From 78dfcd6299c2192d9032dfa53fa6175895b75fdd Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:41:43 +0100 Subject: [PATCH 01/16] Renamed "Ps_Recon_Rule" --- .../{posh_ps_susp_recon.yml => posh_ps_susp_recon_export.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/powershell/powershell_script/{posh_ps_susp_recon.yml => posh_ps_susp_recon_export.yml} (100%) diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml similarity index 100% rename from rules/windows/powershell/powershell_script/posh_ps_susp_recon.yml rename to rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml From 0a39827674e796cb69ff3aa92385e1eb6d0badea Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:42:14 +0100 Subject: [PATCH 02/16] Renamed + Refactor "findstr" rule --- .../proc_creation_win_lolbin_findstr.yml | 45 +++++++++++++++++++ .../proc_creation_win_susp_findstr.yml | 34 -------------- 2 files changed, 45 insertions(+), 34 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_findstr.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml new file mode 100644 index 000000000..47e0aba3f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml 
@@ -0,0 +1,45 @@ +title: Abusing Findstr for Defense Evasion +id: bf6c39fc-e203-45b9-9538-05397c1b4f3f +status: test +description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism +author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali' +references: + - https://lolbas-project.github.io/lolbas/Binaries/Findstr/ + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +date: 2020/10/05 +modified: 2022/06/20 +logsource: + category: process_creation + product: windows +detection: + selection_findstr: + - CommandLine|contains: findstr + - Image|endswith: 'findstr.exe' + - OriginalFileName: 'FINDSTR.EXE' + selection_cli_download_1: + CommandLine|contains: + - /v + - -v + selection_cli_download_2: + CommandLine|contains: + - /l + - -l + selection_cli_creds_1: + CommandLine|contains: + - /s + - -s + selection_cli_creds_2: + CommandLine|contains: + - /i + - -i + condition: selectionFindstr and (all of selection_cli_download* or all of selection_cli_creds*) +falsepositives: + - Administrative findstr usage +level: medium +tags: + - attack.defense_evasion + - attack.t1218 + - attack.t1564.004 + - attack.t1552.001 + - attack.t1105 \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr.yml deleted file mode 100644 index 11c27603f..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml +++ /dev/null 
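Review bot: The four `selection_cli_*` selections match bare two-character substrings (`/v`, `-v`, `/l`, `-l`, `/s`, `-s`, `/i`, `-i`) with a plain `contains`, so any argument that happens to contain `-s`, `-i` or `/v` (e.g. a `-silent` or `-install` switch of a wrapped tool) satisfies them and `all of selection_cli_creds*` becomes true for a large share of findstr invocations, losing the precision the removed `contains|all` lists had. Anchoring each switch with a leading space, `- ' /s'` / `- ' -s'` (and likewise for `/i`, `/v`, `/l`), keeps combined forms such as `/si` while dropping most incidental hits. Separately, `condition` references `selectionFindstr` while the selection is named `selection_findstr`, so the rule as committed here does not resolve; patch 12 in this series renames it.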
@@ -1,34 +0,0 @@ -title: Abusing Findstr for Defense Evasion -id: bf6c39fc-e203-45b9-9538-05397c1b4f3f -status: test -description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism -author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' -references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml - - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f -date: 2020/10/05 -modified: 2022/05/16 -logsource: - category: process_creation - product: windows -detection: - selectionFindstr: - - CommandLine|contains: findstr - - Image|endswith: 'findstr.exe' - - OriginalFileName: 'FINDSTR.EXE' - selection_V_L: - CommandLine|contains|all: - - /V - - /L - selection_S_I: - CommandLine|contains|all: - - /S - - /I - condition: selectionFindstr and (selection_V_L or selection_S_I) -falsepositives: - - Administrative findstr usage -level: medium -tags: - - attack.defense_evasion - - attack.t1218 From ce8ce2a91db282b6cd69fba824bd1972d05f1415 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:43:18 +0100 Subject: [PATCH 03/16] Removed related field The rule referenced in the field doesn't exist --- .../powershell/powershell_module/posh_pm_get_clipboard.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml index bcc8cb36b..baf228bd5 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml 
@@ -1,12 +1,9 @@ title: PowerShell Get Clipboard id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78 -related: - - id: 5486f63a-aa4c-488d-9a61-c9192853099f - type: derived description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. status: experimental date: 2020/05/02 -modified: 2021/10/16 +modified: 2022/06/20 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection From 71d895c17b71e0647a969a966db268603e9400f6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:43:42 +0100 Subject: [PATCH 04/16] Update file_event_win_notepad_plus_plus_persistence.yml Reduce level to account for FP found in testing env --- .../file_event_win_notepad_plus_plus_persistence.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml index 40829d732..96e397ca5 100644 --- a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ date: 2022/06/10 +modified: 2022/06/21 logsource: product: windows category: file_event @@ -16,6 +17,7 @@ detection: filter_gup: Image|endswith: '\Notepad++\updater\gup.exe' filter_install: + # This filter is for Sigma dataset you could remove it or change when using the rule in your own env Image|startswith: 'C:\Users\' Image|contains: '\AppData\Local\Temp\' Image|endswith: '\target.exe' 
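Review bot: The comment added above `filter_install` flags the exclusion as dataset-specific, but the exclusion itself remains broad: every `target.exe` under `C:\Users\*\AppData\Local\Temp\*` is excluded, a user-writable location and a filename the rule does not otherwise tie to Notepad++, so a plugin written by any process of that name there would be missed. If the filter has to stay for the test dataset, say so in a form consumers act on, e.g. `# Dataset-specific exclusion for the Sigma test set: remove or narrow it (signer/product, exact parent directory) in your own environment`, and consider mentioning it under `falsepositives` as well. The `level` drop to medium in the next hunk is consistent with that, but documenting why (`# reduced after FPs observed during first installation`) would keep the reasoning with the rule.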
@@ -23,6 +25,6 @@ detection: falsepositives: - Possible FPs during first installation of Notepad++ - Legitimate use of custom plugins to enhance notepad++ functionality by users -level: high +level: medium tags: - attack.persistence From 4eb6b3509edf04fee209f4cd0931513d14c57356 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:44:51 +0100 Subject: [PATCH 05/16] Update proc_creation_win_accesschk_usage_after_priv_escalation.yml Changed the rule as the original was flagging on every usage of "accessChk" which was not the intended behaviour as described. The modification take into consideration usage of the tool as seen in the referenced presentation and adds some more. --- ..._accesschk_usage_after_priv_escalation.yml | 49 +++++++++++-------- 1 file changed, 28 insertions(+), 21 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml index 3347ee137..59e17c16d 100644 --- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml 
@@ -1,30 +1,37 @@ -title: Accesschk Usage After Privilege Escalation +title: Accesschk Usage To Check Privileges id: c625d754-6a3d-4f65-9c9a-536aea960d37 status: test -description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process successful or not -author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified) references: - - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43 + - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW + - https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat + - https://github.com/gladiatx0r/Powerless/blob/master/Powerless.bat date: 2020/10/13 -modified: 2021/11/27 +modified: 2022/06/20 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - integrity_level: - IntegrityLevel: 'Medium' - product: - Product|endswith: 'AccessChk' - description: - Description|contains: 'Reports effective permissions' - condition: integrity_level and (product or description) + selection_img: + - Product|endswith: 'AccessChk' + - Description|contains: 'Reports effective permissions' + - Image|endswith: '\accesschk.exe' + selection_cli: # These are the most common flags used with this tool. 
You could add other combinations if needed + - 'uwcqv ' + - 'kwsu ' + - 'qwsu ' + - 'uwdqs ' + condition: all of selection* fields: - - IntegrityLevel - - Product - - Description + - IntegrityLevel + - Product + - Description + - CommandLine falsepositives: - - System administrator Usage -level: high + - System administrator Usage +level: medium tags: - - attack.discovery - - attack.t1069.001 + - attack.discovery + - attack.t1069.001 From d2ef62a49df2785623927ffc40fd61658b040cf8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:45:01 +0100 Subject: [PATCH 06/16] Update proc_creation_win_enumeration_for_credentials_in_registry.yml --- ...roc_creation_win_enumeration_for_credentials_in_registry.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml index f0cc9a06d..c07194735 100644 --- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml +++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml @@ -21,7 +21,7 @@ detection: - 'REG_SZ' - '/s' hive: - - CommandLine|contains|all: + - CommandLine|contains|all: - '/f ' - 'HKLM' - CommandLine|contains|all: From 40ccd91a94e7c93b8f0ab363129388b97874a8a4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:45:53 +0100 Subject: [PATCH 07/16] Update proc_creation_win_msdt_diagcab.yml In my testing i found that ".diagcab" extension is not required. You can use .txt with the /cab flag and it'll spawn an msdt process. Also I added the "-" (dash) version of the flag --- .../process_creation/proc_creation_win_msdt_diagcab.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
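Review bot: `selection_cli` in the new `detection` block lists the flag strings directly under the selection name with no field, so there is no `CommandLine|contains:` (or any field) the list applies to and the selection does not validate as Sigma; the items need to sit under a `CommandLine|contains:` line nested in `selection_cli:`, which patch 14 of this series adds. Dropping the `IntegrityLevel: 'Medium'` constraint also changes the rule's meaning from "after escalation" to any use of the tool; the title and description were updated for that, but the filename still says `usage_after_priv_escalation` and `fields` still lists `IntegrityLevel`, which is fine as an output column but worth a comment so the next editor does not re-add it as a condition. A short comment on `selection_img` naming why three alternative fields are used (`# Product/Description catch renamed binaries; Image catches the stock name`) would help readers, hedged as my reading of the intent.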
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml b/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml index d4958a61d..80a1bff58 100644 --- a/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml +++ b/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml @@ -2,10 +2,11 @@ title: Execute Arbitrary Commands Using MSDT.EXE id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 status: experimental description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 -author: GossiTheDog (rule), frack113 (sigma version) +author: GossiTheDog (rule), frack113 (sigma version) references: - https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab date: 2022/06/09 +modified: 2022/06/17 logsource: category: process_creation product: windows @@ -15,8 +16,8 @@ detection: - OriginalFileName: 'msdt.exe' selection_cmd: CommandLine|contains|all: - - '/cab' - - '.diagcab' + - ' /cab ' + - ' -cab ' condition: all of selection_* falsepositives: - Unknown From f2bc1be46058b0d6a35a6d6f87a2bd0c7fa97511 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:46:06 +0100 Subject: [PATCH 08/16] Update proc_creation_win_service_execution.yml --- .../process_creation/proc_creation_win_service_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_service_execution.yml b/rules/windows/process_creation/proc_creation_win_service_execution.yml index 9b350bdda..4f6f5b42e 100644 --- a/rules/windows/process_creation/proc_creation_win_service_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_service_execution.yml 
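Review bot: `selection_cmd` keeps `CommandLine|contains|all:` while replacing the items with `' /cab '` and `' -cab '`, which now requires both spellings of the switch in the same command line; a process launched with only one form (the normal case) no longer matches, so the rule effectively stops firing. If either spelling should suffice, the modifier has to be `CommandLine|contains:` for this list (patch 15 in the series reverts the hunk instead). The observation in the commit message that the `.diagcab` extension is not required is useful context that belongs in the rule's `description` or a comment, since the `.diagcab` string is what limits false positives in the reverted form.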
@@ -15,7 +15,7 @@ detection: Image|endswith: - '\net.exe' - '\net1.exe' - CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression + CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression condition: selection falsepositives: - Legitimate administrator or user executes a service for legitimate reasons. From 62a7d755cce9620bdcf018afb2c41c954f15deab Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:46:32 +0100 Subject: [PATCH 09/16] Update proc_creation_win_service_stop.yml Refactored the rule and added originalfilename --- .../proc_creation_win_service_stop.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml index 2cb03e7dd..1190e74c8 100644 --- a/rules/windows/process_creation/proc_creation_win_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml @@ -4,7 +4,7 @@ description: Detects a windows service to be stopped status: experimental author: Jakob Weinzettl, oscd.community date: 2019/10/23 -modified: 2022/05/27 +modified: 2022/06/20 tags: - attack.impact - attack.t1489 
@@ -12,18 +12,23 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - OriginalFileName: + - 'sc.exe' + - 'net.exe' + - 'net1.exe' + - Image|endswith: - '\sc.exe' - '\net.exe' - '\net1.exe' + selection_cli: CommandLine|contains: 'stop' filter: CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: selection and not filter + condition: all of selection_* and not filter fields: - ComputerName - User From e3bfb18f64b21651503783b53bd68543cebba9ae Mon Sep 17 00:00:00 2001 
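Review bot: `selection_cli` keeps `CommandLine|contains: 'stop'` as a bare substring, so after the refactor it still matches any `sc`/`net` invocation whose arguments merely contain the word, such as a service or display name containing "stop" (a hypothetical `AutoStopSvc`), and the new `OriginalFileName` branch widens `selection_img` to renamed binaries, which increases that exposure. Anchoring the verb, `CommandLine|contains: ' stop '`, keeps `net stop <svc>` and `sc stop <svc>` (including the double-space form the `filter` line already expects) while dropping most incidental hits; `' stop'` is the weaker alternative if trailing-space anchoring is a concern. Also worth a comment on `selection_img` that the `OriginalFileName` values are lowercase while the `Image` values are paths, so readers know both are meant to be case-insensitive matches.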
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 11:47:18 +0100 Subject: [PATCH 10/16] New Rules --- .../powershell_script/posh_ps_hotfix_enum.yml | 23 ++++++++++ ..._creation_win_dsacls_abuse_permissions.yml | 33 ++++++++++++++ ...roc_creation_win_dsacls_password_spray.yml | 28 ++++++++++++ ...on_win_enumeration_for_credentials_cli.yml | 44 +++++++++++++++++++ ..._creation_win_powershell_get_clipboard.yml | 26 +++++++++++ .../proc_creation_win_wmic_hotfix_enum.yml | 28 ++++++++++++ .../proc_creation_win_wmic_service.yml | 29 ++++++++++++ ...ation_win_wmic_unquoted_service_search.yml | 28 ++++++++++++ 8 files changed, 239 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml create mode 100644 rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml create mode 100644 rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml create mode 100644 rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wmic_service.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml new file mode 100644 index 000000000..13bde86f0 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml 
@@ -0,0 +1,23 @@ +title: PowerShell Hotfix Enumeration +id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 +status: experimental +description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers +author: Nasreddine Bencherchali +references: + - https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1 +date: 2022/06/21 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - 'Win32_QuickFixEngineering' + - 'HotFixID' + condition: selection +falsepositives: + - Legitimate administration scripts +level: medium +tags: + - attack.discovery diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml new file mode 100644 index 000000000..d59ad0e65 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml @@ -0,0 +1,33 @@ +title: Abusing Permissions Using Dsacls +id: 01c42d3c-242d-4655-85b2-34f1739632f7 +status: experimental +description: Detects usage of Dsacls to grant over permissive permissions +author: Nasreddine Bencherchali +references: + - https://ss64.com/nt/dsacls.html + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +date: 2022/06/20 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\dsacls.exe' + - OriginalFileName: "DSACLS.EXE" + selection_flag: + CommandLine|contains: ' /G ' + selection_permissions: + CommandLine|contains: # Add more permissions as you see fit in yout env + - 'GR' + - 'GE' + - 'GW' + - 'GA' + - 'WP' + - 'WD' + condition: all of selection* +falsepositives: + - Legitimate administrators granting over permissive permissions to users +level: medium +tags: + - attack.execution + - attack.t1218 
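Review bot: In proc_creation_win_dsacls_abuse_permissions.yml, `selection_permissions` matches two-letter substrings (`'GR'`, `'GE'`, `'GW'`, `'GA'`, `'WP'`, `'WD'`) anywhere in the command line with a case-insensitive `contains`, so any path or object name containing those letter pairs (`program`, `group`, `-GatewayHost`) satisfies it and the selection adds almost no precision over `' /G '` alone. In dsacls syntax the rights follow a colon after the trustee (`/G <user>:GR`), so anchoring the items as `':GR'`, `':GE'`, `':GW'`, `':GA'`, `':WP'`, `':WD'` ties them to the grant clause, at least for the first right in each clause. The inline comment has a typo, `yout` → `your`, and the `attack.execution`/`attack.t1218` tags look off for a permissions change — hedged, a permissions-modification or account-manipulation technique may fit better; confirm against the project's tagging conventions.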
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml new file mode 100644 index 000000000..34af1ac73 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml @@ -0,0 +1,28 @@ +title: Password Spraying Attempts Using Dsacls +id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c +status: experimental +description: Detects possible password spraying attempts using Dsacls +author: Nasreddine Bencherchali +references: + - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone + - https://ss64.com/nt/dsacls.html + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) +date: 2022/06/20 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\dsacls.exe' + - OriginalFileName: "DSACLS.EXE" + selection_cli: + CommandLine|contains|all: + - '/user:' + - '/passwd:' + condition: all of selection* +falsepositives: + - Legitimate use of dsacls to bind to an LDAP session +level: medium +tags: + - attack.execution + - attack.t1218 diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml new file mode 100644 index 000000000..0f13b0414 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml 
@@ -0,0 +1,44 @@ +title: Enumeration for 3rd Party Creds From CLI +id: 87a476dc-0079-4583-a985-dee7a20a03de +related: + - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1 + type: derived +status: experimental +description: Detects processes that query known 3rd party registry keys that holds credentials via commandline +references: + - https://isc.sans.edu/diary/More+Data+Exfiltration/25698 + - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/main/regkey.txt + - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password + - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry +author: Nasreddine Bencherchali +date: 2022/06/20 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: # Add more paths as they are discovered + - '\Software\SimonTatham\PuTTY\Sessions' + - '\Software\\SimonTatham\\PuTTY\SshHostKeys\' + - '\Software\Mobatek\MobaXterm\' + - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin' + - '\Software\Aerofox\FoxmailPreview' + - '\Software\Aerofox\Foxmail\V3.1' + - '\Software\IncrediMail\Identities' + - '\Software\Qualcomm\Eudora\CommandLine' + - '\Software\RimArts\B2\Settings' + - '\Software\OpenVPN-GUI\configs' + - '\Software\Martin Prikryl\WinSCP 2\Sessions' + - '\Software\FTPWare\COREFTP\Sites' + - '\Software\DownloadManager\Passwords' + - '\Software\OpenSSH\Agent\Keys' + - '\Software\TightVNC\Server' + - '\Software\ORL\WinVNC3\Password' + - '\Software\RealVNC\WinVNC4' + condition: selection +falsepositives: + - Unlikely +level: medium +tags: + - attack.credential_access + - attack.t1552.002 \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml new file mode 100644 index 000000000..f194dfd34 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml 
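Review bot: The second list entry, `'\Software\\SimonTatham\\PuTTY\SshHostKeys\'`, doubles two of its backslashes while every other item uses single ones; as I read the Sigma escaping rules a lone backslash not followed by a wildcard is literal and `\\` is an escaped backslash, so both resolve to one separator, but the inconsistency is easy to misread and easy to break when the list is next edited — `- '\Software\SimonTatham\PuTTY\SshHostKeys\'` matches the rest. Since this list is the whole detection, a one-line comment stating the escape rule (`# Single backslashes are literal in Sigma; escape only before * and ?`) would help future additions. The file also lacks a trailing newline, which the `\ No newline at end of file` marker shows.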
@@ -0,0 +1,26 @@
+title: PowerShell Get-Clipboard Cmdlet Via CLI
+id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
+related:
+ - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
+ type: derived
+description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
+status: experimental
+date: 2020/05/02
+modified: 2021/10/16
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+ - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'Get-Clipboard'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.collection
+ - attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml b/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
new file mode 100644
index 000000000..13b1ad66c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml
@@ -0,0 +1,28 @@
+title: WMIC Hotfix Recon
+id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
+status: experimental
+description: Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat
+ - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' qfe '
+ - ' get '
+ - 'Caption,Description,HotFixID,InstalledOn'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
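Review bot: In proc_creation_win_powershell_get_clipboard.yml, `date: 2020/05/02` and `modified: 2021/10/16` are carried over from the rule this one is derived from (the `related` id 4cbd4f12-…), but the file is created in this commit, so its `date` should be the creation date used by the other new rules in the series (`date: 2022/06/20`) and `modified` dropped until the rule actually changes. As written the metadata claims a history the file does not have, which matters for anyone filtering or reviewing rules by age.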
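Review bot: In proc_creation_win_wmic_hotfix_enum.yml, the third `contains|all` item, `'Caption,Description,HotFixID,InstalledOn'`, pins one exact column list and order, so the same enumeration with fewer, reordered or space-separated columns does not match. Keeping `' qfe '` and `' get '` and replacing the column string with the distinctive column alone, `- 'HotFixID'`, preserves the signal without hard-coding one script's spelling; a comment naming the source script the string was taken from would also help. The `id` dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 is shared with two other files added in this commit; patch 13 re-ids those two, which leaves this one unique, but worth confirming no duplicate remains.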
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_service.yml
new file mode 100644
index 000000000..f4eba66ed
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_service.yml
@@ -0,0 +1,29 @@
+title: WMIC Service Start/Stop
+id: 0b7163dc-7eee-4960-af17-c0cd517f92da
+status: experimental
+description: Detects usage of wmic to start or stop a service
+author: Nasreddine Bencherchali
+references:
+ - https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
+date: 2022/06/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' service '
+ - ' call '
+ CommandLine|contains:
+ - 'stopservice'
+ - 'startservice'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
new file mode 100644
index 000000000..06d68570e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml
@@ -0,0 +1,28 @@ +title: WMIC Unquoted Services Path Lookup +id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 +status: experimental +description: Detects wmic known recon method to look for unquoted serivce paths, often used by pentest and attackers enum scripts +author: Nasreddine Bencherchali +references: + - https://github.com/nccgroup/redsnarf/blob/master/redsnarf.py + - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1 +date: 2022/06/20 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - OriginalFileName: 'wmic.exe' + - Image|endswith: '\WMIC.exe' + selection_cli: + CommandLine|contains|all: + - ' service ' + - ' get ' + - ' name,displayname,pathname,startmode' + condition: all of selection* +falsepositives: + - Unknown +level: medium +tags: + - attack.execution + - attack.t1047 From b2ce10ea2abac74f484d9359df92cbf28f3c70b1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 15:36:21 +0100 Subject: [PATCH 11/16] Update proc_creation_win_lolbin_findstr.yml --- .../process_creation/proc_creation_win_lolbin_findstr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml index 47e0aba3f..050c8db1a 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml @@ -33,7 +33,7 @@ detection: CommandLine|contains: - /i - -i - condition: selectionFindstr and (all of selection_cli_download* or all of selection_cli_creds*) + condition: selectionFindstr and (all of selection_cli_download* or all of selection_cli_creds*) falsepositives: - Administrative findstr usage level: medium From 27e73278e745cf78ab5186df186d8b9463b8e448 Mon Sep 17 00:00:00 2001 
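Review bot: `description` in proc_creation_win_wmic_unquoted_service_search.yml has a typo, `serivce` → `service`, and the sentence reads awkwardly; `Detects a known wmic recon pattern that lists service paths and start modes to find unquoted service paths, often used by pentest and attacker enumeration scripts` says the same thing more clearly. The third `contains|all` item pins the exact column string `' name,displayname,pathname,startmode'`, which patch 14 in this series relaxes, and the `id` duplicates two other new files at this point in the series, which patch 13 re-assigns, so neither needs a separate fix here.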
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 15:37:39 +0100 Subject: [PATCH 12/16] Update proc_creation_win_lolbin_findstr.yml --- .../process_creation/proc_creation_win_lolbin_findstr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml index 050c8db1a..9970234f9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml @@ -33,7 +33,7 @@ detection: CommandLine|contains: - /i - -i - condition: selectionFindstr and (all of selection_cli_download* or all of selection_cli_creds*) + condition: selection_findstr and (all of selection_cli_download* or all of selection_cli_creds*) falsepositives: - Administrative findstr usage level: medium From f12f6e3646744ca686649d533321f1170f7449b6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 15:46:00 +0100 Subject: [PATCH 13/16] Update ID's --- .../powershell/powershell_script/posh_ps_hotfix_enum.yml | 2 +- .../proc_creation_win_wmic_unquoted_service_search.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml index 13bde86f0..a2ed94f6d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml 
@@ -1,5 +1,5 @@ title: PowerShell Hotfix Enumeration -id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 +id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c status: experimental description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers author: Nasreddine Bencherchali diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml index 06d68570e..f80c90aa7 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml @@ -1,5 +1,5 @@ title: WMIC Unquoted Services Path Lookup -id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45 +id: 68bcd73b-37ef-49cb-95fc-edc809730be6 status: experimental description: Detects wmic known recon method to look for unquoted serivce paths, often used by pentest and attackers enum scripts author: Nasreddine Bencherchali From 0c2f1bfce58367a6eab44317e140437730cffc4e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 17:22:39 +0100 Subject: [PATCH 14/16] Fix review comments --- ...tion_win_accesschk_usage_after_priv_escalation.yml | 11 ++++++----- ...proc_creation_win_wmic_unquoted_service_search.yml | 6 +++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml index 59e17c16d..dbad9aca2 100644 --- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml 
@@ -18,11 +18,12 @@ detection: - Product|endswith: 'AccessChk' - Description|contains: 'Reports effective permissions' - Image|endswith: '\accesschk.exe' - selection_cli: # These are the most common flags used with this tool. You could add other combinations if needed - - 'uwcqv ' - - 'kwsu ' - - 'qwsu ' - - 'uwdqs ' + selection_cli: + CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed + - 'uwcqv ' + - 'kwsu ' + - 'qwsu ' + - 'uwdqs ' condition: all of selection* fields: - IntegrityLevel diff --git a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml index f80c90aa7..031e2dbe8 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml @@ -18,7 +18,11 @@ detection: CommandLine|contains|all: - ' service ' - ' get ' - - ' name,displayname,pathname,startmode' + CommandLine|contains: + - name + - displayname + - pathname + - startmode condition: all of selection* falsepositives: - Unknown From e25ad42b5bf4da1c98a6faaa785b8728534f3e40 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 19:03:47 +0100 Subject: [PATCH 15/16] Reverted Rule + New Rule --- .../proc_creation_win_msdt_diagcab.yml | 31 +++++++++---------- ...roc_creation_win_msdt_susp_cab_options.yml | 26 ++++++++++++++++ 2 files changed, 41 insertions(+), 16 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml diff --git a/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml b/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml index 80a1bff58..7a1a36751 100644 --- a/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml 
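Review bot: The explanatory comment now sits inline after `CommandLine|contains:`, which pushes that line well past 80 columns; placing it on its own line above the key (`# These are the most common flags used with this tool. You could add other combinations if needed`) keeps the mapping line short and is where yamllint expects block comments. Wrapping the flag list under `CommandLine|contains:` is the right fix for the previously field-less list. The enclosing `detection` block and its first selection begin outside the hunk.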
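Review bot: The new `CommandLine|contains:` list is an OR over `name`, `displayname`, `pathname` and `startmode`, and because `name` is a substring of both `displayname` and `pathname` the list collapses to `name` OR `startmode`, so a routine `wmic service get name` now satisfies the selection alongside `' service '` and `' get '`. If unquoted-path discovery is the goal, `pathname` is the discriminating token: add `- pathname` to the existing `CommandLine|contains|all` list and drop the OR list, or at least remove the redundant `name` entry. The selection this belongs to is named outside the hunk.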
+++ b/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml @@ -1,27 +1,26 @@ -title: Execute Arbitrary Commands Using MSDT.EXE +title: Execute MSDT.EXE Using Diagcab File id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3 status: experimental description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 author: GossiTheDog (rule), frack113 (sigma version) references: - - https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab + - https://github.com/GossiTheDog/ThreatHunting/blob/master/AdvancedHuntingQueries/DogWalk-DiagCab date: 2022/06/09 -modified: 2022/06/17 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_img: - - Image|endswith: '\msdt.exe' - - OriginalFileName: 'msdt.exe' - selection_cmd: - CommandLine|contains|all: - - ' /cab ' - - ' -cab ' - condition: all of selection_* + selection_img: + - Image|endswith: '\msdt.exe' + - OriginalFileName: 'msdt.exe' + selection_cmd: + CommandLine|contains|all: + - '/cab' + - '.diagcab' + condition: all of selection_* falsepositives: - - Unknown + - Legitimate usage of ".diagcab" files level: high tags: - - attack.defense_evasion - - attack.t1202 + - attack.defense_evasion + - attack.t1202 diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml new file mode 100644 index 000000000..d4627e1f7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml 
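Review bot: `CommandLine|contains|all` with `'/cab'` and `'.diagcab'` now requires the slash spelling, so the `-cab` form that the sibling `proc_creation_win_msdt_susp_cab_options.yml` added in this same commit matches is missed here; `contains|all` cannot express (`/cab` OR `-cab`) AND `.diagcab`, so split it into two selections as below, which the existing `condition: all of selection_*` already ANDs together. The hunk also drops `modified: 2022/06/17` although title, selection and falsepositives change — Sigma convention is to bump it (`modified: 2022/06/21`, the commit date) rather than remove it. Re-indenting `logsource`, `detection` and `tags` from two to four spaces in the same hunk mixes a whitespace-only change into a semantic one and makes the real diff harder to read.

```yaml
    # … unchanged: selection_img …
    selection_cab:
        CommandLine|contains:
            - '/cab'
            - '-cab'
    selection_diagcab:
        CommandLine|contains: '.diagcab'
    condition: all of selection_*
```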
@@ -0,0 +1,26 @@ +title: MSDT.EXE Execution With Suspicious Cab Option +id: dc4576d4-7467-424f-9eee-fd2b02855fe0 +status: experimental +description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embeded answer files leveraging CVE-2022-30190 +author: Nasreddine Bencherchali +references: + - https://twitter.com/nas_bench/status/1537896324837781506 +date: 2022/06/21 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\msdt.exe' + - OriginalFileName: 'msdt.exe' + selection_cmd: + CommandLine|contains: + - ' /cab ' + - ' -cab ' + condition: all of selection_* +falsepositives: + - Legitimate usage of ".diagcab" files +level: medium +tags: + - attack.defense_evasion + - attack.t1202 From efbfc7fe67bab78a3c3a968b635f5f3533e34a16 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Jun 2022 19:13:53 +0100 Subject: [PATCH 16/16] New Rule (https://twitter.com/nas_bench/status/1537919885031772161) --- .../posh_ps_susp_follina_execution.yml | 27 +++++++++++++++++++ ...roc_creation_win_msdt_susp_cab_options.yml | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml new file mode 100644 index 000000000..19b337b9a --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml 
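Review bot: The description of the new rule reads "which could indicates suspicious diagcab files" — `could indicate`. The `' /cab '` and `' -cab '` values are padded with a space on both sides, so they match only when the flag is followed by a space; that is the usual form when a path follows, but if it is intentional a short comment on the `CommandLine|contains:` line (`# space-padded to avoid matching /cab inside other tokens`) would record the reasoning for the next maintainer.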
@@ -0,0 +1,27 @@ +title: Troubleshooting Pack Cmdlet Execution +id: 03409c93-a7c7-49ba-9a4c-a00badf2a153 +status: experimental +author: Nasreddine Bencherchali +date: 2022/06/21 +description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS) +references: + - https://twitter.com/nas_bench/status/1537919885031772161 + - https://lolbas-project.github.io/lolbas/Binaries/Msdt/ +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - 'Invoke-TroubleshootingPack' + - 'C:\Windows\Diagnostics\System\PCW' + - '-AnswerFile' + - '-Unattended' + condition: selection +falsepositives: + - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes +level: medium +tags: + - attack.defense_evasion + - attack.t1202 diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml index d4627e1f7..f4c1f54d4 100644 --- a/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml +++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml @@ -1,7 +1,7 @@ title: MSDT.EXE Execution With Suspicious Cab Option id: dc4576d4-7467-424f-9eee-fd2b02855fe0 status: experimental -description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embeded answer files leveraging CVE-2022-30190 +description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 author: Nasreddine Bencherchali references: - https://twitter.com/nas_bench/status/1537896324837781506
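Review bot: `'C:\Windows\Diagnostics\System\PCW'` hard-codes the system drive, so the rule misses hosts where Windows is installed on another drive letter; `- '\Windows\Diagnostics\System\PCW'` keeps the match without the drive prefix. The key order `author`/`date` before `description` differs from the other rules in this series (title, id, status, description, references, author, date) — reorder for consistency. Single quotes around the backslash path are the right choice here, since no escape processing is applied.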