Merge branch 'master' into rule-devel

This commit is contained in:
Florian Roth
2022-08-17 09:14:47 +02:00
165 changed files with 2496 additions and 749 deletions
+6
@@ -29,3 +29,9 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
1 RuleId RuleName MatchString
29 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 Hidden Local User Creation HomeGroupUser\$
30 1f2b5353-573f-4880-8e33-7d04dcf97744 Sysmon Configuration Modification Computer: evtx-PC
31 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 Remote PowerShell Session Host Process (WinRM) WIN-FPV0DSIC9O6
32 a96970af-f126-420d-90e1-d37bf25e50e1 Use Short Name Path in Image Ninite\.exe
33 349d891d-fef0-4fe4-bc53-eee623a15969 Use Short Name Path in Command Line Ninite\.exe
34 a96970af-f126-420d-90e1-d37bf25e50e1 Use Short Name Path in Image target\.exe
35 349d891d-fef0-4fe4-bc53-eee623a15969 Use Short Name Path in Command Line target\.exe
36 a96970af-f126-420d-90e1-d37bf25e50e1 Use Short Name Path in Image unzip\.exe
37 349d891d-fef0-4fe4-bc53-eee623a15969 Use Short Name Path in Command Line TeamViewer_\.exe
+2
@@ -20,6 +20,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
submodules: true
- name: Set up Python 3.8
uses: actions/setup-python@v1
with:
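Review bot: `submodules: true` on the checkout step makes every workflow run fetch the mitre/cti submodule over the network, while the actions it relies on in the same hunk, `actions/checkout@v2` and `actions/setup-python@v1`, are referenced by floating major tags rather than a commit SHA, so the job's inputs can change without any commit to this repository. Pinning both `uses:` lines to a full commit SHA (keeping the tag as a trailing comment) would make the CI supply chain reproducible. The `jobs` block continues outside the hunk.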
+3
@@ -0,0 +1,3 @@
[submodule "tests/cti"]
path = tests/cti
url = https://github.com/mitre/cti.git
@@ -0,0 +1,23 @@
title: Guest User Invited By Non Approved Inviters
id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
status: experimental
description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/10
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Invite external user
Status: failure
condition: selection
falsepositives:
- A non malicious user is unaware of the proper process
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1078
level: medium
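Review bot: `Status: failure` here (lower case) and `Status: Success` (capitalised) in the Privileged Account Creation rule added by the same commit spell values of the same field differently; Sigma matching is case-insensitive on most backends, but one consistent spelling across the new azure rules avoids surprises on backends that are not and keeps the rules greppable, e.g. `Status: failure` and `Status: success`. The falsepositives entry `A non malicious user` would read better as `A non-malicious user`.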
@@ -0,0 +1,21 @@
title: PIM Approvals And Deny Elevation
id: 039a7469-0296-4450-84c0-f6966b16dc6d
status: experimental
description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/09
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Request Approved/Denied
condition: selection
falsepositives:
- Actual admin using PIM.
tags:
- attack.privilege_escalation
- attack.t1078
level: high
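Review bot: `level: high` on a rule whose own falsepositives entry is `Actual admin using PIM.` means every routine PIM approval or denial raises a high-severity alert, which is the noise profile the description (`Outside of normal operations should be investigated.`) argues against. `level: medium` or `level: low` fits a rule that fires on expected activity; the PIM alert-disable and settings-change rules in this commit are rarer events and can keep `high`. The title `PIM Approvals And Deny Elevation` also reads oddly; `PIM Elevation Approved Or Denied` says the same thing.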
@@ -0,0 +1,21 @@
title: PIM Alert Setting Changes To Disabled
id: aeaef14c-e5bf-4690-a9c8-835caad458bd
status: experimental
description: Detects when PIM alerts are set to disabled.
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/09
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Disable PIM Alert
condition: selection
falsepositives:
- Administrator disabling PIM alerts as an active choice.
tags:
- attack.defense_evasion
- attack.t1484
level: high
@@ -0,0 +1,22 @@
title: Changes To PIM Settings
id: db6c06c4-bf3b-421c-aa88-15672b88c743
status: experimental
description: Detects when changes are made to PIM roles
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/09
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Update role setting in PIM
condition: selection
falsepositives:
- Legit administrative PIM setting configuration changes
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1078
level: high
@@ -0,0 +1,23 @@
title: User Added To Privilege Role
id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
status: experimental
description: Detects when a user is added to a privileged role.
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/06
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add eligible member (permanent)
- Add eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of adding members from a role
tags:
- attack.persistence
- attack.t1098
level: high
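Review bot: `properties.message` is matched exactly against `Add eligible member (permanent)` and `Add eligible member (eligible)`; if the logged activity display names are the longer `Add eligible member to role in PIM ...` forms (which is how they appear to be recorded in Azure AD PIM audit logs — please confirm against a live event), an exact match never fires, and `(eligible)` looks as if it may have been meant as the timebound variant. Using `properties.message|contains:` with the stable fragment, or the complete display names, would be safer. `Legtimate` in the falsepositives entry is a typo, and `adding members from a role` should presumably be `to a role`.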
@@ -0,0 +1,26 @@
title: Privileged Account Creation
id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
status: experimental
description: Detects when a new admin is created.
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
date: 2022/08/11
modified: 2022/08/16
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message|contains|all:
- Add user
- Add member to role
Status: Success
condition: selection
falsepositives:
- A legitmate new admin account being created
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1078
level: medium
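Review bot: `properties.message|contains|all` requires both `Add user` and `Add member to role` to appear in the message of one event, but these are two distinct audit activities, so unless the backend's `properties.message` aggregates several operations into one value the selection will never match. A Sigma rule cannot correlate the two events; either keep the single activity that identifies the admin creation (`properties.message: Add member to role` together with `Status: Success`) or document that a second rule or a backend-side correlation is required. `A legitmate new admin account` in the falsepositives entry has a typo.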
+23
@@ -0,0 +1,23 @@
title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: experimental
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/10
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Admin registered security info
Status: Admin registered temporary access pass method for user
condition: selection
falsepositives:
- Administrator adding a legitmate temporary access pass
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1078
level: high
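Review bot: `Status: Admin registered temporary access pass method for user` is a result-description sentence rather than a status value, whereas every other azure rule in this commit uses `Status` for `failure`/`Success`; it looks as if this text belongs to a different log field (the result reason) — please confirm which field carries it, because an exact match on the wrong field silently never fires. `properties.message: Admin registered security info` alone covers more than TAP registration, so the second clause is what makes the rule specific and it has to land on the right field. `legitmate` in the falsepositives entry is a typo.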
@@ -0,0 +1,27 @@
title: BPFDoor Abnormal Process ID or Lock File Accessed
id: 808146b2-9332-4d78-9416-d7e47012d83d
status: experimental
description: detects BPFDoor .lock and .pid files access in temporary file storage facility
author: Rafal Piasecki
date: 2022/08/10
references:
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- /var/run/haldrund.pid
- /var/run/xinetd.lock
- /var/run/kdevrund.pid
condition: selection
tags:
- attack.execution
- attack.t1106
- attack.t1059
falsepositives:
- Unlikely
level: high
@@ -0,0 +1,28 @@
title: Bpfdoor TCP Ports Redirect
id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
status: experimental
description: All TCP traffic on particular port from attacker is routed to diffrent port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
author: Rafal Piasecki
date: 2022/08/10
references:
- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
- https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
logsource:
product: linux
service: auditd
detection:
cmd:
type: 'EXECVE'
a0|endswith: 'iptables'
a1: '-t'
a2: 'nat'
keywords:
- '--to-ports 42'
- '--to-ports 43'
condition: cmd and keywords
level: medium
tags:
- attack.defense_evasion
- attack.t1562.004
falsepositives:
- Legitimate ports redirect
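Review bot: the `keywords` list matches `--to-ports 42` / `--to-ports 43` as free-text substrings, but in an auditd `EXECVE` record each argument is its own `aN=` field, so the option and its value are not adjacent text unless the backend reconstructs the command line — and the `cmd` selection in the same hunk already relies on the split `a0`..`a2` fields. Stating that command-line-reconstruction assumption in a comment next to `keywords:`, or matching the port in its own argument field where the backend allows it, would make the rule's behaviour predictable; as written the keyword is also a loose prefix match on any port beginning with 42 or 43. `diffrent` in the description is a typo.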
+3 -2
@@ -4,17 +4,18 @@ status: experimental
description: Detects Baby Shark C2 Framework communication patterns
author: Florian Roth
date: 2021/06/09
modified: 2022/08/15
references:
- https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
logsource:
category: proxy
detection:
selection:
c-uri|contains: 'momyshark?key='
c-uri|contains: 'momyshark\?key='
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.command_and_control
- attack.t1071.001
- attack.t1071.001
+2 -2
@@ -6,12 +6,12 @@ author: Florian Roth
references:
- https://securelist.com/chafer-used-remexi-malware/89538/
date: 2019/01/31
modified: 2021/11/27
modified: 2022/08/15
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/asp.asp?ui='
c-uri|contains: '/asp.asp\?ui='
condition: selection
fields:
- ClientIP
+2 -2
@@ -6,13 +6,13 @@ author: Markus Neis
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
date: 2019/11/12
modified: 2022/01/07
modified: 2022/08/15
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
c-uri|endswith: '?manifest=wac'
c-uri|endswith: '\?manifest=wac'
cs-host: 'onedrive.live.com'
filter:
c-uri|startswith: 'http'
+2 -2
@@ -7,12 +7,12 @@ references:
- https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
- https://twitter.com/craiu/status/1167358457344925696
date: 2019/08/30
modified: 2021/11/27
modified: 2022/08/15
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/list/suc?name='
c-uri|contains: '/list/suc\?name='
condition: selection
fields:
- ClientIP
@@ -6,15 +6,15 @@ author: Florian Roth
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
date: 2017/10/25
modified: 2022/01/07
modified: 2022/08/08
logsource:
category: proxy
detection:
selection:
- c-uri-query|contains: '/flash_install.php'
- c-uri-query|endswith: '/install_flash_player.exe'
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
c-uri-stem|contains: '.adobe.com/'
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
+2 -2
@@ -6,12 +6,12 @@ author: Florian Roth
references:
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
date: 2020/05/26
modified: 2021/11/27
modified: 2022/08/15
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/index/index.php?h='
c-uri|contains: '/index/index.php\?h='
condition: selection
falsepositives:
- Unknown
+2 -1
@@ -4,7 +4,7 @@ status: experimental
description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth, Tim Shelton
date: 2019/03/07
modified: 2022/05/09
modified: 2022/08/16
logsource:
category: proxy
detection:
@@ -16,6 +16,7 @@ detection:
- '.net'
- '.org'
- '.scdn.co' # spotify streaming
- '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
condition: selection and not falsepositives
fields:
- ClientIP
+7 -2
@@ -4,7 +4,7 @@ status: experimental
description: Detects suspicious malformed user agent strings in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2022/07/07
modified: 2022/08/08
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
logsource:
@@ -33,12 +33,17 @@ detection:
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
falsepositives:
c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
condition: 1 of selection* and not falsepositives
fields:
- ClientIP
- c-uri
- c-useragent
- cs-host
falsepositives:
- Unknown
level: high
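Review bot: the new `cs-host|endswith` entry under the `falsepositives` selection suppresses every `selection*` user-agent match for any request to `.acrobat.com`, `.adobe.com` or `.adobe.io`, not only the Acrobat UA the previous single filter targeted, so the exclusion grew from one UA pattern to a host allowlist. That may be acceptable for Adobe-owned domains, but the inline comment should say so, e.g. `# Adobe product traffic: suppresses all UA checks for these hosts`, so the widening is visibly deliberate. The detection identifier `falsepositives` also shares its name with the top-level `falsepositives` key shown later in the hunk; renaming it `filter_adobe` would avoid the confusion. The `detection` block begins before this hunk.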
@@ -4,14 +4,14 @@ status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
modified: 2022/08/15
logsource:
category: proxy
detection:
selection:
c-uri|contains|all:
- '/'
- '.php?l='
- '.php\?l='
c-uri|endswith: '.cab'
sc-status: 200
condition: selection
@@ -22,4 +22,4 @@ fields:
- c-ua
falsepositives:
- Unknown
level: high
level: high
+1 -1
@@ -1,7 +1,7 @@
title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: experimental
description: Detects a successful Grafana path traversal exploitation
description: Detects a successful Grafana path traversal exploitation
author: Florian Roth
references:
- https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
@@ -0,0 +1,22 @@
title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: experimental
description: |
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
author: Nasreddine Bencherchali
date: 2022/08/12
references:
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
logsource:
category: webserver
detection:
selection:
c-uri|contains: '/SAAS/t/_/;/'
condition: selection
falsepositives:
- Vulnerability scanners
level: high
tags:
- attack.initial_access
- attack.t1190
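Review bot: `description: Detects the exploitation of ...` overstates what a `c-uri|contains` match can establish: the rule sees a request path, not its outcome, which is why `Vulnerability scanners` is listed as a false positive. `Detects potential exploitation attempts of the VMware Workspace ONE Access authentication bypass (CVE-2022-31656)` describes the signal accurately, and the sibling CVE-2022-31659 rule in this commit already says `possible exploitation`. There is no `sc-status` clause, so a success-only variant would depend on the webserver log carrying the response code.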
@@ -0,0 +1,22 @@
title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: experimental
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
author: Nasreddine Bencherchali
date: 2022/08/12
references:
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL
condition: selection
falsepositives:
- Vulnerability scanners
- Legitimate access to the URI
level: medium
tags:
- attack.initial_access
- attack.t1190
@@ -0,0 +1,28 @@
title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: experimental
description: Detects potential abuse of ntdsutil to dump ntds.dit database
author: Nasreddine Bencherchali
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
date: 2022/08/14
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'ESENT'
EventID:
- 216
- 325
- 326
- 327
Data|contains: 'ntds.dit'
condition: selection
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
tags:
- attack.execution
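Review bot: `tags` lists only `attack.execution`, but a rule whose purpose is catching dumps of `ntds.dit` maps to OS Credential Dumping: NTDS, i.e. `attack.credential_access` and `attack.t1003.003`; the sibling `Dump Ntds.dit To Suspicious Location` rule in this commit has the same gap. Adding both tags keeps the ATT&CK mapping consistent with the repository's other credential-dumping rules. The `# warning:` comment about the `Data` container field is useful and should stay.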
@@ -0,0 +1,34 @@
title: Dump Ntds.dit To Suspicious Location
id: 94dc4390-6b7c-4784-8ffc-335334404650
status: experimental
description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
author: Nasreddine Bencherchali
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
date: 2022/08/14
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection_root:
Provider_Name: 'ESENT'
EventID: 325 # New Database Created
Data|contains: 'ntds.dit'
selection_paths:
Data|contains:
# Add more locations that you don't use in your env or that are just suspicious
- '\Users\Public\'
- '\Perflogs\'
- '\Temp\'
- '\Appdata\'
- '\Desktop\'
- '\Downloads\'
- 'C:\ntds.dit'
condition: all of selection_*
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
tags:
- attack.execution
@@ -5,8 +5,10 @@ description: Detects a suspicious download using the BITS client from a FQDN tha
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
- https://twitter.com/malmoeb/status/1535142803075960832
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth
date: 2022/06/28
modified: 2022/08/09
logsource:
product: windows
service: bits-client
@@ -26,6 +28,8 @@ detection:
- '.ghostbin.co/'
- 'ufile.io'
- 'storage.googleapis.com'
- 'anonfiles.com'
- 'send.exploit.in'
condition: selection
falsepositives:
- Unknown
@@ -0,0 +1,22 @@
title: Loading Diagcab Package From Remote Path
id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
status: experimental
description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://twitter.com/nas_bench/status/1539679555908141061
- https://twitter.com/j00sean/status/1537750439701225472
tags:
- attack.execution
logsource:
product: windows
service: diagnosis-scripted
detection:
selection:
EventID: 101
PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
condition: selection
falsepositives:
- Legitimate package hosted on a known and authorized remote location
level: high
@@ -4,7 +4,7 @@ description: Backdooring domain object to grant the rights associated with DCSyn
Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
status: experimental
date: 2019/04/03
modified: 2022/05/10
modified: 2022/08/10
author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton
references:
- https://twitter.com/menasec1/status/1111556090137903104
@@ -20,13 +20,13 @@ detection:
EventID: 5136
AttributeLDAPDisplayName: 'ntSecurityDescriptor'
AttributeValue|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter1:
ObjectType:
- 'dnsNode'
- 'dnsZoneScope'
ObjectClass:
- 'dnsNode'
- 'dnsZoneScope'
condition: selection and not 1 of filter*
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
@@ -6,7 +6,7 @@ author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
date: 2019/04/03
modified: 2021/11/27
modified: 2022/08/11
logsource:
product: windows
service: security
@@ -14,7 +14,7 @@ logsource:
detection:
selection:
EventID: 5145
ShareName: \\\*\IPC$
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: atsvc
Accesses|contains: 'WriteData'
condition: selection
@@ -8,14 +8,14 @@ references:
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
date: 2018/11/28
modified: 2021/11/27
modified: 2022/08/11
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName: \\\*\IPC$
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: spoolss
condition: selection
falsepositives:
@@ -18,7 +18,7 @@ logsource:
detection:
selection:
EventID: '5145'
ShareName: '\\\*\IPC$'
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: 'spoolss'
AccessMask: '0x3'
ObjectType: 'File'
@@ -4,7 +4,7 @@ status: experimental
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
modified: 2021/06/01
modified: 2022/08/15
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
tags:
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
EventID: 5156
DestinationPort:
DestPort:
- 3268
- 3269
timeframe: 1h
@@ -15,7 +15,7 @@ logsource:
detection:
selection:
EventID: 5145
ShareName: \\\*\SYSVOL
ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
Accesses|contains:
- 'WriteData'
@@ -6,7 +6,7 @@ author: Bhabesh Raj
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
date: 2020/12/14
modified: 2022/01/07
modified: 2022/08/11
logsource:
product: windows
service: security
@@ -14,7 +14,7 @@ logsource:
detection:
selection1:
EventID: 5145
ShareName: \\\*\IPC$
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|contains:
- 'RemCom_stdint'
- 'RemCom_stdoutt'
@@ -4,7 +4,7 @@ description: Detect AD credential dumping using impacket secretdump HKTL
status: experimental
author: Samir Bousseaden, wagga
date: 2019/04/03
modified: 2021/06/27
modified: 2022/08/11
references:
- https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
tags:
@@ -19,7 +19,7 @@ logsource:
detection:
selection:
EventID: 5145
ShareName: \\\*\ADMIN$
ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
@@ -14,7 +14,7 @@ logsource:
detection:
selection1:
EventID: 5145
ShareName: \\\*\IPC$
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
false_positives:
RelativeTargetName:
- 'atsvc'
@@ -4,6 +4,7 @@ description: Detect PetitPotam coerced authentication activity.
status: experimental
author: Mauricio Velazco, Michael Haag
date: 2021/09/02
modified: 2022/08/11
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
@@ -17,7 +18,7 @@ logsource:
detection:
selection:
EventID: 5145
ShareName|startswith: '\\'
ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$
ShareName|endswith: '\IPC$'
RelativeTargetName: lsarpc
SubjectUserName: ANONYMOUS LOGON
@@ -6,16 +6,16 @@ author: Ilyas Ochkov, oscd.community
references:
- https://github.com/GhostPack/Rubeus
date: 2019/10/24
modified: 2021/11/27
modified: 2022/08/15
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestinationPort: 88
DestPort: 88
filter:
Image|endswith:
Application|endswith:
- '\lsass.exe'
- '\opera.exe'
- '\chrome.exe'
@@ -6,7 +6,7 @@ author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
date: 2019/04/03
modified: 2021/12/08
modified: 2022/08/11
logsource:
product: windows
service: security
@@ -14,7 +14,7 @@ logsource:
detection:
selection1:
EventID: 5145
ShareName: \\\*\IPC$
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|endswith:
- '-stdin'
- '-stdout'
@@ -6,7 +6,7 @@ author: Samir Bousseaden
references:
- https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
date: 2019/04/03
modified: 2021/11/27
modified: 2022/08/11
logsource:
product: windows
service: security
@@ -14,7 +14,7 @@ logsource:
detection:
selection:
EventID: 5145
ShareName: \\\*\IPC$
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: svcctl
Accesses|contains: 'WriteData'
condition: selection
@@ -0,0 +1,34 @@
title: Suspicious Application Installed
id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
status: experimental
description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
tags:
- attack.execution
logsource:
product: windows
service: shell-core
detection:
selection_name:
EventID: 28115
Name|contains:
# Please add more
- 'Zenmap'
- 'AnyDesk'
- 'wireshark'
- 'openvpn'
selection_packageid:
EventID: 28115
AppID|contains:
# Please add more
- 'zenmap.exe'
- 'prokzult ad' # AnyDesk
- 'wireshark'
- 'openvpn'
condition: 1 of selection_*
falsepositives:
- Packages or applications being legitimately used by users or administrators
level: medium
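Review bot: `selection_name` and `selection_packageid` both repeat `EventID: 28115`, and `condition: 1 of selection_*` then ORs the pair; moving the event id into its own selection and renaming the app lists (`condition: selection_eid and 1 of selection_app_*`) removes the duplication and makes future additions less error-prone. The two `# Please add more` comments mark the lists as illustrative, and `Name|contains: 'openvpn'` and `'wireshark'` are routinely installed by administrators, so the `level: medium` is environment-dependent — which the falsepositives entry already concedes. `tags` could also carry `attack.t1219`, given that AnyDesk is a remote-access tool.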
@@ -0,0 +1,22 @@
title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: experimental
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
author: Nasreddine Bencherchali
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
date: 2022/08/11
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName: 'AnyDesk Service'
condition: selection
falsepositives:
- Legitimate usage of the anydesk tool
level: medium
tags:
- attack.persistence
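Review bot: `description: ... if you the software isn't already used` is garbled; `Detects the installation of the AnyDesk software service, which could indicate AnyDesk abuse if the software is not used in the environment` reads cleanly. `tags` has only `attack.persistence`; AnyDesk is a remote-access tool, so `attack.command_and_control` and `attack.t1219` are the usual mapping, with `attack.t1543.003` for the service installation itself.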
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
author: Markus Neis
date: 2018/08/26
modified: 2022/02/09
modified: 2022/08/13
tags:
- attack.credential_access
# Defender Attack Surface Reduction
@@ -36,7 +36,7 @@ detection:
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_begins:
ProcessName|startswith:
- 'C:\Windows\System32\\DriverStore\'
- 'C:\Windows\System32\DriverStore\'
- 'C:\WINDOWS\Installer\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
@@ -6,24 +6,25 @@ references:
- https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth
date: 2022/03/16
modified: 2022/07/07
modified: 2022/08/12
logsource:
product: windows
category: create_remote_thread
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\mspaint.exe'
- '\calc.exe'
- '\notepad.exe'
- '\sethc.exe'
- '\write.exe'
- '\wordpad.exe'
condition: selection
selection:
TargetImage|endswith:
- '\mspaint.exe'
- '\calc.exe'
- '\notepad.exe'
- '\sethc.exe'
- '\write.exe'
- '\wordpad.exe'
- '\explorer.exe'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055.003
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1055.003
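Review bot: adding `'\explorer.exe'` to the `TargetImage|endswith` list puts a process that can legitimately receive remote threads (shell extensions, installers, some endpoint agents) into a `level: high` rule whose falsepositives entry is `Unknown`, whereas the existing targets (`mspaint.exe`, `calc.exe`, ...) are rarely touched by anything, which is what justified the level. Either validate the explorer.exe entry against production telemetry and record the expected false positives, or carry it in a separate lower-level rule. The re-indentation of the rest of the hunk is otherwise a no-op.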
@@ -1,12 +1,12 @@
title: Accessing WinAPI in PowerShell. Code Injection
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
status: test
description: Detecting Code injection with PowerShell in another process
description: Detects the creation of a remote thread from a Powershell process to another process
author: Nikita Nazarov, oscd.community
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
date: 2020/10/06
modified: 2022/07/28
modified: 2022/08/12
logsource:
product: windows
category: create_remote_thread
@@ -7,7 +7,7 @@ notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
modified: 2022/07/31
modified: 2022/08/12
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
@@ -49,8 +49,6 @@ detection:
- '\outlook.exe'
- '\ping.exe'
- '\powerpnt.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\provtool.exe'
- '\python.exe'
- '\regsvr32.exe'
@@ -99,6 +97,6 @@ fields:
- User
- SourceImage
- TargetImage
level: high
falsepositives:
- Unknown
level: high
@@ -0,0 +1,29 @@
title: File Creation Date Changed to Another Year
id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
status: experimental
description: |
Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
references:
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
author: frack113, Florian Roth
date: 2022/08/12
logsource:
category: file_change
product: windows
detection:
selection1:
PreviousCreationUtcTime|startswith: 2022
filter1:
CreationUtcTime|startswith: 2022
selection2:
PreviousCreationUtcTime|startswith: 202
filter2:
CreationUtcTime|startswith: 202
condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
falsepositives:
- Changes made to or by the local NTP service
level: high
tags:
- attack.t1070.006
- attack.defense_evasion
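Review bot: `PreviousCreationUtcTime|startswith: 2022` and `CreationUtcTime|startswith: 2022` hard-code the current year, so the rule silently loses coverage on 1 January 2023: a file whose previous creation time is in 2023 matches neither `selection1` nor, when the new time is also in the 202x decade, the `selection2 and not filter2` clause. A maintenance comment next to `selection1` (`# update the year each January; see selection2 for the decade fallback`) is the minimum, since a real year-component comparison is outside what Sigma expresses. The bare values `2022` and `202` are YAML integers, so quoting them (`'2022'`, `'202'`) avoids relying on the converter to stringify a number before applying `startswith`.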
@@ -0,0 +1,40 @@
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
description: Detects default file names outputted by the BloodHound collection tool SharpHound
status: experimental
author: C.J. May
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
date: 2022/08/09
modified: 2022/08/09
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection1:
TargetFilename|endswith:
- '_BloodHound.zip'
- '_computers.json'
- '_containers.json'
- '_domains.json'
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
selection2:
TargetFilename|contains|all:
- 'BloodHound'
- '.zip'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
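Review bot: `selection1` matches `TargetFilename|endswith` suffixes such as `_users.json`, `_groups.json` and `_domains.json` that are generic enough to appear in unrelated exports, and `selection2` fires on any filename containing both `BloodHound` and `.zip`, which includes downloading the tool's own release archive; with `condition: 1 of selection*` and `level: high` the falsepositives entry `Unknown` undersells the noise. Lowering the level to `medium`, or at least listing the known benign hits (administrative JSON exports, the BloodHound distribution archive) under `falsepositives`, would be more proportionate. `modified: 2022/08/09` equals `date`, which the repository convention usually omits for a never-modified rule — confirm with the project's checks.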
@@ -0,0 +1,23 @@
title: Persistence Via ErrorHandler.Cmd
id: 15904280-565c-4b73-9303-3291f964e7f9
status: experimental
description: |
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
author: Nasreddine Bencherchali
references:
- https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
- https://github.com/last-byte/PersistenceSniper
date: 2022/08/09
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
@@ -0,0 +1,27 @@
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: experimental
description: |
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded
references:
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022/08/12
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains|all:
- 'iphlpapi.dll'
- '\AppData\Local\Microsoft'
condition: selection
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1574.002
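Review bot: The first description line (`Detects creation of a malicious DLL file in the location where the OneDrive or Team applications`) is cut off mid-sentence; complete it, e.g. `... in the location where the OneDrive or Teams applications are installed`. The selection matches any `iphlpapi.dll` written anywhere below `\AppData\Local\Microsoft`, which is wider than the Teams/OneDrive scope the title claims — either say so in the description or, if the referenced report confines the drop to those application directories, tighten the second `contains|all` value accordingly. The curly quotes around “iphlpapi.dll” in the second description line should be plain ASCII quotes.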
@@ -6,12 +6,11 @@ references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
tags:
- attack.registry_run_keys_/_startup_folder
- attack.persistence
- attack.t1547.001
date: 2021/10/24
modified: 2022/07/14
modified: 2022/08/10
author: Christopher Peacock '@securepeacock', SCYTHE
level: high
logsource:
product: windows
category: file_event
@@ -26,3 +25,4 @@ detection:
falsepositives:
- Unknown
- Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
level: high
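Review bot: The falsepositives entry directly above the moved `level: high` carries three typos (`recomended`, `anomolies`, `inidicative`); since this hunk already touches the stanza, correct it to `It is recommended to search for anomalies indicative of malware.` The enclosing `detection` block is above the hunk.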
@@ -2,13 +2,13 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.
author: xknow @xknow_infosec
author: xknow @xknow_infosec, Tim Shelton
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
date: 2019/03/24
modified: 2022/04/21
modified: 2022/08/16
logsource:
product: windows
category: file_event
@@ -27,6 +27,8 @@ detection:
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
filter_begins:
Image|startswith: 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
filter_ends:
Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
filter_domain_controller:
Image:
- 'C:\Windows\system32\efsui.exe'
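Review bot: The new `filter_ends` value `'\LANDesk\LDCLient\ldapwhoami.exe'` has odd casing in `LDCLient`; Sigma backends generally compare strings case-insensitively, so it probably still matches, but if the intended directory is `LDClient` the value should be written that way so the exclusion is auditable. The rule's `condition` is outside the hunk, so I could not confirm that `filter_ends` is actually referenced (e.g. via `1 of filter_*`); please check it is not a dead map.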
@@ -0,0 +1,29 @@
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
description: Detects when a file with a suspicious extension is created in the startup folder
status: experimental
author: Nasreddine Bencherchali
references:
- https://github.com/last-byte/PersistenceSniper
tags:
- attack.persistence
- attack.t1547.001
date: 2022/08/10
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith:
# Add or remove suspicious extensions according to your env needs
- '.vbs'
- '.vbe'
- '.bat'
- '.ps1'
- '.hta'
- '.dll'
condition: selection
falsepositives:
- Rare legitimate usage of some of the extensions mentioned in the rule
level: high
@@ -6,6 +6,7 @@ author: Florian Roth
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
date: 2021/12/07
modified: 2022/08/13
logsource:
product: windows
category: file_event
@@ -13,7 +14,7 @@ detection:
selection:
TargetFilename:
- 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
- 'C:\Windows\System32\config\systemprofile\AppData\\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
- 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
condition: selection
falsepositives:
- Administrative activity
@@ -3,7 +3,7 @@ id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: experimental
description: Detects a Windows executable that writes files to suspicious folders
references:
- No references
- Internal Research
author: Florian Roth
date: 2021/11/20
modified: 2022/07/14
@@ -0,0 +1,40 @@
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: experimental
description: Detects windows executables that writes files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali
date: 2022/08/12
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\rundll32.exe'
#- '\svchost.exe' # Might generate some FP
- '\dllhost.exe'
- '\smss.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\lsass.exe'
- '\csrss.exe'
- '\winlogon.exe'
- '\wininit.exe'
TargetFilename|endswith:
- '.bat'
- '.vbe'
- '.txt'
- '.vbs'
- '.exe'
- '.ps1'
- '.hta'
- '.iso'
condition: selection
falsepositives:
- Unknown
level: high
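Review bot: `.txt` in `TargetFilename|endswith` puts ordinary log and text output from `rundll32.exe`, `dllhost.exe` or `RuntimeBroker.exe` on the same footing as `.exe`/`.ps1` drops, which seems likely to be noisy for a `high` rule whose `falsepositives` is Unknown; consider moving it to a lower-level sibling or documenting in the description why it is included. The description `Detects windows executables that writes files with suspicious extensions` should read `Detects Windows executables that write files with suspicious extensions`. The commented-out entry `#- '\svchost.exe' # Might generate some FP` should be spaced `# - '\svchost.exe'` to match the comment style used elsewhere in the repository.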
@@ -8,13 +8,14 @@ author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
date: 2022/01/01
modified: 2022/08/13
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- '\\127.0.0'
- '\\\\127.0.0'
- '\ADMIN$\'
condition: selection
falsepositives:
@@ -4,6 +4,7 @@ status: experimental
description: Detects possible ransomware adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky" etc.
references:
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
- https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022/07/16
tags:
@@ -4,21 +4,20 @@ status: experimental
description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
author: Greg (rule)
references:
- https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
- https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
date: 2022/06/17
logsource:
category: image_load
product: windows
category: image_load
product: windows
detection:
selection_img:
Image|endswith: '\msdt.exe'
selection_load:
ImageLoaded|endswith: '\sdiageng.dll'
condition: all of selection*
selection:
Image|endswith: '\msdt.exe'
ImageLoaded|endswith: '\sdiageng.dll'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1202
- cve.2022.30190
- attack.defense_evasion
- attack.t1202
- cve.2022.30190
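Review bot: The detection block is restructured (the two `selection_*` maps collapsed into a single `selection` with `condition: selection`) but no `modified:` line follows `date: 2022/06/17`, whereas the other edited rules in this commit record a `modified` date. Add `modified: <YYYY/MM/DD of this change>` so the change is traceable in the rule metadata. Which of the duplicated stanzas is the old and which the new side is not recoverable from this rendering, so the structural change itself is inferred from the differing `selection` maps.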
@@ -4,7 +4,7 @@ status: experimental
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
author: Bhabesh Raj
date: 2021/05/05
modified: 2021/09/09
modified: 2022/08/14
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
@@ -16,7 +16,7 @@ logsource:
category: image_load
detection:
selection:
Image|endswith: 'msdtc.exe'
Image|endswith: '\msdtc.exe'
ImageLoaded: 'C:\Windows\oci.dll'
condition: selection
falsepositives:
@@ -0,0 +1,31 @@
title: Rundll32 Loading Renamed Comsvcs DLL
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: experimental
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://twitter.com/sbousseaden/status/1555200155351228419
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\rundll32.exe'
Hashes|contains:
# Add more hashes for other windows verions
- IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
- IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
- IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
- IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
- IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
filter:
ImageLoaded|endswith: '\comsvcs.dll'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
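Review bot: The rule can only match when the `Hashes` field carries an `IMPHASH=` entry, which Sysmon emits only if its `HashAlgorithms` setting includes IMPHASH (or `*`); on a default configuration the selection never matches and the rule fails silently. State this requirement in the description or as a comment above `Hashes|contains:`, e.g. `# Requires Sysmon configured with HashAlgorithms including IMPHASH`. The comment `# Add more hashes for other windows verions` has a typo (`versions`).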
@@ -0,0 +1,370 @@
title: System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
author: Nasreddine Bencherchali, Wietze Beukema (project and research)
date: 2022/08/14
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\shfolder.dll'
- '\activeds.dll'
- '\adsldpc.dll'
- '\aepic.dll'
- '\apphelp.dll'
- '\applicationframe.dll'
- '\appxalluserstore.dll'
- '\appxdeploymentclient.dll'
- '\archiveint.dll'
- '\atl.dll'
- '\audioses.dll'
- '\auditpolcore.dll'
- '\authfwcfg.dll'
- '\authz.dll'
- '\avrt.dll'
- '\bcd.dll'
- '\bcp47langs.dll'
- '\bcp47mrm.dll'
- '\bcrypt.dll'
- '\cabinet.dll'
- '\cabview.dll'
- '\certenroll.dll'
- '\cldapi.dll'
- '\clipc.dll'
- '\clusapi.dll'
- '\cmpbk32.dll'
- '\coloradapterclient.dll'
- '\colorui.dll'
- '\comdlg32.dll'
- '\connect.dll'
- '\coremessaging.dll'
- '\credui.dll'
- '\cryptbase.dll'
- '\cryptdll.dll'
- '\cryptui.dll'
- '\cryptxml.dll'
- '\cscapi.dll'
- '\cscobj.dll'
- '\cscui.dll'
- '\d2d1.dll'
- '\d3d10.dll'
- '\d3d10_1.dll'
- '\d3d10_1core.dll'
- '\d3d10core.dll'
- '\d3d10warp.dll'
- '\d3d11.dll'
- '\d3d12.dll'
- '\d3d9.dll'
- '\dataexchange.dll'
- '\davclnt.dll'
- '\dcomp.dll'
- '\defragproxy.dll'
- '\desktopshellext.dll'
- '\deviceassociation.dll'
- '\devicecredential.dll'
- '\devicepairing.dll'
- '\devobj.dll'
- '\devrtl.dll'
- '\dhcpcmonitor.dll'
- '\dhcpcsvc.dll'
- '\dhcpcsvc6.dll'
- '\directmanipulation.dll'
- '\dismapi.dll'
- '\dismcore.dll'
- '\dmcfgutils.dll'
- '\dmcmnutils.dll'
- '\dmenrollengine.dll'
- '\dmenterprisediagnostics.dll'
- '\dmiso8601utils.dll'
- '\dmoleaututils.dll'
- '\dmprocessxmlfiltered.dll'
- '\dmpushproxy.dll'
- '\dmxmlhelputils.dll'
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- '\drprov.dll'
- '\dsclient.dll'
- '\dsparse.dll'
- '\dsreg.dll'
- '\dsrole.dll'
- '\dui70.dll'
- '\duser.dll'
- '\dusmapi.dll'
- '\dwmapi.dll'
- '\dwrite.dll'
- '\dxgi.dll'
- '\dxva2.dll'
- '\eappcfg.dll'
- '\eappprxy.dll'
- '\edputil.dll'
- '\efsadu.dll'
- '\efsutil.dll'
- '\esent.dll'
- '\execmodelproxy.dll'
- '\explorerframe.dll'
- '\fastprox.dll'
- '\faultrep.dll'
- '\fddevquery.dll'
- '\feclient.dll'
- '\fhcfg.dll'
- '\firewallapi.dll'
- '\flightsettings.dll'
- '\fltlib.dll'
- '\fveapi.dll'
- '\fwbase.dll'
- '\fwcfg.dll'
- '\fwpolicyiomgr.dll'
- '\fwpuclnt.dll'
- '\getuname.dll'
- '\hid.dll'
- '\hnetmon.dll'
- '\httpapi.dll'
- '\idstore.dll'
- '\ieadvpack.dll'
- '\iedkcs32.dll'
- '\iertutil.dll'
- '\ifmon.dll'
- '\iphlpapi.dll'
- '\iri.dll'
- '\iscsidsc.dll'
- '\iscsium.dll'
- '\isv.exe_rsaenh.dll'
- '\joinutil.dll'
- '\ksuser.dll'
- '\ktmw32.dll'
- '\licensemanagerapi.dll'
- '\licensingdiagspp.dll'
- '\linkinfo.dll'
- '\loadperf.dll'
- '\logoncli.dll'
- '\logoncontroller.dll'
- '\lpksetupproxyserv.dll'
- '\magnification.dll'
- '\mapistub.dll'
- '\mfcore.dll'
- '\mfplat.dll'
- '\mi.dll'
- '\midimap.dll'
- '\miutils.dll'
- '\mlang.dll'
- '\mmdevapi.dll'
- '\mobilenetworking.dll'
- '\mpr.dll'
- '\mprapi.dll'
- '\mrmcorer.dll'
- '\msacm32.dll'
- '\mscms.dll'
- '\mscoree.dll'
- '\msctf.dll'
- '\msctfmonitor.dll'
- '\msdrm.dll'
- '\msftedit.dll'
- '\msi.dll'
- '\msutb.dll'
- '\mswb7.dll'
- '\mswsock.dll'
- '\msxml3.dll'
- '\mtxclu.dll'
- '\napinsp.dll'
- '\ncrypt.dll'
- '\ndfapi.dll'
- '\netid.dll'
- '\netiohlp.dll'
- '\netplwiz.dll'
- '\netprofm.dll'
- '\netsetupapi.dll'
- '\netshell.dll'
- '\netutils.dll'
- '\networkexplorer.dll'
- '\newdev.dll'
- '\ninput.dll'
- '\nlaapi.dll'
- '\nlansp_c.dll'
- '\npmproxy.dll'
- '\nshhttp.dll'
- '\nshipsec.dll'
- '\nshwfp.dll'
- '\ntdsapi.dll'
- '\ntlanman.dll'
- '\ntlmshared.dll'
- '\ntmarta.dll'
- '\ntshrui.dll'
- '\oleacc.dll'
- '\omadmapi.dll'
- '\onex.dll'
- '\osbaseln.dll'
- '\osuninst.dll'
- '\p2p.dll'
- '\p2pnetsh.dll'
- '\p9np.dll'
- '\pcaui.dll'
- '\pdh.dll'
- '\peerdistsh.dll'
- '\pla.dll'
- '\pnrpnsp.dll'
- '\policymanager.dll'
- '\polstore.dll'
- '\printui.dll'
- '\propsys.dll'
- '\prvdmofcomp.dll'
- '\puiapi.dll'
- '\radcui.dll'
- '\rasapi32.dll'
- '\rasgcw.dll'
- '\rasman.dll'
- '\rasmontr.dll'
- '\reagent.dll'
- '\regapi.dll'
- '\resutils.dll'
- '\rmclient.dll'
- '\rpcnsh.dll'
- '\rsaenh.dll'
- '\rtutils.dll'
- '\rtworkq.dll'
- '\samcli.dll'
- '\samlib.dll'
- '\sapi_onecore.dll'
- '\sas.dll'
- '\scansetting.dll'
- '\scecli.dll'
- '\schedcli.dll'
- '\secur32.dll'
- '\shell32.dll'
- '\slc.dll'
- '\snmpapi.dll'
- '\spp.dll'
- '\sppc.dll'
- '\srclient.dll'
- '\srpapi.dll'
- '\srvcli.dll'
- '\ssp.exe_rsaenh.dll'
- '\ssp_isv.exe_rsaenh.dll'
- '\sspicli.dll'
- '\ssshim.dll'
- '\staterepository.core.dll'
- '\structuredquery.dll'
- '\sxshared.dll'
- '\tapi32.dll'
- '\tbs.dll'
- '\tdh.dll'
- '\tquery.dll'
- '\tsworkspace.dll'
- '\ttdrecord.dll'
- '\twext.dll'
- '\twinapi.dll'
- '\twinui.appcore.dll'
- '\uianimation.dll'
- '\uiautomationcore.dll'
- '\uireng.dll'
- '\uiribbon.dll'
- '\updatepolicy.dll'
- '\userenv.dll'
- '\utildll.dll'
- '\uxinit.dll'
- '\uxtheme.dll'
- '\vaultcli.dll'
- '\virtdisk.dll'
- '\vssapi.dll'
- '\vsstrace.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\wcmapi.dll'
- '\wcnnetsh.dll'
- '\wdi.dll'
- '\wdscore.dll'
- '\webservices.dll'
- '\wecapi.dll'
- '\wer.dll'
- '\wevtapi.dll'
- '\whhelper.dll'
- '\wimgapi.dll'
- '\winbrand.dll'
- '\windows.storage.dll'
- '\windows.storage.search.dll'
- '\windowscodecs.dll'
- '\windowscodecsext.dll'
- '\windowsudk.shellcommon.dll'
- '\winhttp.dll'
- '\wininet.dll'
- '\winipsec.dll'
- '\winmde.dll'
- '\winmm.dll'
- '\winnsi.dll'
- '\winrnr.dll'
- '\winsqlite3.dll'
- '\winsta.dll'
- '\wkscli.dll'
- '\wlanapi.dll'
- '\wlancfg.dll'
- '\wldp.dll'
- '\wlidprov.dll'
- '\wmiclnt.dll'
- '\wmidcom.dll'
- '\wmiutils.dll'
- '\wmsgapi.dll'
- '\wofutil.dll'
- '\wpdshext.dll'
- '\wshbth.dll'
- '\wshelper.dll'
- '\wtsapi32.dll'
- '\wwapi.dll'
- '\xmllite.dll'
- '\xolehlp.dll'
- '\xwizards.dll'
- '\xwtpw32.dll'
- '\aclui.dll'
- '\bderepair.dll'
- '\bootmenuux.dll'
- '\dcntel.dll'
- '\dwmcore.dll'
- '\dynamoapi.dll'
- '\fhsvcctl.dll'
- '\fxsst.dll'
- '\inproclogger.dll'
- '\iumbase.dll'
- '\kdstub.dll'
- '\maintenanceui.dll'
- '\mdmdiagnostics.dll'
- '\mintdh.dll'
- '\msdtctm.dll'
- '\nettrace.dll'
- '\osksupport.dll'
- '\reseteng.dll'
- '\resetengine.dll'
- '\spectrumsyncclient.dll'
- '\srcore.dll'
- '\systemsettingsthresholdadminflowui.dll'
- '\timesync.dll'
- '\upshared.dll'
- '\wmpdui.dll'
- '\wwancfg.dll'
- '\dpx.dll'
filter_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\SoftwareDistribution\'
filter_systemp:
ImageLoaded|startswith: 'C:\Windows\SystemTemp\'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: medium
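Review bot: The entries `'\isv.exe_rsaenh.dll'`, `'\ssp.exe_rsaenh.dll'` and `'\ssp_isv.exe_rsaenh.dll'` look like composite names from the source list rather than file names Windows actually loads; if the intended DLL is `rsaenh.dll` (already in the list), these three entries are dead and should be removed — please confirm against the hijacklibs reference. The list is alphabetical from `activeds.dll` to `xwtpw32.dll` (with `shfolder.dll` out of place at the top) and then continues with an unsorted tail from `aclui.dll` to `dpx.dll`; keeping the whole list sorted makes duplicates and future additions easier to review. The `filter_generic` prefixes assume the system drive is `C:`, which is reasonable but worth a comment, since on an installation with Windows on another drive the filter would not apply and every system DLL load would raise a medium alert.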
@@ -8,7 +8,7 @@ references:
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
date: 2019/10/27
modified: 2022/02/21
modified: 2022/08/09
logsource:
category: image_load
product: windows
@@ -52,10 +52,12 @@ detection:
- '-k UnistackSvcGroup -s WpnUserService'
filter2: # Not available in Sysmon, but in Aurora
CommandLine:
- 'C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding'
- 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
- 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
condition: (signedprocess or unsignedprocess) and not filter1 and not filter2
filter3:
CommandLine|startswith: 'C:\WINDOWS\winsxs\'
CommandLine|endswith: '\TiWorker.exe -Embedding'
condition: (signedprocess or unsignedprocess) and not 1 of filter*
fields:
- ComputerName
- User
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
date: 2022/07/17
modified: 2022/08/02
modified: 2022/08/10
logsource:
product: windows
category: image_load
@@ -20,7 +20,9 @@ detection:
- '\Downloads\'
- '\AppData\Local\Temp\'
- 'C:\PerfLogs\'
condition: selection
filter:
ImageLoaded|contains: '\Program Files'
condition: selection and not filter
falsepositives:
- Unknown
level: high
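Review bot: The new `filter` suppresses any `ImageLoaded` that merely contains `'\Program Files'`, and since the paths this rule targets (`\Downloads\`, `\AppData\Local\Temp\`, `C:\PerfLogs\`) are user-writable, that substring can appear in a path the selection is meant to catch; anchor it instead as `ImageLoaded|startswith:` with the two real install roots `'C:\Program Files\'` and `'C:\Program Files (x86)\'`. The `selection` this filter applies to starts above the hunk, so the exact selection modifier is inferred from the visible value lines.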
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
status: experimental
date: 2020/05/02
modified: 2021/12/05
modified: 2022/08/13
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.collection
@@ -27,10 +27,12 @@ detection:
- 'C:\Windows\Microsoft.NET\'
- 'C:\Windows\ImmersiveControlPanel\'
filter2:
Image:
- 'C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
- 'C:\Users\\*\GitHubDesktop\Update.exe'
- 'C:\Windows\System32\NhNotifSys.exe'
Image: 'C:\Windows\System32\NhNotifSys.exe'
filter3:
Image|startswith: 'C:\Users\'
Image|endswith:
- '\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
- '\GitHubDesktop\Update.exe'
condition: selection and not 1 of filter*
falsepositives:
- Unknown
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
status: experimental
date: 2020/10/20
modified: 2022/04/29
modified: 2022/08/13
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
@@ -24,19 +24,22 @@ detection:
- OriginalFileName:
- 'credui.dll'
- 'wincredui.dll'
filter:
- Image|startswith:
filter_start:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\explorer.exe'
- 'C:\Program Files\'
- 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe'
- 'C:\Program Files (x86)\'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- 'C:\Users\\*\AppData\Roaming\Spotify\Spotify.exe'
- Image|endswith: '\opera_autoupdate.exe'
- Image|contains: '\Local\Microsoft\OneDrive\'
condition: selection and not filter
filter_end:
Image|endswith: '\opera_autoupdate.exe'
filter_full:
Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
filter_user:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe'
filter_path:
Image|contains: '\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
level: medium
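Review bot: `filter_path` keeps the old unanchored `Image|contains: '\Local\Microsoft\OneDrive\'`, while the neighbouring `filter_user` shows the safer shape (`Image|startswith: 'C:\Users\'` combined with an `endswith`); since this hunk already reshapes the filters, give `filter_path` the same `Image|startswith: 'C:\Users\'` anchor so the exclusion only applies under user profiles. The `'C:\Program Files\'` and `'C:\Program Files (x86)\'` prefixes in `filter_start` predate this change but remain the broadest exclusion in the rule and deserve a comment explaining why whole program directories are trusted here.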
@@ -4,35 +4,38 @@ status: test
description: Detects an executable in the Windows folder accessing suspicious domains
author: Florian Roth
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
date: 2018/08/30
modified: 2022/07/22
modified: 2022/08/09
logsource:
category: network_connection
product: windows
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- 'dl.dropboxusercontent.com'
- '.pastebin.com'
- '.githubusercontent.com' # includes both gists and github repositories
- 'cdn.discordapp.com/attachments/'
- 'mediafire.com'
- 'mega.nz'
- 'ddns.net'
- '.paste.ee'
- '.hastebin.com/raw/'
- '.ghostbin.co/'
- 'ufile.io'
Image|startswith:
- 'C:\Windows\'
- 'C:\Users\Public\'
condition: selection
selection:
Initiated: 'true'
DestinationHostname|endswith:
- 'dl.dropboxusercontent.com'
- '.pastebin.com'
- '.githubusercontent.com' # includes both gists and github repositories
- 'cdn.discordapp.com/attachments/'
- 'mediafire.com'
- 'mega.nz'
- 'ddns.net'
- '.paste.ee'
- '.hastebin.com/raw/'
- '.ghostbin.co/'
- 'ufile.io'
- 'anonfiles.com'
- 'send.exploit.in'
Image|startswith:
- 'C:\Windows\'
- 'C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.lateral_movement
- attack.t1105
- attack.lateral_movement
- attack.t1105
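Review bot: Several values in `DestinationHostname|endswith` contain a path component — `'cdn.discordapp.com/attachments/'`, `'.hastebin.com/raw/'`, `'.ghostbin.co/'` — and a hostname field cannot end with `/attachments/` or `/raw/`, so these entries can never match unless the backend maps the field to a full URL; they predate this hunk but the re-indentation rewrites them, so trim them to the host part (`'cdn.discordapp.com'`, `'.hastebin.com'`, `'.ghostbin.co'`) or move them to a URL-bearing field. Which of the duplicated stanzas is old and which is new is not recoverable from this rendering; the point holds for the stanza that carries the added `anonfiles.com` and `send.exploit.in` entries.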
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
date: 2019/09/12
modified: 2022/07/29
modified: 2022/08/16
logsource:
category: network_connection
product: windows
@@ -26,7 +26,13 @@ detection:
- 'SERVICE R'
- 'SEAU'
- SourceIp|startswith: '0:0:'
condition: selection and not filter
- Image:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
filter_localhost:
SourceIp: '::1'
DestinationIp: '::1'
condition: selection and not 1 of filter*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
@@ -14,7 +14,7 @@ logsource:
detection:
selection:
- Image|contains:
# - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows
# - '\ProgramData\' # too many false positives, e.g. with Webex for Windows
- '\Users\All Users\'
- '\Users\Default\'
- '\Users\Public\'
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
status: experimental
author: frack113
date: 2022/01/01
date: 2022/08/13
logsource:
product: windows
category: ps_script
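Review bot: `date: 2022/01/01` is replaced by `date: 2022/08/13` instead of adding a `modified:` entry, which rewrites the rule's creation date; the other edited rules in this commit keep `date` and add `modified`. Restore `date: 2022/01/01` and add `modified: 2022/08/13` directly below it. The escaping fix in the second hunk of this file is fine on its own.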
@@ -18,7 +18,7 @@ detection:
- '-psprovider '
- 'filesystem'
- '-root '
- '\\'
- '\\\\'
- '$'
condition: selection
falsepositives:
@@ -6,7 +6,7 @@ references:
status: experimental
author: Christian Burkard, Tim Shelton
date: 2021/07/28
modified: 2022/06/20
modified: 2022/08/09
logsource:
category: process_access
product: windows
@@ -18,7 +18,8 @@ detection:
SourceImage: 'C:\Windows\Explorer.EXE'
falsepositive2:
TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe'
SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
SourceImage|endswith: '\MicrosoftEdgeUpdate.exe'
falsepositive3:
TargetImage|endswith: 'vcredist_x64.exe'
SourceImage|endswith: 'vcredist_x64.exe'
@@ -3,6 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
date: 2020/09/09
modified: 2022/08/13
author: Bhabesh Raj, Jonhnathan Ribeiro
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
@@ -17,8 +18,8 @@ detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
- '|C:\\Windows\\System32\\KERNELBASE.dll+'
- 'C:\Windows\SYSTEM32\ntdll.dll+'
- '|C:\Windows\System32\KERNELBASE.dll+'
- '_ctypes.pyd+'
- 'python27.dll+'
GrantedAccess: '0x1FFFFF'
@@ -7,7 +7,7 @@ status: experimental
description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
author: Florian Roth
date: 2022/03/13
modified: 2022/07/21
modified: 2022/08/13
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -32,12 +32,14 @@ detection:
- 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
- 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
- 'C:\WINDOWS\system32\taskhostw.exe'
- 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- 'C:\Program Files\Windows Defender\MsMpEng.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\lsass.exe'
- 'C:\WINDOWS\System32\perfmon.exe'
- 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
- 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'
- 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
# Windows Defender
filter2:
SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
@@ -61,12 +63,6 @@ detection:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
SourceImage|contains: 'Antivirus'
filter7:
SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
filter8:
SourceImage: 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'
filter_mcafee:
SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
filter_nextron:
# SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' # Can be a manual THOR installation
SourceImage|endswith:
@@ -95,6 +91,7 @@ detection:
- '\DropboxUpdate.exe'
- '\MBAMInstallerService.exe'
- '\WebEx\WebexHost.exe '
- '\Programs\Microsoft VS Code\Code.exe'
condition: selection and not 1 of filter*
fields:
- User
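Review bot: The entry directly above the new `'\Programs\Microsoft VS Code\Code.exe'` line, `'\WebEx\WebexHost.exe '`, ends with a trailing space inside the quotes; assuming this list sits under a `SourceImage|endswith:` modifier, as the leading backslashes suggest (the list header is above the hunk), an image path will not end with a space and that exclusion is dead. Since this hunk extends the list, drop the trailing space: `- '\WebEx\WebexHost.exe'`. Moving the VS Code entry from a full `C:\Users\\*\...` path in the first hunk to this `endswith` form widens it slightly to any location ending in that suffix, which seems acceptable but is worth a one-line comment.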
@@ -9,6 +9,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: Florian Roth
date: 2022/05/20
modified: 2022/08/13
logsource:
category: process_creation
product: windows
@@ -20,9 +21,9 @@ detection:
- Company: AnyDesk Software GmbH
filter:
Image|contains:
- '\\AppData\\'
- 'Program Files (x86)\\AnyDesk'
- 'Program Files\\AnyDesk'
- '\AppData\'
- 'Program Files (x86)\AnyDesk'
- 'Program Files\AnyDesk'
condition: selection and not filter
falsepositives:
- Legitimate use of AnyDesk from a non-standard folder
@@ -6,7 +6,7 @@ author: Florian Roth
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
date: 2019/02/21
modified: 2022/06/28
modified: 2022/08/13
logsource:
category: process_creation
product: windows
@@ -19,7 +19,7 @@ detection:
- '/C'
- '/Q'
- '/H'
- '\\'
- '\\\\'
selection2:
Image|endswith: '\adexplorer.exe'
CommandLine|contains|all:
@@ -22,7 +22,7 @@ logsource:
detection:
selection:
CommandLine:
- 'net use \\%DomainController%\C$ "P@ssw0rd" *'
- 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
@@ -6,6 +6,7 @@ references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
tags:
- attack.defense_evasion
- attack.persistence
@@ -13,6 +14,7 @@ tags:
- attack.s0190
- attack.t1036.003
date: 2022/06/28
modified: 2022/08/09
author: Florian Roth
logsource:
category: process_creation
@@ -20,12 +22,12 @@ logsource:
detection:
selection:
Image|endswith: '\bitsadmin.exe'
CommandLine|contains:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_domain:
CommandLine|contains:
CommandLine|contains:
- 'raw.githubusercontent.com'
- 'gist.githubusercontent.com'
- 'pastebin.com'
@@ -38,6 +40,8 @@ detection:
- '.ghostbin.co/'
- 'ufile.io'
- 'storage.googleapis.com'
- 'anonfiles.com'
- 'send.exploit.in'
condition: all of selection*
fields:
- CommandLine
@@ -4,34 +4,34 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
author: _pete_0, TheDFIRReport
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
date: 2022/05/06
modified: 2022/05/06
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection:
CommandLine|startswith:
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- Invoke-UserHunter
- Invoke-ShareFinder
- Invoke-Kerberoast
- Invoke-SMBAutoBrute
- Invoke-Nightmare
- zerologon
- av_query
Image|endswith: '\cmd.exe'
condition: selection
selection:
Image|endswith: '\cmd.exe'
CommandLine|startswith:
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- Invoke-UserHunter
- Invoke-ShareFinder
- Invoke-Kerberoast
- Invoke-SMBAutoBrute
- Invoke-Nightmare
- zerologon
- av_query
condition: selection
fields:
- CommandLine
- CommandLine
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.execution
- attack.t1059.003
- attack.execution
- attack.t1059.003
@@ -3,6 +3,7 @@ id: 689308fc-cfba-4f72-9897-796c1dc61487
status: test
author: frack113
date: 2021/10/12
modified: 2022/08/13
description: Conti ransomware command line ioc
references:
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
@@ -21,7 +22,7 @@ detection:
- '-net '
- '-size ' #size 10 in references
- '-nomutex '
- '-p \\'
- '-p \\\\'
- '$'
condition: selection
falsepositives:
@@ -7,28 +7,28 @@ references:
- https://attack.mitre.org/techniques/T1196/
- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
date: 2020/06/22
modified: 2022/05/10
modified: 2022/08/11
logsource:
product: windows
category: process_creation
detection:
selection1:
selection_reg:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- 'add'
- 'CurrentVersion\Control Panel\CPLs'
selection_cpl:
CommandLine|endswith: '.cpl'
filter:
filter_cpl_sys:
CommandLine|contains:
- '\System32\'
- '%System%'
fp1_igfx:
filter_cpl_igfx:
CommandLine|contains|all:
- 'regsvr32 '
- ' /s '
- 'igfxCPL.cpl'
selection2:
Image|endswith: '\reg.exe'
CommandLine|contains: 'add'
selection3:
CommandLine|contains: 'CurrentVersion\Control Panel\CPLs'
condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3)
condition: selection_reg or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
- Unknown
level: high
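Review bot: `filter_cpl_sys` suppresses any `.cpl` command line that contains `\System32\` or `%System%` anywhere, so the exclusion is decided by a substring of the command line rather than by where the `.cpl` actually resides; this is inherited from the old `filter`, but the rename is a good moment to record the trade-off with a comment above `filter_cpl_sys:` such as `# Substring exclusion on CommandLine: only suppresses .cpl loads whose command line references the system directory`. The same consideration applies to `filter_cpl_igfx`. The new `selection_reg`/`selection_cpl` split and the `1 of filter_cpl_*` condition otherwise preserve the old logic as far as the visible lines show.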
@@ -0,0 +1,37 @@
title: Sc Or Set-Service Cmdlet Execution to Disable Services
id: 85c312b7-f44d-4a51-a024-d671c40b49fc
status: experimental
description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled"
author: Nasreddine Bencherchali
references:
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
date: 2022/08/01
logsource:
category: process_creation
product: windows
detection:
selection_sc_img:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_cli:
CommandLine|contains|all:
- ' config '
- 'start'
CommandLine|contains:
- 'disabled'
- 'demand'
selection_pwsh:
CommandLine|contains|all:
- 'Set-Service'
- '-StartupType'
CommandLine|contains:
- 'Disabled'
- 'Manual'
condition: all of selection_sc_* or selection_pwsh
falsepositives:
- Administrators settings a service to disable via script or cli for testing purposes
level: medium
tags:
- attack.execution
- attack.defense_evasion
- attack.t1562.001
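Review bot: The description of this new rule says the startup type is changed to "disabled", but `selection_sc_cli` and `selection_pwsh` also fire on `demand` / `Manual`, so the rule is broader than it documents. Either drop those two values or extend the description, e.g. `description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"`. The `attack.execution` tag also reads oddly for what the other tags mark as a defense-evasion rule, though that is a tagging choice rather than a defect.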
@@ -6,6 +6,7 @@ references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
author: Bhabesh Raj
date: 2022/08/01
modified: 2022/08/09
tags:
- attack.defense_evasion
- attack.t1574.002
@@ -13,12 +14,14 @@ logsource:
product: windows
category: process_creation
detection:
selection:
selection:
Image|endswith: '\MpCmdRun.exe'
legit_path:
Image|startswith: # MpCmdRun resides in two locations
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Windows\winsxs\x86_security-malware-windows-defender_' # found on Win7 i386
- 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' # found on Win7 i386
condition: selection and not legit_path
falsepositives:
- Unknown
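Review bot: `legit_path` is an exclusion, but it does not carry the `filter_` prefix the other rules touched in this commit use for exclusions (`filter_cpl_sys`, `filter_dropbox`), which makes `condition: selection and not legit_path` slower to read; `filter_legit_path:` with `condition: selection and not filter_legit_path` would follow that convention. The four `Image|startswith` entries also hard-code the `C:` drive, so a host whose system drive differs would fall outside the allow-list and alert — presumably acceptable, but worth a line in `falsepositives`. The rule header is in the preceding hunk.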
@@ -19,7 +19,7 @@ detection:
selection:
CommandLine|contains: # Add more paths as they are discovered
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\\SimonTatham\\PuTTY\SshHostKeys\'
- '\Software\\SimonTatham\PuTTY\SshHostKeys\'
- '\Software\Mobatek\MobaXterm\'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
- '\Software\Aerofox\FoxmailPreview'
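Review bot: The corrected entry still doubles the backslash in `\\SimonTatham` while the sibling entry two lines above (`'\Software\SimonTatham\PuTTY\Sessions'`) and every other path in this list use single backslashes. Sigma reads both forms as one literal backslash, so this is a style point only, but for a uniform list the value would read `- '\Software\SimonTatham\PuTTY\SshHostKeys\'`. The enclosing selection continues outside the hunk.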
@@ -4,29 +4,31 @@ status: test
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
author: Florian Roth, oscd.community, Jonhnathan Ribeiro
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
date: 2019/09/06
modified: 2021/11/27
modified: 2022/08/06
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
selection2:
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'magnify.exe'
- 'narrator.exe'
- 'displayswitch.exe'
- 'atbroker.exe'
condition: all of selection*
selection1:
CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
selection2:
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'magnify.exe'
- 'narrator.exe'
- 'displayswitch.exe'
- 'atbroker.exe'
- 'HelpPane.exe'
condition: all of selection*
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.008
- attack.persistence
- attack.privilege_escalation
- attack.t1546.008
@@ -9,6 +9,7 @@ tags:
- attack.t1105
author: frack113
date: 2021/11/26
modified: 2022/08/13
logsource:
category: process_creation
product: windows
@@ -16,7 +17,7 @@ detection:
selection:
CommandLine|contains|all:
- diantz.exe
- ' \\'
- ' \\\\'
- '.cab'
condition: selection
falsepositives:
@@ -9,7 +9,7 @@ tags:
- attack.t1105
author: frack113
date: 2021/11/26
modified: 2022/07/08
modified: 2022/08/13
logsource:
category: process_creation
product: windows
@@ -24,7 +24,7 @@ detection:
CommandLine|contains:
- /C
- /Y
- ' \\'
- ' \\\\'
condition: all of selection_*
falsepositives:
- Unknown
@@ -6,6 +6,7 @@ author: Florian Roth
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
date: 2022/02/25
modified: 2022/08/13
logsource:
category: process_creation
product: windows
@@ -15,7 +16,7 @@ detection:
selection2:
- CommandLine|contains:
- 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
- ' 1> \\127.0.0.1\ADMIN$\__16'
- ' 1> \\\\127.0.0.1\ADMIN$\__16'
- CommandLine|contains|all:
- 'powershell -c '
- '\comsvcs.dll MiniDump '
@@ -3,16 +3,18 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
description: Detects a command that accesses password storing registry hives via volume shadow backups
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
modified: 2021/12/02
modified: 2022/08/13
status: experimental
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
logsource:
category: process_creation
product: windows
detection:
selection_1:
#copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
selection_2:
CommandLine|contains:
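Review bot: The comment added above `CommandLine|contains` in `selection_1` has no space after `#`, which yamllint's `comments` rule flags; the other comments this commit adds (`# Spawns DismHost.exe ...`, `# Add specific services ...`) use `# `. Insert the space so it reads `# copy \\?\GLOBALROOT...`. The selection list continues outside the hunk.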
@@ -0,0 +1,25 @@
title: Mshta Remotely Hosted HTA File Execution
id: b98d0db6-511d-45de-ad02-e82a98729620
status: experimental
description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
author: Nasreddine Bencherchali
references:
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
date: 2022/08/08
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'MSHTA.EXE'
selection_cli:
CommandLine|contains: 'http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.execution
- attack.t1218.005
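Review bot: `selection_cli` matches the bare substring `http`, which also hits any mshta argument that merely contains those four letters (a file or directory name, a `vbscript:` payload that embeds the word), and with `level: high` and `falsepositives: Unknown` that is a wide net for the "remotely hosted" case the description targets. Matching the scheme instead — `CommandLine|contains:` with the items `- 'http://'` and `- 'https://'` — keeps the remote-HTA case while dropping incidental matches; if the bare substring is intentional, say so in `falsepositives`.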
@@ -7,7 +7,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/10/30
modified: 2019/11/11
modified: 2022/08/13
tags:
- attack.discovery
- attack.t1018
@@ -21,7 +21,7 @@ detection:
- '\net1.exe'
CommandLine|contains: 'view'
filter:
CommandLine|contains: \\\
CommandLine|contains: \\\\
condition: selection and not filter
fields:
- ComputerName
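Review bot: The new filter value `\\\\` is an unquoted plain scalar, while the equivalent values this commit adds elsewhere (`' \\\\'` in the diantz rule above) are single-quoted; a plain scalar keeps backslashes literally so it parses, but quoting makes the escaping intent explicit and consistent across the rules. Suggest `CommandLine|contains: '\\\\'`. The selection above is partly outside the hunk.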
@@ -0,0 +1,27 @@
title: Netsh Firewall Rule Deletion
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: experimental
description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
author: frack113
references:
- https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
date: 2022/08/14
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\netsh.exe'
CommandLine|contains|all:
- 'firewall'
- 'delete'
filter_dropbox:
ParentImage|endswith: '\Dropbox.exe'
CommandLine|contains: 'name=Dropbox'
condition: selection and not filter_dropbox
falsepositives:
- Legitimate administration
level: medium
tags:
- attack.defense_evasion
- attack.t1562.004
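Review bot: `selection` identifies netsh only by `Image|endswith: '\netsh.exe'`, whereas the other new process_creation rules in this commit (`selection_sc_img`, and `selection_img` in the mshta and SafeBoot rules) pair the image name with `OriginalFileName`, so a renamed copy of the binary bypasses this rule but not those. Splitting the image match into its own list-form selection and keeping the command-line part separate, as below, brings it in line with the siblings; `filter_dropbox` and the rest of the file are unchanged.
```yaml
detection:
  selection_img:
    - Image|endswith: '\netsh.exe'
    - OriginalFileName: 'netsh.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'firewall'
      - 'delete'
  # … unchanged: filter_dropbox …
  condition: all of selection_* and not filter_dropbox
```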
@@ -1,24 +1,36 @@
title: Use NTFS Short Name in Command Line
id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
title: Use Short Name Path in Command Line
id: 349d891d-fef0-4fe4-bc53-eee623a15969
related:
- id: a96970af-f126-420d-90e1-d37bf25e50e1
type: similar
status: experimental
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
author: frack113, Nasreddine Bencherchali
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
date: 2022/08/05
- https://twitter.com/frack113/status/1555830623633375232
date: 2022/08/07
modified: 2022/08/12
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1.'
- '~2.'
condition: selection
CommandLine|contains:
- '~1\'
- '~2\'
filter:
- ParentImage:
- C:\Windows\System32\Dism.exe
- C:\Windows\System32\cleanmgr.exe
- ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
tags:
- attack.defense_evasion
- attack.t1564.004
- attack.t1564.004
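Review bot: The two `ParentImage:` values in the new `filter` (`C:\Windows\System32\Dism.exe`, `C:\Windows\System32\cleanmgr.exe`) are plain unquoted scalars while the `ParentImage|endswith` entries right below and every other path value in this rule are single-quoted; backslashes are literal in plain YAML scalars, so it parses, but quoting them keeps the file uniform. The sibling "Use Short Name Path in Image" rule annotates the same exclusions (`# Spawns DismHost.exe with a shortened username (if too long)`, `# Spawns a shortened version of the CLI and Image processes`), and carrying those comments over here would explain why each parent is excluded.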
@@ -0,0 +1,36 @@
title: Use Short Name Path in Image
id: a96970af-f126-420d-90e1-d37bf25e50e1
related:
- id: 349d891d-fef0-4fe4-bc53-eee623a15969
type: similar
status: experimental
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection
author: frack113, Nasreddine Bencherchali
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
- https://twitter.com/frack113/status/1555830623633375232
date: 2022/08/07
modified: 2022/08/12
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1\'
- '~2\'
filter:
- ParentImage:
- C:\Windows\System32\Dism.exe
- C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long)
- ParentImage|endswith:
- '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
- '\thor\thor64.exe'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: high
tags:
- attack.defense_evasion
- attack.t1564.004
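Review bot: The description has a typo, `avoid Iamge detection`; suggest `description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection`. This rule is `level: high` while its command-line twin with identical filters and falsepositives text is `medium` — presumably deliberate because the Image field is the stronger signal, but a short comment next to `level` would save the next reader the comparison.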
@@ -0,0 +1,49 @@
title: Use NTFS Short Name in Command Line
id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
related:
- id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
type: similar
status: experimental
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
author: frack113, Nasreddine Bencherchali
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
- https://twitter.com/jonasLyk/status/1555914501802921984
date: 2022/08/05
modified: 2022/08/12
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1.exe'
- '~1.bat'
- '~1.msi'
- '~1.vbe'
- '~1.vbs'
- '~1.dll'
- '~1.ps1'
- '~1.js'
- '~1.hta'
- '~2.exe'
- '~2.bat'
- '~2.msi'
- '~2.vbe'
- '~2.vbs'
- '~2.dll'
- '~2.ps1'
- '~2.js'
- '~2.hta'
filter:
ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
tags:
- attack.defense_evasion
- attack.t1564.004
@@ -0,0 +1,49 @@
title: Use NTFS Short Name in Image
id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
related:
- id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
type: similar
status: experimental
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
author: frack113, Nasreddine Bencherchali
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
- https://twitter.com/jonasLyk/status/1555914501802921984
date: 2022/08/06
modified: 2022/08/12
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1.exe'
- '~1.bat'
- '~1.msi'
- '~1.vbe'
- '~1.vbs'
- '~1.dll'
- '~1.ps1'
- '~1.js'
- '~1.hta'
- '~2.exe'
- '~2.bat'
- '~2.msi'
- '~2.vbe'
- '~2.vbs'
- '~2.dll'
- '~2.ps1'
- '~2.js'
- '~2.hta'
filter:
ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
tags:
- attack.defense_evasion
- attack.t1564.004
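Review bot: `falsepositives` here is `Unknown`, while the command-line twin above, with the same `filter` and the same WebEx/THOR exclusions, documents that applications occasionally use this notation; the same text would be accurate for this rule too. Most of the `Image|contains` entries (`~1.bat`, `~1.msi`, `~1.vbs`, `~1.dll`, `~1.ps1`, `~1.js`, `~1.hta` and their `~2` twins) look unlikely to ever match, since `Image` is the process executable path and those extensions are normally run through an interpreter whose image name is what gets logged — worth confirming before keeping them, or noting why they stay.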
@@ -1,11 +1,12 @@
title: Procdump Usage
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
description: Detects uses of the SysInternals Procdump utility
description: Detects usage of the SysInternals Procdump utility
status: experimental
references:
- Internal Research
author: Florian Roth
date: 2021/08/16
modified: 2022/08/11
tags:
- attack.defense_evasion
- attack.t1036
@@ -14,15 +15,11 @@ logsource:
category: process_creation
product: windows
detection:
selection1:
selection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
selection2:
CommandLine|contains|all:
- ' -ma '
- '.exe'
condition: selection1 or selection2
condition: selection
falsepositives:
- Legitimate use of procdump by a developer or administrator
level: medium
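Review bot: With `selection2` removed, the rule identifies procdump solely by `Image|endswith`, so a renamed copy is no longer caught at all; the new rules in this commit pair the image name with `OriginalFileName` (e.g. `- OriginalFileName: 'sc.exe'`), and writing `selection` as a list of `- Image|endswith:` with the two names plus `- OriginalFileName: '<procdump original file name — verify from the binary's version resource>'` would keep some coverage. Since the ` -ma ` / `.exe` pair was the only command-line signal, `falsepositives` and `level` may also want a second look for the narrower rule. The rule header is in the preceding hunk.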
@@ -0,0 +1,27 @@
title: Delete SafeBoot Keys Via Reg Utility
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
status: experimental
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali, Tim Shelton
date: 2022/08/08
modified: 2022/08/12
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: 'reg.exe'
- OriginalFileName: 'reg.exe'
selection_delete:
CommandLine|contains|all:
- ' delete '
- '\SYSTEM\CurrentControlSet\Control\SafeBoot'
condition: all of selection*
falsepositives:
- Unlikely
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
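Review bot: `selection_img` uses `Image|endswith: 'reg.exe'` without the leading path separator, so any image whose name merely ends in `reg.exe` also matches; the other reg.exe rules in this commit (the CPL and RDP rules) use `Image|endswith: '\reg.exe'`. Change it to `- Image|endswith: '\reg.exe'`; the `OriginalFileName: 'reg.exe'` entry below it is fine as written.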
@@ -16,6 +16,7 @@ detection:
selection_delete:
CommandLine|contains: ' delete '
selection_key:
# Add specific services if you would like the rule to be more specific
CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
condition: all of selection*
falsepositives:
@@ -1,28 +1,28 @@
title: Enabling RDP Service via Reg.exe
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: experimental
description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host
description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' subkeys
author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
modified: 2022/03/15
modified: 2022/08/06
logsource:
product: windows
category: process_creation
detection:
selection1:
selection_cli:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- ' add '
- '\SYSTEM\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection2:
selection_values_1:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection3:
selection_values_2:
CommandLine|contains:
- 'WinStations\RDP-Tcp'
- 'MaxInstanceCount'
@@ -34,7 +34,7 @@ detection:
- 'TSAdvertise'
- 'AllowTSConnections'
- 'fSingleSessionPerUser'
condition: selection1 and (selection2 or selection3)
condition: selection_cli and 1 of selection_values_*
falsepositives:
- Unknown
level: high
