From 42941ee105ab870bf9c41c0bad0a669aba04e562 Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Sun, 1 Jul 2018 15:47:17 +0200
Subject: [PATCH 1/3] Detects ImageLoad by uncommon Image Process Hollowing Described by SubTee using notepad https://twitter.com/subTee/status/1012657434702123008
---
 .../windows/sysmon/sysmon_susp_image_load.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_susp_image_load.yml
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml
new file mode 100644
index 000000000..abc87f615
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_image_load.yml
@@ -0,0 +1,23 @@
+title: Possible Process Hollowing Image Loading
+status: experimental
+description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
+references:
+ - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+ - https://twitter.com/subTee/status/1012657434702123008
+author: Markus Neis
+date: 2018/01/07
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\notepad.exe'
+ ImageLoaded:
+ - '*\samlib.dll'
+ - '*\WinSCard.dll'
+ condition: selection
+falsepositives:
+ - Very likely, needs more tuning
+level: high
From f84c33d005fe37b5b4eb9b75e01a329b0f0a1422 Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Wed, 4 Jul 2018 17:24:18 +0200
Subject: [PATCH 2/3] Known powershell scripts names for exploitation Detects the creation of known powershell scripts for exploitation
---
 .../sysmon_powershell_exploit_scripts.yml | 124 ++++++++++++++++++
 1 file changed, 124 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
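Review bot: The `date: 2018/01/07` in the new rule looks like day and month swapped — Sigma dates are written YYYY/MM/DD, so this reads as 7 January while the commit itself is dated 1 Jul 2018; it should be `date: 2018/07/01`. The same swap appears in the next patch's sysmon_powershell_exploit_scripts.yml, where `date: 2018/04/07` on a 4 Jul 2018 commit should be `date: 2018/07/04`. Separately, `level: high` sits next to `falsepositives: Very likely, needs more tuning` and `status: experimental`, and the only `Image` entry is `'*\notepad.exe'`, so the rule will fire at high severity on any notepad.exe that loads either DLL; either lower it to `level: medium` until it is tuned, or add to `description` that notepad.exe is the deliberately narrow scope taken from the referenced hollowing write-up. If the broader "untypical process" wording is the intent, the `Image` list is the place to extend, not the level.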
diff --git a/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
new file mode 100644
index 000000000..e0fbfe4ae
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml
@@ -0,0 +1,124 @@
+title: Malicious PowerShell Commandlet Names
+status: experimental
+description: Detects the creation of known powershell scripts for exploitation
+references:
+ - https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml
+author: Markus Neis
+date: 2018/04/07
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 11
+ TargetFilename:
+ - '*\Invoke-DllInjection.ps1'
+ - '*\Invoke-WmiCommand.ps1'
+ - '*\Get-GPPPassword.ps1'
+ - '*\Get-Keystrokes.ps1'
+ - '*\Get-VaultCredential.ps1'
+ - '*\Invoke-CredentialInjection.ps1'
+ - '*\Invoke-Mimikatz.ps1'
+ - '*\Invoke-NinjaCopy.ps1'
+ - '*\Invoke-TokenManipulation.ps1'
+ - '*\Out-Minidump.ps1'
+ - '*\VolumeShadowCopyTools.ps1'
+ - '*\Invoke-ReflectivePEInjection.ps1'
+ - '*\Get-TimedScreenshot.ps1'
+ - '*\Invoke-UserHunter.ps1'
+ - '*\Find-GPOLocation.ps1'
+ - '*\Invoke-ACLScanner.ps1'
+ - '*\Invoke-DowngradeAccount.ps1'
+ - '*\Get-ServiceUnquoted.ps1'
+ - '*\Get-ServiceFilePermission.ps1'
+ - '*\Get-ServicePermission.ps1'
+ - '*\Invoke-ServiceAbuse.ps1'
+ - '*\Install-ServiceBinary.ps1'
+ - '*\Get-RegAutoLogon.ps1'
+ - '*\Get-VulnAutoRun.ps1'
+ - '*\Get-VulnSchTask.ps1'
+ - '*\Get-UnattendedInstallFile.ps1'
+ - '*\Get-WebConfig.ps1'
+ - '*\Get-ApplicationHost.ps1'
+ - '*\Get-RegAlwaysInstallElevated.ps1'
+ - '*\Get-Unconstrained.ps1'
+ - '*\Add-RegBackdoor.ps1'
+ - '*\Add-ScrnSaveBackdoor.ps1'
+ - '*\Gupt-Backdoor.ps1'
+ - '*\Invoke-ADSBackdoor.ps1'
+ - '*\Enabled-DuplicateToken.ps1'
+ - '*\Invoke-PsUaCme.ps1'
+ - '*\Remove-Update.ps1'
+ - '*\Check-VM.ps1'
+ - '*\Get-LSASecret.ps1'
+ - '*\Get-PassHashes.ps1'
+ - '*\Invoke-Mimikatz.ps1'
+ - '*\Show-TargetScreen.ps1'
+ - '*\Port-Scan.ps1'
+ - '*\Invoke-PoshRatHttp.ps1'
+ - '*\Invoke-PowerShellTCP.ps1'
+ - '*\Invoke-PowerShellWMI.ps1'
+ - '*\Add-Exfiltration.ps1'
+ - '*\Add-Persistence.ps1'
+ - '*\Do-Exfiltration.ps1'
+ - '*\Start-CaptureServer.ps1'
+ - '*\Invoke-DllInjection.ps1'
+ - '*\Invoke-ReflectivePEInjection.ps1'
+ - '*\Invoke-ShellCode.ps1'
+ - '*\Get-ChromeDump.ps1'
+ - '*\Get-ClipboardContents.ps1'
+ - '*\Get-FoxDump.ps1'
+ - '*\Get-IndexedItem.ps1'
+ - '*\Get-Keystrokes.ps1'
+ - '*\Get-Screenshot.ps1'
+ - '*\Invoke-Inveigh.ps1'
+ - '*\Invoke-NetRipper.ps1'
+ - '*\Invoke-NinjaCopy.ps1'
+ - '*\Out-Minidump.ps1'
+ - '*\Invoke-EgressCheck.ps1'
+ - '*\Invoke-PostExfil.ps1'
+ - '*\Invoke-PSInject.ps1'
+ - '*\Invoke-RunAs.ps1'
+ - '*\MailRaider.ps1'
+ - '*\New-HoneyHash.ps1'
+ - '*\Set-MacAttribute.ps1'
+ - '*\Get-VaultCredential.ps1'
+ - '*\Invoke-DCSync.ps1'
+ - '*\Invoke-Mimikatz.ps1'
+ - '*\Invoke-PowerDump.ps1'
+ - '*\Invoke-TokenManipulation.ps1'
+ - '*\Exploit-Jboss.ps1'
+ - '*\Invoke-ThunderStruck.ps1'
+ - '*\Invoke-VoiceTroll.ps1'
+ - '*\Set-Wallpaper.ps1'
+ - '*\Invoke-InveighRelay.ps1'
+ - '*\Invoke-PsExec.ps1'
+ - '*\Invoke-SSHCommand.ps1'
+ - '*\Get-SecurityPackages.ps1'
+ - '*\Install-SSP.ps1'
+ - '*\Invoke-BackdoorLNK.ps1'
+ - '*\PowerBreach.ps1'
+ - '*\Get-GPPPassword.ps1'
+ - '*\Get-SiteListPassword.ps1'
+ - '*\Get-System.ps1'
+ - '*\Invoke-BypassUAC.ps1'
+ - '*\Invoke-Tater.ps1'
+ - '*\Invoke-WScriptBypassUAC.ps1'
+ - '*\PowerUp.ps1'
+ - '*\PowerView.ps1'
+ - '*\Get-RickAstley.ps1'
+ - '*\Find-Fruit.ps1'
+ - '*\HTTP-Login.ps1'
+ - '*\Find-TrustedDocuments.ps1'
+ - '*\Invoke-Paranoia.ps1'
+ - '*\Invoke-WinEnum.ps1'
+ - '*\Invoke-ARPScan.ps1'
+ - '*\Invoke-PortScan.ps1'
+ - '*\Invoke-ReverseDNSLookup.ps1'
+ - '*\Invoke-SMBScanner.ps1'
+ - '*\Invoke-Mimikittenz.ps1'
+ condition: selection
+falsepositives:
+ - Penetration Tests
+level: high
+
From b21afc3bc8363a10d2a09b39446f4f0c1d7681d6 Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Wed, 4 Jul 2018 17:29:05 +0200
Subject: [PATCH 3/3] user subTee was removed from Twitter
---
 rules/windows/sysmon/sysmon_susp_image_load.yml | 1 -
 1 file changed, 1 deletion(-)
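Review bot: The `TargetFilename` list carries duplicate entries — `'*\Invoke-Mimikatz.ps1'` three times, and `'*\Invoke-DllInjection.ps1'`, `'*\Invoke-ReflectivePEInjection.ps1'`, `'*\Get-GPPPassword.ps1'`, `'*\Get-Keystrokes.ps1'`, `'*\Get-VaultCredential.ps1'`, `'*\Invoke-NinjaCopy.ps1'`, `'*\Invoke-TokenManipulation.ps1'` and `'*\Out-Minidump.ps1'` twice each; they do not change what matches, but they bloat every backend query generated from this rule and make the list harder to maintain, so deduplicate it (sorting it would make future additions easy to check). `'*\Enabled-DuplicateToken.ps1'` is presumably a carried-over typo for the Nishang script `Enable-DuplicateToken.ps1` — worth verifying against the upstream filename, because a filename pattern that is off by one character never matches. The `title: Malicious PowerShell Commandlet Names` was copied from the referenced commandlet rule, but this rule matches Sysmon FileCreate events (`EventID: 11`) on script filenames, so something like `title: Creation of Known Offensive PowerShell Script Files` would describe what it actually detects; `date: 2018/04/07` also has the day and month swapped for a 4 Jul 2018 commit. The hunk additionally adds a trailing empty line after `level: high`, which the repository's other rules do not have.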
diff --git a/rules/windows/sysmon/sysmon_susp_image_load.yml b/rules/windows/sysmon/sysmon_susp_image_load.yml
index abc87f615..d7295ab6a 100644
--- a/rules/windows/sysmon/sysmon_susp_image_load.yml
+++ b/rules/windows/sysmon/sysmon_susp_image_load.yml
@@ -3,7 +3,6 @@ status: experimental
 description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
 references:
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
- - https://twitter.com/subTee/status/1012657434702123008
 author: Markus Neis
 date: 2018/01/07
 logsource: