2021/07/08 -modified: 2022/10/31 +modified: 2022/11/18 tags: - attack.reconnaissance - attack.t1590 @@ -33,6 +33,7 @@ detection: - 'ipv4bot.whatismyipaddress.com' - 'freegeoip.app' - 'ifconfig.me' + - 'ipwho.is' filter_browser: Image|endswith: # Add missing browsers you use and exclude the ones you don't diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml new file mode 100644 index 000000000..8520b93de --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml 
@@ -0,0 +1,34 @@
+title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
+id: db885529-903f-4c5d-9864-28fe199e6370
+related:
+    - id: 435e10e4-992a-4281-96f3-38b11106adde
+      type: similar
+status: experimental
+description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
+    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
+author: Nasreddine Bencherchali
+date: 2022/11/17
+tags:
+    - attack.discovery
+    - attack.t1033
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Get-ADComputer '
+            - ' -Filter \*'
+        ScriptBlockText|contains:
+            - ' | Select '
+            - 'Out-File'
+            - 'Set-Content'
+            - 'Add-Content'
+    condition: selection
+falsepositives:
+    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
similarity index 75%
rename from rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
rename to rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
index 32cfd4e79..0e41957b9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
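Review bot: The `ScriptBlockText|contains` output list omits the `' > '` redirection token that both its Get-ADUser sibling added in this series (`posh_ps_user_discovery_get_aduser.yml`) and the process_creation counterpart `proc_creation_win_computer_discovery_get_adcomputer.yml` include, so a script block that writes Get-ADComputer output with plain `>` redirection is caught by those two rules but missed here. Adding `- ' > '` as the first entry of that list restores parity between the three rules; if the omission is deliberate, a comment on the list explaining why would prevent it from being "fixed" later.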
@@ -1,11 +1,12 @@ -title: Suspicious Enumerate Active Directory Computers with Get-AdComputer +title: Active Directory Computers Enumeration with Get-AdComputer id: 36bed6b2-e9a0-4fff-beeb-413a92b86138 status: experimental -description: utilize Get-AdComputer to enumerate Computers within Active Directory. +description: Detects usage of the "Get-AdComputer" to enumerate Computers within Active Directory. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: frack113 date: 2022/03/17 +modified: 2022/11/18 tags: - attack.discovery - attack.t1018 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml similarity index 76% rename from rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml rename to rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml index 1a512d560..df302f649 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml @@ -1,11 +1,12 @@ -title: Suspicious Enumerate Active Directory Groups with Get-AdComputer +title: Active Directory Group Enumeration With Get-AdGroup id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee status: experimental -description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory +description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: frack113 date: 2022/03/17 +modified: 2022/11/17 tags: - attack.discovery - attack.t1069.002 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
new file mode 100644
index 000000000..eccbec3af
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
@@ -0,0 +1,34 @@
+title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
+id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+related:
+    - id: 1114e048-b69c-4f41-bc20-657245ae6e3f
+      type: similar
+status: experimental
+description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
+references:
+    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
+author: Nasreddine Bencherchali
+date: 2022/11/17
+tags:
+    - attack.discovery
+    - attack.t1033
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Get-ADUser '
+            - ' -Filter \*'
+        ScriptBlockText|contains:
+            - ' > '
+            - ' | Select '
+            - 'Out-File'
+            - 'Set-Content'
+            - 'Add-Content'
+    condition: selection
+falsepositives:
+    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 07b8ab10c..e51b3c716 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -17,6 +17,7 @@ tags: logsource: category: ps_script product: windows + definition: Script block logging must be enabled detection: selection_args_exc: ScriptBlockText|contains: diff --git a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml index f884e1403..0989036a8 100644 --- a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml +++ b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml @@ -1,12 +1,17 @@ title: Computer Discovery And Export Via Get-ADComputer Cmdlet id: 435e10e4-992a-4281-96f3-38b11106adde +related: + - id: db885529-903f-4c5d-9864-28fe199e6370 + type: similar status: experimental description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file references: - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ + - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf author: Nasreddine Bencherchali date: 2022/11/10 +modified: 2022/11/17 tags: - attack.discovery - attack.t1033 @@ -25,9 +30,9 @@ detection: CommandLine|contains|all: - 'Get-ADComputer ' - ' -Filter \*' - selection_output: CommandLine|contains: - ' > ' + - ' | Select ' - 'Out-File' - 'Set-Content' - 'Add-Content' diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml index f5726cdc6..8ac47c9a4 100644 --- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml 
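Review bot: Removing the `selection_output:` key folds `CommandLine|contains` into the preceding selection map, but the `condition:` line that previously had to reference `selection_output` lies outside the hunk; if it still names `selection_output` (for example `selection and selection_output`) the rule no longer validates, and only if it was written as `all of selection*` is the change behaviour-preserving. Please confirm the condition was updated in the same file. The identical merge is applied to `proc_creation_win_user_discovery_get_aduser.yml` in this commit and needs the same check.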
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml @@ -1,5 +1,8 @@ title: User Discovery And Export Via Get-ADUser Cmdlet -id: c2993223-6da8-4b1a-88ee-668b8bf315e9 +id: 1114e048-b69c-4f41-bc20-657245ae6e3f +related: + - id: c2993223-6da8-4b1a-88ee-668b8bf315e9 + type: similar status: experimental description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file references: @@ -7,7 +10,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ author: Nasreddine Bencherchali date: 2022/09/09 -modified: 2022/11/10 +modified: 2022/11/17 tags: - attack.discovery - attack.t1033 @@ -26,9 +29,9 @@ detection: CommandLine|contains|all: - 'Get-ADUser ' - ' -Filter \*' - selection_output: CommandLine|contains: - ' > ' + - ' | Select ' - 'Out-File' - 'Set-Content' - 'Add-Content' diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml index cd043992c..befc469e0 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml @@ -5,9 +5,10 @@ description: Detects registry modifications that change features of internal Win references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html author: frack113, Nasreddine Bencherchali date: 2022/03/18 -modified: 2022/06/03 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1112 
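Review bot: The rule's `id` changes from `c2993223-6da8-4b1a-88ee-668b8bf315e9` to `1114e048-b69c-4f41-bc20-657245ae6e3f`, and the old identifier is reassigned in the same series to the new ps_script rule `posh_ps_user_discovery_get_aduser.yml`. Consumers that track rules by id (tuning overrides, SIEM mappings, suppression lists) will silently start receiving a rule with a different logsource under the identifier they already deployed. Giving the new rule the fresh UUID and leaving this rule's `id:` line untouched avoids that; if the swap is intentional, the commit message should state it and the reason.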
@@ -30,6 +31,7 @@ detection: EventType: SetValue TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled' - '\SYSTEM\CurrentControlSet\Control\Storage\Write Protection' - '\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect' From 7804decd2db84dd1d022801e782d84eca7ecff72 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 18 Nov 2022 11:15:50 +0100 Subject: [PATCH 5/7] feat: add more clarification to the test (#3710) Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../proc_creation_win_proc_dump_dumpminitool.yml | 12 ++++++------ tests/test_rules.py | 7 ++++--- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml index 29a7e3df0..b58372b9f 100644 --- a/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml +++ b/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/mrd0x/status/1511489821247684615 author: Florian Roth date: 2022/04/06 +modified: 2022/11/18 tags: - attack.defense_evasion - attack.t1036 @@ -15,15 +16,14 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\DumpMinitool.exe' - selection_original_name: - OriginalName: 'DumpMinitool.exe' - selection_flags: + selection_img: + - Image|endswith: '\DumpMinitool.exe' + - OriginalFileName: 'DumpMinitool.exe' + selection_cli: CommandLine|contains|all: - ' --processId ' - ' --dumpType Full' - condition: 1 of selection* + condition: 1 of selection_* falsepositives: - Unknown level: medium 
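Review bot: `ConsentPromptBehaviorAdmin` is appended to the `TargetObject|endswith` list with no constraint on the written value, so every `SetValue` on that key fires, including UAC policy being (re)applied by Group Policy or a hardening baseline; nothing in the visible lines filters on `Details`. If the intent is to catch UAC being weakened, a dedicated selection that also constrains `Details` for this key would be more precise; failing that, the `falsepositives` section (outside the hunk) should mention GPO-driven UAC configuration.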
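Review bot: `condition: 1 of selection_*` ORs `selection_img` with `selection_cli`, so any process whose image or original file name is `DumpMinitool.exe` fires regardless of arguments, and any process whose command line contains ` --processId ` and ` --dumpType Full` fires regardless of image. If the rule means to require both (the dump tool invoked with a full-dump request), the line should read `condition: all of selection_*`. The original `1 of selection*` had the same OR semantics, so this hunk preserves rather than introduces it, but the rename is the natural moment to settle the intent and state it in `description`.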
diff --git a/tests/test_rules.py b/tests/test_rules.py index 630033e27..a76aa41bb 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -871,7 +871,8 @@ class TestRules(unittest.TestCase): def test_field_name_typo(self): # add "OriginalFilename" after Aurora switched to SourceFilename # add "ProviderName" after special case powershell classic is resolved - typos = ["ServiceFilename", "TargetFileName", "SourceFileName", "Commandline", "Targetobject"] + # typos is a list of tuples where each tuple contains ("The typo", "The correct version") + typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")] faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part(file_path=file, part_name="detection") @@ -880,8 +881,8 @@ class TestRules(unittest.TestCase): if isinstance(detection[search_identifier], dict): for field in detection[search_identifier]: for typo in typos: - if typo in field: - print(Fore.RED + "Rule {} has a common typo ({}) in selection ({}/{})".format(file, typo, search_identifier, field)) + if typo[0] in field: + print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with common typos in field names.") From 6603ca9202b29ae84a03c5a8be17ac8709d47b58 Mon Sep 17 00:00:00 2001 
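Review bot: Indexing `typo[0]` / `typo[1]` into the new list of pairs is harder to read than unpacking; `for typo, correct in typos:` with `if typo in field:` and `.format(file, typo, correct, search_identifier, field)` keeps the same behaviour and makes the explanatory comment above the list unnecessary. Also `typo in field` is a substring test, so any future pair whose typo string is contained in a correct field name would flag valid rules; none of the six current pairs has that property, but an equality check (or a note on the list stating the substring semantics) would make the intent explicit. The enclosing `test_field_name_typo` method ends outside the hunk.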
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 18 Nov 2022 11:16:13 +0100 Subject: [PATCH 6/7] fix: update rules to not use regex --- ...voke_obfuscation_var_services_security.yml | 13 ++++++++++-- ..._obfuscation_via_var_services_security.yml | 18 ++++++++++++++-- ...stem_invoke_obfuscation_stdin_services.yml | 21 +++++++++++++++---- ...system_invoke_obfuscation_var_services.yml | 13 ++++++++++-- ..._invoke_obfuscation_via_stdin_services.yml | 13 ++++++++++-- ...em_invoke_obfuscation_via_var_services.yml | 18 ++++++++++++++-- .../posh_ps_invoke_dnsexfiltration.yml | 2 +- .../posh_ps_invoke_nightmare.yml | 2 +- 8 files changed, 84 insertions(+), 16 deletions(-) diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml index 3df62679c..3e9ad2a3d 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/12/02 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1027 
@@ -22,7 +22,16 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" + # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " + ServiceFileName|contains|all: + - 'cmd' + - '"set' + - '-f' + ServiceFileName|contains: + - '/c' + - '/r' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml index e973cca18..c14da7c1d 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/10/09 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1027 
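Review bot: The replacement `ServiceFileName|contains|all` set (`cmd`, `"set`, `-f`) plus `/c` or `/r` is much looser than the regex it comments out: the regex required one or more `{N}` format placeholders ahead of the `-f` operator, whereas `-f` on its own is a substring of many ordinary service paths and arguments. The sibling `win_security_invoke_obfuscation_via_var_services_security.yml` in this commit keeps a `ServiceFileName|contains` list of `'{0}'` … `'{5}'` for exactly that signal; adding the same list here, and in `win_system_invoke_obfuscation_var_services.yml` which receives the identical change, would retain the obfuscation indicator the original regex encoded. `falsepositives` still reads `Unknown` and was not revisited for the looser match.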
@@ -22,7 +22,21 @@ logsource: detection: selection: EventID: 4697 - ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" + # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" + ServiceFileName|contains|all: + - '&&set' + - 'cmd' + - '/c' + - '-f' + ServiceFileName|contains: + - '{0}' + - '{1}' + - '{2}' + - '{3}' + - '{4}' + - '{5}' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml index f8d2db6ff..4cc044bd0 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/11/30 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1027 
@@ -16,11 +16,24 @@ logsource: product: windows service: system detection: - selection: + selection_main: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection + # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + # Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -" + # Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )" + ImagePath|contains|all: + - 'cmd' + - 'powershell' + ImagePath|contains: + - '/c' + - '/r' + selection_other: + - ImagePath|contains: 'noexit' + - ImagePath|contains|all: + - 'input' + - '$' + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml index 78f25a0dd..b2403a616 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/11/30 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1027 
@@ -19,7 +19,16 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )" + # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) " + ImagePath|contains|all: + - 'cmd' + - '"set' + - '-f' + ImagePath|contains: + - '/c' + - '/r' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml index cfa7bdf7b..8a4091b6a 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/11/30 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1027 
@@ -19,7 +19,16 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + # ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + # Example 1: C:\wiNdOWs\SystEm32\cMD.EXe /c "sET XnK= Invoke-Expression (New-Object Net.WebClient).DownloadString && sET PZVh=ECho ${EXECutIoNcOnTExT}.inVokecommaNd.iNvoKeSCrIPt( ([eNvirOnMEnT]::GETenVIrOnmENtVARIABLe('XNk','pRoceSS'))) ^| poweRSHelL -NoE - && C:\wiNdOWs\SystEm32\cMD.EXe /c%PzVh%" + # Example 2: C:\winDowS\SysteM32\Cmd /C "set sHM=Invoke-Expression (New-Object Net.WebClient).DownloadString && SEt gBc=ECHO $eXECutionconTeXt.inVoKECOmmanD.InVoKESCripT( ([ENVirOnment]::geTenVIrONMEnTvaRIAble('shM','PRoCEss')) ) ^| C:\WiNDoWS\SYSwoW64\WindoWSpoWerSHelL\V1.0\pOwersheLl.EXe ^^^&( $PShOME[4]+$psHOMe[30]+'X') ( $InPUt) && C:\winDowS\SysteM32\Cmd /C %gbc%" + ImagePath|contains|all: + - 'set' + - '&&' + ImagePath|contains: + - 'environment' + - 'invoke' + - 'input' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml index 06b4062f3..76e3dac8c 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/11/30 +modified: 2022/11/17 tags: - attack.defense_evasion - attack.t1027 
@@ -19,7 +19,21 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%" + # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%" + ImagePath|contains|all: + - '&&set' + - 'cmd' + - '/c' + - '-f' + ImagePath|contains: + - '{0}' + - '{1}' + - '{2}' + - '{3}' + - '{4}' + - '{5}' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml index f1ec39f84..50a292386 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml 
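Review bot: The retired regex demanded at least two adjacent format placeholders (`(\{\d\}){2,}`), but the new `ImagePath|contains` list is satisfied by a single `{0}` … `{5}`, so a service image path with one .NET-style placeholder alongside `&&set`, `cmd`, `/c` and `-f` now matches. If the `re` modifier is being avoided for backend reasons, a short list of adjacent pairs — `'{0}{1}'`, `'{1}{0}'`, `'{2}{0}'`, `'{2}{1}'` — still covers both recorded examples while restoring the adjacency requirement; otherwise `ImagePath|re: '\{\d\}\{\d\}'` is a far smaller and more portable expression than the one removed. The `# FPs with |\/r` remark carried over with the old regex now refers to nothing in the live selection and should be reworded to say the `/c`-only restriction is kept via `'/c'`, or dropped.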
@@ -16,7 +16,7 @@ logsource:
 definition: Script block logging must be enabled
 detection:
 selection_cmdlet:
- - ScriptBlockText|contains: Invoke-DNSExfiltrator
+ - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
 - ScriptBlockText|contains|all:
 - ' -i '
 - ' -d '
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
index dc88b8395..10a74f43a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml
@@ -16,7 +16,7 @@ logsource:
 definition: Script Block Logging must be enabled
 detection:
 selection:
- ScriptBlockText|contains: Invoke-Nightmare
+ ScriptBlockText|contains: 'Invoke-Nightmare'
 condition: selection
 falsepositives:
 - Unknown
From 59ccb74bc61bbf6342c3359f97f02fd7d8b7feab Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 18 Nov 2022 11:26:04 +0100 Subject: [PATCH 7/7] Add proc_creation_win_susp_powercfg Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_susp_powercfg.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
new file mode 100644
index 000000000..d9229ef1c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml
@@ -0,0 +1,34 @@
+title: Suspicious Powercfg Execution To Change Lock Screen Timeout
+id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
+status: experimental
+description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
+references:
+ - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
+ - https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
+author: frack113
+date: 2022/11/18
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_power:
+ - Image|endswith: '\powercfg.exe'
+ - OriginalFileName: 'PowerCfg.exe'
+ selection_standby:
+ # powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
+ - CommandLine|contains|all:
+ - '/setacvalueindex '
+ - 'SCHEME_CURRENT'
+ - 'SUB_VIDEO'
+ - 'VIDEOCONLOCK'
+ # powercfg -change -standby-timeout-dc 3000
+ # powercfg -change -standby-timeout-ac 3000
+ - CommandLine|contains|all:
+ - '-change '
+ - '-standby-timeout-'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
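Review bot: The description claims the rule detects changes to the "lock screen timeout", but the second `CommandLine|contains|all` under `selection_standby` matches `-change -standby-timeout-`, which adjusts the sleep/standby timeout rather than the console-lock display timeout that `VIDEOCONLOCK` in the first branch targets; `description: Detects suspicious execution of 'Powercfg.exe' to change the lock screen or standby timeout` would describe both branches. The two branches also disagree on switch prefix — the first requires `/setacvalueindex ` while the second requires `-change ` — and powercfg accepts either `/` or `-` for its options, so `-setacvalueindex` and `/change` spellings fall through; dropping the prefix character (`- 'setacvalueindex '`) closes the first gap, and the on-battery counterpart `setdcvalueindex` is not covered at all even though the standby branch covers both `-ac` and `-dc` through `-standby-timeout-`. `falsepositives: - Unknown` is likely too pessimistic for a `medium` rule whose commands also appear in provisioning and hardening scripts; naming that class (e.g. `- Administrative or provisioning scripts adjusting power plans`) would help triage.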