@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
|
||||
date: 2022/06/10
|
||||
modified: 2022/06/21
|
||||
logsource:
|
||||
product: windows
|
||||
category: file_event
|
||||
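Review bot: the `modified: 2022/06/21` bump is the right thing to do here, since the same rule's filters change in the next hunk; nothing else to flag in this metadata region.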
@@ -16,6 +17,7 @@ detection:
|
||||
filter_gup:
|
||||
Image|endswith: '\Notepad++\updater\gup.exe'
|
||||
filter_install:
|
||||
# This filter is for Sigma dataset you could remove it or change when using the rule in your own env
|
||||
Image|startswith: 'C:\Users\'
|
||||
Image|contains: '\AppData\Local\Temp\'
|
||||
Image|endswith: '\target.exe'
|
||||
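Review bot: `filter_install` is an exclusion keyed on an attacker-controllable location (`Image|startswith: 'C:\Users\'` plus `'\AppData\Local\Temp\'` plus `'\target.exe'`), so any file named `target.exe` dropped under a user's Temp folder would suppress the alert for that process. The inline comment already says this filter only exists for the Sigma test dataset; I would rather keep that warning in the rule-level description (or a `# TODO` on the filter) than rely on readers noticing a comment inside `detection`, and in production deployments this filter should be removed as the comment suggests. `filter_gup` on `'\Notepad++\updater\gup.exe'` is fine as the updater path.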
@@ -23,6 +25,6 @@ detection:
|
||||
falsepositives:
|
||||
- Possible FPs during first installation of Notepad++
|
||||
- Legitimate use of custom plugins to enhance notepad++ functionality by users
|
||||
level: high
|
||||
level: medium
|
||||
tags:
|
||||
- attack.persistence
|
||||
|
||||
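Review bot: lowering `level` from high to medium is consistent with the two false-positive entries added here (first install and legitimate custom plugins). Minor style: the second entry writes "notepad++" in lowercase while the first uses "Notepad++"; keep the product name consistent across both lines.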
@@ -1,12 +1,9 @@
|
||||
title: PowerShell Get Clipboard
|
||||
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
|
||||
related:
|
||||
- id: 5486f63a-aa4c-488d-9a61-c9192853099f
|
||||
type: derived
|
||||
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
|
||||
status: experimental
|
||||
date: 2020/05/02
|
||||
modified: 2021/10/16
|
||||
modified: 2022/06/20
|
||||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
|
||||
tags:
|
||||
- attack.collection
|
||||
|
||||
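Review bot: the hunk header is `-12 +9`, but only the `related` block (3 added lines) and the `modified` bump are visible here, so several removed lines are not shown in this view; please confirm what was dropped from this rule (references, for example) is carried by the derived rule rather than lost. Style: "A General detection" in the description should be lowercase "general".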
@@ -0,0 +1,23 @@
|
||||
title: PowerShell Hotfix Enumeration
|
||||
id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
|
||||
status: experimental
|
||||
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1
|
||||
date: 2022/06/21
|
||||
logsource:
|
||||
product: windows
|
||||
category: ps_script
|
||||
definition: Script block logging must be enabled
|
||||
detection:
|
||||
selection:
|
||||
ScriptBlockText|contains|all:
|
||||
- 'Win32_QuickFixEngineering'
|
||||
- 'HotFixID'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate administration scripts
|
||||
level: medium
|
||||
tags:
|
||||
- attack.discovery
|
||||
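Review bot: `ScriptBlockText|contains|all` on `'Win32_QuickFixEngineering'` and `'HotFixID'` will also match ordinary `Get-CimInstance Win32_QuickFixEngineering | Select HotFixID` patch-compliance scripts, which is exactly the "Legitimate administration scripts" false positive listed, so medium is a reasonable level. The `tags` list only has the tactic `attack.discovery`; the other new rules in this change carry a technique-level tag, so consider adding one here (T1082, System Information Discovery, is the natural fit for hotfix enumeration).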
@@ -0,0 +1,27 @@
|
||||
title: Troubleshooting Pack Cmdlet Execution
|
||||
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
|
||||
status: experimental
|
||||
author: Nasreddine Bencherchali
|
||||
date: 2022/06/21
|
||||
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
|
||||
references:
|
||||
- https://twitter.com/nas_bench/status/1537919885031772161
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
|
||||
logsource:
|
||||
product: windows
|
||||
category: ps_script
|
||||
definition: Script block logging must be enabled
|
||||
detection:
|
||||
selection:
|
||||
ScriptBlockText|contains|all:
|
||||
- 'Invoke-TroubleshootingPack'
|
||||
- 'C:\Windows\Diagnostics\System\PCW'
|
||||
- '-AnswerFile'
|
||||
- '-Unattended'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1202
|
||||
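Review bot: `'C:\Windows\Diagnostics\System\PCW'` hard-codes the system drive and, because `contains|all` requires every string, the rule will miss script blocks that reference the pack via `$env:SystemRoot` or a non-`C:` system volume; drop the drive letter (`'\Windows\Diagnostics\System\PCW'`) to match how the other rules in this change anchor paths. Requiring all four of `Invoke-TroubleshootingPack`, the PCW path, `-AnswerFile` and `-Unattended` is also strict; if `-Unattended` is optional for the behaviour described, consider moving it to a separate selection. Grammar: "or action similar to" should read "or actions similar to".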
+29
-21
@@ -1,30 +1,38 @@
|
||||
title: Accesschk Usage After Privilege Escalation
|
||||
title: Accesschk Usage To Check Privileges
|
||||
id: c625d754-6a3d-4f65-9c9a-536aea960d37
|
||||
status: test
|
||||
description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not
|
||||
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
|
||||
description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges
|
||||
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)
|
||||
references:
|
||||
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
|
||||
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
|
||||
- https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
|
||||
- https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
|
||||
- https://github.com/gladiatx0r/Powerless/blob/master/Powerless.bat
|
||||
date: 2020/10/13
|
||||
modified: 2021/11/27
|
||||
modified: 2022/06/20
|
||||
logsource:
|
||||
product: windows
|
||||
category: process_creation
|
||||
product: windows
|
||||
category: process_creation
|
||||
detection:
|
||||
integrity_level:
|
||||
IntegrityLevel: 'Medium'
|
||||
product:
|
||||
Product|endswith: 'AccessChk'
|
||||
description:
|
||||
Description|contains: 'Reports effective permissions'
|
||||
condition: integrity_level and (product or description)
|
||||
selection_img:
|
||||
- Product|endswith: 'AccessChk'
|
||||
- Description|contains: 'Reports effective permissions'
|
||||
- Image|endswith: '\accesschk.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
|
||||
- 'uwcqv '
|
||||
- 'kwsu '
|
||||
- 'qwsu '
|
||||
- 'uwdqs '
|
||||
condition: all of selection*
|
||||
fields:
|
||||
- IntegrityLevel
|
||||
- Product
|
||||
- Description
|
||||
- IntegrityLevel
|
||||
- Product
|
||||
- Description
|
||||
- CommandLine
|
||||
falsepositives:
|
||||
- System administrator Usage
|
||||
level: high
|
||||
- System administrator Usage
|
||||
level: medium
|
||||
tags:
|
||||
- attack.discovery
|
||||
- attack.t1069.001
|
||||
- attack.discovery
|
||||
- attack.t1069.001
|
||||
|
||||
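Review bot: `selection_cli` matches the four flag strings as fixed substrings (`'uwcqv '`, `'kwsu '`, `'qwsu '`, `'uwdqs '`), so any other ordering of the same switches, or switches passed separately (`-u -w -c -q -v`), is missed; the inline comment acknowledges this, but it is worth saying in the description that the rule targets the exact invocations used by winPEAS and Powerless (both referenced) rather than accesschk generally. `Image|endswith: '\accesschk.exe'` will not match the 64-bit `accesschk64.exe` binary that ships in the same Sysinternals package; the `Product`/`Description` alternatives in `selection_img` cover that case only when PE metadata is logged, so consider adding `'\accesschk64.exe'`. Description wording: "developed by SysInternal and often being used by attacker to verify privileges" should read "developed by Sysinternals and often used by attackers to verify privileges".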
@@ -0,0 +1,33 @@
|
||||
title: Abusing Permissions Using Dsacls
|
||||
id: 01c42d3c-242d-4655-85b2-34f1739632f7
|
||||
status: experimental
|
||||
description: Detects usage of Dsacls to grant over permissive permissions
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://ss64.com/nt/dsacls.html
|
||||
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
|
||||
date: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: '\dsacls.exe'
|
||||
- OriginalFileName: "DSACLS.EXE"
|
||||
selection_flag:
|
||||
CommandLine|contains: ' /G '
|
||||
selection_permissions:
|
||||
CommandLine|contains: # Add more permissions as you see fit in yout env
|
||||
- 'GR'
|
||||
- 'GE'
|
||||
- 'GW'
|
||||
- 'GA'
|
||||
- 'WP'
|
||||
- 'WD'
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Legitimate administrators granting over permissive permissions to users
|
||||
level: medium
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1218
|
||||
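Review bot: `selection_permissions` uses bare two-letter substrings (`'GR'`, `'GE'`, `'GW'`, `'GA'`, `'WP'`, `'WD'`) against the whole command line, so any distinguished name, user name or path containing those letter pairs (e.g. "GEORGE", "WDAGUtility") satisfies it and the selection adds almost no narrowing on top of `' /G '`. dsacls takes the grant as `user:permissions` (see the ss64 reference), so anchoring on the separator, for example `':GA'` and `':GW'`, or on the `;`-delimited form, would be far more specific. The `tags` (`attack.execution`, `attack.t1218`) do not describe granting permissive ACLs; an account-manipulation or persistence tag matches the description better. Typo in the comment: "yout env" should be "your env".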
@@ -0,0 +1,28 @@
|
||||
title: Password Spraying Attempts Using Dsacls
|
||||
id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
|
||||
status: experimental
|
||||
description: Detects possible password spraying attempts using Dsacls
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
|
||||
- https://ss64.com/nt/dsacls.html
|
||||
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
|
||||
date: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: '\dsacls.exe'
|
||||
- OriginalFileName: "DSACLS.EXE"
|
||||
selection_cli:
|
||||
CommandLine|contains|all:
|
||||
- '/user:'
|
||||
- '/passwd:'
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Legitimate use of dsacls to bind to an LDAP session
|
||||
level: medium
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1218
|
||||
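Review bot: the selection (`'/user:'` and `'/passwd:'`) fires on every single dsacls invocation with explicit credentials, which is the "legitimate use of dsacls to bind to an LDAP session" false positive already listed; spraying is only distinguishable by many such invocations against different accounts in a short window, so the description should say this rule flags the primitive, and a count-based correlation over `User`/target is what actually identifies spraying. Tags `attack.execution` / `attack.t1218` do not match a password-spraying title; T1110.003 (Password Spraying) under `attack.credential_access` is the matching technique.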
@@ -0,0 +1,44 @@
|
||||
title: Enumeration for 3rd Party Creds From CLI
|
||||
id: 87a476dc-0079-4583-a985-dee7a20a03de
|
||||
related:
|
||||
- id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
|
||||
type: derived
|
||||
status: experimental
|
||||
description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
|
||||
references:
|
||||
- https://isc.sans.edu/diary/More+Data+Exfiltration/25698
|
||||
- https://github.com/synacktiv/Radmin3-Password-Cracker/blob/main/regkey.txt
|
||||
- https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
|
||||
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
|
||||
author: Nasreddine Bencherchali
|
||||
date: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine|contains: # Add more paths as they are discovered
|
||||
- '\Software\SimonTatham\PuTTY\Sessions'
|
||||
- '\Software\\SimonTatham\\PuTTY\SshHostKeys\'
|
||||
- '\Software\Mobatek\MobaXterm\'
|
||||
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
|
||||
- '\Software\Aerofox\FoxmailPreview'
|
||||
- '\Software\Aerofox\Foxmail\V3.1'
|
||||
- '\Software\IncrediMail\Identities'
|
||||
- '\Software\Qualcomm\Eudora\CommandLine'
|
||||
- '\Software\RimArts\B2\Settings'
|
||||
- '\Software\OpenVPN-GUI\configs'
|
||||
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
|
||||
- '\Software\FTPWare\COREFTP\Sites'
|
||||
- '\Software\DownloadManager\Passwords'
|
||||
- '\Software\OpenSSH\Agent\Keys'
|
||||
- '\Software\TightVNC\Server'
|
||||
- '\Software\ORL\WinVNC3\Password'
|
||||
- '\Software\RealVNC\WinVNC4'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: medium
|
||||
tags:
|
||||
- attack.credential_access
|
||||
- attack.t1552.002
|
||||
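Review bot: the second PuTTY entry `'\Software\\SimonTatham\\PuTTY\SshHostKeys\'` has doubled backslashes, unlike every other entry in the list and unlike the `Sessions` line directly above it; in a Sigma single-quoted string `\\` is an escaped literal backslash, so this value will never match a normally written registry path. Change it to `'\Software\SimonTatham\PuTTY\SshHostKeys\'`. Also, the description says "keys that holds credentials"; "hold" is correct.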
+1
-1
@@ -21,7 +21,7 @@ detection:
|
||||
- 'REG_SZ'
|
||||
- '/s'
|
||||
hive:
|
||||
- CommandLine|contains|all:
|
||||
- CommandLine|contains|all:
|
||||
- '/f '
|
||||
- 'HKLM'
|
||||
- CommandLine|contains|all:
|
||||
|
||||
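Review bot: the removed and added `- CommandLine|contains|all:` lines read identically in this view, so this hunk is an indentation or whitespace-only change under `hive:`. That is worth double-checking in the raw YAML, because whether `CommandLine|contains|all` sits as a list item (`- `) or a plain key under `hive:` decides whether the `'/f '` + `'HKLM'` pair is OR'ed with its siblings or AND'ed with them.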
@@ -0,0 +1,45 @@
|
||||
title: Abusing Findstr for Defense Evasion
|
||||
id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
|
||||
status: test
|
||||
description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
|
||||
author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali'
|
||||
references:
|
||||
- https://lolbas-project.github.io/lolbas/Binaries/Findstr/
|
||||
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
date: 2020/10/05
|
||||
modified: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_findstr:
|
||||
- CommandLine|contains: findstr
|
||||
- Image|endswith: 'findstr.exe'
|
||||
- OriginalFileName: 'FINDSTR.EXE'
|
||||
selection_cli_download_1:
|
||||
CommandLine|contains:
|
||||
- /v
|
||||
- -v
|
||||
selection_cli_download_2:
|
||||
CommandLine|contains:
|
||||
- /l
|
||||
- -l
|
||||
selection_cli_creds_1:
|
||||
CommandLine|contains:
|
||||
- /s
|
||||
- -s
|
||||
selection_cli_creds_2:
|
||||
CommandLine|contains:
|
||||
- /i
|
||||
- -i
|
||||
condition: selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*)
|
||||
falsepositives:
|
||||
- Administrative findstr usage
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218
|
||||
- attack.t1564.004
|
||||
- attack.t1552.001
|
||||
- attack.t1105
|
||||
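Review bot: the unquoted one- and two-character values in `selection_cli_download_*` and `selection_cli_creds_*` (`/v`, `-v`, `/l`, `-l`, `/s`, `-s`, `/i`, `-i`) are matched with `contains` anywhere in the command line, so `-v` matches inside `--verbose` or a path segment, `/i` matches `/install`, and `-l` or `-s` match almost any argument; the download branch in particular will fire on a large share of benign `findstr` use. Pad the switches with spaces (`' /v '`, `' -v '`) as the wmic rules in this same change do with `' qfe '` and `' get '`. Separately, `Image|endswith: 'findstr.exe'` lacks the leading backslash used elsewhere (`'\dsacls.exe'`), so it would also match a binary named e.g. `notfindstr.exe`.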
@@ -1,26 +1,26 @@
|
||||
title: Execute Arbitrary Commands Using MSDT.EXE
|
||||
title: Execute MSDT.EXE Using Diagcab File
|
||||
id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
|
||||
status: experimental
|
||||
description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
|
||||
author: GossiTheDog (rule), frack113 (sigma version)
|
||||
author: GossiTheDog (rule), frack113 (sigma version)
|
||||
references:
|
||||
- https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab
|
||||
- https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab
|
||||
date: 2022/06/09
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: '\msdt.exe'
|
||||
- OriginalFileName: 'msdt.exe'
|
||||
selection_cmd:
|
||||
CommandLine|contains|all:
|
||||
- '/cab'
|
||||
- '.diagcab'
|
||||
condition: all of selection_*
|
||||
selection_img:
|
||||
- Image|endswith: '\msdt.exe'
|
||||
- OriginalFileName: 'msdt.exe'
|
||||
selection_cmd:
|
||||
CommandLine|contains|all:
|
||||
- '/cab'
|
||||
- '.diagcab'
|
||||
condition: all of selection_*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
- Legitimate usage of ".diagcab" files
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1202
|
||||
- attack.defense_evasion
|
||||
- attack.t1202
|
||||
|
||||
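Review bot: the title is narrowed to "Execute MSDT.EXE Using Diagcab File" and a legitimate false positive (".diagcab" files) is added, but the description still claims the rule detects diagcab "execute arbitrary commands as seen in CVE-2022-30190"; with a selection that only requires `'/cab'` and `'.diagcab'` on the command line, the description should be aligned with the new title, and `level: high` reconsidered now that benign use is explicitly listed.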
@@ -0,0 +1,26 @@
|
||||
title: MSDT.EXE Execution With Suspicious Cab Option
|
||||
id: dc4576d4-7467-424f-9eee-fd2b02855fe0
|
||||
status: experimental
|
||||
description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://twitter.com/nas_bench/status/1537896324837781506
|
||||
date: 2022/06/21
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: '\msdt.exe'
|
||||
- OriginalFileName: 'msdt.exe'
|
||||
selection_cmd:
|
||||
CommandLine|contains:
|
||||
- ' /cab '
|
||||
- ' -cab '
|
||||
condition: all of selection_*
|
||||
falsepositives:
|
||||
- Legitimate usage of ".diagcab" files
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1202
|
||||
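Review bot: the description has a grammar error, "which could indicates" should be "which could indicate". The space-padded `' /cab '` / `' -cab '` is fine for the documented syntax (the cab path follows after a space); note that this rule is a strict superset of the `.diagcab` rule in this same change, so both will fire on a diagcab invocation, which is acceptable as tiered medium/high alerts but worth stating in the description.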
@@ -0,0 +1,26 @@
|
||||
title: PowerShell Get-Clipboard Cmdlet Via CLI
|
||||
id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
|
||||
related:
|
||||
- id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
|
||||
type: derived
|
||||
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
|
||||
status: experimental
|
||||
date: 2020/05/02
|
||||
modified: 2021/10/16
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
|
||||
- https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine|contains: 'Get-Clipboard'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.collection
|
||||
- attack.t1115
|
||||
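Review bot: this is a new file (`@@ -0,0 +1,26 @@`) but carries `date: 2020/05/02` and `modified: 2021/10/16`, evidently copied from the parent rule it is derived from; a newly created rule should have its own creation date (the other new rules in this change use 2022/06/20 or 2022/06/21) and no `modified` field. `falsepositives: Unknown` on a bare `CommandLine|contains: 'Get-Clipboard'` is also optimistic, since admin and automation scripts do read the clipboard.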
@@ -15,7 +15,7 @@ detection:
|
||||
Image|endswith:
|
||||
- '\net.exe'
|
||||
- '\net1.exe'
|
||||
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
|
||||
CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate administrator or user executes a service for legitimate reasons.
|
||||
|
||||
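Review bot: the removed and added `CommandLine|contains: ' start '` lines read identically here, so this is a whitespace-only change. While touching this line, the comment could mention that a trailing space after `net start` (common when the command is pasted) also satisfies `' start '`, so the discovery form is not fully excluded.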
@@ -4,7 +4,7 @@ description: Detects a windows service to be stopped
|
||||
status: experimental
|
||||
author: Jakob Weinzettl, oscd.community
|
||||
date: 2019/10/23
|
||||
modified: 2022/05/27
|
||||
modified: 2022/06/20
|
||||
tags:
|
||||
- attack.impact
|
||||
- attack.t1489
|
||||
@@ -12,18 +12,23 @@ logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith:
|
||||
selection_img:
|
||||
- OriginalFileName:
|
||||
- 'sc.exe'
|
||||
- 'net.exe'
|
||||
- 'net1.exe'
|
||||
- Image|endswith:
|
||||
- '\sc.exe'
|
||||
- '\net.exe'
|
||||
- '\net1.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains: 'stop'
|
||||
filter:
|
||||
CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
|
||||
User|contains: # covers many language settings
|
||||
- 'AUTHORI'
|
||||
- 'AUTORI'
|
||||
condition: selection and not filter
|
||||
condition: all of selection_* and not filter
|
||||
fields:
|
||||
- ComputerName
|
||||
- User
|
||||
|
||||
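Review bot: `selection_cli` uses `CommandLine|contains: 'stop'` with no delimiters, so it matches `stopped`, `Stop-Service`, and any path or argument containing "stop"; pad it (`' stop '`) as the wmic rules in this change do. The `filter` block is a single map, so the Kaspersky command line and the `User|contains` `AUTHORI`/`AUTORI` condition must both hold for the exclusion to apply; if the intent is to drop either SYSTEM-run stops or the KSC line on its own, split them into a list (or two filters) and reference both in the condition.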
@@ -1,34 +0,0 @@
|
||||
title: Abusing Findstr for Defense Evasion
|
||||
id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
|
||||
status: test
|
||||
description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
|
||||
author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
|
||||
references:
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
|
||||
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
||||
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
|
||||
date: 2020/10/05
|
||||
modified: 2022/05/16
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selectionFindstr:
|
||||
- CommandLine|contains: findstr
|
||||
- Image|endswith: 'findstr.exe'
|
||||
- OriginalFileName: 'FINDSTR.EXE'
|
||||
selection_V_L:
|
||||
CommandLine|contains|all:
|
||||
- /V
|
||||
- /L
|
||||
selection_S_I:
|
||||
CommandLine|contains|all:
|
||||
- /S
|
||||
- /I
|
||||
condition: selectionFindstr and (selection_V_L or selection_S_I)
|
||||
falsepositives:
|
||||
- Administrative findstr usage
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218
|
||||
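Review bot: the deleted rule keeps its `id` (`bf6c39fc-e203-45b9-9538-05397c1b4f3f`) in the re-added copy elsewhere in this change, so this is a move rather than a removal, and the original `contains|all` pairing of `/V` with `/L` and of `/S` with `/I` is preserved in the new file via `all of selection_cli_download*` / `all of selection_cli_creds*`, while widening to the `-` switch form. Fine to delete; just make sure the rule index does not list both paths during the transition.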
@@ -0,0 +1,28 @@
|
||||
title: WMIC Hotfix Recon
|
||||
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
|
||||
status: experimental
|
||||
description: Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
|
||||
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
|
||||
date: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- OriginalFileName: 'wmic.exe'
|
||||
- Image|endswith: '\WMIC.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains|all:
|
||||
- ' qfe '
|
||||
- ' get '
|
||||
- 'Caption,Description,HotFixID,InstalledOn'
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1047
|
||||
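Review bot: the exact column string `'Caption,Description,HotFixID,InstalledOn'` is brittle; the same recon with spaces after the commas, a different column order, or a subset of columns is missed, so the rule effectively matches only the winPEAS invocation it was taken from. `contains|all` on the individual column names (`HotFixID`, `InstalledOn`) alongside `' qfe '` would keep the intent while surviving reformatting. `falsepositives: Unknown` conflicts with the description's own note that pentest scripts and, implicitly, patch-audit scripts use this; list administrative inventory scripts. Grammar: "Detects wmic known recon method" should read "Detects a known wmic recon method".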
@@ -0,0 +1,29 @@
|
||||
title: WMIC Service Start/Stop
|
||||
id: 0b7163dc-7eee-4960-af17-c0cd517f92da
|
||||
status: experimental
|
||||
description: Detects usage of wmic to start or stop a service
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
|
||||
date: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- OriginalFileName: 'wmic.exe'
|
||||
- Image|endswith: '\WMIC.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains|all:
|
||||
- ' service '
|
||||
- ' call '
|
||||
CommandLine|contains:
|
||||
- 'stopservice'
|
||||
- 'startservice'
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1047
|
||||
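Review bot: both keys in `selection_cli` sit in one map, so `' service '` and `' call '` are AND'ed with the `stopservice`/`startservice` list, which is what the description needs. `falsepositives: Unknown` is too strong here; `wmic service ... call startservice|stopservice` is routine in administrative scripts, and the service start/stop rules modified in this same change already list administrator use as a false positive, so this one should too.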
@@ -0,0 +1,32 @@
|
||||
title: WMIC Unquoted Services Path Lookup
|
||||
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
|
||||
status: experimental
|
||||
description: Detects wmic known recon method to look for unquoted serivce paths, often used by pentest and attackers enum scripts
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/nccgroup/redsnarf/blob/master/redsnarf.py
|
||||
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
|
||||
date: 2022/06/20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- OriginalFileName: 'wmic.exe'
|
||||
- Image|endswith: '\WMIC.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains|all:
|
||||
- ' service '
|
||||
- ' get '
|
||||
CommandLine|contains:
|
||||
- name
|
||||
- displayname
|
||||
- pathname
|
||||
- startmode
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1047
|
||||
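Review bot: in the second `CommandLine|contains` list, `name` is a substring of both `displayname` and `pathname`, so the OR collapses to "`name` or `startmode`", and a bare `name` matches virtually every `wmic service get` invocation. Since the unquoted-service-path recon this rule targets is the `name,displayname,pathname,startmode` column set, use `contains|all` on the distinctive columns (`pathname`, `startmode`) instead of an OR over overlapping substrings. Typo in the description: "serivce" should be "service", and "Detects wmic known recon method" should read "Detects a known wmic recon method".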