Merge PR #4491 from @nasbench - Rule Updates & Fixes

new: Lazarus APT DLL Sideloading Activity
new: File Download From IP Based URL Via CertOC.EXE
new: File Download From IP URL Via Curl.EXE
update: Remote Thread Creation By Uncommon Source Image
update: Remote Thread Creation In Uncommon Target Image
update: ADSI-Cache File Creation By Uncommon Tool
update: Files With System Process Name In Unsuspected Locations
update: PowerShell Module File Created By Non-PowerShell Process
update: PSScriptPolicyTest Creation By Uncommon Process
update: Suspicious LNK Double Extension File Created
update: PowerShell Profile Modification
update: Alternate PowerShell Hosts Pipe
update: File Download via CertOC.EXE
update: Suspicious File Download From IP Via Curl.EXE
update: Arbitrary File Download Via GfxDownloadWrapper.EXE
update: Potentially Suspicious Office Document Executed From Trusted Location

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Nasreddine Bencherchali
2023-10-23 10:35:57 +02:00
committed by GitHub
parent 4dc36bf6bd
commit edf0ff5cc8
24 changed files with 384 additions and 201 deletions
@@ -15,7 +15,7 @@ rules:
comments-indentation: disable
document-start: {present: false}
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: {spaces: 4}
indentation: {spaces: 4, indent-sequences: whatever}
line-length: disable
new-line-at-end-of-file: enable
trailing-spaces: {}
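Review bot: `indent-sequences: whatever` in the `indentation` rule disables the sequence-indentation check completely, so a rule file that mixes indented and non-indented lists under the same key now passes lint. If the intent is only to stop yamllint from rejecting the list style used in the rules touched by this PR, `indent-sequences: consistent` allows either style while still flagging a file that mixes both.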
@@ -0,0 +1,16 @@
# Lazarus APT
Last Updated: 18/10/2023
## Summary
ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor that ESET is naming LightlessCan. Lazarus operators obtained initial access to the companys network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta the company behind Facebook, Instagram, and WhatsApp. Four different execution chains were identified, delivering three types of payloads via DLL side-loading.
You can find more information on the threat in the following articles:
- [Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company](https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/)
- [Lazarus hackers breach aerospace firm with new LightlessCan malware](https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/)
## Rules
- [Lazarus APT DLL Sideloading Activity](./image_load_apt_lazarus_side_load_activity.yml)
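Review bot: the Summary paragraph has a missing apostrophe and a missing comma: "the companys network" should read "the company's network" and "masquerading as a recruiter for Meta the company behind Facebook" needs a comma or parenthesis after "Meta". "last year" is also relative to the "Last Updated: 18/10/2023" line; spelling out the year avoids the README going stale.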
@@ -0,0 +1,35 @@
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: experimental
description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
references:
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/18
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
- detection.emerging_threats
logsource:
product: windows
category: image_load
detection:
selection_mscoree:
Image: 'C:\ProgramShared\PresentationHost.exe'
ImageLoaded: ':\ProgramShared\mscoree.dll'
selection_colorui:
Image: 'C:\ProgramData\Adobe\colorcpl.exe'
ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
selection_mapistub:
Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
selection_hid:
Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
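Review bot: `selection_mscoree` can never match as written. `ImageLoaded: ':\ProgramShared\mscoree.dll'` has no modifier, so it is an exact-match value that starts with a colon and no drive letter, while `Image` in the same selection and all three other selections use full `C:\...` exact values. Either change it to `C:\ProgramShared\mscoree.dll` to match its siblings, or switch every `Image`/`ImageLoaded` in the rule to `|endswith` with the drive-less form so the rule also fires on non-C: system drives. One consistent style for all four selections is the main point.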
@@ -67,37 +67,32 @@ detection:
- '\wmic.exe'
- '\wscript.exe'
filter_main_winlogon_1:
SourceImage: 'C:\Windows\System32\winlogon.exe'
TargetImage:
- 'C:\Windows\System32\services.exe' # happens on Windows 7
- 'C:\Windows\System32\wininit.exe' # happens on Windows 7
- 'C:\Windows\System32\csrss.exe' # multiple OS
SourceImage|endswith: ':\Windows\System32\winlogon.exe'
TargetImage|endswith:
- ':\Windows\System32\services.exe' # happens on Windows 7
- ':\Windows\System32\wininit.exe' # happens on Windows 7
- ':\Windows\System32\csrss.exe' # multiple OS
filter_main_winlogon_2:
SourceImage: 'C:\Windows\System32\winlogon.exe'
TargetParentImage: 'System'
TargetParentProcessId: 4
filter_main_provtool:
SourceImage: 'C:\Windows\System32\provtool.exe'
TargetParentProcessId: 0
filter_main_vssvc:
SourceImage: 'C:\Windows\System32\VSSVC.exe'
TargetImage: 'System'
filter_main_schtasks_conhost:
SourceImage:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
TargetImage: 'C:\Windows\System32\conhost.exe'
filter_main_mmc:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage: 'C:\Windows\System32\mmc.exe'
filter_optional_nvidia:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
# filter_optional_powerpnt:
# # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
# SourceImage|contains: '\Microsoft Office\'
# SourceImage|endswith: '\POWERPNT.EXE'
# TargetImage: 'C:\Windows\System32\csrss.exe'
SourceImage|endswith:
- ':\Windows\System32\schtasks.exe'
- ':\Windows\SysWOW64\schtasks.exe'
TargetImage|endswith: ':\Windows\System32\conhost.exe'
filter_main_explorer:
SourceImage|endswith: ':\Windows\explorer.exe'
TargetImage|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
filter_main_system:
TargetImage: 'System'
filter_optional_powerpnt:
# Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
SourceImage|contains: '\Microsoft Office\'
SourceImage|endswith: '\POWERPNT.EXE'
TargetImage|endswith: ':\Windows\System32\csrss.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
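Review bot: `filter_main_system` (`TargetImage: 'System'`) replaces `filter_main_vssvc`, which previously required `SourceImage: 'C:\Windows\System32\VSSVC.exe'`, so every source image in the selection is now exempt when its target is the System process. If that broadening is intended it belongs in the changelog; otherwise keep the `SourceImage` condition. Two smaller points in the same hunk: `filter_main_provtool` is dropped without a replacement, and `filter_main_winlogon_2` still uses the exact `C:\Windows\System32\winlogon.exe` path while `filter_main_winlogon_1` was converted to `SourceImage|endswith`, so the two winlogon filters now behave differently on hosts whose system drive is not C:.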
@@ -9,7 +9,7 @@ references:
- https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022/03/16
modified: 2023/07/13
modified: 2023/10/19
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -30,30 +30,29 @@ detection:
- '\spoolsv.exe'
- '\wordpad.exe'
- '\write.exe'
filter_optional_spoolsv:
SourceImage: 'C:\Windows\System32\csrss.exe'
TargetImage: 'C:\Windows\System32\spoolsv.exe'
filter_main_csrss:
SourceImage|endswith: ':\Windows\System32\csrss.exe'
filter_optional_aurora_1:
StartFunction: 'EtwpNotificationThread'
filter_optional_aurora_2:
SourceImage|contains: 'unknown process'
filter_optional_vmtoolsd:
SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
SourceImage|endswith: ':\Program Files\VMware\VMware Tools\vmtoolsd.exe'
StartFunction: 'GetCommandLineW'
TargetImage:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\notepad.exe'
- 'C:\Windows\System32\spoolsv.exe'
filter_optional_rundll32:
SourceImage: 'C:\Windows\System32\rundll32.exe'
TargetImage: 'C:\Windows\explorer.exe'
TargetImage|endswith:
- ':\Windows\explorer.exe'
- ':\Windows\System32\notepad.exe'
- ':\Windows\System32\spoolsv.exe'
filter_main_rundll32:
SourceImage|endswith: ':\Windows\System32\rundll32.exe'
TargetImage|endswith: ':\Windows\explorer.exe'
StartFunction:
- 'LoadLibraryW'
- 'FreeLibrary'
filter_optional_winzip:
SourceImage: 'C:\Program Files\WinZip\FAHWindow64.exe'
TargetImage: 'C:\Windows\explorer.exe'
condition: selection and not 1 of filter_optional_*
SourceImage|endswith: ':\Program Files\WinZip\FAHWindow64.exe'
TargetImage|endswith: ':\Windows\explorer.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
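Review bot: `filter_main_csrss` replaces the csrss.exe -> spoolsv.exe pair with a source-only exclusion, so csrss.exe creating a thread in any of the selection's targets is now silently dropped, and `filter_main_rundll32` promotes the rundll32.exe -> explorer.exe (`LoadLibraryW`/`FreeLibrary`) exclusion from `filter_optional_*` to `filter_main_*`. rundll32.exe is a frequently abused host process; as a main filter this exclusion can no longer be switched off by the `filter_optional_*` convention. Suggest keeping it optional, or adding a comment explaining why it is unconditional.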
@@ -10,6 +10,7 @@ references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/04
modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -22,6 +23,7 @@ detection:
filter_main_generic:
# Note: in some envs this activity might be performed by other software. Apply additional filters as necessary
Image|endswith:
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Windows\explorer.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
@@ -0,0 +1,50 @@
title: ADSI-Cache File Creation By Uncommon Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec, Tim Shelton
date: 2019/03/24
modified: 2023/10/18
tags:
- attack.t1001.003
- attack.command_and_control
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
TargetFilename|endswith: '.sch'
filter_main_generic:
- Image|endswith:
- ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
- ':\Windows\CCM\CcmExec.exe'
- ':\windows\system32\dllhost.exe'
- ':\Windows\system32\dsac.exe'
- ':\Windows\system32\efsui.exe'
- ':\windows\system32\mmc.exe'
- ':\windows\system32\svchost.exe'
- ':\Windows\System32\wbem\WmiPrvSE.exe'
- ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
- Image|contains:
- ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
- ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
filter_main_office:
Image|contains|all:
- ':\Program Files\'
- '\Microsoft Office'
Image|endswith: '\OUTLOOK.EXE'
filter_optional_ldapwhoami:
Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
filter_optional_citrix:
# Example:
# TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: medium
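Review bot: the rule drops from `level: high` (the deleted file below) to `level: medium` alongside the rename, and the changelog entry "update: ADSI-Cache File Creation By Uncommon Tool" does not mention the severity change; please call it out. Two cosmetic points carried over from the old file: "legimate" in `falsepositives` should be "legitimate", and `'\LANDesk\LDCLient\ldapwhoami.exe'` reads like a typo for `LDClient` (harmless because Sigma string matching is case-insensitive, but worth normalizing while the file is being rewritten).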
@@ -4,7 +4,7 @@ status: test
description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020/05/26
modified: 2023/10/08
modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1036.005
@@ -115,7 +115,9 @@ detection:
# This filter handles system processes who are updated/installed using misexec.
Image|endswith: ':\WINDOWS\system32\msiexec.exe'
# Add more processes if you find them or simply filter msiexec on its own. If the list grows big
TargetFilename|endswith: ':\Program Files\PowerShell\7\pwsh.exe'
TargetFilename|endswith:
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
filter_main_healtray:
TargetFilename|contains: ':\Windows\System32\SecurityHealth\'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
@@ -7,7 +7,7 @@ references:
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/09
modified: 2023/09/18
modified: 2023/10/18
tags:
- attack.persistence
logsource:
@@ -20,6 +20,7 @@ detection:
- '\PowerShell\7\Modules\'
filter_main_pwsh:
Image|endswith:
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
@@ -6,6 +6,7 @@ references:
- https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/01
modified: 2023/10/18
tags:
- attack.defense_evasion
logsource:
@@ -16,6 +17,7 @@ detection:
TargetFilename|contains: '__PSScriptPolicyTest_'
filter_main_generic:
Image|endswith:
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Windows\System32\dsac.exe'
- ':\Windows\System32\ServerManager.exe'
@@ -1,48 +0,0 @@
title: Suspicious ADSI-Cache Usage By Unknown Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec, Tim Shelton
date: 2019/03/24
modified: 2023/01/12
tags:
- attack.t1001.003
- attack.command_and_control
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
TargetFilename|endswith: '.sch'
filter_eq:
Image:
- 'C:\windows\system32\svchost.exe'
- 'C:\windows\system32\dllhost.exe'
- 'C:\windows\system32\mmc.exe'
- 'C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
- 'C:\Windows\CCM\CcmExec.exe'
- 'C:\Program Files\Cylance\Desktop\CylanceSvc.exe'
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
filter_begins:
Image|startswith:
- 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
- 'C:\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
filter_ends:
Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
filter_domain_controller:
Image:
- 'C:\Windows\system32\efsui.exe'
- 'C:\Windows\system32\dsac.exe'
filter_citrix:
# Example:
# TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
level: high
@@ -1,4 +1,4 @@
title: Suspicious LNK Double Extension File
title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
- id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
@@ -14,7 +14,7 @@ references:
- https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022/11/07
modified: 2023/05/12
modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1036.007
@@ -35,20 +35,20 @@ detection:
- '.xlsx.'
filter_main_recent:
TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
filter_optional_office:
filter_optional_office_recent:
Image|endswith:
# Note: Some additional office application might need to be added
- '\excel.exe'
- '\powerpnt.exe'
- '\winword.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
filter_optional_excel:
filter_optional_office_excel:
Image|endswith: '\excel.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
filter_optional_powerpoint:
filter_optional_office_powerpoint:
Image|endswith: '\powerpnt.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
filter_optional_word:
filter_optional_office_word:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
@@ -5,9 +5,9 @@ description: Detects the creation or modification of a powershell profile which
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://persistence-info.github.io/Data/powershellprofile.html
author: HieuTT35, Nasreddine Bencherchali
author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
date: 2019/10/24
modified: 2022/08/24
modified: 2023/10/18
tags:
- attack.persistence
- attack.privilege_escalation
@@ -19,10 +19,11 @@ detection:
selection:
TargetFilename|endswith:
- '\Microsoft.PowerShell_profile.ps1'
- '\WindowsPowerShell\profile.ps1'
- '\PowerShell\profile.ps1'
- '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
- '\Program Files\PowerShell\7-preview\profile.ps1'
- '\Program Files\PowerShell\7\profile.ps1'
- '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
- '\WindowsPowerShell\profile.ps1'
condition: selection
falsepositives:
- System administrator creating Powershell profile manually
@@ -7,7 +7,7 @@ references:
- https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019/09/12
modified: 2022/10/10
modified: 2023/10/18
tags:
- attack.execution
- attack.t1059.001
@@ -18,37 +18,30 @@ logsource:
detection:
selection:
PipeName|startswith: '\PSHost'
filter1:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\WINDOWS\System32\sdiagnhost.exe'
- '\WINDOWS\System32\wsmprovhost.exe'
- '\Windows\system32\dsac.exe'
- '\Windows\system32\wbem\wmiprvse.exe'
- '\ForefrontActiveDirectoryConnector.exe'
- 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
filter2:
Image: null
filter3: # Microsoft SQL Server\130\Tools\
filter_main_generic:
Image|contains:
- ':\Program Files\Citrix\'
- ':\Program Files\Microsoft\Exchange Server\'
- ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
- ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
- ':\Windows\system32\dsac.exe'
- ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
- ':\Windows\System32\sdiagnhost.exe'
- ':\Windows\system32\ServerManager.exe'
- ':\Windows\system32\wbem\wmiprvse.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- ':\Windows\System32\wsmprovhost.exe'
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_sqlserver: # Microsoft SQL Server\130\Tools\
Image|contains|all:
- ':\Program Files'
- '\Microsoft SQL Server\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
filter4:
Image|startswith:
- 'C:\Program Files\Citrix\'
- 'C:\Program Files\Microsoft\Exchange Server\'
filter5:
Image:
- 'C:\Windows\system32\ServerManager.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
condition: selection and not 1 of filter*
fields:
- ComputerName
- User
- Image
- PipeName
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter.
level: medium
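Review bot: `\ForefrontActiveDirectoryConnector.exe` from the old `filter1` list is not carried into `filter_main_generic`, so hosts running that connector will start alerting on `\PSHost` pipes after this update. If the drop is deliberate, note it in the changelog; if not, add `- '\ForefrontActiveDirectoryConnector.exe'` back as an `Image|endswith` entry (the new filter uses `Image|contains`, so a bare file name would also need its own entry or a path prefix). The removed `fields` section is fine to drop.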
@@ -1,11 +1,15 @@
title: Suspicious File Download via CertOC.exe
title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
related:
- id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
type: similar
status: test
description: Detects when a user downloads file by using CertOC.exe
description: Detects when a user downloads a file by using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/05/16
modified: 2023/10/18
tags:
- attack.command_and_control
- attack.t1105
@@ -17,8 +21,10 @@ detection:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains: '-GetCACAPS'
CommandLine|contains|all:
- '-GetCACAPS'
- 'http'
condition: all of selection*
falsepositives:
- Unknown
level: high
level: medium
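Review bot: the `related` entry marks b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a as `similar`, but that rule is a strict subset of this one (same `-GetCACAPS` condition plus an IP regex), so every IP-based CertOC download will now raise both a medium and a high alert. `type: derived` describes the relationship more accurately, and a one-line note in `description` that the IP variant is covered separately would help tuning.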
@@ -0,0 +1,30 @@
title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
- id: 70ad0861-d1fe-491c-a45f-fa48148a300d
type: similar
status: experimental
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/18
tags:
- attack.command_and_control
- attack.execution
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_cli:
CommandLine|contains: '-GetCACAPS'
condition: all of selection*
falsepositives:
- Unknown
level: high
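Review bot: `selection_ip` matches any dotted quad, including RFC 1918, loopback and link-local ranges, so `certoc -GetCACAPS http://10.x.x.x/...` against an internal enterprise CA fires at `level: high`. The Curl sibling rule keeps (commented) filters for `://10.`, `://127.`, `://169.254.` and the like; consider the same filters here, or at least list internal CA enrollment under `falsepositives` instead of "Unknown". The `[0-9]{1,3}` groups also accept values above 255, which is acceptable for a detection but worth a comment.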
@@ -13,6 +13,7 @@ references:
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://twitter.com/_JohnHammond/status/1708910264261980634
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/02/15
tags:
@@ -63,9 +64,9 @@ detection:
# - '://172.31.'
# - '://127.' # 127.0.0.0/8
# - '://169.254.' # 169.254.0.0/16
filter_seven_zip:
filter_main_seven_zip:
CommandLine|contains: '://7-' # For https://7-zip.org/
condition: all of selection_* and not 1 of filter_*
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
@@ -0,0 +1,80 @@
title: File Download From IP URL Via Curl.EXE
id: 9cc85849-3b02-4cb5-b371-3a1ff54f2218
related:
- id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
type: similar
status: experimental
description: Detects file downloads directly from IP address URL using curl.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/10/18
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_http:
CommandLine|contains: 'http'
selection_flag:
CommandLine|contains:
- ' -O' # covers the alias for --remote-name and --output
- '--remote-name'
- '--output'
filter_main_ext:
# Note: This filter exists to avoid duplication with 5cb299fc-5fb1-4d07-b989-0644c68b6043
CommandLine|endswith:
- '.bat'
- '.bat"'
- '.dat'
- '.dat"'
- '.dll'
- '.dll"'
- '.exe'
- '.exe"'
- '.gif'
- '.gif"'
- '.hta'
- '.hta"'
- '.jpeg'
- '.jpeg"'
- '.log'
- '.log"'
- '.msi'
- '.msi"'
- '.png'
- '.png"'
- '.ps1'
- '.ps1"'
- '.psm1'
- '.psm1"'
- '.vbe'
- '.vbe"'
- '.vbs'
- '.vbs"'
- ".bat'"
- ".dat'"
- ".dll'"
- ".exe'"
- ".gif'"
- ".hta'"
- ".jpeg'"
- ".log'"
- ".msi'"
- ".png'"
- ".ps1'"
- ".psm1'"
- ".vbe'"
- ".vbs'"
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
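Review bot: `tags` carries only `attack.execution`, whereas the sibling 5cb299fc-5fb1-4d07-b989-0644c68b6043 and both CertOC rules in this PR tag a file download as `attack.command_and_control` / `attack.t1105` (Ingress Tool Transfer); the same tags belong here. Also note that `filter_main_ext` is a verbatim copy of the sibling's `selection_ext`, so any future drift between the two lists creates either a double alert or a gap; the note in the sibling says to keep them in sync, and a matching note in this filter (pointing back at 5cb299fc) would make that two-way.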
@@ -5,6 +5,7 @@ description: Detects potentially suspicious file downloads directly from IP addr
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/07/27
tags:
@@ -26,37 +27,50 @@ detection:
- '--remote-name'
- '--output'
selection_ext:
# Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218
CommandLine|endswith:
- '.ps1'
- ".ps1'"
- '.ps1"'
- '.dat'
- ".dat'"
- '.dat"'
- '.msi'
- ".msi'"
- '.msi"'
- '.bat'
- ".bat'"
- '.bat"'
- '.exe'
- ".exe'"
- '.exe"'
- '.vbs'
- ".vbs'"
- '.vbs"'
- '.vbe'
- ".vbe'"
- '.vbe"'
- '.hta'
- ".hta'"
- '.hta"'
- '.dat'
- '.dat"'
- '.dll'
- ".dll'"
- '.dll"'
- '.exe'
- '.exe"'
- '.gif'
- '.gif"'
- '.hta'
- '.hta"'
- '.jpeg'
- '.jpeg"'
- '.log'
- '.log"'
- '.msi'
- '.msi"'
- '.png'
- '.png"'
- '.ps1'
- '.ps1"'
- '.psm1'
- ".psm1'"
- '.psm1"'
- '.vbe'
- '.vbe"'
- '.vbs'
- '.vbs"'
- ".bat'"
- ".dat'"
- ".dll'"
- ".exe'"
- ".gif'"
- ".hta'"
- ".jpeg'"
- ".log'"
- ".msi'"
- ".png'"
- ".ps1'"
- ".psm1'"
- ".vbe'"
- ".vbs'"
condition: all of selection_*
falsepositives:
- Unknown
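Review bot: the extension list gains `.dll`, `.gif`, `.jpeg`, `.log`, `.png` and `.psm1`. The image and log extensions are common in legitimate `curl -O` usage against IP-addressed internal servers, so this widens a rule titled "Suspicious"; if the motivation is the IcedID IOC list added to `references` (payloads served with image extensions), a short comment next to those entries would let reviewers and users understand why they are there and tune accordingly.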
@@ -1,4 +1,4 @@
title: Remote File Download via Desktopimgdownldr Utility
title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
@@ -1,12 +1,12 @@
title: GfxDownloadWrapper.exe Downloads File from Suspicious URL
title: Arbitrary File Download Via GfxDownloadWrapper.EXE
id: eee00933-a761-4cd0-be70-c42fe91731e7
status: test
description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
references:
- https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
author: Victor Sergeev, oscd.community
date: 2020/10/09
modified: 2022/01/06
modified: 2023/10/18
tags:
- attack.command_and_control
- attack.t1105
@@ -14,16 +14,14 @@ logsource:
category: process_creation
product: windows
detection:
image_path:
selection:
Image|endswith: '\GfxDownloadWrapper.exe'
filter:
CommandLine|contains: 'gameplayapi.intel.com'
ParentImage|endswith:
- '\GfxDownloadWrapper.exe'
- '\igfxEM.exe'
condition: image_path and not filter
fields:
- CommandLine
CommandLine|contains:
- 'http://'
- 'https://'
filter_main_known_urls:
CommandLine|contains: 'https://gameplayapi.intel.com/'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
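Review bot: the new `filter_main_known_urls` only exempts `https://gameplayapi.intel.com/`, whereas the old filter matched `gameplayapi.intel.com` under any scheme and additionally required a parent of `GfxDownloadWrapper.exe` or `igfxEM.exe`. Net effect: an `http://gameplayapi.intel.com/` download now alerts, while a download of the same URL launched from any parent no longer does. Suggest `CommandLine|contains: 'gameplayapi.intel.com/'` (scheme-agnostic) and, if the parent check was doing useful work, keeping it in the filter.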
@@ -9,6 +9,7 @@ references:
- https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/21
modified: 2023/10/18
tags:
- attack.defense_evasion
- attack.t1202
@@ -35,8 +36,6 @@ detection:
# Note: these are the default locations. Admins/Users could add additional ones that you need to cover
- '\AppData\Roaming\Microsoft\Templates'
- '\AppData\Roaming\Microsoft\Word\Startup\'
- '\Microsoft Office (x86)\root\Templates\'
- '\Microsoft Office (x86)\Templates\'
- '\Microsoft Office\root\Templates\'
- '\Microsoft Office\Templates\'
filter_main_dotx:
@@ -1743,32 +1743,39 @@ class TestRules(unittest.TestCase):
faulty_config = False
# This test check of the "thor.yml" config file has a missing "WinEventLog:" prefix in Windows log sources
path_to_thor_config = "../tests/thor.yml"
path_to_thor_config = os.path.join(
os.path.dirname(os.path.realpath(__file__)), path_to_thor_config
)
thor_logsources = self.get_rule_yaml(path_to_thor_config)[0]["logsources"]
path_to_thor_config = "tests/thor.yml"
try:
path_to_thor_config = os.path.join(
os.path.dirname(os.path.realpath(__file__)), path_to_thor_config
)
thor_logsources = self.get_rule_yaml(path_to_thor_config)[0]["logsources"]
for key, value in thor_logsources.items():
try:
if value["product"] == "windows":
sources_list = value["sources"]
for i in sources_list:
if not i.startswith("WinEventLog:"):
faulty_config = True
print(
Fore.RED
+ "/tests/thor.yml config file has a broken source. Windows Eventlog sources must start with the keyword 'WinEventLog:'"
)
except:
pass
self.assertEqual(
faulty_config,
False,
Fore.RED
+ "thor.yml configuration file located in 'tests/thor.yml' has a borken log source definition",
)
for key, value in thor_logsources.items():
try:
if value["product"] == "windows":
sources_list = value["sources"]
for i in sources_list:
if not i.startswith("WinEventLog:"):
faulty_config = True
print(
Fore.RED
+ "/tests/thor.yml config file has a broken source. Windows Eventlog sources must start with the keyword 'WinEventLog:'"
)
except:
pass
self.assertEqual(
faulty_config,
False,
Fore.RED
+ "thor.yml configuration file located in 'tests/thor.yml' has a borken log source definition",
)
except:
self.assertEqual(
faulty_config,
False,
Fore.RED
+ "thor.yml configuration file was not found. Please make sure to run the script from the root of the sigma folder",
)
def test_re_invalid_escapes(self):
faulty_rules = []
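Review bot: the new `except:` branch cannot fail. It asserts `faulty_config == False`, but `faulty_config` is still `False` when `thor.yml` cannot be read, so a missing or unparseable config passes the test silently and the "was not found" message never shows; use `self.fail(...)` there instead. This matters because of the path change in the same hunk: `"tests/thor.yml"` is joined with `os.path.dirname(os.path.realpath(__file__))`, which resolves relative to the test file's directory, not the working directory the message refers to. If this file lives in `tests/` (which the old `"../tests/thor.yml"` implies), the result is `tests/tests/thor.yml`, the open fails, and the whole check is skipped. Keeping `"thor.yml"` relative to the test file, or catching `FileNotFoundError` explicitly rather than a bare `except:`, avoids both problems.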