diff --git a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml
index 40829d732..96e397ca5 100644
--- a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml
+++ b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
 date: 2022/06/10
+modified: 2022/06/21
 logsource:
 product: windows
 category: file_event
@@ -16,6 +17,7 @@ detection:
 filter_gup:
 Image|endswith: '\Notepad++\updater\gup.exe'
 filter_install:
+ # This filter is for Sigma dataset you could remove it or change when using the rule in your own env
 Image|startswith: 'C:\Users\'
 Image|contains: '\AppData\Local\Temp\'
 Image|endswith: '\target.exe'
@@ -23,6 +25,6 @@ detection:
 falsepositives:
 - Possible FPs during first installation of Notepad++
 - Legitimate use of custom plugins to enhance notepad++ functionality by users
-level: high
+level: medium
 tags:
 - attack.persistence
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
index bcc8cb36b..baf228bd5 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml
@@ -1,12 +1,9 @@
 title: PowerShell Get Clipboard
 id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
-related:
- - id: 5486f63a-aa4c-488d-9a61-c9192853099f
- type: derived
 description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
 status: experimental
 date: 2020/05/02
-modified: 2021/10/16
+modified: 2022/06/20
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
 - attack.collection
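Review bot: The comment added above `Image|startswith` in `filter_install` does not say what the filter excludes, and its grammar is off. The three conditions beneath it exclude any `target.exe` started from a user's `\AppData\Local\Temp\`, a path and file name under the user's control, so the exclusion is wider than the Notepad++ installer it is presumably meant to cover. Suggest `# Sigma test-dataset filter: excludes the installer stub (target.exe) run from the user's Temp folder; remove or tighten when deploying this rule`. The other two hunks in this file change only the modified date and the level.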
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
new file mode 100644
index 000000000..a2ed94f6d
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml
@@ -0,0 +1,23 @@
+title: PowerShell Hotfix Enumeration
+id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
+status: experimental
+description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1
+date: 2022/06/21
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Win32_QuickFixEngineering'
+ - 'HotFixID'
+ condition: selection
+falsepositives:
+ - Legitimate administration scripts
+level: medium
+tags:
+ - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
new file mode 100644
index 000000000..19b337b9a
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml
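Review bot: `ScriptBlockText|contains|all` in `selection` requires both `Win32_QuickFixEngineering` and `HotFixID` in the same script block, so a script that queries the class and selects all properties without naming `HotFixID` is not covered. The class name is already specific on its own; either drop the second term or add a comment stating why it is required, e.g. `# HotFixID keeps the rule to explicit hotfix-id collection; drop it for broader coverage`. The description would also read better as `Detects calls to "Win32_QuickFixEngineering" that enumerate installed hotfixes, a step often found in attacker "enum" scripts`.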
@@ -0,0 +1,27 @@
+title: Troubleshooting Pack Cmdlet Execution
+id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/06/21
+description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
+references:
+ - https://twitter.com/nas_bench/status/1537919885031772161
+ - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Invoke-TroubleshootingPack'
+ - 'C:\Windows\Diagnostics\System\PCW'
+ - '-AnswerFile'
+ - '-Unattended'
+ condition: selection
+falsepositives:
+ - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1202
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/posh_ps_susp_recon.yml
rename to rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml
diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
index 3347ee137..dbad9aca2 100644
--- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
+++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
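Review bot: The `'C:\Windows\Diagnostics\System\PCW'` term in `selection` hard-codes the drive letter and the `C:\Windows` prefix, so a system installed on another drive, or a script that builds the path from `$env:windir`, is not matched even though the same pack is invoked. `ScriptBlockText|contains` is a substring match, so `'\Diagnostics\System\PCW'` keeps the specificity without the prefix. The description's "or action similar to" reads awkwardly; `or to perform actions similar to the "msdt" lolbin` would be clearer.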
@@ -1,30 +1,38 @@
-title: Accesschk Usage After Privilege Escalation
+title: Accesschk Usage To Check Privileges
 id: c625d754-6a3d-4f65-9c9a-536aea960d37
 status: test
-description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not
-author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)
 references:
- - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
+ - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
+ - https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
+ - https://github.com/gladiatx0r/Powerless/blob/master/Powerless.bat
 date: 2020/10/13
-modified: 2021/11/27
+modified: 2022/06/20
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- integrity_level:
- IntegrityLevel: 'Medium'
- product:
- Product|endswith: 'AccessChk'
- description:
- Description|contains: 'Reports effective permissions'
- condition: integrity_level and (product or description)
+ selection_img:
+ - Product|endswith: 'AccessChk'
+ - Description|contains: 'Reports effective permissions'
+ - Image|endswith: '\accesschk.exe'
+ selection_cli:
+ CommandLine|contains: # These are the most common flags used with this tool.
You could add other combinations if needed
+ - 'uwcqv '
+ - 'kwsu '
+ - 'qwsu '
+ - 'uwdqs '
+ condition: all of selection*
 fields:
- - IntegrityLevel
- - Product
- - Description
+ - IntegrityLevel
+ - Product
+ - Description
+ - CommandLine
 falsepositives:
- - System administrator Usage
-level: high
+ - System administrator Usage
+level: medium
 tags:
- - attack.discovery
- - attack.t1069.001
+ - attack.discovery
+ - attack.t1069.001
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
new file mode 100644
index 000000000..d59ad0e65
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -0,0 +1,33 @@
+title: Abusing Permissions Using Dsacls
+id: 01c42d3c-242d-4655-85b2-34f1739632f7
+status: experimental
+description: Detects usage of Dsacls to grant over permissive permissions
+author: Nasreddine Bencherchali
+references:
+ - https://ss64.com/nt/dsacls.html
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\dsacls.exe'
+ - OriginalFileName: "DSACLS.EXE"
+ selection_flag:
+ CommandLine|contains: ' /G '
+ selection_permissions:
+ CommandLine|contains: # Add more permissions as you see fit in yout env
+ - 'GR'
+ - 'GE'
+ - 'GW'
+ - 'GA'
+ - 'WP'
+ - 'WD'
+ condition: all of selection*
+falsepositives:
+ - Legitimate administrators granting over permissive permissions to users
+level: medium
+tags:
+ - attack.execution
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
new file mode 100644
index 000000000..34af1ac73
--- /dev/null
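Review bot: The four `CommandLine|contains` terms in `selection_cli` (`'uwcqv '`, `'kwsu '`, `'qwsu '`, `'uwdqs '`) are bare letter runs with only a trailing space, so they match anywhere in the command line rather than as the accesschk switch they stand for; writing them as they are passed, e.g. `' -uwcqv '`, anchors them to the switch position (add the `/` form too if that prefix appears in your data). `fields` still lists `IntegrityLevel` although `integrity_level` was removed from `detection`, so the output list no longer reflects what the rule evaluates. The file name still says `usage_after_priv_escalation` while the title now reads "Usage To Check Privileges"; renaming it, as this commit does for `posh_ps_susp_recon.yml`, would keep them aligned. This hunk starts on the previous line, and the inline comment after `CommandLine|contains:` is split across the two lines in this view.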
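Review bot: The `selection_permissions` terms `'GR'`, `'GE'`, `'GW'`, `'GA'`, `'WP'`, `'WD'` are two-character substrings matched case-insensitively, so `'GR'` is satisfied by `Program` in any path and the selection adds little discrimination on top of `' /G '`. dsacls places the rights directly after the colon in `/G <trustee>:<rights>`, so anchoring the tokens to that separator, e.g. `':GA'`, or a `|re` term that allows concatenated rights after the colon, would tie the match to an actual grant of those rights. The inline comment has a typo (`yout env`), and `attack.execution`/`attack.t1218` do not describe granting permissions on directory objects; a permissions-modification or persistence technique would fit better.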
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -0,0 +1,28 @@
+title: Password Spraying Attempts Using Dsacls
+id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
+status: experimental
+description: Detects possible password spraying attempts using Dsacls
+author: Nasreddine Bencherchali
+references:
+ - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
+ - https://ss64.com/nt/dsacls.html
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\dsacls.exe'
+ - OriginalFileName: "DSACLS.EXE"
+ selection_cli:
+ CommandLine|contains|all:
+ - '/user:'
+ - '/passwd:'
+ condition: all of selection*
+falsepositives:
+ - Legitimate use of dsacls to bind to an LDAP session
+level: medium
+tags:
+ - attack.execution
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
new file mode 100644
index 000000000..0f13b0414
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
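Review bot: The tags `attack.execution` and `attack.t1218` do not describe what `selection_cli` detects; the rule keys on `/user:` together with `/passwd:`, i.e. explicit credential use against the directory, which belongs under credential access (password spraying is T1110.003). `OriginalFileName: "DSACLS.EXE"` uses double quotes while every other value in the file and in the sibling `proc_creation_win_dsacls_abuse_permissions.yml` uses single quotes; `'DSACLS.EXE'` keeps the style consistent. A single `/user:`+`/passwd:` invocation is a legitimate bind, as `falsepositives` already says, so the description should state that the rule is meaningful when many such events are seen in a short window.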
@@ -0,0 +1,44 @@
+title: Enumeration for 3rd Party Creds From CLI
+id: 87a476dc-0079-4583-a985-dee7a20a03de
+related:
+ - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
+ type: derived
+status: experimental
+description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
+references:
+ - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
+ - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/main/regkey.txt
+ - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
+ - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
+author: Nasreddine Bencherchali
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: # Add more paths as they are discovered
+ - '\Software\SimonTatham\PuTTY\Sessions'
+ - '\Software\\SimonTatham\\PuTTY\SshHostKeys\'
+ - '\Software\Mobatek\MobaXterm\'
+ - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
+ - '\Software\Aerofox\FoxmailPreview'
+ - '\Software\Aerofox\Foxmail\V3.1'
+ - '\Software\IncrediMail\Identities'
+ - '\Software\Qualcomm\Eudora\CommandLine'
+ - '\Software\RimArts\B2\Settings'
+ - '\Software\OpenVPN-GUI\configs'
+ - '\Software\Martin Prikryl\WinSCP 2\Sessions'
+ - '\Software\FTPWare\COREFTP\Sites'
+ - '\Software\DownloadManager\Passwords'
+ - '\Software\OpenSSH\Agent\Keys'
+ - '\Software\TightVNC\Server'
+ - '\Software\ORL\WinVNC3\Password'
+ - '\Software\RealVNC\WinVNC4'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.002
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
index f0cc9a06d..c07194735 100644
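Review bot: The second `CommandLine|contains` entry, `'\Software\\SimonTatham\\PuTTY\SshHostKeys\'`, escapes two of its backslashes as `\\` while the same path segments on the line above use a single `\`. Sigma treats both forms as one literal backslash before a non-wildcard character, so the match should be equivalent, but the mixed forms make the list hard to verify by eye and invite a copy of the doubled form into a backend that does not normalise it; `'\Software\SimonTatham\PuTTY\SshHostKeys\'` matches the rest of the list. The file is also missing its trailing newline (`\ No newline at end of file`).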
--- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
+++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
@@ -21,7 +21,7 @@ detection:
 - 'REG_SZ'
 - '/s'
 hive:
- - CommandLine|contains|all:
+ - CommandLine|contains|all:
 - '/f '
 - 'HKLM'
 - CommandLine|contains|all:
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
new file mode 100644
index 000000000..9970234f9
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml
@@ -0,0 +1,45 @@
+title: Abusing Findstr for Defense Evasion
+id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
+status: test
+description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali'
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
+ - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+date: 2020/10/05
+modified: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_findstr:
+ - CommandLine|contains: findstr
+ - Image|endswith: 'findstr.exe'
+ - OriginalFileName: 'FINDSTR.EXE'
+ selection_cli_download_1:
+ CommandLine|contains:
+ - /v
+ - -v
+ selection_cli_download_2:
+ CommandLine|contains:
+ - /l
+ - -l
+ selection_cli_creds_1:
+ CommandLine|contains:
+ - /s
+ - -s
+ selection_cli_creds_2:
+ CommandLine|contains:
+ - /i
+ - -i
+ condition: selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*)
+falsepositives:
+ - Administrative findstr usage
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1564.004
+ - attack.t1552.001
+ - attack.t1105
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml b/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml
index d4958a61d..7a1a36751 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml
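Review bot: `Image|endswith: 'findstr.exe'` in `selection_findstr` lacks the leading backslash used by every other `Image|endswith` in this commit (`'\dsacls.exe'`, `'\msdt.exe'`), so any image whose name merely ends in `findstr.exe` is accepted; `'\findstr.exe'` restricts it to the file name, as the deleted `proc_creation_win_susp_findstr.yml` also should have. The switch values `/v`, `-v`, `/l`, `-l`, `/s`, `-s`, `/i`, `-i` are plain scalars and parse as strings, but quoting them (`'/v'`, `'-v'`) matches the style of the rest of the file and avoids a reader mistaking `- -v` for a nested list. The file is also missing its trailing newline.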
@@ -1,26 +1,26 @@
-title: Execute Arbitrary Commands Using MSDT.EXE
+title: Execute MSDT.EXE Using Diagcab File
 id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
 status: experimental
 description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
-author: GossiTheDog (rule), frack113 (sigma version)
+author: GossiTheDog (rule), frack113 (sigma version)
 references:
- - https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab
+ - https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab
 date: 2022/06/09
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_img:
- - Image|endswith: '\msdt.exe'
- - OriginalFileName: 'msdt.exe'
- selection_cmd:
- CommandLine|contains|all:
- - '/cab'
- - '.diagcab'
- condition: all of selection_*
+ selection_img:
+ - Image|endswith: '\msdt.exe'
+ - OriginalFileName: 'msdt.exe'
+ selection_cmd:
+ CommandLine|contains|all:
+ - '/cab'
+ - '.diagcab'
+ condition: all of selection_*
 falsepositives:
- - Unknown
+ - Legitimate usage of ".diagcab" files
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1202
+ - attack.defense_evasion
+ - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
new file mode 100644
index 000000000..f4c1f54d4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml
@@ -0,0 +1,26 @@
+title: MSDT.EXE Execution With Suspicious Cab Option
+id: dc4576d4-7467-424f-9eee-fd2b02855fe0
+status: experimental
+description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/nas_bench/status/1537896324837781506
+date: 2022/06/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\msdt.exe'
+ - OriginalFileName: 'msdt.exe'
+ selection_cmd:
+ CommandLine|contains:
+ - ' /cab '
+ - ' -cab '
+ condition: all of selection_*
+falsepositives:
+ - Legitimate usage of ".diagcab" files
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1202
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
new file mode 100644
index 000000000..f194dfd34
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml
@@ -0,0 +1,26 @@
+title: PowerShell Get-Clipboard Cmdlet Via CLI
+id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
+related:
+ - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+ type: derived
+description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
+status: experimental
+date: 2020/05/02
+modified: 2021/10/16
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+ - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'Get-Clipboard'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.collection
+ - attack.t1115
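Review bot: The new `proc_creation_win_powershell_get_clipboard.yml` carries `date: 2020/05/02` and `modified: 2021/10/16` although the file is created in this commit, and those are the values the related module-logging rule `4cbd4f12-2e22-43e3-882f-bff3247ffb78` had before this commit bumped it to 2022/06/20; the dates look carried over from the parent. Set `date` to the creation date and drop `modified`, or, if this rule is a split of the original and its history is meant to be preserved, credit the original author alongside the new one in `author`. The `description` would also benefit from saying what the 'Via CLI' distinction adds over the module-logging rule, e.g. `Detects the 'Get-Clipboard' cmdlet passed on a process command line; see the related ps_module rule for script-level coverage`.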
diff --git a/rules/windows/process_creation/proc_creation_win_service_execution.yml b/rules/windows/process_creation/proc_creation_win_service_execution.yml
index 9b350bdda..4f6f5b42e 100644
--- a/rules/windows/process_creation/proc_creation_win_service_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_service_execution.yml
@@ -15,7 +15,7 @@ detection:
 Image|endswith:
 - '\net.exe'
 - '\net1.exe'
- CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
+ CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
 condition: selection
 falsepositives:
 - Legitimate administrator or user executes a service for legitimate reasons.
diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml
index 2cb03e7dd..1190e74c8 100644
--- a/rules/windows/process_creation/proc_creation_win_service_stop.yml
+++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml
@@ -4,7 +4,7 @@ description: Detects a windows service to be stopped
 status: experimental
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
-modified: 2022/05/27
+modified: 2022/06/20
 tags:
 - attack.impact
 - attack.t1489
@@ -12,18 +12,23 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith:
+ selection_img:
+ - OriginalFileName:
+ - 'sc.exe'
+ - 'net.exe'
+ - 'net1.exe'
+ - Image|endswith:
 - '\sc.exe'
 - '\net.exe'
 - '\net1.exe'
+ selection_cli:
 CommandLine|contains: 'stop'
 filter:
 CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
- condition: selection and not filter
+ condition: all of selection_* and not filter
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr.yml
deleted file mode 100644
index 11c27603f..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml
+++ /dev/null
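Review bot: `selection_cli` keeps `CommandLine|contains: 'stop'` as a bare substring, so with the new `OriginalFileName` alternatives the rule fires on any sc/net invocation whose command line contains those four letters anywhere, including inside a path or a service name. The sibling `proc_creation_win_service_execution.yml` in this same commit uses `' start '` with a comment explaining that the surrounding spaces mark the verb; `CommandLine|contains: ' stop '  # spaces delimit the verb, as in the service_execution rule` would be consistent, with the existing `filter` value re-checked against the padded form. The `OriginalFileName` values `'sc.exe'`, `'net.exe'`, `'net1.exe'` are lowercase while `proc_creation_win_lolbin_findstr.yml` uses `'FINDSTR.EXE'` and `proc_creation_win_wmic_hotfix_enum.yml` uses `'wmic.exe'`; one convention across the commit would be easier to review.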
@@ -1,34 +0,0 @@
-title: Abusing Findstr for Defense Evasion
-id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
-status: test
-description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
-author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
-references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml
- - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
-date: 2020/10/05
-modified: 2022/05/16
-logsource:
- category: process_creation
- product: windows
-detection:
- selectionFindstr:
- - CommandLine|contains: findstr
- - Image|endswith: 'findstr.exe'
- - OriginalFileName: 'FINDSTR.EXE'
- selection_V_L:
- CommandLine|contains|all:
- - /V
- - /L
- selection_S_I:
- CommandLine|contains|all:
- - /S
- - /I
- condition: selectionFindstr and (selection_V_L or selection_S_I)
-falsepositives:
- - Administrative findstr usage
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml b/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
new file mode 100644
index 000000000..13b1ad66c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
@@ -0,0 +1,28 @@
+title: WMIC Hotfix Recon
+id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
+status: experimental
+description: Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
+ - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' qfe '
+ - ' get '
+ - 'Caption,Description,HotFixID,InstalledOn'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_service.yml
new file mode 100644
index 000000000..f4eba66ed
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service.yml
@@ -0,0 +1,29 @@
+title: WMIC Service Start/Stop
+id: 0b7163dc-7eee-4960-af17-c0cd517f92da
+status: experimental
+description: Detects usage of wmic to start or stop a service
+author: Nasreddine Bencherchali
+references:
+ - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' service '
+ - ' call '
+ CommandLine|contains:
+ - 'stopservice'
+ - 'startservice'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
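Review bot: The third term in `selection_cli` of `proc_creation_win_wmic_hotfix_enum.yml`, `'Caption,Description,HotFixID,InstalledOn'`, pins the rule to one exact property list in one order, so a `qfe` query that selects other properties, or uses `list` instead of `get`, returns the same hotfix data without an alert. `' qfe '` is already specific to hotfix enumeration; either drop the property-list term, or keep it and add a comment such as `# Limited to the exact winPEAS property list on purpose; widen if broader qfe coverage is wanted` so the narrow scope is a documented choice rather than an accident. The `description` ("Detects wmic known recon method") should also be tidied to `Detects the well-known wmic recon command that lists installed hotfixes, often found in pentest and attacker enumeration scripts`.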
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
new file mode 100644
index 000000000..031e2dbe8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
@@ -0,0 +1,32 @@
+title: WMIC Unquoted Services Path Lookup
+id: 68bcd73b-37ef-49cb-95fc-edc809730be6
+status: experimental
+description: Detects wmic known recon method to look for unquoted serivce paths, often used by pentest and attackers enum scripts
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/nccgroup/redsnarf/blob/master/redsnarf.py
+ - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' service '
+ - ' get '
+ CommandLine|contains:
+ - name
+ - displayname
+ - pathname
+ - startmode
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
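Review bot: In `selection_cli` the second `CommandLine|contains` list is partly redundant: `name` is a substring of both `displayname` and `pathname`, so those two entries can never add a match and the effective condition is `name` or `startmode`. If the intent is to catch the specific property set used for unquoted-path lookups, the list should name the properties that actually discriminate (e.g. `pathname` and `startmode`, dropping the bare `name`); as written, `' service '` + `' get '` + `name` also covers routine `wmic service get name` inventory, which `falsepositives: Unknown` does not acknowledge. The description has a typo, `serivce` should be `service`, and the unquoted list items would match the quoting style of the rest of the file as `'name'`, `'displayname'`, etc.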