From 21c4d241a1fe8caffe40a25852b0fc3e7ec9315c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 26 Jul 2021 10:59:35 +0200
Subject: [PATCH 1/2] HiveNightmare and Relay attack tools adjustments

---
 rules/windows/file_event/win_hivenightmare_file_exports.yml | 2 +-
 rules/windows/process_creation/win_tools_relay_attacks.yml | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/file_event/win_hivenightmare_file_exports.yml b/rules/windows/file_event/win_hivenightmare_file_exports.yml
index 42bb5ee01..47292ac6a 100644
--- a/rules/windows/file_event/win_hivenightmare_file_exports.yml
+++ b/rules/windows/file_event/win_hivenightmare_file_exports.yml
@@ -25,7 +25,7 @@ detection:
 - '\SAM-haxx' # Early C++ versions
 - '\Sam.save' # PowerShell version
 TargetFilename:
- - 'C:\windows\temp\sam'
+ - 'C:\windows\temp\sam' # C# version of HiveNightmare
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_tools_relay_attacks.yml b/rules/windows/process_creation/win_tools_relay_attacks.yml
index 89ce6ef1f..a795b9874 100644
--- a/rules/windows/process_creation/win_tools_relay_attacks.yml
+++ b/rules/windows/process_creation/win_tools_relay_attacks.yml
@@ -4,6 +4,7 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1
 description: Detects different hacktools used for relay attacks on Windows for privilege escalation
 author: Florian Roth
 date: 2021/07/24
+modified: 2021/07/26
 references:
 - https://attack.mitre.org/techniques/T1557/001/
 - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
@@ -39,6 +40,7 @@ detection:
 - ' ntlmrelay'
 - 'cme smb '
 - ' /ntlm:NTLMhash '
+ - 'Invoke-PetitPotam'
 condition: selection_pe or selection_script
 falsepositives:
 - Legitimate files with these rare hacktool names

From 5d039dd138fa22800b7c70282c24b0ba64a0b3f7 Mon Sep 17 00:00:00 2001
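Review bot: The `Invoke-PetitPotam` entry added to the CommandLine list in win_tools_relay_attacks.yml is not backed by a reference in the same patch: the references hunk a few lines above still lists only the T1557.001 page and the rotten-potato write-up, and the `modified` date was bumped without touching that list. If no PetitPotam link exists in the part of the file outside these hunks (the list's `selection_script` header and the remaining references are not visible here), add one so an analyst triaging a hit can see what the pattern covers, e.g. `- <URL of the PetitPotam write-up>` under `references:`. `modified: 2021/07/26` and `date: 2021/07/24` stay plain strings because of the slashes, so there is no implicit date-typing concern with those values.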
From: Florian Roth
Date: Tue, 27 Jul 2021 11:24:40 +0200
Subject: [PATCH 2/2] rule: Cobalt Strike patterns

---
 .../win_cobaltstrike_process_patterns.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/process_creation/win_cobaltstrike_process_patterns.yml

diff --git a/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml
new file mode 100644
index 000000000..0923753e8
--- /dev/null
+++ b/rules/windows/process_creation/win_cobaltstrike_process_patterns.yml
@@ -0,0 +1,34 @@
+title: CobaltStrike Process Patterns
+id: f35c5d71-b489-4e22-a115-f003df287317
+status: experimental
+description: Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
+author: Florian Roth
+references:
+ - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
+date: 2021/07/27
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: '\cmd.exe /C whoami'
+ ParentImage|startswith: 'C:\Temp'
+ selection2:
+ CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1'
+ ParentCommandLine|contains:
+ - '/C whoami'
+ - 'cmd.exe /C echo'
+ - ' > \\.\pipe'
+ selection3:
+ CommandLine|contains:
+ - 'cmd.exe /c echo'
+ - '> \\.\pipe'
+ - '\whoami.exe'
+ ParentImage|endswith: '\dllhost.exe'
+ condition: 1 of them
+falsepositives:
+ - Other programs that cause these patterns (please report)
+level: high
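Review bot: `ParentImage|startswith: 'C:\Temp'` in selection1 has no trailing path separator, so it also matches any parent image whose path merely begins with those characters (a `C:\Temporary...` style directory, for instance), not just executables inside `C:\Temp`; `ParentImage|startswith: 'C:\Temp\'` pins it to that directory. Since the only other constraint in selection1 is the `\cmd.exe /C whoami` substring and the rule fires on `1 of them` at `level: high`, keeping that parent-path anchor tight matters for precision. The `tags` list carries only `attack.execution`; the cmd.exe-based patterns in all three selections map to the Windows Command Shell sub-technique, so adding `- attack.t1059.003` would make the ATT&CK mapping complete. A short comment on selection2 explaining why `conhost.exe 0xffffffff -ForceV1` is significant (it is the detail a reader will not get from the line itself, and the description only points to the reference) would also help maintainers.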