diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 98f7e89fb..3717f73f1 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -29,3 +29,9 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att
 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$
 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC
 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
+a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
+349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
index cf7d5756b..f40ccf5ea 100644
--- a/.github/workflows/sigma-test.yml
+++ b/.github/workflows/sigma-test.yml
@@ -20,6 +20,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ submodules: true
 - name: Set up Python 3.8
 uses: actions/setup-python@v1
 with:
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 000000000..af5385f20
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "tests/cti"]
+ path = tests/cti
+ url = https://github.com/mitre/cti.git
diff --git a/rules/cloud/azure/azure_guest_invite_failure.yml b/rules/cloud/azure/azure_guest_invite_failure.yml
new file mode 100644
index 000000000..9dcb8d272
--- /dev/null
+++ b/rules/cloud/azure/azure_guest_invite_failure.yml
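Review bot: `submodules: true` on the checkout step now pulls the `tests/cti` submodule declared in the new `.gitmodules` from https://github.com/mitre/cti.git, but the commit it is pinned to lives in the superproject's gitlink entry, which this diff does not show; worth confirming that gitlink is part of the change and points at a tagged mitre/cti release, since it decides which ATT&CK data the test suite validates against. The surrounding steps reference `actions/checkout@v2` and `actions/setup-python@v1` by mutable tag; pinning both to a full commit SHA would keep the workflow's dependencies reproducible. The mitre/cti repository is, as far as I know, several hundred megabytes of JSON, so expect a noticeable increase in checkout time on every run.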
@@ -0,0 +1,23 @@
+title: Guest User Invited By Non Approved Inviters
+id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
+status: experimental
+description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/10
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Invite external user
+ Status: failure
+ condition: selection
+falsepositives:
+ - A non malicious user is unaware of the proper process
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1078
+level: medium
diff --git a/rules/cloud/azure/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/azure_pim_activation_approve_deny.yml
new file mode 100644
index 000000000..238938408
--- /dev/null
+++ b/rules/cloud/azure/azure_pim_activation_approve_deny.yml
@@ -0,0 +1,21 @@
+title: PIM Approvals And Deny Elevation
+id: 039a7469-0296-4450-84c0-f6966b16dc6d
+status: experimental
+description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/09
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Request Approved/Denied
+ condition: selection
+falsepositives:
+ - Actual admin using PIM.
+tags:
+ - attack.privilege_escalation
+ - attack.t1078
+level: high
diff --git a/rules/cloud/azure/azure_pim_alerts_disabled.yml b/rules/cloud/azure/azure_pim_alerts_disabled.yml
new file mode 100644
index 000000000..3881d1b45
--- /dev/null
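Review bot: `Status: failure` in azure_guest_invite_failure.yml is spelled lower-case while azure_privileged_account_creation.yml in the same commit matches `Status: Success`; Sigma specifies case-insensitive string matching, so on compliant backends this is a consistency nit, but backends that fall back to exact comparison would miss one of the two. Worth checking the value Azure AD audit logs actually emit and using the same form in both rules. The tag `attack.defense_evasion` also reads as a loose fit for a failed invite attempt; `attack.persistence` with `attack.t1078` alone looks like the intended mapping, but that is a judgement call.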
+++ b/rules/cloud/azure/azure_pim_alerts_disabled.yml
@@ -0,0 +1,21 @@
+title: PIM Alert Setting Changes To Disabled
+id: aeaef14c-e5bf-4690-a9c8-835caad458bd
+status: experimental
+description: Detects when PIM alerts are set to disabled.
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/09
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Disable PIM Alert
+ condition: selection
+falsepositives:
+ - Administrator disabling PIM alerts as an active choice.
+tags:
+ - attack.defense_evasion
+ - attack.t1484
+level: high
diff --git a/rules/cloud/azure/azure_pim_change_settings.yml b/rules/cloud/azure/azure_pim_change_settings.yml
new file mode 100644
index 000000000..7402c6fbc
--- /dev/null
+++ b/rules/cloud/azure/azure_pim_change_settings.yml
@@ -0,0 +1,22 @@
+title: Changes To PIM Settings
+id: db6c06c4-bf3b-421c-aa88-15672b88c743
+status: experimental
+description: Detects when changes are made to PIM roles
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/09
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Update role setting in PIM
+ condition: selection
+falsepositives:
+ - Legit administrative PIM setting configuration changes
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1078
+level: high
diff --git a/rules/cloud/azure/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/azure_priviledged_role_assignment_add.yml
new file mode 100644
index 000000000..4652ce035
--- /dev/null
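Review bot: azure_pim_alerts_disabled.yml maps to `attack.t1484` (Domain Policy Modification), which does not describe switching off an alert; `attack.t1562` (Impair Defenses) is the closer technique and matches the `attack.defense_evasion` tactic already listed. The title says "Changes To Disabled" while the description says "set to disabled"; one wording, e.g. `title: PIM Alert Setting Changed To Disabled`, would read better.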
+++ b/rules/cloud/azure/azure_priviledged_role_assignment_add.yml
@@ -0,0 +1,23 @@
+title: User Added To Privilege Role
+id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
+status: experimental
+description: Detects when a user is added to a privileged role.
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/06
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message:
+ - Add eligible member (permanent)
+ - Add eligible member (eligible)
+ condition: selection
+falsepositives:
+ - Legtimate administrator actions of adding members from a role
+tags:
+ - attack.persistence
+ - attack.t1098
+level: high
diff --git a/rules/cloud/azure/azure_privileged_account_creation.yml b/rules/cloud/azure/azure_privileged_account_creation.yml
new file mode 100644
index 000000000..f93dbd842
--- /dev/null
+++ b/rules/cloud/azure/azure_privileged_account_creation.yml
@@ -0,0 +1,26 @@
+title: Privileged Account Creation
+id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
+status: experimental
+description: Detects when a new admin is created.
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
+date: 2022/08/11
+modified: 2022/08/16
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message|contains|all:
+ - Add user
+ - Add member to role
+ Status: Success
+ condition: selection
+falsepositives:
+ - A legitmate new admin account being created
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1078
+level: medium
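Review bot: The new file name azure_priviledged_role_assignment_add.yml misspells "privileged", while the sibling added in the same commit is azure_privileged_account_creation.yml; renaming now avoids a churn-heavy fix later. The two `properties.message` values are exact matches (`Add eligible member (permanent)`, `Add eligible member (eligible)`); if the audit activity string carries more text around that fragment, `properties.message|contains` would be the safer modifier, so worth verifying against a captured event. The false-positive entry has a typo and an inverted preposition: `- Legitimate administrator actions of adding members to a role`.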
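Review bot: `properties.message|contains|all` with `Add user` and `Add member to role` in azure_privileged_account_creation.yml requires both strings inside the message of one and the same event. If Azure AD records the user creation and the role assignment as separate audit entries, which I would expect, this selection can never match; the likely intent (a newly created account that is then assigned a role) needs either a single-activity match such as `properties.message: Add member to role` scoped to the target, or a correlation outside this rule. Worth testing against a real event pair before merging, even as `status: experimental`.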
diff --git a/rules/cloud/azure/azure_tap_added.yml b/rules/cloud/azure/azure_tap_added.yml
new file mode 100644
index 000000000..83af179fa
--- /dev/null
+++ b/rules/cloud/azure/azure_tap_added.yml
@@ -0,0 +1,23 @@
+title: Temporary Access Pass Added To An Account
+id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
+status: experimental
+description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/10
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Admin registered security info
+ Status: Admin registered temporary access pass method for user
+ condition: selection
+falsepositives:
+ - Administrator adding a legitmate temporary access pass
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1078
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
new file mode 100644
index 000000000..1c948709a
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
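Review bot: In azure_tap_added.yml the `Status` field is matched against `Admin registered temporary access pass method for user`, which reads like a result-reason or activity description rather than a status value; the other Azure rules in this commit use `Status` for `Success`/`failure`. Worth confirming the field name from a sample event so the selection is not silently dead. If the exact string varies by tenant or locale, a `|contains: 'temporary access pass'` modifier on the correct field would be more forgiving.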
@@ -0,0 +1,27 @@
+title: BPFDoor Abnormal Process ID or Lock File Accessed
+id: 808146b2-9332-4d78-9416-d7e47012d83d
+status: experimental
+description: detects BPFDoor .lock and .pid files access in temporary file storage facility
+author: Rafal Piasecki
+date: 2022/08/10
+references:
+ - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+ - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - /var/run/haldrund.pid
+ - /var/run/xinetd.lock
+ - /var/run/kdevrund.pid
+ condition: selection
+tags:
+ - attack.execution
+ - attack.t1106
+ - attack.t1059
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
new file mode 100644
index 000000000..d4d4624b3
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
@@ -0,0 +1,28 @@
+title: Bpfdoor TCP Ports Redirect
+id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
+status: experimental
+description: All TCP traffic on particular port from attacker is routed to diffrent port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
+author: Rafal Piasecki
+date: 2022/08/10
+references:
+ - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
+ - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
+logsource:
+ product: linux
+ service: auditd
+detection:
+ cmd:
+ type: 'EXECVE'
+ a0|endswith: 'iptables'
+ a1: '-t'
+ a2: 'nat'
+ keywords:
+ - '--to-ports 42'
+ - '--to-ports 43'
+ condition: cmd and keywords
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
+falsepositives:
+ - Legitimate ports redirect
diff --git a/rules/proxy/proxy_baby_shark.yml b/rules/proxy/proxy_baby_shark.yml
index 5b6f980b6..84f28d7fe 100644
--- a/rules/proxy/proxy_baby_shark.yml
+++ b/rules/proxy/proxy_baby_shark.yml
@@ -4,17 +4,18 @@ status: experimental
 description: Detects Baby Shark C2 Framework communication patterns
 author: Florian Roth
 date: 2021/06/09
+modified: 2022/08/15
 references:
 - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
 logsource:
 category: proxy
 detection:
 selection:
- c-uri|contains: 'momyshark?key='
+ c-uri|contains: 'momyshark\?key='
 condition: selection
 falsepositives:
 - Unknown
 level: critical
 tags:
 - attack.command_and_control
- - attack.t1071.001
\ No newline at end of file
+ - attack.t1071.001
diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml
index eea3ebbfc..d3a9e9283 100644
--- a/rules/proxy/proxy_chafer_malware.yml
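Review bot: The `keywords` list in lnx_auditd_bpfdoor_port_redirect.yml is a free-text search for `--to-ports 42` / `--to-ports 43`, but the `cmd` selection is built on auditd EXECVE argument fields (`a0`, `a1`, `a2`), where `--to-ports` and the port number arrive as separate `aN` values; a keyword containing the space-joined pair only matches if the backend reconstructs a full command line, so this should be validated on the target backend. The two prefixes also match any port beginning with 42 or 43 (4200-4399 included), which is broader than the range the references describe as far as I recall; a bounded set would cut false positives. Pinning `a1: '-t'` and `a2: 'nat'` to fixed positions misses orderings such as `iptables -A PREROUTING -t nat`, so the positional constraint is worth relaxing. The description has a typo: `diffrent` should be `different`.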
+++ b/rules/proxy/proxy_chafer_malware.yml
@@ -6,12 +6,12 @@ author: Florian Roth
 references:
 - https://securelist.com/chafer-used-remexi-malware/89538/
 date: 2019/01/31
-modified: 2021/11/27
+modified: 2022/08/15
 logsource:
 category: proxy
 detection:
 selection:
- c-uri|contains: '/asp.asp?ui='
+ c-uri|contains: '/asp.asp\?ui='
 condition: selection
 fields:
 - ClientIP
diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml
index f6e5d2871..d57deaf5d 100644
--- a/rules/proxy/proxy_cobalt_onedrive.yml
+++ b/rules/proxy/proxy_cobalt_onedrive.yml
@@ -6,13 +6,13 @@ author: Markus Neis
 references:
 - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
 date: 2019/11/12
-modified: 2022/01/07
+modified: 2022/08/15
 logsource:
 category: proxy
 detection:
 selection:
 cs-method: 'GET'
- c-uri|endswith: '?manifest=wac'
+ c-uri|endswith: '\?manifest=wac'
 cs-host: 'onedrive.live.com'
 filter:
 c-uri|startswith: 'http'
diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml
index a86801b78..389bf2f5c 100644
--- a/rules/proxy/proxy_ios_implant.yml
+++ b/rules/proxy/proxy_ios_implant.yml
@@ -7,12 +7,12 @@ references:
 - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
 - https://twitter.com/craiu/status/1167358457344925696
 date: 2019/08/30
-modified: 2021/11/27
+modified: 2022/08/15
 logsource:
 category: proxy
 detection:
 selection:
- c-uri|contains: '/list/suc?name='
+ c-uri|contains: '/list/suc\?name='
 condition: selection
 fields:
 - ClientIP
diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml
index 3277e1224..702fee579 100644
--- a/rules/proxy/proxy_susp_flash_download_loc.yml
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml
@@ -6,15 +6,15 @@ author: Florian Roth
 references:
 - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 date: 2017/10/25
-modified: 2022/01/07
+modified: 2022/08/08
 logsource:
 category: proxy
 detection:
 selection:
- - c-uri-query|contains: '/flash_install.php'
- - c-uri-query|endswith: '/install_flash_player.exe'
+ - c-uri|contains: '/flash_install.php'
+ - c-uri|endswith: '/install_flash_player.exe'
 filter:
- c-uri-stem|contains: '.adobe.com/'
+ cs-host|endswith: '.adobe.com'
 condition: selection and not filter
 falsepositives:
 - Unknown flash download locations
diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml
index c546ddb69..cee9dee4a 100644
--- a/rules/proxy/proxy_turla_comrat.yml
+++ b/rules/proxy/proxy_turla_comrat.yml
@@ -6,12 +6,12 @@ author: Florian Roth
 references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 date: 2020/05/26
-modified: 2021/11/27
+modified: 2022/08/15
 logsource:
 category: proxy
 detection:
 selection:
- c-uri|contains: '/index/index.php?h='
+ c-uri|contains: '/index/index.php\?h='
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
index 6516f0304..c16637dc0 100644
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
 author: Florian Roth, Tim Shelton
 date: 2019/03/07
-modified: 2022/05/09
+modified: 2022/08/16
 logsource:
 category: proxy
 detection:
@@ -16,6 +16,7 @@ detection:
 - '.net'
 - '.org'
 - '.scdn.co' # spotify streaming
+ - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
 condition: selection and not falsepositives
 fields:
 - ClientIP
diff --git a/rules/proxy/proxy_ua_susp.yml b/rules/proxy/proxy_ua_susp.yml
index 9f3b33f65..e8a8e0786 100644
--- a/rules/proxy/proxy_ua_susp.yml
+++ b/rules/proxy/proxy_ua_susp.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious malformed user agent strings in proxy logs
 author: Florian Roth
 date: 2017/07/08
-modified: 2022/07/07
+modified: 2022/08/08
 references:
 - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 logsource:
@@ -33,12 +33,17 @@ detection:
 - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
 - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
 falsepositives:
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
+ - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
+ - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
+ - '.acrobat.com'
+ - '.adobe.com'
+ - '.adobe.io'
 condition: 1 of selection* and not falsepositives
 fields:
 - ClientIP
 - c-uri
 - c-useragent
+ - cs-host
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/proxy/proxy_ursnif_malware_download_url.yml b/rules/proxy/proxy_ursnif_malware_download_url.yml
index a320ba350..223ad147c 100644
--- a/rules/proxy/proxy_ursnif_malware_download_url.yml
+++ b/rules/proxy/proxy_ursnif_malware_download_url.yml
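Review bot: The new `falsepositives` selection in proxy_ua_susp.yml is a list of two maps, which Sigma ORs, so the `cs-host|endswith` entry alone suppresses every hit to `*.adobe.com`, `*.acrobat.com` and `*.adobe.io` regardless of user agent, a wider exclusion than the user-agent entry it sits beside. If the intent is only the Adobe Synchronizer traffic named in the comment, keeping the host list in the same map as `c-useragent|startswith: 'Mozilla/3.0 (compatible; Adobe'` would tie the exclusion to that client. Adding `cs-host` to `fields` in the same hunk is the right companion change.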
@@ -4,14 +4,14 @@ status: stable
 description: Detects download of Ursnif malware done by dropper documents.
 author: Thomas Patzke
 date: 2019/12/19
-modified: 2021/08/09
+modified: 2022/08/15
 logsource:
 category: proxy
 detection:
 selection:
 c-uri|contains|all:
 - '/'
- - '.php?l='
+ - '.php\?l='
 c-uri|endswith: '.cab'
 sc-status: 200
 condition: selection
@@ -22,4 +22,4 @@ fields:
 - c-ua
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/web/web_cve_2021_43798_grafana.yml b/rules/web/web_cve_2021_43798_grafana.yml
index fc4fc7478..e4622ae43 100644
--- a/rules/web/web_cve_2021_43798_grafana.yml
+++ b/rules/web/web_cve_2021_43798_grafana.yml
@@ -1,7 +1,7 @@
 title: Grafana Path Traversal Exploitation CVE-2021-43798
 id: 7b72b328-5708-414f-9a2a-6a6867c26e16
 status: experimental
-description: Detects a successful Grafana path traversal exploitation
+description: Detects a successful Grafana path traversal exploitation
 author: Florian Roth
 references:
 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
diff --git a/rules/web/web_cve_2022_31656_auth_bypass.yml b/rules/web/web_cve_2022_31656_auth_bypass.yml
new file mode 100644
index 000000000..1d5de9178
--- /dev/null
+++ b/rules/web/web_cve_2022_31656_auth_bypass.yml
@@ -0,0 +1,22 @@
+title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
+id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
+status: experimental
+description: |
+ Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
+ VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/SAAS/t/_/;/'
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml
new file mode 100644
index 000000000..f4c8b747d
--- /dev/null
+++ b/rules/web/web_cve_2022_31659_vmware_rce.yml
@@ -0,0 +1,22 @@
+title: CVE-2022-31659 VMware Workspace ONE Access RCE
+id: efdb2003-a922-48aa-8f37-8b80021a9706
+status: experimental
+description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+ - Legitimate access to the URI
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1190
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
new file mode 100644
index 000000000..5e469d8ea
--- /dev/null
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
@@ -0,0 +1,28 @@
+title: Ntdsutil Abuse
+id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
+status: experimental
+description: Detects potential abuse of ntdsutil to dump ntds.dit database
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'ESENT'
+ EventID:
+ - 216
+ - 325
+ - 326
+ - 327
+ Data|contains: 'ntds.dit'
+ condition: selection
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
new file mode 100644
index 000000000..e38efe053
--- /dev/null
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
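Review bot: win_esent_ntdsutil_abuse.yml tags only `attack.execution`, but the activity it detects is an NTDS.dit dump, i.e. `attack.credential_access` with `attack.t1003.003`; the sibling win_esent_ntdsutil_abuse_susp_location.yml in this commit has the same gap. The `# warning` comment about the `Data` field is useful; repeating that caveat in `description` would surface it to users who only see rendered rule metadata. `EventID: 216` is listed without the inline meaning the sibling rule gives 325 (`# New Database Created`); a short comment per ID would help reviewers confirm the set is intended.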
@@ -0,0 +1,34 @@
+title: Dump Ntds.dit To Suspicious Location
+id: 94dc4390-6b7c-4784-8ffc-335334404650
+status: experimental
+description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection_root:
+ Provider_Name: 'ESENT'
+ EventID: 325 # New Database Created
+ Data|contains: 'ntds.dit'
+ selection_paths:
+ Data|contains:
+ # Add more locations that you don't use in your env or that are just suspicious
+ - '\Users\Public\'
+ - '\Perflogs\'
+ - '\Temp\'
+ - '\Appdata\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - 'C:\ntds.dit'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
index a6e0ae1ea..3887e38da 100644
--- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
+++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml
@@ -5,8 +5,10 @@ description: Detects a suspicious download using the BITS client from a FQDN tha
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
 - https://twitter.com/malmoeb/status/1535142803075960832
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 author: Florian Roth
 date: 2022/06/28
+modified: 2022/08/09
 logsource:
 product: windows
 service: bits-client
@@ -26,6 +28,8 @@ detection:
 - '.ghostbin.co/'
 - 'ufile.io'
 - 'storage.googleapis.com'
+ - 'anonfiles.com'
+ - 'send.exploit.in'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
new file mode 100644
index 000000000..985646ec8
--- /dev/null
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
@@ -0,0 +1,22 @@
+title: Loading Diagcab Package From Remote Path
+id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
+status: experimental
+description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/nas_bench/status/1539679555908141061
+ - https://twitter.com/j00sean/status/1537750439701225472
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: diagnosis-scripted
+detection:
+ selection:
+ EventID: 101
+ PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
+ condition: selection
+falsepositives:
+ - Legitimate package hosted on a known and authorized remote location
+level: high
diff --git a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
index 206a5ae88..4e5e086ff 100644
--- a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
@@ -4,7 +4,7 @@ description: Backdooring domain object to grant the rights associated with DCSyn
 Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-modified: 2022/05/10
+modified: 2022/08/10
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton
 references:
 - https://twitter.com/menasec1/status/1111556090137903104
@@ -20,13 +20,13 @@ detection:
 EventID: 5136
 AttributeLDAPDisplayName: 'ntSecurityDescriptor'
 AttributeValue|contains:
- - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- - '89e95b76-444d-4c62-991a-0facbeda640c'
+ - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
+ - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
+ - '89e95b76-444d-4c62-991a-0facbeda640c'
 filter1:
- ObjectType:
- - 'dnsNode'
- - 'dnsZoneScope'
+ ObjectClass:
+ - 'dnsNode'
+ - 'dnsZoneScope'
 condition: selection and not 1 of filter*
 falsepositives:
 - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
diff --git a/rules/windows/builtin/security/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml
index fb4373ec1..5fd385255 100644
--- a/rules/windows/builtin/security/win_atsvc_task.yml
+++ b/rules/windows/builtin/security/win_atsvc_task.yml
@@ -6,7 +6,7 @@ author: Samir Bousseaden
 references:
 - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
 date: 2019/04/03
-modified: 2021/11/27
+modified: 2022/08/11
 logsource:
 product: windows
 service: security
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 EventID: 5145
- ShareName: \\\*\IPC$
+ ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
 RelativeTargetName: atsvc
 Accesses|contains: 'WriteData'
 condition: selection
diff --git a/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
index bce5e970f..62deb4fbb 100644
--- a/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -8,14 +8,14 @@ references:
 - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
 - https://twitter.com/_dirkjan/status/1309214379003588608
 date: 2018/11/28
-modified: 2021/11/27
+modified: 2022/08/11
 logsource:
 product: windows
 service: security
 detection:
 selection:
 EventID: 5145
- ShareName: \\\*\IPC$
+ ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
 RelativeTargetName: spoolss
 condition: selection
 falsepositives:
diff --git a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
index 6c606fede..e8450ec43 100644
--- a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
+++ b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml
@@ -18,7 +18,7 @@ logsource:
 detection:
 selection:
 EventID: '5145'
- ShareName: '\\\*\IPC$'
+ ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
 RelativeTargetName: 'spoolss'
 AccessMask: '0x3'
 ObjectType: 'File'
diff --git a/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
index 6659a8c0c..6738b172e 100644
--- a/rules/windows/builtin/security/win_global_catalog_enumeration.yml
+++ b/rules/windows/builtin/security/win_global_catalog_enumeration.yml
@@ -4,7 +4,7 @@ status: experimental
 author: Chakib Gzenayi (@Chak092), Hosni Mribah
 id: 619b020f-0fd7-4f23-87db-3f51ef837a34
 date: 2020/05/11
-modified: 2021/06/01
+modified: 2022/08/15
 references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
 tags:
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: 5156
- DestinationPort:
+ DestPort:
 - 3268
 - 3269
 timeframe: 1h
diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
index 5ab6628d6..c96241fda 100644
--- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
 selection:
 EventID: 5145
- ShareName: \\\*\SYSVOL
+ ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL
 RelativeTargetName|endswith: 'ScheduledTasks.xml'
 Accesses|contains:
 - 'WriteData'
diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml
index 9257af8ce..036a3b101 100644
--- a/rules/windows/builtin/security/win_impacket_psexec.yml
+++ b/rules/windows/builtin/security/win_impacket_psexec.yml
@@ -6,7 +6,7 @@ author: Bhabesh Raj
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
 date: 2020/12/14
-modified: 2022/01/07
+modified: 2022/08/11
 logsource:
 product: windows
 service: security
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection1:
 EventID: 5145
- ShareName: \\\*\IPC$
+ ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
 RelativeTargetName|contains:
 - 'RemCom_stdint'
 - 'RemCom_stdoutt'
diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml
index f6941ccd2..685c77947 100644
--- a/rules/windows/builtin/security/win_impacket_secretdump.yml
+++ b/rules/windows/builtin/security/win_impacket_secretdump.yml
@@ -4,7 +4,7 @@ description: Detect AD credential dumping using impacket secretdump HKTL status: experimental author: Samir Bousseaden, wagga date: 2019/04/03 -modified: 2021/06/27 +modified: 2022/08/11 references: - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html tags: @@ -19,7 +19,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\*\ADMIN$ + ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$ RelativeTargetName|contains|all: - 'SYSTEM32\' - '.tmp' diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml index 79fb3d013..ad4a2c855 100644 --- a/rules/windows/builtin/security/win_lm_namedpipe.yml +++ b/rules/windows/builtin/security/win_lm_namedpipe.yml @@ -14,7 +14,7 @@ logsource: detection: selection1: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ false_positives: RelativeTargetName: - 'atsvc' diff --git a/rules/windows/builtin/security/win_petitpotam_network_share.yml b/rules/windows/builtin/security/win_petitpotam_network_share.yml index f6966cf10..d1ecbc219 100644 --- a/rules/windows/builtin/security/win_petitpotam_network_share.yml +++ b/rules/windows/builtin/security/win_petitpotam_network_share.yml @@ -4,6 +4,7 @@ description: Detect PetitPotam coerced authentication activity. status: experimental author: Mauricio Velazco, Michael Haag date: 2021/09/02 +modified: 2022/08/11 references: - https://github.com/topotam/PetitPotam - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml @@ -17,7 +18,7 @@ logsource: detection: selection: EventID: 5145 - ShareName|startswith: '\\' + ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$ ShareName|endswith: '\IPC$' RelativeTargetName: lsarpc SubjectUserName: ANONYMOUS LOGON 
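Review bot: The inline comment added to `ShareName|startswith: '\\\\'` in win_petitpotam_network_share.yml contains a typo, "somethink"; suggest `# looking for a share name starting with \\ (e.g. \\<host>\IPC$)`. The unchanged `ShareName|endswith: '\IPC$'` on the next line uses the single-backslash form, which Sigma accepts as a literal backslash, but it reads inconsistently beside the doubled form above it and a short clause in the same comment saying both are intentional would stop the next reader from "normalising" one of them.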
diff --git a/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml index 8f331063c..785337246 100644 --- a/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml @@ -6,16 +6,16 @@ author: Ilyas Ochkov, oscd.community references: - https://github.com/GhostPack/Rubeus date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/08/15 logsource: product: windows service: security detection: selection: EventID: 5156 - DestinationPort: 88 + DestPort: 88 filter: - Image|endswith: + Application|endswith: - '\lsass.exe' - '\opera.exe' - '\chrome.exe' diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml index 98c71a6a2..2ad6945f3 100644 --- a/rules/windows/builtin/security/win_susp_psexec.yml +++ b/rules/windows/builtin/security/win_susp_psexec.yml @@ -6,7 +6,7 @@ author: Samir Bousseaden references: - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html date: 2019/04/03 -modified: 2021/12/08 +modified: 2022/08/11 logsource: product: windows service: security @@ -14,7 +14,7 @@ logsource: detection: selection1: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName|endswith: - '-stdin' - '-stdout' diff --git a/rules/windows/builtin/security/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml index 0f7b38a44..17dec5912 100644 --- a/rules/windows/builtin/security/win_svcctl_remote_service.yml +++ b/rules/windows/builtin/security/win_svcctl_remote_service.yml @@ -6,7 +6,7 @@ author: Samir Bousseaden references: - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html date: 2019/04/03 -modified: 2021/11/27 +modified: 2022/08/11 logsource: product: windows service: security 
@@ -14,7 +14,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName: svcctl Accesses|contains: 'WriteData' condition: selection diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml new file mode 100644 index 000000000..0c11855c6 --- /dev/null +++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml @@ -0,0 +1,34 @@ +title: Suspicious Application Installed +id: 83c161b6-ca67-4f33-8ad0-644a0737cf07 +status: experimental +description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache +author: Nasreddine Bencherchali +date: 2022/08/14 +references: + - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3 +tags: + - attack.execution +logsource: + product: windows + service: shell-core +detection: + selection_name: + EventID: 28115 + Name|contains: + # Please add more + - 'Zenmap' + - 'AnyDesk' + - 'wireshark' + - 'openvpn' + selection_packageid: + EventID: 28115 + AppID|contains: + # Please add more + - 'zenmap.exe' + - 'prokzult ad' # AnyDesk + - 'wireshark' + - 'openvpn' + condition: 1 of selection_* +falsepositives: + - Packages or applications being legitimately used by users or administrators +level: medium diff --git a/rules/windows/builtin/system/win_anydesk_service_installation.yml b/rules/windows/builtin/system/win_anydesk_service_installation.yml new file mode 100644 index 000000000..0726fc8e3 --- /dev/null +++ b/rules/windows/builtin/system/win_anydesk_service_installation.yml 
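Review bot: The new rule win_shell_core_susp_packages_installed.yml tags only the tactic `attack.execution` with no technique; the AnyDesk entries are remote-access software, for which `attack.t1219` is the expected technique, while Zenmap, Wireshark and OpenVPN are discovery or tunnelling tools, so if the tactic-only tag is deliberate a comment saying so would help. The description reads awkwardly: `Detects suspicious application installed by looking at the added shortcut to the app resolver cache` → `Detects the installation of a suspicious application by looking for the shortcut added to the app resolver cache`. The `'prokzult ad'` entry is annotated only `# AnyDesk`; a few words on where that string comes from would let others extend the `AppID|contains` list without guessing.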
@@ -0,0 +1,22 @@ +title: Anydesk Remote Access Software Service Installation +id: 530a6faa-ff3d-4022-b315-50828e77eef5 +status: experimental +description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used. +author: Nasreddine Bencherchali +references: + - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ +date: 2022/08/11 +logsource: + product: windows + service: system +detection: + selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 + ServiceName: 'AnyDesk Service' + condition: selection +falsepositives: + - Legitimate usage of the anydesk tool +level: medium +tags: + - attack.persistence diff --git a/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml b/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml index 49dec79f7..ab074cb22 100644 --- a/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml +++ b/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter author: Markus Neis date: 2018/08/26 -modified: 2022/02/09 +modified: 2022/08/13 tags: - attack.credential_access # Defender Attack Surface Reduction @@ -36,7 +36,7 @@ detection: - 'C:\Windows\SysWOW64\msiexec.exe' filter_begins: ProcessName|startswith: - - 'C:\Windows\System32\\DriverStore\' + - 'C:\Windows\System32\DriverStore\' - 'C:\WINDOWS\Installer\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index 9f3e8861b..10ce5b907 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml 
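Review bot: The description of win_anydesk_service_installation.yml has a garbled clause, `Which could be an indication of anydesk abuse if you the software isn't already used`; suggest `Detects the installation of the AnyDesk software service, which could indicate AnyDesk abuse if the software is not already in use in the environment.` The tags stop at the tactic `attack.persistence`; AnyDesk is remote-access software, so `attack.t1219` (and its tactic `attack.command_and_control`) is the natural addition, to be confirmed against the repository's tagging practice. `falsepositives: - Legitimate usage of the anydesk tool` would read better as `Legitimate usage of the AnyDesk tool`.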
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -6,24 +6,25 @@ references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth date: 2022/03/16 -modified: 2022/07/07 +modified: 2022/08/12 logsource: - product: windows - category: create_remote_thread + product: windows + category: create_remote_thread detection: - selection: - TargetImage|endswith: - - '\mspaint.exe' - - '\calc.exe' - - '\notepad.exe' - - '\sethc.exe' - - '\write.exe' - - '\wordpad.exe' - condition: selection + selection: + TargetImage|endswith: + - '\mspaint.exe' + - '\calc.exe' + - '\notepad.exe' + - '\sethc.exe' + - '\write.exe' + - '\wordpad.exe' + - '\explorer.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055.003 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055.003 diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml index bde512e95..50c53ef0a 100644 --- a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml @@ -1,12 +1,12 @@ title: Accessing WinAPI in PowerShell. Code Injection id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 status: test -description: Detecting Code injection with PowerShell in another process +description: Detects the creation of a remote thread from a Powershell process to another process author: Nikita Nazarov, oscd.community references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse date: 2020/10/06 -modified: 2022/07/28 +modified: 2022/08/12 logsource: product: windows category: create_remote_thread 
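Review bot: Adding `'\explorer.exe'` to the `TargetImage|endswith` list in create_remote_thread_win_susp_targets.yml changes the rule's noise profile far more than the earlier entries did, because explorer.exe is, in my experience, a frequent legitimate remote-thread target (shell extensions, installers, some endpoint agents), yet `level: high` and `falsepositives: - Unknown` are left untouched. Before shipping this at high, consider recording the benign sources observed in testing under `falsepositives`, or adding a `filter` on `SourceImage` for them, so the rule keeps its current signal-to-noise.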
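Review bot: The rewritten description in sysmon_powershell_code_injection.yml spells the product `Powershell` while the rule's own title uses `PowerShell`. Suggest `description: Detects the creation of a remote thread from a PowerShell process into another process`.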
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml index f094daf60..c1019a171 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml @@ -7,7 +7,7 @@ notes: - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. status: experimental date: 2019/10/27 -modified: 2022/07/31 +modified: 2022/08/12 author: Perez Diego (@darkquassar), oscd.community references: - Personal research, statistical analysis @@ -49,8 +49,6 @@ detection: - '\outlook.exe' - '\ping.exe' - '\powerpnt.exe' - - '\powershell.exe' - - '\pwsh.exe' - '\provtool.exe' - '\python.exe' - '\regsvr32.exe' @@ -99,6 +97,6 @@ fields: - User - SourceImage - TargetImage -level: high falsepositives: - Unknown +level: high diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml new file mode 100644 index 000000000..11b21c196 --- /dev/null +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml 
@@ -0,0 +1,29 @@ +title: File Creation Date Changed to Another Year +id: 558eebe5-f2ba-4104-b339-36f7902bcc1a +status: experimental +description: | + Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. + Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. +references: + - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html +author: frack113, Florian Roth +date: 2022/08/12 +logsource: + category: file_change + product: windows +detection: + selection1: + PreviousCreationUtcTime|startswith: 2022 + filter1: + CreationUtcTime|startswith: 2022 + selection2: + PreviousCreationUtcTime|startswith: 202 + filter2: + CreationUtcTime|startswith: 202 + condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) +falsepositives: + - Changes made to or by the local NTP service +level: high +tags: + - attack.t1070.006 + - attack.defense_evasion diff --git a/rules/windows/file_event/file_event_bloodhound_collection.yml b/rules/windows/file_event/file_event_bloodhound_collection.yml new file mode 100644 index 000000000..9c0684d33 --- /dev/null +++ b/rules/windows/file_event/file_event_bloodhound_collection.yml 
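Review bot: The year prefixes in file_change_win_2022_timestomping.yml are unquoted (`PreviousCreationUtcTime|startswith: 2022`, `CreationUtcTime|startswith: 202`), so a YAML loader hands the Sigma toolchain integers rather than strings, and how a backend applies `startswith` to an integer is backend-specific; quote all four values as `'2022'` and `'202'`. The rule is also bound to the current year by construction (file name and `selection1`) and will need a yearly edit; a comment such as `# hard-coded to the current year; update annually` next to `selection1` makes that maintenance visible. Since `selection2` already covers the whole decade prefix, a sentence in the description on what each branch is meant to catch would help a reader understand why both exist.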
@@ -0,0 +1,40 @@ +title: BloodHound Collection Files +id: 02773bed-83bf-469f-b7ff-e676e7d78bab +description: Detects default file names outputted by the BloodHound collection tool SharpHound +status: experimental +author: C.J. May +references: + - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection +date: 2022/08/09 +modified: 2022/08/09 +tags: + - attack.discovery + - attack.t1087.001 + - attack.t1087.002 + - attack.t1482 + - attack.t1069.001 + - attack.t1069.002 + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: file_event +detection: + selection1: + TargetFilename|endswith: + - '_BloodHound.zip' + - '_computers.json' + - '_containers.json' + - '_domains.json' + - '_gpos.json' + - '_groups.json' + - '_ous.json' + - '_users.json' + selection2: + TargetFilename|contains|all: + - 'BloodHound' + - '.zip' + condition: 1 of selection* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml new file mode 100644 index 000000000..9ff1d6061 --- /dev/null +++ b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml 
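Review bot: In file_event_bloodhound_collection.yml, `selection1` fires on any file ending in `_users.json`, `_groups.json`, `_domains.json` or `_computers.json`, suffixes generic enough to match unrelated exports (an application writing `report_users.json`, say) at `level: high` with `falsepositives: - Unknown`. SharpHound prefixes its output files with a 14-digit timestamp, e.g. a constructed name like `20220809120000_users.json` (please verify against a current SharpHound run), so a `TargetFilename|re:` anchored on that prefix plus suffix would keep the detection while removing the generic hits. Also `outputted` in the description is better as `output`, and `modified: 2022/08/09` is redundant on a rule created the same day.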
@@ -0,0 +1,23 @@ +title: Persistence Via ErrorHandler.Cmd +id: 15904280-565c-4b73-9303-3291f964e7f9 +status: experimental +description: | + Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence + The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason. +author: Nasreddine Bencherchali +references: + - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/ + - https://github.com/last-byte/PersistenceSniper +date: 2022/08/09 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.persistence diff --git a/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml new file mode 100644 index 000000000..195227579 --- /dev/null +++ b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml 
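Review bot: The description of file_event_win_error_handler_cmd_persistence.yml runs two thoughts together without punctuation; suggest `Detects the creation of "ErrorHandler.cmd" in "C:\WINDOWS\Setup\Scripts\", a file whose content is read whenever tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run, which makes it usable for persistence.` The tags carry only the tactic `attack.persistence`; if maintainers classify this as event-triggered execution, an `attack.t1546` technique tag would make the rule findable by technique.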
@@ -0,0 +1,27 @@ +title: Malicious DLL File Dropped in the Teams or OneDrive Folder +id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163 +status: experimental +description: | + Detects creation of a malicious DLL file in the location where the OneDrive or Team applications + Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded +references: + - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ +author: frack113 +date: 2022/08/12 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|contains|all: + - 'iphlpapi.dll' + - '\AppData\Local\Microsoft' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1574.002 diff --git a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml index 273f38145..4a4f81d67 100644 --- a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml @@ -6,12 +6,11 @@ references: - https://redcanary.com/blog/intelligence-insights-october-2021/ - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder tags: - - attack.registry_run_keys_/_startup_folder + - attack.persistence - attack.t1547.001 date: 2021/10/24 -modified: 2022/07/14 +modified: 2022/08/10 author: Christopher Peacock '@securepeacock', SCYTHE -level: high logsource: product: windows category: file_event @@ -26,3 +25,4 @@ detection: falsepositives: - Unknown - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware. +level: high 
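Review bot: The description of file_event_win_iphlpapi_dll_sideloading.yml is an unfinished sentence (`...in the location where the OneDrive or Team applications`) and uses typographic quotes around “iphlpapi.dll”; suggest `Detects the creation of an iphlpapi.dll file in the directories of the OneDrive or Teams applications, where it is sideloaded on the next start of those applications.` The title and description call the DLL "malicious", but the selection (`iphlpapi.dll` anywhere under `\AppData\Local\Microsoft`) cannot distinguish a malicious copy from a legitimate one placed there, so `falsepositives: - Unknown` at `level: high` understates the expected noise. Wording the title as a dropped-DLL observation and listing application updaters that ship their own copy under `falsepositives` would describe the rule more honestly.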
diff --git a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml index 997330451..81b34659c 100755 --- a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml @@ -2,13 +2,13 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb status: test description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. -author: xknow @xknow_infosec +author: xknow @xknow_infosec, Tim Shelton references: - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - https://github.com/fox-it/LDAPFragger date: 2019/03/24 -modified: 2022/04/21 +modified: 2022/08/16 logsource: product: windows category: file_event @@ -27,6 +27,8 @@ detection: - 'C:\Windows\System32\wbem\WmiPrvSE.exe' filter_begins: Image|startswith: 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + filter_ends: + Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe' filter_domain_controller: Image: - 'C:\Windows\system32\efsui.exe' diff --git a/rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml new file mode 100644 index 000000000..78280468e --- /dev/null +++ b/rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml 
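Review bot: The new `filter_ends` value `'\LANDesk\LDCLient\ldapwhoami.exe'` in file_event_win_susp_adsi_cache_usage.yml has odd capitalisation in `LDCLient`; Sigma matching is case-insensitive so the filter still applies, but the LANDesk agent directory is, as far as I know, written `LDClient`, and the current spelling reads as a typo to the next maintainer. Suggest `Image|endswith: '\LANDesk\LDClient\ldapwhoami.exe'`.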
@@ -0,0 +1,29 @@ +title: Suspicious Startup Folder Persistence +id: 28208707-fe31-437f-9a7f-4b1108b94d2e +description: Detects when a file with a suspicious extension is created in the startup folder +status: experimental +author: Nasreddine Bencherchali +references: + - https://github.com/last-byte/PersistenceSniper +tags: + - attack.persistence + - attack.t1547.001 +date: 2022/08/10 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\' + TargetFilename|endswith: + # Add or remove suspicious extensions according to your env needs + - '.vbs' + - '.vbe' + - '.bat' + - '.ps1' + - '.hta' + - '.dll' + condition: selection +falsepositives: + - Rare legitimate usage of some of the extensions mentioned in the rule +level: high diff --git a/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml index 6efe66678..fd68a54eb 100644 --- a/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml +++ b/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml @@ -6,6 +6,7 @@ author: Florian Roth references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm date: 2021/12/07 +modified: 2022/08/13 logsource: product: windows category: file_event @@ -13,7 +14,7 @@ detection: selection: TargetFilename: - 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' - - 'C:\Windows\System32\config\systemprofile\AppData\\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive' + - 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive' condition: selection falsepositives: - Administrative activity 
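Review bot: The extension list in file_event_win_susp_startup_folder_persistence.yml omits `.exe` and `.cmd`, which the sibling rule file_event_win_win_shell_write_susp_files_extensions.yml in this same commit does treat as suspicious, while it includes `.dll`, which as far as I know the shell does not launch from a Startup folder. The comment already invites tuning, so this is a consistency question rather than a defect; if `.exe` was left out because it is too noisy in practice, a line saying so next to the comment would stop reviewers re-raising it.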
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml index 135fff322..b1232f7a9 100644 --- a/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml +++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml @@ -3,7 +3,7 @@ id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 status: experimental description: Detects a Windows executable that writes files to suspicious folders references: - - No references + - Internal Research author: Florian Roth date: 2021/11/20 modified: 2022/07/14 diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml new file mode 100644 index 000000000..5eb617acc --- /dev/null +++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml @@ -0,0 +1,40 @@ +title: Windows Binaries Write Suspicious Extensions +id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62 +related: + - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 + type: derived +status: experimental +description: Detects windows executables that writes files with suspicious extensions +references: + - Internal Research +author: Nasreddine Bencherchali +date: 2022/08/12 +logsource: + category: file_event + product: windows +detection: + selection: + Image|endswith: + - '\rundll32.exe' + #- '\svchost.exe' # Might generate some FP + - '\dllhost.exe' + - '\smss.exe' + - '\RuntimeBroker.exe' + - '\sihost.exe' + - '\lsass.exe' + - '\csrss.exe' + - '\winlogon.exe' + - '\wininit.exe' + TargetFilename|endswith: + - '.bat' + - '.vbe' + - '.txt' + - '.vbs' + - '.exe' + - '.ps1' + - '.hta' + - '.iso' + condition: selection +falsepositives: + - Unknown +level: high 
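Review bot: `.txt` in the `TargetFilename|endswith` list of file_event_win_win_shell_write_susp_files_extensions.yml sits uneasily with `level: high` and `falsepositives: - Unknown`: in my experience rundll32.exe is routinely used by legitimate components to write plain-text output, and the rule makes no distinction between that and a `.exe` or `.hta` drop. Consider removing `.txt`, or moving it to a separate lower-level selection, and recording the processes seen in testing under `falsepositives`. Also `Detects windows executables that writes files` → `Detects Windows executables that write files`.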
diff --git a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml index 0eef7528d..380927c1f 100644 --- a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml +++ b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml @@ -8,13 +8,14 @@ author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share date: 2022/01/01 +modified: 2022/08/13 logsource: product: windows category: file_event detection: selection: TargetFilename|contains|all: - - '\\127.0.0' + - '\\\\127.0.0' - '\ADMIN$\' condition: selection falsepositives: diff --git a/rules/windows/file_rename/file_rename_win_ransomware.yml b/rules/windows/file_rename/file_rename_win_ransomware.yml index 6a245c7f7..6af06ac6f 100644 --- a/rules/windows/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file_rename/file_rename_win_ransomware.yml @@ -4,6 +4,7 @@ status: experimental description: Detects possible ransomware adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky" etc. references: - https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/ + - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 tags: diff --git a/rules/windows/image_load/image_load_msdt_sdiageng.yml b/rules/windows/image_load/image_load_msdt_sdiageng.yml index 1db0d173d..dbcb49246 100644 --- a/rules/windows/image_load/image_load_msdt_sdiageng.yml +++ b/rules/windows/image_load/image_load_msdt_sdiageng.yml 
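Review bot: The new `'\\\\127.0.0'` in file_event_win_writing_local_admin_share.yml carries no comment explaining the doubled escaping, unlike the ShareName hunks elsewhere in this commit, and the adjacent `'\ADMIN$\'` uses the single-backslash form, so the contrast invites a "fix" back to `'\\127.0.0'`. Suggest `- '\\\\127.0.0' # looking for the string \\127.0.0 (loopback UNC path)`.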
@@ -4,21 +4,20 @@ status: experimental description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary author: Greg (rule) references: - - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ + - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ date: 2022/06/17 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - selection_img: - Image|endswith: '\msdt.exe' - selection_load: - ImageLoaded|endswith: '\sdiageng.dll' - condition: all of selection* + selection: + Image|endswith: '\msdt.exe' + ImageLoaded|endswith: '\sdiageng.dll' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.t1202 - - cve.2022.30190 + - attack.defense_evasion + - attack.t1202 + - cve.2022.30190 diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml index fd9ed05c8..75f0206d0 100644 --- a/rules/windows/image_load/image_load_pingback_backdoor.yml +++ b/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report author: Bhabesh Raj date: 2021/05/05 -modified: 2021/09/09 +modified: 2022/08/14 references: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 @@ -16,7 +16,7 @@ logsource: category: image_load detection: selection: - Image|endswith: 'msdtc.exe' + Image|endswith: '\msdtc.exe' ImageLoaded: 'C:\Windows\oci.dll' condition: selection falsepositives: 
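Review bot: No `modified:` field is added in image_load_msdt_sdiageng.yml even though `selection_img`/`selection_load` and the `condition` change, while the other behavioural edits in this commit do bump it; add `modified: <date of this change>` after `date: 2022/06/17` so consumers tracking rule revisions see it. Folding the two selections into one `selection` is the same AND as `all of selection*`, so behaviour is unchanged, which is worth stating in a comment since a reader comparing the old and new conditions has to reason that out. The re-indentation of unrelated lines makes the real change harder to spot; keeping such whitespace-only changes in a separate commit would help.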
diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml new file mode 100644 index 000000000..8c30f6338 --- /dev/null +++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml @@ -0,0 +1,31 @@ +title: Rundll32 Loading Renamed Comsvcs DLL +id: 8cde342c-ba48-4b74-b615-172c330f2e93 +status: experimental +description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory +author: Nasreddine Bencherchali +date: 2022/08/14 +references: + - https://twitter.com/sbousseaden/status/1555200155351228419 +tags: + - attack.credential_access + - attack.defense_evasion + - attack.t1003.001 +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: '\rundll32.exe' + Hashes|contains: + # Add more hashes for other windows verions + - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64 + - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607 + - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809 + - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64 + - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86 + filter: + ImageLoaded|endswith: '\comsvcs.dll' + condition: selection and not filter +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml new file mode 100644 index 000000000..bdef52fee --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml 
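Review bot: image_load_rundll32_loading_renamed_comsvcs.yml matches on `Hashes|contains: IMPHASH=...`, which only works when the Sysmon configuration's `HashAlgorithms` includes IMPHASH; the rule says nothing about that prerequisite, so on a configuration without it the rule silently never fires. Add it to the description or a comment, e.g. `# requires IMPHASH in Sysmon's HashAlgorithms configuration`. The comment `# Add more hashes for other windows verions` has a typo (`versions`), and since the import hashes are per-build values, a note on how they were obtained (which file, which build) would let others extend the list reliably.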
@@ -0,0 +1,370 @@ +title: System DLL Sideloading From Non System Locations +id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 +status: experimental +description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...) +references: + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) + - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll + - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll +author: Nasreddine Bencherchali, Wietze Beukema (project and research) +date: 2022/08/14 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|endswith: + - '\shfolder.dll' + - '\activeds.dll' + - '\adsldpc.dll' + - '\aepic.dll' + - '\apphelp.dll' + - '\applicationframe.dll' + - '\appxalluserstore.dll' + - '\appxdeploymentclient.dll' + - '\archiveint.dll' + - '\atl.dll' + - '\audioses.dll' + - '\auditpolcore.dll' + - '\authfwcfg.dll' + - '\authz.dll' + - '\avrt.dll' + - '\bcd.dll' + - '\bcp47langs.dll' + - '\bcp47mrm.dll' + - '\bcrypt.dll' + - '\cabinet.dll' + - '\cabview.dll' + - '\certenroll.dll' + - '\cldapi.dll' + - '\clipc.dll' + - '\clusapi.dll' + - '\cmpbk32.dll' + - '\coloradapterclient.dll' + - '\colorui.dll' + - '\comdlg32.dll' + - '\connect.dll' + - '\coremessaging.dll' + - '\credui.dll' + - '\cryptbase.dll' + - '\cryptdll.dll' + - '\cryptui.dll' + - '\cryptxml.dll' + - '\cscapi.dll' + - '\cscobj.dll' + - '\cscui.dll' + - '\d2d1.dll' + - '\d3d10.dll' + - '\d3d10_1.dll' + - '\d3d10_1core.dll' + - '\d3d10core.dll' + - '\d3d10warp.dll' + - '\d3d11.dll' + - '\d3d12.dll' + - '\d3d9.dll' + - '\dataexchange.dll' + - '\davclnt.dll' + - '\dcomp.dll' + - '\defragproxy.dll' + - '\desktopshellext.dll' + - '\deviceassociation.dll' + - 
'\devicecredential.dll' + - '\devicepairing.dll' + - '\devobj.dll' + - '\devrtl.dll' + - '\dhcpcmonitor.dll' + - '\dhcpcsvc.dll' + - '\dhcpcsvc6.dll' + - '\directmanipulation.dll' + - '\dismapi.dll' + - '\dismcore.dll' + - '\dmcfgutils.dll' + - '\dmcmnutils.dll' + - '\dmenrollengine.dll' + - '\dmenterprisediagnostics.dll' + - '\dmiso8601utils.dll' + - '\dmoleaututils.dll' + - '\dmprocessxmlfiltered.dll' + - '\dmpushproxy.dll' + - '\dmxmlhelputils.dll' + - '\dnsapi.dll' + - '\dot3api.dll' + - '\dot3cfg.dll' + - '\drprov.dll' + - '\dsclient.dll' + - '\dsparse.dll' + - '\dsreg.dll' + - '\dsrole.dll' + - '\dui70.dll' + - '\duser.dll' + - '\dusmapi.dll' + - '\dwmapi.dll' + - '\dwrite.dll' + - '\dxgi.dll' + - '\dxva2.dll' + - '\eappcfg.dll' + - '\eappprxy.dll' + - '\edputil.dll' + - '\efsadu.dll' + - '\efsutil.dll' + - '\esent.dll' + - '\execmodelproxy.dll' + - '\explorerframe.dll' + - '\fastprox.dll' + - '\faultrep.dll' + - '\fddevquery.dll' + - '\feclient.dll' + - '\fhcfg.dll' + - '\firewallapi.dll' + - '\flightsettings.dll' + - '\fltlib.dll' + - '\fveapi.dll' + - '\fwbase.dll' + - '\fwcfg.dll' + - '\fwpolicyiomgr.dll' + - '\fwpuclnt.dll' + - '\getuname.dll' + - '\hid.dll' + - '\hnetmon.dll' + - '\httpapi.dll' + - '\idstore.dll' + - '\ieadvpack.dll' + - '\iedkcs32.dll' + - '\iertutil.dll' + - '\ifmon.dll' + - '\iphlpapi.dll' + - '\iri.dll' + - '\iscsidsc.dll' + - '\iscsium.dll' + - '\isv.exe_rsaenh.dll' + - '\joinutil.dll' + - '\ksuser.dll' + - '\ktmw32.dll' + - '\licensemanagerapi.dll' + - '\licensingdiagspp.dll' + - '\linkinfo.dll' + - '\loadperf.dll' + - '\logoncli.dll' + - '\logoncontroller.dll' + - '\lpksetupproxyserv.dll' + - '\magnification.dll' + - '\mapistub.dll' + - '\mfcore.dll' + - '\mfplat.dll' + - '\mi.dll' + - '\midimap.dll' + - '\miutils.dll' + - '\mlang.dll' + - '\mmdevapi.dll' + - '\mobilenetworking.dll' + - '\mpr.dll' + - '\mprapi.dll' + - '\mrmcorer.dll' + - '\msacm32.dll' + - '\mscms.dll' + - '\mscoree.dll' + - '\msctf.dll' + - '\msctfmonitor.dll' 
+ - '\msdrm.dll' + - '\msftedit.dll' + - '\msi.dll' + - '\msutb.dll' + - '\mswb7.dll' + - '\mswsock.dll' + - '\msxml3.dll' + - '\mtxclu.dll' + - '\napinsp.dll' + - '\ncrypt.dll' + - '\ndfapi.dll' + - '\netid.dll' + - '\netiohlp.dll' + - '\netplwiz.dll' + - '\netprofm.dll' + - '\netsetupapi.dll' + - '\netshell.dll' + - '\netutils.dll' + - '\networkexplorer.dll' + - '\newdev.dll' + - '\ninput.dll' + - '\nlaapi.dll' + - '\nlansp_c.dll' + - '\npmproxy.dll' + - '\nshhttp.dll' + - '\nshipsec.dll' + - '\nshwfp.dll' + - '\ntdsapi.dll' + - '\ntlanman.dll' + - '\ntlmshared.dll' + - '\ntmarta.dll' + - '\ntshrui.dll' + - '\oleacc.dll' + - '\omadmapi.dll' + - '\onex.dll' + - '\osbaseln.dll' + - '\osuninst.dll' + - '\p2p.dll' + - '\p2pnetsh.dll' + - '\p9np.dll' + - '\pcaui.dll' + - '\pdh.dll' + - '\peerdistsh.dll' + - '\pla.dll' + - '\pnrpnsp.dll' + - '\policymanager.dll' + - '\polstore.dll' + - '\printui.dll' + - '\propsys.dll' + - '\prvdmofcomp.dll' + - '\puiapi.dll' + - '\radcui.dll' + - '\rasapi32.dll' + - '\rasgcw.dll' + - '\rasman.dll' + - '\rasmontr.dll' + - '\reagent.dll' + - '\regapi.dll' + - '\resutils.dll' + - '\rmclient.dll' + - '\rpcnsh.dll' + - '\rsaenh.dll' + - '\rtutils.dll' + - '\rtworkq.dll' + - '\samcli.dll' + - '\samlib.dll' + - '\sapi_onecore.dll' + - '\sas.dll' + - '\scansetting.dll' + - '\scecli.dll' + - '\schedcli.dll' + - '\secur32.dll' + - '\shell32.dll' + - '\slc.dll' + - '\snmpapi.dll' + - '\spp.dll' + - '\sppc.dll' + - '\srclient.dll' + - '\srpapi.dll' + - '\srvcli.dll' + - '\ssp.exe_rsaenh.dll' + - '\ssp_isv.exe_rsaenh.dll' + - '\sspicli.dll' + - '\ssshim.dll' + - '\staterepository.core.dll' + - '\structuredquery.dll' + - '\sxshared.dll' + - '\tapi32.dll' + - '\tbs.dll' + - '\tdh.dll' + - '\tquery.dll' + - '\tsworkspace.dll' + - '\ttdrecord.dll' + - '\twext.dll' + - '\twinapi.dll' + - '\twinui.appcore.dll' + - '\uianimation.dll' + - '\uiautomationcore.dll' + - '\uireng.dll' + - '\uiribbon.dll' + - '\updatepolicy.dll' + - '\userenv.dll' + - 
'\utildll.dll' + - '\uxinit.dll' + - '\uxtheme.dll' + - '\vaultcli.dll' + - '\virtdisk.dll' + - '\vssapi.dll' + - '\vsstrace.dll' + - '\wbemprox.dll' + - '\wbemsvc.dll' + - '\wcmapi.dll' + - '\wcnnetsh.dll' + - '\wdi.dll' + - '\wdscore.dll' + - '\webservices.dll' + - '\wecapi.dll' + - '\wer.dll' + - '\wevtapi.dll' + - '\whhelper.dll' + - '\wimgapi.dll' + - '\winbrand.dll' + - '\windows.storage.dll' + - '\windows.storage.search.dll' + - '\windowscodecs.dll' + - '\windowscodecsext.dll' + - '\windowsudk.shellcommon.dll' + - '\winhttp.dll' + - '\wininet.dll' + - '\winipsec.dll' + - '\winmde.dll' + - '\winmm.dll' + - '\winnsi.dll' + - '\winrnr.dll' + - '\winsqlite3.dll' + - '\winsta.dll' + - '\wkscli.dll' + - '\wlanapi.dll' + - '\wlancfg.dll' + - '\wldp.dll' + - '\wlidprov.dll' + - '\wmiclnt.dll' + - '\wmidcom.dll' + - '\wmiutils.dll' + - '\wmsgapi.dll' + - '\wofutil.dll' + - '\wpdshext.dll' + - '\wshbth.dll' + - '\wshelper.dll' + - '\wtsapi32.dll' + - '\wwapi.dll' + - '\xmllite.dll' + - '\xolehlp.dll' + - '\xwizards.dll' + - '\xwtpw32.dll' + - '\aclui.dll' + - '\bderepair.dll' + - '\bootmenuux.dll' + - '\dcntel.dll' + - '\dwmcore.dll' + - '\dynamoapi.dll' + - '\fhsvcctl.dll' + - '\fxsst.dll' + - '\inproclogger.dll' + - '\iumbase.dll' + - '\kdstub.dll' + - '\maintenanceui.dll' + - '\mdmdiagnostics.dll' + - '\mintdh.dll' + - '\msdtctm.dll' + - '\nettrace.dll' + - '\osksupport.dll' + - '\reseteng.dll' + - '\resetengine.dll' + - '\spectrumsyncclient.dll' + - '\srcore.dll' + - '\systemsettingsthresholdadminflowui.dll' + - '\timesync.dll' + - '\upshared.dll' + - '\wmpdui.dll' + - '\wwancfg.dll' + - '\dpx.dll' + filter_generic: + ImageLoaded|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + - 'C:\Windows\SoftwareDistribution\' + filter_systemp: + ImageLoaded|startswith: 'C:\Windows\SystemTemp\' + User|contains: # covers many language settings + - 'AUTHORI' + - 'AUTORI' + condition: selection and not 1 of filter_* +falsepositives: + - 
Legitimate applications loading their own versions of the DLLs mentioned in this rule +level: medium diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index 571168acd..c3d02ecdd 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -8,7 +8,7 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 -modified: 2022/02/21 +modified: 2022/08/09 logsource: category: image_load product: windows @@ -52,10 +52,12 @@ detection: - '-k UnistackSvcGroup -s WpnUserService' filter2: # Not available in Sysmon, but in Aurora CommandLine: - - 'C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding' - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' - condition: (signedprocess or unsignedprocess) and not filter1 and not filter2 + filter3: + CommandLine|startswith: 'C:\WINDOWS\winsxs\' + CommandLine|endswith: '\TiWorker.exe -Embedding' + condition: (signedprocess or unsignedprocess) and not 1 of filter* fields: - ComputerName - User diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index bcc746c2b..f683c2f77 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/08/02 +modified: 2022/08/10 logsource: product: windows category: image_load 
@@ -20,7 +20,9 @@ detection: - '\Downloads\' - '\AppData\Local\Temp\' - 'C:\PerfLogs\' - condition: selection + filter: + ImageLoaded|contains: '\Program Files' + condition: selection and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml index 866440fb5..01d5c3647 100644 --- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml +++ b/rules/windows/image_load/image_load_susp_system_drawing_load.yml @@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture. status: experimental date: 2020/05/02 -modified: 2021/12/05 +modified: 2022/08/13 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.collection @@ -27,10 +27,12 @@ detection: - 'C:\Windows\Microsoft.NET\' - 'C:\Windows\ImmersiveControlPanel\' filter2: - Image: - - 'C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe' - - 'C:\Users\\*\GitHubDesktop\Update.exe' - - 'C:\Windows\System32\NhNotifSys.exe' + Image: 'C:\Windows\System32\NhNotifSys.exe' + filter3: + Image|startswith: 'C:\Users\' + Image|endswith: + - '\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe' + - '\GitHubDesktop\Update.exe' condition: selection and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index 69cac05e7..e82154a0b 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml 
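Review bot: The new `filter` uses `ImageLoaded|contains: '\Program Files'`, which excludes any load path containing that substring anywhere, so a DLL under e.g. `C:\Users\<user>\AppData\Local\Temp\Program Files\` (a location the selection is meant to catch) would be filtered out. Anchoring on the real install roots keeps the intent: `ImageLoaded|startswith:` with `- 'C:\Program Files\'` and `- 'C:\Program Files (x86)\'`. The `detection`/`selection` block starts outside the hunk.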
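Review bot: In `filter3`, `Image|endswith: '\GitHubDesktop\Update.exe'` combined with `Image|startswith: 'C:\Users\'` excludes that file name anywhere under a user profile, not only the updater's install location; the nahimic entry keeps its `\AppData\Local\` prefix, so `'\AppData\Local\GitHubDesktop\Update.exe'` would be the consistent, narrower value if GitHub Desktop does install there as it normally does. The replaced wildcard had the same breadth, so this is a tightening rather than a regression. The `detection` block and `filter1` start outside the hunk.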
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2022/04/29 +modified: 2022/08/13 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access @@ -24,19 +24,22 @@ detection: - OriginalFileName: - 'credui.dll' - 'wincredui.dll' - filter: - - Image|startswith: + filter_start: + Image|startswith: - 'C:\Windows\System32\' - 'C:\Windows\explorer.exe' - 'C:\Program Files\' - - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe' - 'C:\Program Files (x86)\' - - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' - - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe' - - 'C:\Users\\*\AppData\Roaming\Spotify\Spotify.exe' - - Image|endswith: '\opera_autoupdate.exe' - - Image|contains: '\Local\Microsoft\OneDrive\' - condition: selection and not filter + filter_end: + Image|endswith: '\opera_autoupdate.exe' + filter_full: + Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + filter_user: + Image|startswith: 'C:\Users\' + Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe' + filter_path: + Image|contains: '\Local\Microsoft\OneDrive\' + condition: selection and not 1 of filter_* falsepositives: - Other legitimate processes loading those DLLs in your environment. level: medium diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml index 6b2f32837..0c08a1366 100755 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml +++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml 
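Review bot: `filter_start` lists the full path `'C:\Windows\explorer.exe'` under `Image|startswith`, so an exact executable path is prefix-matched; it belongs in `filter_full` next to `SystemSettings.exe`, e.g. `Image:` with `- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'` and `- 'C:\Windows\explorer.exe'`. That keeps every entry of `filter_start` a directory prefix, which is what the name promises. The `detection`/`selection` block starts outside the hunk.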
@@ -4,35 +4,38 @@ status: test description: Detects an executable in the Windows folder accessing suspicious domains author: Florian Roth references: - - https://twitter.com/M_haggis/status/900741347035889665 - - https://twitter.com/M_haggis/status/1032799638213066752 + - https://twitter.com/M_haggis/status/900741347035889665 + - https://twitter.com/M_haggis/status/1032799638213066752 + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker date: 2018/08/30 -modified: 2022/07/22 +modified: 2022/08/09 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - Initiated: 'true' - DestinationHostname|endswith: - - 'dl.dropboxusercontent.com' - - '.pastebin.com' - - '.githubusercontent.com' # includes both gists and github repositories - - 'cdn.discordapp.com/attachments/' - - 'mediafire.com' - - 'mega.nz' - - 'ddns.net' - - '.paste.ee' - - '.hastebin.com/raw/' - - '.ghostbin.co/' - - 'ufile.io' - Image|startswith: - - 'C:\Windows\' - - 'C:\Users\Public\' - condition: selection + selection: + Initiated: 'true' + DestinationHostname|endswith: + - 'dl.dropboxusercontent.com' + - '.pastebin.com' + - '.githubusercontent.com' # includes both gists and github repositories + - 'cdn.discordapp.com/attachments/' + - 'mediafire.com' + - 'mega.nz' + - 'ddns.net' + - '.paste.ee' + - '.hastebin.com/raw/' + - '.ghostbin.co/' + - 'ufile.io' + - 'anonfiles.com' + - 'send.exploit.in' + Image|startswith: + - 'C:\Windows\' + - 'C:\Users\Public\' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.lateral_movement - - attack.t1105 + - attack.lateral_movement + - attack.t1105 diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml index c06ae8e26..465b440ff 100755 
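Review bot: Several values of `DestinationHostname|endswith` carry path components (`'cdn.discordapp.com/attachments/'`, `'.hastebin.com/raw/'`, `'.ghostbin.co/'`), and a hostname field never contains a path, so those entries cannot match; they should be reduced to the host part (`'cdn.discordapp.com'`, `'.hastebin.com'`, `'.ghostbin.co'`) or removed. The two new entries `'anonfiles.com'` and `'send.exploit.in'` follow the existing bare-host style, which with `endswith` also matches any longer name ending in those strings; that seems accepted across the list, so it is only worth a comment on the key. The hunk covers the whole detection block.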
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html date: 2019/09/12 -modified: 2022/07/29 +modified: 2022/08/16 logsource: category: network_connection product: windows @@ -26,7 +26,13 @@ detection: - 'SERVICE R' - 'SEAU' - SourceIp|startswith: '0:0:' - condition: selection and not filter + - Image: + - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe' + - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe' + filter_localhost: + SourceIp: '::1' + DestinationIp: '::1' + condition: selection and not 1 of filter* falsepositives: - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. - Network Service user name of a not-covered localization diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 46bbb9671..2c87f50da 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml @@ -14,7 +14,7 @@ logsource: detection: selection: - Image|contains: - # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows + # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows - '\Users\All Users\' - '\Users\Default\' - '\Users\Public\' diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml index 5e32f9eec..046048072 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml 
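Review bot: The new `filter_localhost` only excludes IPv6 loopback (`SourceIp: '::1'`, `DestinationIp: '::1'`); an IPv4 loopback session with `127.0.0.1` on both sides is the same local case and, as far as this hunk shows, would still match the selection, so either add a second map to that filter with `SourceIp: '127.0.0.1'` and `DestinationIp: '127.0.0.1'` or comment why only IPv6 is meant. The Avast entries are full paths and look fine. The enclosing `filter` block begins outside the hunk.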
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 status: experimental author: frack113 -date: 2022/01/01 +date: 2022/08/13 logsource: product: windows category: ps_script @@ -18,7 +18,7 @@ detection: - '-psprovider ' - 'filesystem' - '-root ' - - '\\' + - '\\\\' - '$' condition: selection falsepositives: diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 60f5d49b7..c449009b1 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/06/20 +modified: 2022/08/09 logsource: category: process_access product: windows @@ -18,7 +18,8 @@ detection: SourceImage: 'C:\Windows\Explorer.EXE' falsepositive2: TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe' - SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe' + SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Temp\' + SourceImage|endswith: '\MicrosoftEdgeUpdate.exe' falsepositive3: TargetImage|endswith: 'vcredist_x64.exe' SourceImage|endswith: 'vcredist_x64.exe' diff --git a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml index 5fe6da531..2ee526a84 100644 --- a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml 
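Review bot: The first hunk rewrites the rule's creation `date` (`2022/01/01` → `2022/08/13`) instead of recording the change; every other rule touched by this commit adds a `modified:` line, so this one should keep `date: 2022/01/01` and add `modified: 2022/08/13` below it. The value change in the second hunk (`'\\'` → `'\\\\'`) is consistent with the other UNC-prefix fixes in the commit; that hunk's `selection` block starts outside the hunk.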
@@ -3,6 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0 description: Detects LSASS process access by LaZagne for credential dumping. status: stable date: 2020/09/09 +modified: 2022/08/13 author: Bhabesh Raj, Jonhnathan Ribeiro references: - https://twitter.com/bh4b3sh/status/1303674603819081728 @@ -17,8 +18,8 @@ detection: selection: TargetImage|endswith: '\lsass.exe' CallTrace|contains|all: - - 'C:\\Windows\\SYSTEM32\\ntdll.dll+' - - '|C:\\Windows\\System32\\KERNELBASE.dll+' + - 'C:\Windows\SYSTEM32\ntdll.dll+' + - '|C:\Windows\System32\KERNELBASE.dll+' - '_ctypes.pyd+' - 'python27.dll+' GrantedAccess: '0x1FFFFF' diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 1ea9488ab..51c980f05 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule) author: Florian Roth date: 2022/03/13 -modified: 2022/07/21 +modified: 2022/08/13 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow 
@@ -32,12 +32,14 @@ detection: - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe' - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' - 'C:\WINDOWS\system32\taskhostw.exe' - - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe' - 'C:\Program Files\Windows Defender\MsMpEng.exe' - 'C:\Windows\SysWOW64\msiexec.exe' - 'C:\Windows\System32\msiexec.exe' - 'C:\Windows\System32\lsass.exe' - 'C:\WINDOWS\System32\perfmon.exe' + - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' + - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' + - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' @@ -61,12 +63,6 @@ detection: - 'C:\Program Files\' - 'C:\Program Files (x86)\' SourceImage|contains: 'Antivirus' - filter7: - SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - filter8: - SourceImage: 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' - filter_mcafee: - SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' filter_nextron: # SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' # Can be a manual THOR installation SourceImage|endswith: @@ -95,6 +91,7 @@ detection: - '\DropboxUpdate.exe' - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' + - '\Programs\Microsoft VS Code\Code.exe' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml index f4bd71b95..5738bf3c8 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml 
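Review bot: Moving the VS Code entry from the full-path list to the `SourceImage|endswith` list as `'\Programs\Microsoft VS Code\Code.exe'` (third hunk) drops the `C:\Users\*\AppData\Local` constraint the old value carried, so any `Code.exe` under a `...\Programs\Microsoft VS Code\` directory on any drive is now excluded from an LSASS-access rule. Keeping the profile-relative part, `- '\AppData\Local\Programs\Microsoft VS Code\Code.exe'`, preserves the old scope while still avoiding the wildcard. The endswith list that receives the entry starts outside that hunk. The consolidation of the wmiprvse and McAfee paths into `filter1` is equivalent to the removed `filter7`/`filter8`/`filter_mcafee`.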
@@ -9,6 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: Florian Roth date: 2022/05/20 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -20,9 +21,9 @@ detection: - Company: AnyDesk Software GmbH filter: Image|contains: - - '\\AppData\\' - - 'Program Files (x86)\\AnyDesk' - - 'Program Files\\AnyDesk' + - '\AppData\' + - 'Program Files (x86)\AnyDesk' + - 'Program Files\AnyDesk' condition: selection and not filter falsepositives: - Legitimate use of AnyDesk from a non-standard folder diff --git a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml index 001409a2b..c1ed7c5f5 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml @@ -6,7 +6,7 @@ author: Florian Roth references: - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ date: 2019/02/21 -modified: 2022/06/28 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -19,7 +19,7 @@ detection: - '/C' - '/Q' - '/H' - - '\\' + - '\\\\' selection2: Image|endswith: '\adexplorer.exe' CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml index 1761c0054..043666225 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml 
@@ -22,7 +22,7 @@ logsource: detection: selection: CommandLine: - - 'net use \\%DomainController%\C$ "P@ssw0rd" *' + - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *' - 'dir c:\\*.doc* /s' - 'dir %TEMP%\\*.exe' condition: selection diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml index 1a7b53840..d705f7745 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml @@ -6,6 +6,7 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker tags: - attack.defense_evasion - attack.persistence @@ -13,6 +14,7 @@ tags: - attack.s0190 - attack.t1036.003 date: 2022/06/28 +modified: 2022/08/09 author: Florian Roth logsource: category: process_creation @@ -20,12 +22,12 @@ logsource: detection: selection: Image|endswith: '\bitsadmin.exe' - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_domain: - CommandLine|contains: + CommandLine|contains: - 'raw.githubusercontent.com' - 'gist.githubusercontent.com' - 'pastebin.com' @@ -38,6 +40,8 @@ detection: - '.ghostbin.co/' - 'ufile.io' - 'storage.googleapis.com' + - 'anonfiles.com' + - 'send.exploit.in' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml index 871b46ca3..7539879eb 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml 
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml @@ -4,34 +4,34 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48 description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell author: _pete_0, TheDFIRReport references: - - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf - - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ - - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ + - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf + - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/ + - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ date: 2022/05/06 modified: 2022/05/06 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|startswith: - - 'cmd.exe' - - 'c:\windows\system32\cmd.exe' - CommandLine|contains: - - Invoke-UserHunter - - Invoke-ShareFinder - - Invoke-Kerberoast - - Invoke-SMBAutoBrute - - Invoke-Nightmare - - zerologon - - av_query - Image|endswith: '\cmd.exe' - condition: selection + selection: + Image|endswith: '\cmd.exe' + CommandLine|startswith: + - 'cmd.exe' + - 'c:\windows\system32\cmd.exe' + CommandLine|contains: + - Invoke-UserHunter + - Invoke-ShareFinder + - Invoke-Kerberoast + - Invoke-SMBAutoBrute + - Invoke-Nightmare + - zerologon + - av_query + condition: selection fields: - - CommandLine + - CommandLine falsepositives: - - Unknown + - Unknown level: high tags: - - attack.execution - - attack.t1059.003 \ No newline at end of file + - attack.execution + - attack.t1059.003 
diff --git a/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml b/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml index b0ecd7906..ee40b2161 100644 --- a/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml +++ b/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml @@ -3,6 +3,7 @@ id: 689308fc-cfba-4f72-9897-796c1dc61487 status: test author: frack113 date: 2021/10/12 +modified: 2022/08/13 description: Conti ransomware command line ioc references: - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ @@ -21,7 +22,7 @@ detection: - '-net ' - '-size ' #size 10 in references - '-nomutex ' - - '-p \\' + - '-p \\\\' - '$' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml index bb69fd182..c5bac6632 100644 --- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml +++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml 
@@ -7,28 +7,28 @@ references: - https://attack.mitre.org/techniques/T1196/ - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins date: 2020/06/22 -modified: 2022/05/10 +modified: 2022/08/11 logsource: product: windows category: process_creation detection: - selection1: + selection_reg: + Image|endswith: '\reg.exe' + CommandLine|contains|all: + - 'add' + - 'CurrentVersion\Control Panel\CPLs' + selection_cpl: CommandLine|endswith: '.cpl' - filter: + filter_cpl_sys: CommandLine|contains: - '\System32\' - '%System%' - fp1_igfx: + filter_cpl_igfx: CommandLine|contains|all: - 'regsvr32 ' - ' /s ' - 'igfxCPL.cpl' - selection2: - Image|endswith: '\reg.exe' - CommandLine|contains: 'add' - selection3: - CommandLine|contains: 'CurrentVersion\Control Panel\CPLs' - condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3) + condition: selection_reg or (selection_cpl and not 1 of filter_cpl_*) falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_disable_service.yml b/rules/windows/process_creation/proc_creation_win_disable_service.yml new file mode 100644 index 000000000..06702301b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_disable_service.yml 
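Review bot: `filter_cpl_sys` still excludes any command line that merely contains `'\System32\'` or `'%System%'`, so if the event's CommandLine carries the full path of `control.exe` a `.cpl` from a user-writable directory is filtered out together with the legitimate system applets; since the rename touches these lines, tying the filter to the `.cpl` argument itself, e.g. `- '\System32\\*.cpl'` (where `\\*` is the Sigma escape for a backslash followed by a wildcard) and the analogous form for `%System%`, would close that gap. The restructure into `selection_reg` / `selection_cpl` is logically equivalent to the old condition. Verify the control.exe case against a sample event before changing the filter.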
@@ -0,0 +1,37 @@ +title: Sc Or Set-Service Cmdlet Execution to Disable Services +id: 85c312b7-f44d-4a51-a024-d671c40b49fc +status: experimental +description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled" +author: Nasreddine Bencherchali +references: + - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 +date: 2022/08/01 +logsource: + category: process_creation + product: windows +detection: + selection_sc_img: + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' + selection_sc_cli: + CommandLine|contains|all: + - ' config ' + - 'start' + CommandLine|contains: + - 'disabled' + - 'demand' + selection_pwsh: + CommandLine|contains|all: + - 'Set-Service' + - '-StartupType' + CommandLine|contains: + - 'Disabled' + - 'Manual' + condition: all of selection_sc_* or selection_pwsh +falsepositives: + - Administrators settings a service to disable via script or cli for testing purposes +level: medium +tags: + - attack.execution + - attack.defense_evasion + - attack.t1562.001 diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml index 41c4d86e2..b1aa88f29 100644 --- a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml @@ -6,6 +6,7 @@ references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj date: 2022/08/01 +modified: 2022/08/09 tags: - attack.defense_evasion - attack.t1574.002 
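Review bot: The title and description speak only of setting the startup type to "disabled", but `selection_sc_cli` also matches `'demand'` and `selection_pwsh` also matches `'Manual'`, so the rule fires on `start= demand` and `-StartupType Manual` as well; either drop those two values or widen the title/description to "disabled or manual". `selection_pwsh` has no image constraint, unlike `selection_sc_img`, so any process whose command line carries `Set-Service` and `-StartupType` matches, which may be intended but deserves a comment on that key. The falsepositives entry reads `Administrators settings a service` and should be `setting`.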
@@ -13,12 +14,14 @@ logsource: product: windows category: process_creation detection: - selection: + selection: Image|endswith: '\MpCmdRun.exe' legit_path: Image|startswith: # MpCmdRun resides in two locations - 'C:\Program Files\Windows Defender\' - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Windows\winsxs\x86_security-malware-windows-defender_' # found on Win7 i386 + - 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' # found on Win7 i386 condition: selection and not legit_path falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml index 1fe38d31d..38357a803 100644 --- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml @@ -19,7 +19,7 @@ detection: selection: CommandLine|contains: # Add more paths as they are discovered - '\Software\SimonTatham\PuTTY\Sessions' - - '\Software\\SimonTatham\\PuTTY\SshHostKeys\' + - '\Software\\SimonTatham\PuTTY\SshHostKeys\' - '\Software\Mobatek\MobaXterm\' - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin' - '\Software\Aerofox\FoxmailPreview' diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml index af0f12009..0086d558d 100644 --- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml 
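Review bot: The comment `# MpCmdRun resides in two locations` on `Image|startswith` is now stale, since the hunk grows the list to four entries; change it to `# MpCmdRun resides in several locations depending on the Windows version` (the two new entries already note Win7 i386). The last entry `'C:\Program Files\Microsoft Security Client\MpCmdRun.exe'` is a full path under a `startswith` modifier, which works but would read more precisely as an exact `Image` value in a separate filter.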
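Review bot: The changed value `'\Software\\SimonTatham\PuTTY\SshHostKeys\'` still mixes a doubled backslash before `SimonTatham` with single backslashes elsewhere; in Sigma both forms encode one literal backslash, so the match is unchanged, but the preceding list entry uses single backslashes throughout and this one should too: `- '\Software\SimonTatham\PuTTY\SshHostKeys\'`. The `selection` block continues outside the hunk.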
@@ -4,29 +4,31 @@ status: test description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). author: Florian Roth, oscd.community, Jonhnathan Ribeiro references: - - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ + - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ + - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ date: 2019/09/06 -modified: 2021/11/27 +modified: 2022/08/06 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: '\CurrentVersion\Image File Execution Options\' - selection2: - CommandLine|contains: - - 'sethc.exe' - - 'utilman.exe' - - 'osk.exe' - - 'magnify.exe' - - 'narrator.exe' - - 'displayswitch.exe' - - 'atbroker.exe' - condition: all of selection* + selection1: + CommandLine|contains: '\CurrentVersion\Image File Execution Options\' + selection2: + CommandLine|contains: + - 'sethc.exe' + - 'utilman.exe' + - 'osk.exe' + - 'magnify.exe' + - 'narrator.exe' + - 'displayswitch.exe' + - 'atbroker.exe' + - 'HelpPane.exe' + condition: all of selection* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.008 + - attack.persistence + - attack.privilege_escalation + - attack.t1546.008 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml index 5b7ef48c7..0963ea8cf 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml 
@@ -9,6 +9,7 @@ tags: - attack.t1105 author: frack113 date: 2021/11/26 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -16,7 +17,7 @@ detection: selection: CommandLine|contains|all: - diantz.exe - - ' \\' + - ' \\\\' - '.cab' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml index 7b7d0d1cd..686037a0e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml @@ -9,7 +9,7 @@ tags: - attack.t1105 author: frack113 date: 2021/11/26 -modified: 2022/07/08 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -24,7 +24,7 @@ detection: CommandLine|contains: - /C - /Y - - ' \\' + - ' \\\\' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml index fe63247ce..6d2b0f135 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml @@ -6,6 +6,7 @@ author: Florian Roth references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia date: 2022/02/25 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -15,7 +16,7 @@ detection: selection2: - CommandLine|contains: - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - - ' 1> \\127.0.0.1\ADMIN$\__16' + - ' 1> \\\\127.0.0.1\ADMIN$\__16' - CommandLine|contains|all: - 'powershell -c ' - '\comsvcs.dll MiniDump ' 
diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index 36f686290..46f530fb0 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml @@ -3,16 +3,18 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command that accesses password storing registry hives via volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 -modified: 2021/12/02 +modified: 2022/08/13 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection + - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ logsource: category: process_creation product: windows detection: selection_1: + #copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' selection_2: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml new file mode 100644 index 000000000..176c18fde --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml 
@@ -0,0 +1,25 @@ +title: Mshta Remotely Hosted HTA File Execution +id: b98d0db6-511d-45de-ad02-e82a98729620 +status: experimental +description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html +date: 2022/08/08 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\mshta.exe' + - OriginalFileName: 'MSHTA.EXE' + selection_cli: + CommandLine|contains: 'http' + condition: all of selection_* +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.execution + - attack.t1218.005 diff --git a/rules/windows/process_creation/proc_creation_win_net_enum.yml b/rules/windows/process_creation/proc_creation_win_net_enum.yml index 698626b70..35720fb76 100644 --- a/rules/windows/process_creation/proc_creation_win_net_enum.yml +++ b/rules/windows/process_creation/proc_creation_win_net_enum.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/10/30 -modified: 2019/11/11 +modified: 2022/08/13 tags: - attack.discovery - attack.t1018 @@ -21,7 +21,7 @@ detection: - '\net1.exe' CommandLine|contains: 'view' filter: - CommandLine|contains: \\\ + CommandLine|contains: \\\\ condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml new file mode 100644 index 000000000..745649667 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml 
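Review bot: `CommandLine|contains: 'http'` in `selection_cli` is a bare substring, so a local `.hta` whose path merely contains "http" (e.g. a `...\httpd\...` folder) fires this `level: high` rule with `falsepositives: Unknown`. Matching the scheme instead, `CommandLine|contains: ['http://', 'https://']`, keeps the remotely-hosted case the description targets; if the broader substring is deliberate (to catch `http:\\`-style variants), say so in a comment on the selection so it is not "fixed" later. Unlike the rundll32 rule added in this same commit, `selection_img` has no `CommandLine|contains: 'mshta'` alternative — fine if intentional, but worth aligning.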
@@ -0,0 +1,27 @@ +title: Netsh Firewall Rule Deletion +id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2 +status: experimental +description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh +author: frack113 +references: + - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/ +date: 2022/08/14 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'firewall' + - 'delete' + filter_dropbox: + ParentImage|endswith: '\Dropbox.exe' + CommandLine|contains: 'name=Dropbox' + condition: selection and not filter_dropbox +falsepositives: + - Legitimate administration +level: medium +tags: + - attack.defense_evasion + - attack.t1562.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml similarity index 54% rename from rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml rename to rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 4dea126c3..76b3888e5 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml 
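Review bot: `selection` identifies the process solely by `Image|endswith: '\netsh.exe'`, so a copied or renamed netsh.exe bypasses the rule; the other new rules in this commit (SafeBoot deletion, rundll32 UNC) pair the image check with an `OriginalFileName` alternative and this one should too. Split it into `selection_img: - Image|endswith: '\netsh.exe' - OriginalFileName: 'netsh.exe'` plus the existing `selection_cli`, with `condition: all of selection_* and not filter_dropbox`. The Dropbox exclusion requiring both the parent image and the rule name is reasonably tight, but `name=Dropbox` is a `contains` match, which is worth noting in a comment.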
@@ -1,24 +1,36 @@ -title: Use NTFS Short Name in Command Line -id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 +title: Use Short Name Path in Command Line +id: 349d891d-fef0-4fe4-bc53-eee623a15969 +related: + - id: a96970af-f126-420d-90e1-d37bf25e50e1 + type: similar status: experimental description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection author: frack113, Nasreddine Bencherchali references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN -date: 2022/08/05 + - https://twitter.com/frack113/status/1555830623633375232 +date: 2022/08/07 +modified: 2022/08/12 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: - - '~1.' - - '~2.' - condition: selection + CommandLine|contains: + - '~1\' + - '~2\' + filter: + - ParentImage: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe + - ParentImage|endswith: + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' + condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium tags: - attack.defense_evasion - - attack.t1564.004 + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml new file mode 100644 index 000000000..2263db78e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml 
@@ -0,0 +1,36 @@ +title: Use Short Name Path in Image +id: a96970af-f126-420d-90e1-d37bf25e50e1 +related: + - id: 349d891d-fef0-4fe4-bc53-eee623a15969 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/frack113/status/1555830623633375232 +date: 2022/08/07 +modified: 2022/08/12 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: + - '~1\' + - '~2\' + filter: + - ParentImage: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) + - ParentImage|endswith: + - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes + - '\thor\thor64.exe' + condition: selection and not filter +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. +level: high +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml new file mode 100644 index 000000000..4158116e8 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml 
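Review bot: `Image|contains: '~1\'` at `level: high` will match any executable launched from a directory Windows itself addresses by its 8.3 name — in some environments that includes user temp folders such as `C:\Users\JOHNDO~1\AppData\Local\Temp\...`, where installers and self-extracting updaters routinely run; the cleanmgr comment in the filter ("shortened username") already hints at this class. Either align the level with the companion command-line rule (`medium`) or describe that path class explicitly under `falsepositives` so analysts can triage it. The description also has a typo: `avoid Iamge detection` → `avoid Image detection`.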
@@ -0,0 +1,49 @@ +title: Use NTFS Short Name in Command Line +id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 +related: + - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/jonasLyk/status/1555914501802921984 +date: 2022/08/05 +modified: 2022/08/12 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '~1.exe' + - '~1.bat' + - '~1.msi' + - '~1.vbe' + - '~1.vbs' + - '~1.dll' + - '~1.ps1' + - '~1.js' + - '~1.hta' + - '~2.exe' + - '~2.bat' + - '~2.msi' + - '~2.vbe' + - '~2.vbs' + - '~2.dll' + - '~2.ps1' + - '~2.js' + - '~2.hta' + filter: + ParentImage|endswith: + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' + condition: selection and not filter +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. +level: medium +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml new file mode 100644 index 000000000..fceefa59e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml 
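Review bot: `selection` only lists `~1` and `~2` suffixes, but 8.3 name generation moves on to `~3` and `~4` once several long names in the same directory share a six-character prefix, so an attacker who creates a few colliding files can obtain a short name this rule never sees. Extend the list to `~3`/`~4` (or use a `re` modifier such as `~[0-9]\.(exe|bat|msi|vbe|vbs|dll|ps1|js|hta)` where the target backends support it) and state the limitation in the description. The extension list also omits `.cmd`, `.com`, `.scr`, `.cpl`, `.jse` and `.wsf` while including `.bat`, which is an odd gap for a command-line-evasion rule.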
@@ -0,0 +1,49 @@ +title: Use NTFS Short Name in Image +id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b +related: + - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/jonasLyk/status/1555914501802921984 +date: 2022/08/06 +modified: 2022/08/12 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: + - '~1.exe' + - '~1.bat' + - '~1.msi' + - '~1.vbe' + - '~1.vbs' + - '~1.dll' + - '~1.ps1' + - '~1.js' + - '~1.hta' + - '~2.exe' + - '~2.bat' + - '~2.msi' + - '~2.vbe' + - '~2.vbs' + - '~2.dll' + - '~2.ps1' + - '~2.js' + - '~2.hta' + filter: + ParentImage|endswith: + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_procdump.yml b/rules/windows/process_creation/proc_creation_win_procdump.yml index 697a761b2..6d34d0b8b 100644 --- a/rules/windows/process_creation/proc_creation_win_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_procdump.yml @@ -1,11 +1,12 @@ title: Procdump Usage id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20 -description: Detects uses of the SysInternals Procdump utility +description: Detects usage of the SysInternals Procdump utility status: experimental references: - Internal Research author: Florian Roth date: 2021/08/16 +modified: 2022/08/11 tags: - attack.defense_evasion - attack.t1036 
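Review bot: `falsepositives: - Unknown` contradicts the `filter` in the same rule, which already encodes two known benign parents (`\WebEx\WebexHost.exe`, `\thor\thor64.exe`); the sibling command-line rule documents this with "Applications could use this notation occasionally ... Investigate the parent and child process", and this rule should carry the same text so the `level: high` is understood as "after filtering known parents". As with the command-line variant, only `~1`/`~2` are covered while `~3`/`~4` are legitimate collision suffixes, and `.cmd`/`.com`/`.scr`/`.cpl` are missing from the extension list.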
@@ -14,15 +15,11 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: Image|endswith: - '\procdump.exe' - '\procdump64.exe' - selection2: - CommandLine|contains|all: - - ' -ma ' - - '.exe' - condition: selection1 or selection2 + condition: selection falsepositives: - Legitimate use of procdump by a developer or administrator level: medium diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml new file mode 100644 index 000000000..9ef55c3e1 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml @@ -0,0 +1,27 @@ +title: Delete SafeBoot Keys Via Reg Utility +id: fc0e89b5-adb0-43c1-b749-c12a10ec37de +status: experimental +description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products +references: + - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html +author: Nasreddine Bencherchali, Tim Shelton +date: 2022/08/08 +modified: 2022/08/12 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: 'reg.exe' + - OriginalFileName: 'reg.exe' + selection_delete: + CommandLine|contains|all: + - ' delete ' + - '\SYSTEM\CurrentControlSet\Control\SafeBoot' + condition: all of selection* +falsepositives: + - Unlikely +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml index b7ad621df..154a843e6 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml 
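Review bot: `Image|endswith: 'reg.exe'` in `selection_img` lacks the leading path separator, so it also matches any binary whose name merely ends in `reg.exe` (e.g. `myreg.exe`); the other reg rules in this commit use `'\reg.exe'`. Change it to `- Image|endswith: '\reg.exe'` — the `OriginalFileName` alternative already handles renamed copies, so the broader suffix buys nothing and only adds noise to a `level: high` rule.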
@@ -16,6 +16,7 @@ detection: selection_delete: CommandLine|contains: ' delete ' selection_key: + # Add specific services if you would like the rule to be more specific CommandLine|contains: '\SYSTEM\CurrentControlSet\services\' condition: all of selection* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml index 23a373ca5..59ecd7e3a 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml @@ -1,28 +1,28 @@ title: Enabling RDP Service via Reg.exe id: 0d5675be-bc88-4172-86d3-1e96a4476536 status: experimental -description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host +description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' subkeys author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 -modified: 2022/03/15 +modified: 2022/08/06 logsource: product: windows category: process_creation detection: - selection1: + selection_cli: Image|endswith: '\reg.exe' CommandLine|contains|all: - ' add ' - '\SYSTEM\CurrentControlSet\Control\Terminal Server' - 'REG_DWORD' - ' /f' - selection2: + selection_values_1: CommandLine|contains|all: - 'Licensing Core' - 'EnableConcurrentSessions' - selection3: + selection_values_2: CommandLine|contains: - 'WinStations\RDP-Tcp' - 'MaxInstanceCount' @@ -34,7 +34,7 @@ detection: - 'TSAdvertise' - 'AllowTSConnections' - 'fSingleSessionPerUser' - condition: selection1 and (selection2 or selection3) + condition: selection_cli and 1 of selection_values_* falsepositives: - Unknown level: high 
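Review bot: `selection_cli` still identifies the process only by `Image|endswith: '\reg.exe'`, so a renamed reg.exe bypasses the rule, whereas the SafeBoot rule added in this same commit also accepts `OriginalFileName: 'reg.exe'`; the rename of the selections is a good moment to split the image check into a `selection_img` with that alternative and use `condition: all of selection_* and 1 of selection_values_*`. The `REG_DWORD` and ` /f` requirements keep the rule narrow on purpose — a short comment on `selection_cli` saying so would stop a later "broadening" that reintroduces noise.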
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml index 87107e01e..9a09c3246 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml @@ -1,12 +1,15 @@ title: Renamed ProcDump id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 +related: + - id: 03795938-1387-481b-9f4c-3f6241e604fe + type: obsoletes status: test description: Detects the execution of a renamed ProcDump executable often used by attackers or malware references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2021/08/16 +modified: 2022/08/12 tags: - attack.defense_evasion - attack.t1036.003 @@ -14,22 +17,22 @@ logsource: product: windows category: process_creation detection: - selection1: + selection_org: OriginalFileName: 'procdump' - selection2: - CommandLine|contains|all: + selection_args_ma: + CommandLine|contains: - ' -ma ' + - ' /ma ' + selection_args_other: + CommandLine|contains: - ' -accepteula ' - selection3: - CommandLine|contains|all: - - ' -ma ' - - '.dmp' + - ' /accepteula ' filter: Image|endswith: - '\procdump.exe' - '\procdump64.exe' - condition: ( selection1 or selection2 or selection3 ) and not filter + condition: (selection_org or all of selection_args_*) and not filter falsepositives: - Procdump illegaly bundled with legitimate software - - Weird admins who renamed binaries + - Weird admins who renamed binaries (and should be investigated) level: high diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml new file mode 100644 index 000000000..61b84f36f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml 
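Review bot: Requiring both `-ma` and `-accepteula` (`all of selection_args_*`) misses a renamed ProcDump once the EULA has already been accepted, because Sysinternals tools persist the acceptance in the registry and later invocations commonly omit the flag; the dropped `selection3` (`-ma` together with `.dmp`) covered exactly that case and deserves to stay as a third alternative, e.g. `selection_args_dmp: CommandLine|contains|all: [' -ma ', '.dmp']` ORed with the others. The trailing space in `' -accepteula '` / `' /accepteula '` also means an invocation that ends with the flag is not matched; `' -accepteula'` without the trailing space is safer.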
@@ -0,0 +1,27 @@ +title: Rundll32 UNC Path Execution +id: 5cdb711b-5740-4fb2-ba88-f7945027afac +status: experimental +description: Detects rundll32 execution where the DLL is located on a remote location (share) +author: Nasreddine Bencherchali +date: 2022/08/10 +references: + - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code +tags: + - attack.defense_evasion + - attack.execution + - attack.t1021.002 + - attack.t1218.011 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: 'RUNDLL32.EXE' + - CommandLine|contains: 'rundll32' + selection_cli: + CommandLine|contains: ' \\\\' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sdelete.yml index 179b39028..b235477bd 100644 --- a/rules/windows/process_creation/proc_creation_win_sdelete.yml +++ b/rules/windows/process_creation/proc_creation_win_sdelete.yml @@ -3,6 +3,7 @@ id: a4824fca-976f-4964-b334-0621379e84c4 status: experimental author: frack113 date: 2021/06/03 +modified: 2022/08/13 description: Use of SDelete to erase a file not the free space references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md @@ -20,7 +21,7 @@ detection: - ' -h' - ' -c' - ' -z' - - ' /?' + - ' /\?' condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml index 1190e74c8..1ab7e528e 100644 --- a/rules/windows/process_creation/proc_creation_win_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml 
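Review bot: `tags` lists `attack.t1021.002` without its tactic, while the other two techniques do carry theirs; add `- attack.lateral_movement` or drop the sub-technique if lateral movement is not the intended scope. Also, `selection_img` accepts `CommandLine|contains: 'rundll32'` as an alternative to the image/OriginalFileName checks, so any process whose command line merely mentions rundll32 and contains ` \\` fires this `level: high` rule with `falsepositives: Unlikely` — a comment stating that this third alternative exists to catch indirect/LOLBin invocations would make the intent clear.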
@@ -2,9 +2,9 @@ title: Stop Windows Service id: eb87818d-db5d-49cc-a987-d5da331fbd90 description: Detects a windows service to be stopped status: experimental -author: Jakob Weinzettl, oscd.community +author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 -modified: 2022/06/20 +modified: 2022/08/08 tags: - attack.impact - attack.t1489 @@ -12,7 +12,7 @@ logsource: category: process_creation product: windows detection: - selection_img: + selection_sc_net_img: - OriginalFileName: - 'sc.exe' - 'net.exe' @@ -21,14 +21,17 @@ detection: - '\sc.exe' - '\net.exe' - '\net1.exe' - selection_cli: + selection_sc_net_cli: CommandLine|contains: 'stop' + selection_pwsh: + Image|endswith: '\powershell.exe' + CommandLine|contains: 'Stop-Service ' filter: CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: all of selection_* and not filter + condition: (all of selection_sc_net* and not filter) or selection_pwsh fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind.yml deleted file mode 100644 index 2e7aa684c..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_adfind.yml +++ /dev/null 
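Review bot: `selection_pwsh` only covers `\powershell.exe` and the literal `Stop-Service ` cmdlet name, so PowerShell 7 (`\pwsh.exe`), `powershell_ise.exe` and the built-in alias `spsv` are not caught, and unlike the sc/net branch it is not subject to `filter`. Extend it to `Image|endswith: ['\powershell.exe', '\pwsh.exe']` and `CommandLine|contains: ['Stop-Service ', 'spsv ']`, and note in the description that encoded (`-enc`) command lines will evade the PowerShell branch regardless.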
@@ -1,33 +0,0 @@ -title: Suspicious AdFind Execution -id: 75df3b17-8bcc-4565-b89b-c9898acef911 -status: experimental -description: Detects the execution of a AdFind for Active Directory enumeration -references: - - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md - - https://thedfirreport.com/2020/05/08/adfind-recon/ -author: FPT.EagleEye Team, omkar72, oscd.community -date: 2020/09/26 -modified: 2021/05/12 -tags: - - attack.discovery - - attack.t1018 - - attack.t1087.002 - - attack.t1482 - - attack.t1069.002 -logsource: - product: windows - category: process_creation -detection: - selection: - CommandLine|contains: - - 'objectcategory' - - 'trustdmp' - - 'dcmodes' - - 'dclist' - - 'computers_pwdnotreqd' - Image|endswith: '\adfind.exe' - condition: selection -falsepositives: - - Administrative activity -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml similarity index 69% rename from rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml rename to rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml index 41ff9f25c..b5c219af6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml 
@@ -1,19 +1,18 @@ -title: Suspicious AdFind Enumerate +title: Suspicious AdFind Enumeration id: 455b9d50-15a1-4b99-853f-8d37655a4c1b status: experimental -description: Detects the execution of a AdFind for enumeration +description: Detects the execution of a AdFind for enumeration based on it's commadline flags references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md author: frack113 date: 2021/12/13 +modified: 2022/08/12 logsource: product: windows category: process_creation detection: - selection: - Image|endswith: '\adfind.exe' - test_5: #Listing password policy + selection_password: #Listing password policy CommandLine|contains: - lockoutduration - lockoutthreshold @@ -23,14 +22,14 @@ detection: - minpwdlength - pwdhistorylength - pwdproperties - test_6: #Enumerate Active Directory Admins + selection_enum_ad: #Enumerate Active Directory Admins CommandLine|contains: '-sc admincountdmp' - test_8: #Enumerate Active Directory Exchange AD Objects + selection_enum_exchange: #Enumerate Active Directory Exchange AD Objects CommandLine|contains: '-sc exchaddresses' - condition: selection and 1 of test_* + condition: 1 of selection_* falsepositives: - Administrative activity -level: medium +level: high tags: - attack.discovery - attack.t1087.002 diff --git a/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml similarity index 67% rename from rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml rename to rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml index 93d568e96..b75743797 100644 --- a/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml 
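Review bot: Dropping the `Image|endswith: '\adfind.exe'` requirement catches renamed binaries, but `selection_password` now keys on bare LDAP attribute names (`lockoutduration`, `minpwdlength`, `pwdproperties`, ...) that can also appear in legitimate `dsquery`/`ldifde`/`Get-ADObject -Properties` command lines, so raising the level to `high` in the same change is likely to add noise. Consider keeping an image/OriginalFileName check for the password-policy branch only (`-sc admincountdmp` and `-sc exchaddresses` are AdFind-specific and can stay image-less), or leave the level at `medium` and list those admin tools under `falsepositives`. Minor: description typo `it's commadline` → `its command line`.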
@@ -1,24 +1,31 @@ title: AdFind Usage Detection id: 9a132afa-654e-11eb-ae93-0242ac130002 +related: + - id: 75df3b17-8bcc-4565-b89b-c9898acef911 + type: obsoletes status: test description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. -author: Janantha Marasinghe (https://github.com/blueteam0ps) +author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community references: - https://thedfirreport.com/2020/05/08/adfind-recon/ - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ + - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx + - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md date: 2021/02/02 -modified: 2021/02/02 +modified: 2022/08/12 tags: - attack.discovery - - attack.t1482 - attack.t1018 + - attack.t1087.002 + - attack.t1482 + - attack.t1069.002 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - 'domainlist' - 'trustdmp' - 'dcmodes' @@ -37,7 +44,8 @@ detection: - 'fspdmp' - 'users_noexpire' - 'computers_active' + - 'computers_pwdnotreqd' condition: selection falsepositives: - - Admin activity + - Legitimate admin activity level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml index a03d6071b..58b3afad5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml 
@@ -3,15 +3,18 @@ id: c73124a7-3e89-44a3-bdc1-25fe4df754b1 description: Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use) author: Max Altgelt, Tobias Michalski date: 2021/08/09 +modified: 2022/08/13 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection + - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ logsource: category: process_creation product: windows detection: selection: + #cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ CommandLine|contains: 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup.yml b/rules/windows/process_creation/proc_creation_win_susp_gup.yml index 4d09b1602..22e132d76 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_gup.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_gup.yml 
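Review bot: `contains: 'copy \\\\\?\\GLOBALROOT...'` requires exactly one space between `copy` and the path, so `copy /Y \\?\GLOBALROOT\...`, `copy /B ...`, and `xcopy`/`robocopy`/`esentutl /y` against the same path are not matched. Since the sibling Conti rule already matches the bare path prefix, either make this one `CommandLine|contains|all: ['copy ', '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy']` or state in the description that it intentionally covers only the plain `copy <path>` form shown in the new comment.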
@@ -6,20 +6,23 @@ author: Florian Roth references: - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html date: 2019/02/06 -modified: 2021/11/27 +modified: 2022/08/13 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\GUP.exe' - filter: + filter_end: Image|endswith: - - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' - - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' - '\Program Files\Notepad++\updater\GUP.exe' - '\Program Files (x86)\Notepad++\updater\GUP.exe' - condition: selection and not filter + filter_user: + Image|contains: '\Users\' + Image|endswith: + - '\AppData\Local\Notepad++\updater\GUP.exe' + - '\AppData\Roaming\Notepad++\updater\GUP.exe' + condition: selection and not 1 of filter_* falsepositives: - Execution of tools named GUP.exe and located in folders different than Notepad++\updater level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml new file mode 100644 index 000000000..da52f9558 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml 
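Review bot: `filter_user` excludes every `\Users\...\AppData\{Local,Roaming}\Notepad++\updater\GUP.exe`, which includes any profile directory an attacker controls (another user's profile on a shared host, or a path under `\Users\Public`), so a lookalike staged there never triggers this `level: high` rule. That matches what the old wildcard filter excluded, so it is not a regression, but a one-line comment on `filter_user` stating that per-user installs are trusted by path only — and a matching line under `falsepositives` — would help the next reviewer judge the trade-off.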
@@ -0,0 +1,26 @@ +title: Mshtml DLL RunHTMLApplication Abuse +id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c +related: + - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3 + type: derived +status: experimental +description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...) +author: Nasreddine Bencherchali +date: 2022/08/14 +references: + - https://twitter.com/n1nj4sec/status/1421190238081277959 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '\..\' + - 'mshtml' + - 'RunHTMLApplication' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml b/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml index 92d90d52a..92a5ef598 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ date: 2022/07/14 +modified: 2022/08/08 logsource: category: process_creation product: windows @@ -16,12 +17,12 @@ detection: - 'create' - 'config' CommandLine|contains|all: - - 'binPath=' - - 'type=' + - 'binPath' + - 'type' - 'kernel' condition: selection falsepositives: - - Legitimate installation of drivers via sc.exe + - Rare legitimate installation of kernel drivers via sc.exe level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml index a8b3ce72a..0ead24280 100644 
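Review bot: `tags` carries only `attack.defense_evasion` with no technique, although the behavior (rundll32 loading `mshtml.dll` via a protocol handler) maps to `attack.t1218.011`, which the derived rule `9f06447a` presumably already uses; add `- attack.t1218.011` and `- attack.execution` for parity. The description has a typo: `htpp` → `http`. The `'\..\'` requirement is what distinguishes this rule from a plain `rundll32 mshtml.dll,RunHTMLApplication` call — a comment on `selection` saying the traversal is intentional (it is the form in the referenced tweet) would prevent someone from widening it later.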
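Review bot: Relaxing `'binPath='`/`'type='` to `'binPath'`/`'type'` means `type` now matches as a substring of unrelated tokens and `kernel` can be satisfied by a path component (`C:\drivers\kernel\x.sys`), so the rule no longer guarantees that a `type= kernel` argument was actually given. If the goal was to tolerate the `type=kernel` vs `type= kernel` spacing variants, `CommandLine|contains: ['type=kernel', 'type= kernel']` preserves that intent; otherwise add a comment explaining why the looser match is accepted at `level: medium`.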
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml @@ -7,15 +7,15 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64 date: 2019/08/30 -modified: 2021/11/27 +modified: 2022/08/13 logsource: category: process_creation product: windows detection: selection: CommandLine|contains: - - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)' - - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);' + - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)' + - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump.yml deleted file mode 100644 index 7c3256d94..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_procdump.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -title: Suspicious Use of Procdump -id: 03795938-1387-481b-9f4c-3f6241e604fe -description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable. -status: experimental -references: - - Internal Research -author: Florian Roth -date: 2021/02/02 -modified: 2021/08/16 -tags: - - attack.defense_evasion - - attack.t1036 - - attack.t1003.001 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - ' -ma ' - - ' -accepteula ' - condition: selection -falsepositives: - - Another tool that uses the command line switches of Procdump - - Legitimate use of procdump by a developer or administrator -level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml index fbefa0c1f..c19213fc3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml @@ -6,7 +6,7 @@ references: - Internal Research author: Florian Roth date: 2018/10/30 -modified: 2021/02/02 +modified: 2022/08/12 tags: - attack.defense_evasion - attack.t1036 @@ -18,14 +18,12 @@ logsource: product: windows detection: selection1: - CommandLine|contains: ' -ma ' - selection2: - CommandLine|contains: ' lsass' - selection3: - CommandLine|contains|all: + CommandLine|contains: - ' -ma ' - - ' ls' - condition: ( selection1 and selection2 ) or selection3 + - ' /ma ' + selection2: + CommandLine|contains: ' ls' # Short for lsass + condition: all of selection* falsepositives: - Unlikely, because no one should dump an lsass process memory - Another tool that uses the command line switches of Procdump 
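Review bot: After the rewrite `selection2` (`' ls'`) is the only thing that ties a `-ma`/`/ma` dump to lsass, so a dump that names the target by PID (`procdump -ma 624`, which procdump accepts as far as I know) produces no match, and the generic `-ma -accepteula` rule deleted in the same commit no longer backstops it. Record the gap explicitly, e.g. a `# Note: dumps that address lsass by PID instead of name are not covered` comment next to `selection2`, or keep a lower-level companion selection on `' -ma '` plus `-accepteula`. The `# Short for lsass` comment is worth keeping, since `' ls'` on its own reads like an accident.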
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml index dfef79f64..8d41da599 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml @@ -21,6 +21,6 @@ detection: CommandLine|contains: ';document.write();GetObject("script' condition: 1 of selection* falsepositives: - - Unknown + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml deleted file mode 100644 index dad73ada0..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -title: Suspicious WMI Execution -id: 526be59f-a573-4eea-b5f7-f0973207634d -status: test -description: Detects WMI executing suspicious commands -author: Michael Haag, Florian Roth, juju4, oscd.community -references: - - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ - - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ -date: 2019/01/16 -modified: 2022/05/13 -logsource: - category: process_creation - product: windows -detection: - selection: - - Image|endswith: '\wmic.exe' - - OriginalFileName: 'wmic.exe' - selection2: - CommandLine|contains|all: - - 'process' - - 'call' - - 'create ' - recon_part1: - CommandLine|contains: ' path ' - recon_part2: - CommandLine|contains: - - 'AntiVirus' - - 'Firewall' - CommandLine|contains|all: - - 'Product' - - ' get ' - condition: (selection and selection2) or (selection and recon_part1 and recon_part2) -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine -level: medium -tags: - - attack.execution - - attack.t1047 - - car.2016-03-002 diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml new file mode 100644 index 000000000..0162bf4e0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml 
@@ -0,0 +1,43 @@ +title: Suspicious WMIC Execution +id: 526be59f-a573-4eea-b5f7-f0973207634d +status: test +description: Detects WMIC executing suspicious or recon commands +author: Michael Haag, Florian Roth, juju4, oscd.community +references: + - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ + - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 + - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ +date: 2019/01/16 +modified: 2022/05/13 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName: 'wmic.exe' + selection_process_call: + CommandLine|contains|all: + - 'process' + - 'call' + - 'create ' + recon_part1: + CommandLine|contains: ' path ' + recon_part2: + CommandLine|contains: + - 'AntiVirus' + - 'Firewall' + CommandLine|contains|all: + - 'Product' + - ' get ' + condition: all of selection_* or (selection_img and all of recon_*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine +level: medium +tags: + - attack.execution + - attack.t1047 + - car.2016-03-002 diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml new file mode 100644 index 000000000..a0f27bec9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml 
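Review bot: The `falsepositives` entry of the renamed WMIC rule is a Splunk hunting tip rather than a false-positive source, and `modified: 2022/05/13` was not bumped even though the title, description and selection identifiers changed in this commit. Suggest `falsepositives: - Legitimate administrative use of wmic for software inventory, e.g. querying AntiVirusProduct` and a `modified` date in line with the other rules touched here (August 2022). The new `condition: all of selection_* or (selection_img and all of recon_*)` is equivalent to the old `(selection and selection2) or (selection and recon_part1 and recon_part2)`, so coverage is unchanged.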
@@ -0,0 +1,49 @@ +title: Suspicious WMIC Execution - ProcessCallCreate +id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 +status: test +description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32"...etc +author: Florian Roth, Nasreddine Bencherchali +references: + - https://thedfirreport.com/2020/10/08/ryuks-return/ + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker +date: 2020/10/12 +modified: 2022/08/09 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'process ' + - 'call ' + - 'create ' + CommandLine|contains: + # Add more susupicious paths and binaries as you see fit in your env + - 'rundll32' + - 'bitsadmin' + - 'regsvr32' + - 'cmd.exe /c ' + - 'powershell' + - 'pwsh' + - 'certutil' + - 'cscript' + - 'wscript' + - 'mshta' + - '\Users\Public\' + - '\Windows\Temp\' + - '\AppData\Local\' + - '%temp%' + - '%ProgramData%' + - '%appdata%' + - '%comspec%' + - '%localappdata%' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high +tags: + - attack.execution + - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml deleted file mode 100644 index 19e8d3d73..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml +++ /dev/null 
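Review bot: The only cmd indicator in `proc_creation_win_susp_wmic_proc_create.yml` is `'cmd.exe /c '`, so `wmic process call create "cmd /c ..."` (the short form) falls through unless one of the listed paths or `%comspec%` happens to be present; add `- 'cmd /c '`, and since `/k` also executes, `- 'cmd /k '` and `- 'cmd.exe /k '`. The inline comment has a typo: `# Add more suspicious paths and binaries as you see fit in your env`. The rule keeps the id `3c89a1e8-...` of the deleted rundll32-only rule, which is fine for an in-place generalisation but presumably widens what downstream consumers keyed on that id receive.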
@@ -1,27 +0,0 @@ -title: Suspicious WMI Execution Using Rundll32 -id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 -status: test -description: Detects WMI executing rundll32 -author: Florian Roth -references: - - https://thedfirreport.com/2020/10/08/ryuks-return/ -date: 2020/10/12 -modified: 2021/11/27 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - 'process call create' - - 'rundll32' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high -tags: - - attack.execution - - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml b/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml index 25bfe1c0d..5f794a5c6 100644 --- a/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml @@ -4,14 +4,18 @@ status: test description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/08/10 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\tapinstall.exe' - condition: selection + filter_avast: + Image: + - 'C:\Program Files\Avast Software\SecureLine VPN\tapinstall.exe' + - 'C:\Program Files (x86)\Avast Software\SecureLine VPN\tapinstall.exe' + condition: selection and not 1 of filter* falsepositives: - Legitimate OpenVPN TAP insntallation level: medium diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml index 414d3c9b9..0d5fff882 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml 
@@ -2,9 +2,9 @@ title: NirCmd Tool Execution id: 4e2ed651-1906-4a59-a78a-18220fca1b22 status: experimental description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity -author: 'Florian Roth, Nasreddine Bencherchali @nas_bench' +author: Florian Roth, Nasreddine Bencherchali date: 2022/01/24 -modified: 2022/05/13 +modified: 2022/08/08 references: - https://www.nirsoft.net/utils/nircmd.html - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -19,6 +19,12 @@ logsource: detection: selection_org: OriginalFileName: 'NirCmd.exe' + selection_cmd: + CommandLine|contains: + - ' execmd ' + - '.exe script ' + - '.exe shexec ' + - ' runinteractive ' combo_exec: CommandLine|contains: - ' exec ' @@ -27,13 +33,7 @@ detection: CommandLine|contains: - ' show ' - ' hide ' - selection_cmd: - CommandLine|contains: - - ' execmd ' - - '.exe script ' - - '.exe shexec ' - - ' runinteractive ' - condition: (1 of selection*) or (combo_exec and combo_exec_params) + condition: 1 of selection* or all of combo_* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml index 838c0c83b..885b29159 100644 --- a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml 
@@ -4,27 +4,27 @@ status: experimental description: Detection of sc.exe utility adding a new service with special permission which hides that service. author: Andreas Hunkeler (@Karneades) references: - - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ + - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html + - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ date: 2021/12/20 -modified: 2022/05/13 +modified: 2022/08/08 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - sc: - - Image|endswith: '\sc.exe' - - OriginalFileName: 'sc.exe' - cli: - CommandLine|contains|all: - - 'sdset' - - 'DCLCWPDTSD' - condition: sc and cli + selection_img: + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' + selection_cli: + CommandLine|contains|all: + - 'sdset' + - 'DCLCWPDTSD' + condition: all of selection_* falsepositives: - - Intended use of hidden services + - Rare intended use of hidden services level: high tags: - - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1574.011 + - attack.persistence + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.011 diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml index aacaaae88..fb22b7b7d 100644 --- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml 
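Review bot: `selection_cli` still keys on the literal rights string `DCLCWPDTSD`, and SDDL access-right abbreviations inside an ACE are, as far as I know, order-independent, so `sc sdset svc D:(D;;DTSDDCLCWP;;;IU)...` hides the service just as well and slips past the rule. Since enumerating permutations in a Sigma string match is impractical, at least document the limitation with a `# Note: only the canonical DCLCWPDTSD ordering from the references is matched` comment above `selection_cli`, and consider a broader hunting selection on `sdset` together with `D;;`. The rename to `selection_img`/`selection_cli` with `all of selection_*` is behaviour-preserving.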
@@ -3,18 +3,24 @@ id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 status: test description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect author: Florian Roth +references: + - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp date: 2019/01/16 modified: 2021/11/27 logsource: category: process_creation product: windows detection: - selection: + selection_jdwp_transport: CommandLine|contains: 'transport=dt_socket,address=' + selection_old_jvm_version: + CommandLine|contains: + - jre1. + - jdk1. exclusion: - CommandLine|contains: 'address=127.0.0.1' - CommandLine|contains: 'address=localhost' - condition: selection and not exclusion + condition: all of selection* and not exclusion fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml new file mode 100644 index 000000000..601a65f63 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml 
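Review bot: AND-ing the new `selection_old_jvm_version` in through `all of selection*` means any JVM whose command line lacks `jre1.`/`jdk1.` — `java.exe` on PATH, or the `jdk-11`/`jdk-17` directory naming — no longer matches even when `address=*:5005` or `address=0.0.0.0:5005` explicitly binds every interface, which contradicts the unchanged title and description. If the intent is that JDK 9+ binds loopback-only when no host is given, gate only the bare-port form on the old version strings and add an explicit any-interface selection; note that `*` must be written `\*` in Sigma because it is otherwise a wildcard. `modified: 2021/11/27` also needs bumping, and the unquoted `- jre1.` / `- jdk1.` items should be quoted like the rest of the file.
```yaml
  selection_jdwp_transport:
    CommandLine|contains: 'transport=dt_socket,address='
  selection_old_jvm_version:
    CommandLine|contains:
      - 'jre1.'
      - 'jdk1.'
  selection_any_interface:
    CommandLine|contains:
      - 'address=\*:'
      - 'address=0.0.0.0:'
  # … unchanged: exclusion …
  condition: selection_jdwp_transport and (selection_old_jvm_version or selection_any_interface) and not exclusion
```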
@@ -0,0 +1,27 @@ +title: Wab Execution From Non Default Location +id: 395907ee-96e5-4666-af2e-2ca91688e151 +status: experimental +description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity +references: + - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime +author: Nasreddine Bencherchali +date: 2022/08/12 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\wab.exe' + filter: + Image|startswith: + - 'C:\Windows\WinSxS\' + - 'C:\Program Files\Windows Mail\' + - 'C:\Program Files (x86)\Windows Mail\' + condition: selection and not filter +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml new file mode 100644 index 000000000..ad84a9698 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml 
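Review bot: The `filter` hard-codes the `C:` drive in all three `Image|startswith` prefixes, so on a host with a different system drive every legitimate wab.exe launch becomes a high-level alert. Use drive-agnostic fragments instead, `Image|contains:` with `- ':\Windows\WinSxS\'`, `- ':\Program Files\Windows Mail\'`, `- ':\Program Files (x86)\Windows Mail\'`; the trade-off is that a writable secondary drive carrying such a tree would also pass, so if that matters keep `startswith` and list the drive letters you actually deploy. Sigma matching is case-insensitive by default, so the mixed-case paths themselves are not a concern.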
@@ -0,0 +1,29 @@ +title: Wab.Exe Unusual Parent Or Child Processes +id: 63d1ccc0-2a43-4f4b-9289-361b308991ff +status: experimental +description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity +references: + - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime +author: Nasreddine Bencherchali +date: 2022/08/12 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection_parent: + ParentImage|endswith: + # Add more if known + - \WmiPrvSE.exe + - \svchost.exe + - \dllhost.exe + Image|endswith: '\wab.exe' + selection_child: + ParentImage|endswith: '\wab.exe' + condition: 1 of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml rename to rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml index f8a9a26f5..3c46c5c1f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml @@ -25,4 +25,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml index ca584c21e..572e3ba60 100755 --- a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml 
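Review bot: `selection_child` matches every process whose parent is wab.exe, so contrary to the title the rule treats all children as unusual; Windows Contacts can plausibly launch a browser or mail client from a contact's links, which makes `falsepositives: - Unlikely` optimistic at `level: high`. Either add an `Image|endswith` list of the children you actually consider suspicious (`\cmd.exe`, `\powershell.exe`, `\rundll32.exe`, `\regsvr32.exe`, ...) to `selection_child`, or state in `falsepositives` that any child process is alerted on by design and why. Also quote the three `ParentImage|endswith` items (`- '\WmiPrvSE.exe'` etc.) for consistency with `'\wab.exe'` in the same block.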
@@ -16,16 +16,16 @@ logsource: product: windows category: registry_event detection: - selection: + selection: TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: selection -falsepositives: - - Unknown -level: high fields: - EventID - CommandLine - ParentCommandLine - Image - User - - TargetObject \ No newline at end of file + - TargetObject +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml index 03ff9e243..021550b27 100755 --- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml +++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml 
@@ -4,25 +4,25 @@ status: test description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. author: iwillkeepwatch references: - - https://attack.mitre.org/techniques/T1101/ - - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ + - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/ date: 2019/01/18 -modified: 2021/11/27 +modified: 2022/08/09 logsource: - category: registry_event - product: windows + category: registry_event + product: windows detection: - selection_registry: - TargetObject: - - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages' - - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages' - exclusion_images: - - Image: C:\Windows\system32\msiexec.exe - - Image: C:\Windows\syswow64\MsiExec.exe - condition: selection_registry and not exclusion_images + selection_registry: + TargetObject: + - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages' + - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages' + exclusion_images: + Image: + - 'C:\Windows\system32\msiexec.exe' + - 'C:\Windows\syswow64\MsiExec.exe' + condition: selection_registry and not exclusion_images falsepositives: - - Unlikely + - Unlikely level: critical tags: - - attack.persistence - - attack.t1547.005 + - attack.persistence + - attack.t1547.005 diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml index 7a542b20e..411041b6e 100755 --- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml +++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml 
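Review bot: `exclusion_images` discards every `Security Packages` write performed by `C:\Windows\system32\msiexec.exe` or `syswow64\MsiExec.exe`, so an SSP registered by a malicious or trojanised MSI package never reaches this `critical` rule; the blind spot predates this hunk, but the block is rewritten here and that is the place to at least record it. Suggest `falsepositives: - Unlikely; note that writes by msiexec.exe are excluded, so SSPs installed through MSI packages are not detected`, or narrow the exclusion further with a `Details` constraint on the package DLLs you expect. The change from a list of `- Image:` maps to one `Image:` list is equivalent (both OR), and dropping the retired T1101 reference is correct.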
@@ -5,9 +5,10 @@ description: Detects the usage and installation of a backdoor that uses an optio status: experimental references: - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ + - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community date: 2018/03/15 -modified: 2021/09/12 +modified: 2022/08/06 logsource: category: registry_event product: windows @@ -20,6 +21,8 @@ detection: - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger' - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger' + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger' condition: selection_registry falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index 2d0a77fdf..8a935e286 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/07/27 +modified: 2022/08/09 logsource: category: registry_set product: windows 
@@ -19,7 +19,7 @@ detection: system_control_base: EventType: SetValue TargetObject|contains: '\SYSTEM\CurrentControlSet\Control' - system_control: + system_control_keys: TargetObject|contains: - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - '\Terminal Server\Wds\rdpwd\StartupPrograms' @@ -45,7 +45,7 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: system_control_base and system_control and not 1 of filter_* + condition: all of system_control_* and not 1 of filter_* fields: - SecurityID - ObjectName diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml index 9a3c2b9f1..95aed74c3 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml @@ -42,3 +42,4 @@ level: medium tags: - attack.persistence - attack.t1547.001 + - attack.t1546.009 diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml new file mode 100644 index 000000000..36c464935 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml 
@@ -0,0 +1,25 @@ +title: Add Debugger Entry To DbgManagedDebugger For Persistence +id: 9827ae57-3802-418f-994b-d5ecf5cd974b +description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes +author: frack113 +date: 2022/08/07 +status: experimental +references: + - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ + - https://github.com/last-byte/PersistenceSniper +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger' + filter: + Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d' + condition: selection and not filter +falsepositives: + - Legitimate use of the key to setup a debugger. Which is often the case on developers machines +level: medium +tags: + - attack.persistence + - attack.t1574 diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml index 6dd183760..9c24bb969 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml 
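Review bot: The `filter` on the Visual Studio JIT debugger value is an exact `Details` match that embeds `C:\Windows\system32`, so the legitimate value written on a host with a different system drive will alert at `medium` despite being the documented default. Anchor on the tail instead: `Details|endswith: '\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'`. The `TargetObject|endswith` form is good, since the suffix covers both the native and the `Wow6432Node` key paths.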
@@ -1,9 +1,9 @@ title: Disable UAC Using Registry id: 48437c39-9e5f-47fb-af95-3d663c3f2919 -description: Disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 +description: Detects when an attacker tries to disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 author: frack113 date: 2022/01/05 -modified: 2022/03/26 +modified: 2022/08/06 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe @@ -13,7 +13,7 @@ logsource: detection: selection: EventType: SetValue - TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details: DWORD (0x00000000) condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 4f027f17d..f5e047e88 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/07/12 +modified: 2022/08/10 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 
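Review bot: The rewritten description still carries the pre-existing typo `User Account Conrol (UAC)`; since the line is being touched anyway, correct it to `Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key ... from 1 to 0`. The rest of this hunk is a date bump.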
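Review bot: The new `TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` is an unquoted plain scalar while the neighbouring `Details:` and the rest of the repository quote such values; quote it, and since the value name terminates the path prefer `TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'`, which is just as hive-agnostic but will not match an unrelated longer path. Dropping the exact `HKLM\...` form is reasonable because hive prefixes differ between log sources.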
@@ -21,8 +21,10 @@ detection: Image|endswith: '\Windows\system32\wevtutil.exe' #FP generated during installation of manifests via wevtutil filter_iis: Image|startswith: 'C:\Windows\winsxs\' - Image|endswith: '\TiWorker.exe' - TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-IIS-' + Image|endswith: '\TiWorker.exe' # many different TargetObjects + filter_fsmfd: + Image: 'C:\Windows\System32\svchost.exe' + TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' condition: selection and not 1 of filter* falsepositives: - Legitimate administrators disabling specific event log for troubleshooting diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml index fc5149ec4..f2d1a1811 100644 --- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml @@ -21,4 +21,4 @@ falsepositives: - Unlikely level: high tags: - - attack.persistence + - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml index fc561f8d1..2a49eed33 100644 --- a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml @@ -16,8 +16,8 @@ detection: TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify' condition: selection falsepositives: - - Unknown + - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurence in an environment and should be investigated either way level: high tags: - - attack.persistence + - attack.persistence 
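Review bot: `filter_iis` no longer carries a `TargetObject` constraint (the new comment says `# many different TargetObjects`), so it is now a generic TiWorker allow-list and the name misleads; rename it, e.g. `filter_tiworker: # TiWorker.exe (Windows Modules Installer) touches many channel keys during servicing`. Because the exclusion is now purely path-based, any channel disabled through the servicing stack is invisible to this rule; that is a defensible trade-off but belongs in `falsepositives` as a known limitation. `filter_fsmfd` is suitably narrow (exact svchost path plus the FileInfoMinifilter channel).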
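Review bot: The new falsepositives text speaks of a `SIP provider`, but the Winlogon `mpnotify` value, as far as I know, belongs to the Multiple Provider Notification (network provider) mechanism rather than to Subject Interface Packages, so the wording should be checked against the rule's reference; it also misspells `occurrence`. Suggested: `- Might trigger if a legitimate new network provider is registered, but this is not a common occurrence in an environment and should be investigated either way`.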
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml new file mode 100644 index 000000000..f5fbff59d --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -0,0 +1,21 @@ +title: Persistence Via AutodialDLL +id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 +description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library +status: experimental +author: Nasreddine Bencherchali +date: 2022/08/10 +references: + - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\Services\WinSock2\Parameters\AutodialDLL' + condition: selection +falsepositives: + - Unlikley +level: high +tags: + - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml new file mode 100644 index 000000000..4836d2feb --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml 
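Review bot: Two typos in the new AutodialDLL rule: the description reads `Detects change the the "AutodialDLL" key` (→ `Detects changes to the "AutodialDLL" key`) and `falsepositives: - Unlikley` (→ `Unlikely`). Since the value name terminates the path, `TargetObject|endswith: '\Services\WinSock2\Parameters\AutodialDLL'` is slightly tighter than `contains` with no loss of coverage.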
@@ -0,0 +1,22 @@ +title: Persistence Via MyComputer Key and SubKeys +id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 +description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) +status: experimental +author: Nasreddine Bencherchali +date: 2022/08/09 +references: + - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer' + TargetObject|endswith: '(Default)' + condition: selection +falsepositives: + - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for +level: high +tags: + - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 4fd312934..7cc7ca808 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/07/07 +modified: 2022/08/10 logsource: category: registry_set product: windows @@ -71,6 +71,9 @@ detection: Details|startswith: 'C:\ProgramData\Microsoft\' filter_gameservice: Details|contains: 'C:\WINDOWS\system32\GamingServicesProxy.dll' + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' + Details|contains: 'C:\Windows\System32\Autopilot.dll' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level 
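Review bot: `TargetObject|contains: '...\Explorer\MyComputer'` plus `endswith: '(Default)'` also matches `(Default)` writes under subkeys such as `MyComputer\NameSpace\{CLSID}`, which, if I recall correctly, ordinary software (cloud-storage shell extensions, for instance) sets when registering an Explorer namespace — a likely `high`-level false positive the `Unlikely` statement does not anticipate. Either restrict to the subkeys the referenced Hexacorn post covers (e.g. `\MyComputer\BackupPath\`, `\MyComputer\cleanuppath\`, `\MyComputer\DefragPath\`) or add `filter: TargetObject|contains: '\MyComputer\NameSpace\'` with `condition: selection and not filter`.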
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml index c78cb893c..f3c05aed5 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml @@ -12,15 +12,15 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: '\Services\' TargetObject|endswith: '\ImagePath' Details|contains: - - 'powershell' - - 'pwsh' + - 'powershell' + - 'pwsh' condition: selection -falsepositives: - - Unknown +falsepositives: + - Unknown level: high tags: - attack.execution diff --git a/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml b/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml deleted file mode 100755 index 3b0815014..000000000 --- a/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: RDP Registry Modification -id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 -status: test -description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections. -author: Roberto Rodriguez @Cyb3rWard0g -references: - - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html -date: 2019/09/12 -modified: 2022/03/26 -logsource: - category: registry_set - product: windows -detection: - selection: - EventType: SetValue - TargetObject|endswith: - - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication' - - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections' - Details: 'DWORD (0x00000000)' - condition: selection -fields: - - ComputerName - - Image - - EventType - - TargetObject -falsepositives: - - Unknown -level: high -tags: - - attack.defense_evasion - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml b/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml deleted file mode 100755 index fa8a24b10..000000000 --- a/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -title: RDP Sensitive Settings Changed -id: 171b67e1-74b4-460e-8d55-b331f3e32d67 -status: test -description: Detects changes to RDP terminal service sensitive settings -author: Samir Bousseaden, David ANDRE -references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html - - https://knowledge.insourcess.com/Supporting_Technologies/Wonderware/Tech_Notes/TN_WW213_How_to_shadow_an_established_RDP_Session_on_Windows_10_Pro - - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 - - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ -date: 2019/04/03 -modified: 2022/06/26 -logsource: - category: registry_set - product: windows -detection: - selection_reg: - EventType: SetValue - TargetObject|contains: - - '\services\TermService\Parameters\ServiceDll' - - '\Control\Terminal Server\fSingleSessionPerUser' - - '\Control\Terminal Server\fDenyTSConnections' - - '\Policies\Microsoft\Windows NT\Terminal Services\Shadow' - - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - condition: selection_reg -falsepositives: - - Unknown -level: high -tags: - - attack.defense_evasion - - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_set_servicedll.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml similarity index 80% rename from rules/windows/registry/registry_set/registry_set_set_servicedll.yml rename to rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 54492a306..474ba773b 100644 --- a/rules/windows/registry/registry_set/registry_set_set_servicedll.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml 
@@ -1,12 +1,13 @@ -title: ServiceDll Modification +title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -description: Detects the modification of a ServiceDLL value in the service settings +description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. author: frack113 date: 2022/02/04 -modified: 2022/04/21 +modified: 2022/08/10 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time + - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ logsource: category: registry_set product: windows diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml index 2f1f92be5..8766c4a55 100644 --- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml +++ b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml @@ -12,8 +12,8 @@ logsource: category: registry_set product: windows detection: - selection: - EventType: SetValue + selection: + EventType: SetValue TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection @@ -22,4 +22,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1546.012 \ No newline at end of file + - attack.t1546.012 diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml new file mode 100644 index 000000000..52af03166 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml 
@@ -0,0 +1,49 @@ +title: Suspicious Values In App Paths Default Property +id: 707e097c-e20f-4f67-8807-1f72ff4500d6 +description: | + Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence + The entries found under App Paths are used primarily for the following purposes. + First, to map an application's executable file name to that file's fully qualified path. + Second, to pre-pend information to the PATH environment variable on a per-application, per-process basis. +status: experimental +author: Nasreddine Bencherchali +references: + - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN +date: 2022/08/10 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths' + TargetObject|endswith: + - '(Default)' + - 'Path' + Details|contains: + # Add more suspicious paths or binaries as you see fit. + - '\Users\Public' + - '\AppData\Local\Temp\' + - '\Windows\Temp\' + - '\Desktop\' + - '\Downloads\' + - '%temp%' + - 'iex' + - 'Invoke-' + - 'rundll32' + - 'regsvr32' + - 'mshta' + - 'cscript' + - 'wscript' + - '.bat' + - '.hta' + - '.dll' + - '.ps1' + condition: selection +falsepositives: + - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it) +level: high +tags: + - attack.persistence + - attack.t1546.012 diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 182b322bc..5283cd144 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml 
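Review bot: `Details|contains: 'iex'` will also match Internet Explorer's own App Paths registration, whose Default value is a path ending in `\iexplore.exe`, because sigma string matching is case-insensitive, so this `level: high` rule fires on a routine servicing write; anchor the token (for example `- 'iex '` and `- 'iex('`) or add `filter_ie: Details|endswith: '\iexplore.exe'` with `condition: selection and not filter_ie`. The technique tag `attack.t1546.012` is the Image File Execution Options sub-technique that the SilentProcessExit rule earlier in this commit uses, and it does not describe App Paths; re-check the mapping before this lands. The falsepositives entry also has a typo, `from on of` → `from one of`.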
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/07/29 +modified: 2022/08/11 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ @@ -23,17 +23,16 @@ detection: filter_tiworker: Image|startswith: 'C:\Windows\' Image|endswith: '\TiWorker.exe' - TargetObject|contains: - - '\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{1A552422-F571-4376-A7F1-5941E63D7B40}' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\DeviceDirectoryClient\' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04622042-F26B-4CCA-815F-E7A8375D87E6}' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C130EB11-1FDE-4953-B222-F44EEC6E1E8B}' filter_svchost: Image: 'C:\WINDOWS\system32\svchost.exe' filter_ngen: Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' Image|endswith: '\ngen.exe' TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + filter_office_click_to_run: + Image: + - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe' condition: selection and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml new file mode 100644 index 000000000..c41ddf350 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml 
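Review bot: Dropping the `TargetObject|contains` list from `filter_tiworker` leaves `Image|startswith: 'C:\Windows\'` and `Image|endswith: '\TiWorker.exe'` as the only constraints, so any image named TiWorker.exe anywhere below `C:\Windows\`, including subdirectories that are not administrator-only such as `C:\Windows\Temp\`, is now excluded from the rule. The servicing-stack binary is installed under `C:\Windows\WinSxS\`, so `Image|startswith: 'C:\Windows\WinSxS\'` keeps the filter effective while closing that gap. The `selection` these filters are applied against starts above the hunk.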
@@ -0,0 +1,66 @@ +title: RDP Sensitive Settings Changed +id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c +related: + - id: 171b67e1-74b4-460e-8d55-b331f3e32d67 + type: obsoletes + - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3 + type: obsoletes +status: test +description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc +author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali +references: + - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique + - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html + - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ + - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information + - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information) +date: 2022/08/06 +logsource: + category: registry_set + product: windows +detection: + selection_shadow: + EventType: SetValue + TargetObject|contains: + - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\' + - '\Control\Terminal Server\' + TargetObject|endswith: '\Shadow' + Details: + - 'DWORD (0x00000001)' # Full Control with user’s permission + - 'DWORD (0x00000002)' # Full Control without 
user’s permission + - 'DWORD (0x00000003)' # View Session with user’s permission + - 'DWORD (0x00000004)' # View Session without user’s permission + selection_terminal_services_key: + EventType: SetValue + TargetObject|contains: + - '\Control\Terminal Server\' + - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\' + selection_terminal_services_values_0: + TargetObject|endswith: + - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled + - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions + - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established + Details: 'DWORD (0x00000000)' + selection_terminal_services_values_1: + TargetObject|endswith: + - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers + - '\fAllowUnsolicitedFullControl' + Details: 'DWORD (0x00000001)' + selection_tamper_only: + # Any changes to these keys should be suspicious and looked at + EventType: SetValue + TargetObject|contains: + - '\services\TermService\Parameters\ServiceDll' # RDP hijacking + - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. + - '\Control\Terminal Server\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. + - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer. 
+ condition: selection_shadow or (selection_terminal_services_key and 1 of selection_terminal_services_values_*) or selection_tamper_only +falsepositives: + - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way) +level: high +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 06fe32d49..d0a413eb6 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -12,6 +12,7 @@ references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker status: experimental logsource: product: windows @@ -27,6 +28,7 @@ detection: - '\Real-Time Protection\DisableOnAccessProtection' - '\Real-Time Protection\DisableRealtimeMonitoring' - '\Real-Time Protection\DisableScanOnRealtimeEnable' + - '\Reporting\DisableEnhancedNotifications' - '\SpyNet\DisableBlockAtFirstSeen' - '\DisableAntiSpyware' - '\DisableAntiVirus' diff --git a/tests/cti b/tests/cti new file mode 160000 index 000000000..e78357f1f --- /dev/null +++ b/tests/cti @@ -0,0 +1 @@ +Subproject commit e78357f1f3cf1ac4e9f2aa04ac0ff831260305a7 diff --git a/tests/test_rules.py b/tests/test_rules.py index 74e87ce44..cd74c0fae 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
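Review bot: `selection_tamper_only` includes `\services\TermService\Parameters\ServiceDll`, which the renamed rule registry_set_servicedll_hijack (612e47e9-8a59-43a6-b404-f48683f45bd6, earlier in this commit) already matches for every service, so a single ServiceDll write now raises two high-level alerts; either drop that entry here or document the overlap with a `related` entry of `type: similar`. The inline comments carry typos that will trip up readers: `pecify` → `specify` (three occurrences), `Shadow RPD` → `Shadow RDP`, and the comment on the etutorials reference lacks its closing parenthesis. `status: test` also looks early for a new rule whose `selection_shadow` and `fAllowUnsolicited*` selections have no history in the two obsoleted rules; `status: experimental` is what this commit uses for its other new rules.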
@@ -14,21 +14,24 @@ from attackcti import attack_client from colorama import init from colorama import Fore + class TestRules(unittest.TestCase): - MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list - MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] + MITRE_TECHNIQUE_NAMES = [ + "process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list + MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", + "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} path_to_rules = "rules" # Helper functions - def yield_next_rule_file_path(self, path_to_rules:str) -> str: + def yield_next_rule_file_path(self, path_to_rules: str) -> str: for root, _, files in os.walk(path_to_rules): for file in files: yield os.path.join(root, file) - def get_rule_part(self, file_path:str, part_name:str): + def get_rule_part(self, file_path: str, part_name: str): yaml_dicts = self.get_rule_yaml(file_path) for yaml_part in yaml_dicts: if part_name in yaml_part.keys(): @@ -36,10 +39,10 @@ class TestRules(unittest.TestCase): return None - def get_rule_yaml(self, file_path:str) -> dict: + def get_rule_yaml(self, file_path: str) -> dict: data = [] - with open(file_path,encoding='utf-8') as f: + with open(file_path, encoding='utf-8') as f: yaml_parts = yaml.safe_load_all(f) for part in yaml_parts: data.append(part) 
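Review bot: The reflowed `MITRE_TECHNIQUE_NAMES` literal still lists `"process_injection"` twice; since the formatter touched this line anyway, drop the duplicate (the `# incomplete list` comment refers to missing entries, not repeated ones). The re-typed signatures also keep return annotations that contradict their bodies: `yield_next_rule_file_path` is a generator, so `-> Iterator[str]` (from `typing`) rather than `-> str`, and `get_rule_yaml` in the second hunk builds and returns a `list`, so `-> list` rather than `-> dict`. Both are annotation-only changes and do not alter what the tests do.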
@@ -51,37 +54,39 @@ class TestRules(unittest.TestCase): # files_with_incorrect_extensions = [] # for file in self.yield_next_rule_file_path(self.path_to_rules): - # file_name_and_extension = os.path.splitext(file) - # if len(file_name_and_extension) == 2: - # extension = file_name_and_extension[1] - # if extension != ".yml": - # files_with_incorrect_extensions.append(file) + # file_name_and_extension = os.path.splitext(file) + # if len(file_name_and_extension) == 2: + # extension = file_name_and_extension[1] + # if extension != ".yml": + # files_with_incorrect_extensions.append(file) # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + - # "There are rule files with extensions other than .yml") + # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - with open(file, 'r',encoding='utf-8') as fh: + with open(file, 'r', encoding='utf-8') as fh: file_data = fh.read() for tm in self.TRADE_MARKS: if tm in file_data: files_with_legal_issues.append(file) self.assertEqual(files_with_legal_issues, [], Fore.RED + - "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") def test_optional_tags(self): files_with_incorrect_tags = [] - tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") + tags_pattern = re.compile( + r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") for file in self.yield_next_rule_file_path(self.path_to_rules): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: if tags_pattern.match(tag) == None: - 
print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) + print( + Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) files_with_incorrect_tags.append(file) self.assertEqual(files_with_incorrect_tags, [], Fore.RED + @@ -95,7 +100,8 @@ class TestRules(unittest.TestCase): if tags: for tag in tags: if tag not in MITRE_ALL and tag.startswith("attack."): - print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) + print( + Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + @@ -110,7 +116,8 @@ class TestRules(unittest.TestCase): known_tags = [] for tag in tags: if tag in known_tags: - print(Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag)) + print( + Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) else: known_tags.append(tag) @@ -119,14 +126,14 @@ class TestRules(unittest.TestCase): "There are rules with duplicate tags") def test_look_for_duplicate_filters(self): - def check_list_or_recurse_on_dict(item, depth:int) -> None: + def check_list_or_recurse_on_dict(item, depth: int) -> None: if type(item) == list: check_if_list_contain_duplicates(item, depth) elif type(item) == dict and depth <= MAX_DEPTH: for sub_item in item.values(): check_list_or_recurse_on_dict(sub_item, depth + 1) - def check_if_list_contain_duplicates(item:list, depth:int) -> None: + def check_if_list_contain_duplicates(item: list, depth: int) -> None: try: if len(item) != len(set(item)): print(Fore.RED + "Rule {} has duplicate filters".format(file)) 
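Review bot: The reflowed `tags_pattern` in `test_optional_tags` is used with `re.match`, which anchors only at the start, so a tag such as `attack.persistence-x` or `attack.t1059.001.bogus` still passes; end the pattern with `$` (`r"(?:cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3})$"`) or use `re.fullmatch`. `attack\.t\d+\.*\d*` also accepts `attack.t1059..001` because `\.*` allows any number of dots; `\.?` is the intended form. On the next line `tags_pattern.match(tag) == None` should be `is None`, and in the `test_look_for_duplicate_filters` hunk further down `type(item) == list` / `type(item) == dict` would read better as `isinstance` checks.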
@@ -141,7 +148,8 @@ class TestRules(unittest.TestCase): files_with_duplicate_filters = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") check_list_or_recurse_on_dict(detection, 1) self.assertEqual(files_with_duplicate_filters, [], Fore.RED + @@ -152,24 +160,27 @@ class TestRules(unittest.TestCase): for key, value in fields.items(): if " " in key: faulty.append(key) - print(Fore.YELLOW + "Rule {} has a space in field name ({}).".format(file, key)) + print( + Fore.YELLOW + "Rule {} has a space in field name ({}).".format(file, key)) if type(value) == dict: key_iterator(value, faulty) faulty_fieldnames = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") key_iterator(detection, faulty_fieldnames) self.assertEqual(faulty_fieldnames, [], Fore.RED + - "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character '_' )") + "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character '_' )") def test_single_named_condition_with_x_of_them(self): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path = file) - detection = self.get_rule_part(file_path = file, part_name = "detection") + yaml = self.get_rule_yaml(file_path=file) + detection = self.get_rule_part( + file_path=file, part_name="detection") has_them_in_condition = "them" in detection["condition"] has_only_one_named_condition = len(detection) == 2 
@@ -187,7 +198,8 @@ class TestRules(unittest.TestCase): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") if "all of them" in detection["condition"]: faulty_detections.append(file) @@ -196,14 +208,14 @@ class TestRules(unittest.TestCase): "There are rules using 'all of them'. Better use e.g. 'all of selection*' instead (and use the 'selection_' prefix as search-identifier).") def test_duplicate_detections(self): - def compare_detections(detection1:dict, detection2:dict) -> bool: + def compare_detections(detection1: dict, detection2: dict) -> bool: # detections not the same count can't be the same if len(detection1) != len(detection2): return False for named_condition in detection1: - #don't check timeframes + # don't check timeframes if named_condition == "timeframe": continue @@ -218,11 +230,10 @@ class TestRules(unittest.TestCase): if named_condition not in detection2: return False - #can not be the same if len is not equal + # can not be the same if len is not equal if len(detection1[named_condition]) != len(detection2[named_condition]): return False - for condition in detection1[named_condition]: if type(condition) != str: return False 
@@ -241,11 +252,13 @@ class TestRules(unittest.TestCase): files_and_their_detections = {} for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") - logsource = self.get_rule_part(file_path = file, part_name = "logsource") + detection = self.get_rule_part( + file_path=file, part_name="detection") + logsource = self.get_rule_part( + file_path=file, part_name="logsource") detection["logsource"] = {} detection["logsource"].update(logsource) - yaml = self.get_rule_yaml(file_path = file) + yaml = self.get_rule_yaml(file_path=file) is_multipart_yaml_file = len(yaml) != 1 if is_multipart_yaml_file: @@ -264,7 +277,8 @@ class TestRules(unittest.TestCase): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") detection_str = str(detection).lower() if "'source': 'eventlog'" in detection_str: faulty_detections.append(file) @@ -275,7 +289,7 @@ class TestRules(unittest.TestCase): def test_event_id_instead_of_process_creation(self): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - with open(file,encoding='utf-8') as f: + with open(file, encoding='utf-8') as f: for line in f: if re.search(r'.*EventID: (?:1|4688)\s*$', line) and file not in faulty_detections: faulty_detections.append(file) 
@@ -292,10 +306,12 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has no field 'id'.".format(file)) faulty_rules.append(file) elif len(id) != 36: - print(Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) faulty_rules.append(file) elif id in dict_id.keys(): - print(Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file,dict_id[id])) + print( + Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file, dict_id[id])) faulty_rules.append(file) else: dict_id[id] = file @@ -311,13 +327,15 @@ class TestRules(unittest.TestCase): "merged", "renamed", "similar" - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): - related_lst = self.get_rule_part(file_path=file, part_name="related") + related_lst = self.get_rule_part( + file_path=file, part_name="related") if related_lst: # it exists but isn't a list if not isinstance(related_lst, list): - print(Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) faulty_rules.append(file) else: # should probably test if we have only 'id' and 'type' ... @@ -326,10 +344,11 @@ class TestRules(unittest.TestCase): id_str = ref['id'] type_str = ref['type'] if not type_str in valid_type: - type_ok = False - #Only add one time if many bad type in the same file + type_ok = False + # Only add one time if many bad type in the same file if type_ok == False: - print(Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
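Review bot: In the `related` hunk, `if not type_str in valid_type:` and `if type_ok == False:` are written against the idiom; `if type_str not in valid_type:` and `if not type_ok:` say the same thing and are what linters expect. The same `not x in` form appears in the status and level checks of the `@@ -417` and `@@ -439` hunks further down. Since this commit is a pure reformat pass, fixing these here keeps the file consistent with the style it is being moved to.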
@@ -338,14 +357,16 @@ class TestRules(unittest.TestCase): def test_sysmon_rule_without_eventid(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") + logsource = self.get_rule_part( + file_path=file, part_name="logsource") if logsource: service = logsource.get('service', '') if service.lower() == 'sysmon': - with open(file,encoding='utf-8') as f: + with open(file, encoding='utf-8') as f: found = False for line in f: - if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines + # might be on a single line or in multiple lines + if re.search(r'.*EventID:.*$', line): found = True break if not found: @@ -362,13 +383,16 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has no field 'date'.".format(file)) faulty_rules.append(file) elif not isinstance(datefield, str): - print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif len(datefield) != 10: - print(Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif datefield[4] != '/' or datefield[7] != '/': - print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
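Review bot: The date check reformatted here only verifies a 10-character string with `/` at positions 4 and 7, so `2022/13/45` or `abcd/ef/gh` passes as a well-formed date; parse it instead, e.g. `datetime.datetime.strptime(datefield, "%Y/%m/%d")` inside a `try` that treats `ValueError` as the malformed case (`datetime` is stdlib and needs an import at the top of the file). The same pattern is used for `modified` in the `@@ -394,16 +421,20 @@` hunk and the fix applies there too. The function containing this check begins above the hunk.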
@@ -377,15 +401,18 @@ class TestRules(unittest.TestCase): def test_missing_description(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - descriptionfield = self.get_rule_part(file_path=file, part_name="description") + descriptionfield = self.get_rule_part( + file_path=file, part_name="description") if not descriptionfield: print(Fore.YELLOW + "Rule {} has no field 'description'.".format(file)) faulty_rules.append(file) elif not isinstance(descriptionfield, str): - print(Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) faulty_rules.append(file) elif len(descriptionfield) < 16: - print(Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) + print( + Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -394,16 +421,20 @@ class TestRules(unittest.TestCase): def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - modifiedfield = self.get_rule_part(file_path=file, part_name="modified") + modifiedfield = self.get_rule_part( + file_path=file, part_name="modified") if modifiedfield: if not isinstance(modifiedfield, str): - print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif len(modifiedfield) != 10: - print(Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif modifiedfield[4] != '/' or modifiedfield[7] != '/': - print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -417,15 +448,17 @@ class TestRules(unittest.TestCase): "experimental", "deprecated", "unsupported" - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): status_str = self.get_rule_part(file_path=file, part_name="status") if status_str: if not status_str in valid_status: - print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) + print( + Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) faulty_rules.append(file) elif status_str == "unsupported": - print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file)) + print( + Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -439,15 +472,16 @@ class TestRules(unittest.TestCase): "medium", "high", "critical", - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): level_str = self.get_rule_part(file_path=file, part_name="level") if not level_str: print(Fore.YELLOW + "Rule {} has no field 'level'.".format(file)) faulty_rules.append(file) elif not level_str in valid_level: - print(Fore.YELLOW + "Rule {} has a invalid 'level' (check wiki).".format(file)) - faulty_rules.append(file) + print( + Fore.YELLOW + "Rule {} has a invalid 'level' (check wiki).".format(file)) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") @@ -459,7 +493,8 @@ class TestRules(unittest.TestCase): if fields_str: # it exists but isn't a list if not isinstance(fields_str, list): - print(Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -468,11 +503,13 @@ class TestRules(unittest.TestCase): def test_optional_falsepositives_listtype(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - falsepositives_str = self.get_rule_part(file_path=file, part_name="falsepositives") + falsepositives_str = self.get_rule_part( + file_path=file, part_name="falsepositives") if falsepositives_str: # it exists but isn't a list if not isinstance(falsepositives_str, list): - print(Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -481,13 +518,15 @@ class TestRules(unittest.TestCase): def test_optional_falsepositives_capital(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - fps = self.get_rule_part(file_path=file, part_name="falsepositives") + fps = self.get_rule_part( + file_path=file, part_name="falsepositives") if fps: for fp in fps: # first letter should be capital try: if fp[0].upper() != fp[0]: - print(Fore.YELLOW + "Rule {} defines a falsepositive that does not start with a capital letter: '{}'.".format(file, fp)) + print( + Fore.YELLOW + "Rule {} defines a falsepositive that does not start with a capital letter: '{}'.".format(file, fp)) faulty_rules.append(file) except TypeError as err: print("TypeError Exception for rule {}".format(file)) 
@@ -502,16 +541,19 @@ class TestRules(unittest.TestCase): banned_words = ["none", "pentest", "penetration test"] common_typos = ["unkown", "ligitimate", "legitim ", "legitimeate"] for file in self.yield_next_rule_file_path(self.path_to_rules): - fps = self.get_rule_part(file_path=file, part_name="falsepositives") + fps = self.get_rule_part( + file_path=file, part_name="falsepositives") if fps: for fp in fps: for typo in common_typos: if fp == "Unknow" or typo in fp.lower(): - print(Fore.YELLOW + "Rule {} defines a falsepositive with a common typo: '{}'.".format(file, typo)) + print( + Fore.YELLOW + "Rule {} defines a falsepositive with a common typo: '{}'.".format(file, typo)) faulty_rules.append(file) for banned_word in banned_words: if banned_word in fp.lower(): - print(Fore.YELLOW + "Rule {} defines a falsepositive with an invalid reason: '{}'.".format(file, banned_word)) + print( + Fore.YELLOW + "Rule {} defines a falsepositive with an invalid reason: '{}'.".format(file, banned_word)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -525,7 +567,8 @@ class TestRules(unittest.TestCase): if author_str: # it exists but isn't a string if not isinstance(author_str, str): - print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -534,10 +577,12 @@ class TestRules(unittest.TestCase): def test_optional_license(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - license_str = self.get_rule_part(file_path=file, part_name="license") + license_str = self.get_rule_part( + file_path=file, part_name="license") if license_str: if not isinstance(license_str, str): - print(Fore.YELLOW + "Rule {} has a malformed 'license' (has to be a string).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'license' (has to be a string).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -550,16 +595,18 @@ class TestRules(unittest.TestCase): "GREEN", "AMBER", "RED", - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): tlp_str = self.get_rule_part(file_path=file, part_name="tlp") if tlp_str: # it exists but isn't a string if not isinstance(tlp_str, str): - print(Fore.YELLOW + "Rule {} has a 'tlp' field that isn't a string.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'tlp' field that isn't a string.".format(file)) faulty_rules.append(file) elif not tlp_str.upper() in valid_tlp: - print(Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -572,7 +619,8 @@ class TestRules(unittest.TestCase): if target: # it exists but isn't a list if not isinstance(target, list): - print(Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -581,15 +629,17 @@ class TestRules(unittest.TestCase): def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - references = self.get_rule_part(file_path=file, part_name="references") + references = self.get_rule_part( + file_path=file, part_name="references") # Reference field doesn't exist # if not references: - # print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) - # faulty_rules.append(file) + # print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) + # faulty_rules.append(file) if references: # it exists but isn't a list if not isinstance(references, list): - print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -598,7 +648,8 @@ class TestRules(unittest.TestCase): def test_references_plural(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - reference = self.get_rule_part(file_path=file, part_name="reference") + reference = self.get_rule_part( + file_path=file, part_name="reference") if reference: # it exists but in singular form faulty_rules.append(file) 
@@ -616,16 +667,20 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} is a duplicate file name.".format(file)) faulty_rules.append(file) elif filename[-4:] != ".yml": - print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file)) + print(Fore.YELLOW + + "Rule {} has a invalid extension (.yml).".format(file)) faulty_rules.append(file) elif len(filename) > 74: - print(Fore.YELLOW + "Rule {} has a file name too long >70.".format(file)) + print(Fore.YELLOW + + "Rule {} has a file name too long >70.".format(file)) faulty_rules.append(file) elif len(filename) < 14: - print(Fore.YELLOW + "Rule {} has a file name too short <10.".format(file)) + print(Fore.YELLOW + + "Rule {} has a file name too short <10.".format(file)) faulty_rules.append(file) elif filename_pattern.match(filename) == None or not '_' in filename: - print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) name_lst.append(filename) @@ -635,27 +690,27 @@ class TestRules(unittest.TestCase): def test_title(self): faulty_rules = [] allowed_lowercase_words = [ - 'the', - 'for', - 'in', - 'with', - 'via', - 'on', - 'to', - 'without', - 'of', - 'through', - 'from', - 'by', - 'as', - 'a', - 'or', - 'at', - 'and', - 'an', - 'over', - 'new', - ] + 'the', + 'for', + 'in', + 'with', + 'via', + 'on', + 'to', + 'without', + 'of', + 'through', + 'from', + 'by', + 'as', + 'a', + 'or', + 'at', + 'and', + 'an', + 'over', + 'new', + ] for file in self.yield_next_rule_file_path(self.path_to_rules): title = self.get_rule_part(file_path=file, part_name="title") if not title: 
@@ -663,10 +718,12 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) continue elif len(title) > 70: - print(Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) + print( + Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) faulty_rules.append(file) if title.startswith("Detects "): - print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) + print( + Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) faulty_rules.append(file) if title.endswith("."): print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) @@ -676,7 +733,8 @@ class TestRules(unittest.TestCase): if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit(): wrong_casing.append(word) if len(wrong_casing) > 0: - print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing))) + print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format( + file, ", ".join(wrong_casing))) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -695,22 +753,24 @@ class TestRules(unittest.TestCase): # title is the attribute given in the 1st line # (also assumes dict keeps the order from the input file) if list(yaml[0].keys())[0] != "title": - print(Fore.RED + "Rule {} does not have its 'title' attribute in the first line".format(file)) + print( + Fore.RED + "Rule {} does not have its 'title' attribute in the first line".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules without the 'title' attribute in their first line.") + "There are rules without the 'title' attribute in their first line.") def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ - 'category', - 'product', - 'service', - 'definition', - ] + 'category', + 'product', + 'service', + 'definition', + ] for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") + logsource = self.get_rule_part( + file_path=file, part_name="logsource") if not logsource: print(Fore.RED + "Rule {} has no 'logsource'.".format(file)) faulty_rules.append(file) 
@@ -718,44 +778,52 @@ class TestRules(unittest.TestCase): valid = True for key in logsource: if key.lower() not in valid_logsource: - print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) + print( + Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) valid = False - elif not isinstance(logsource[key],str): - print(Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) + elif not isinstance(logsource[key], str): + print( + Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) valid = False if not valid: - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") - def test_selection_list_one_value(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") if detection: valid = True for key in detection: - if isinstance(detection[key],list): - if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term - print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) + if isinstance(detection[key], list): + # rule with only list of Keywords term + if len(detection[key]) == 1 and not isinstance(detection[key][0], str): + print( + Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) valid = False - if isinstance(detection[key],dict): + if isinstance(detection[key], dict): for sub_key in detection[key]: - if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" + # split in 2 if as get a error "int has 
not len()" + if isinstance(detection[key][sub_key], list): if len(detection[key][sub_key]) == 1: - print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) valid = False if not valid: faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules using list with only 1 element") def test_unused_selection(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") condition = detection["condition"] wildcard_selections = re.compile(r"\sof\s([\w\*]+)(?:$|\s|\))") 
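Review bot: `condition = detection["condition"]` in test_unused_selection dereferences the result of get_rule_part without the `if detection:` guard that every sibling test in this hunk uses, so a rule with no `detection` block would abort the whole test with a TypeError/KeyError instead of being reported as faulty; an `if not detection: faulty_rules.append(file); continue` before it (or the same `if detection:` wrapper) keeps the failure attributable to the rule. The comment that the reformat moved onto its own line, `# split in 2 if as get a error "int has not len()"`, is hard to parse in isolation; `# Check the type first: a non-list value has no len()` says the same thing. test_unused_selection continues past the end of the hunk.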
@@ -779,26 +847,30 @@ class TestRules(unittest.TestCase): break # selection was not found in condition if not found: - print(Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection)) + print( + Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with unused selections") + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with unused selections") def test_all_value_modifier_single_item(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") if detection: for search_identifier in detection: - if isinstance(detection[search_identifier],dict): + if isinstance(detection[search_identifier], dict): for field in detection[search_identifier]: - if "|all" in field and not isinstance(detection[search_identifier][field],list): - print (Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format(file, search_identifier, field)) + if "|all" in field and not isinstance(detection[search_identifier][field], list): + print(Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format( + file, search_identifier, field)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with |all modifier only having one item. " + - "Single item values are not allowed to have an all modifier as some back-ends cannot support it. " + - "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.") + "Single item values are not allowed to have an all modifier as some back-ends cannot support it. 
" + + "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.") def test_field_user_localization(self): def checkUser(faulty_rules, dict): @@ -811,7 +883,8 @@ class TestRules(unittest.TestCase): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") for sel_key, sel_value in detection.items(): if sel_key == "condition" or sel_key == "timeframe": continue @@ -827,21 +900,20 @@ class TestRules(unittest.TestCase): checkUser(faulty_rules, item) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules that match using localized user accounts. Better employ a generic version such as:\n" + - "User|contains: # covers many language settings\n" + - " - 'AUTHORI'\n" + - " - 'AUTORI'") - - + "User|contains: # covers many language settings\n" + + " - 'AUTHORI'\n" + + " - 'AUTORI'") def test_condition_operator_casesensitive(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - if detection: - valid = True - if isinstance(detection["condition"],str): - param = detection["condition"].split(' ') - for item in param: + detection = self.get_rule_part( + file_path=file, part_name="detection") + if detection: + valid = True + if isinstance(detection["condition"], str): + param = detection["condition"].split(' ') + for item in param: if item.lower() == 'or' and not item == 'or': valid = False elif item.lower() == 'and' and not item == 'and': 
@@ -850,18 +922,22 @@ class TestRules(unittest.TestCase): valid = False elif item.lower() == 'of' and not item == 'of': valid = False - if not valid: - print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format(file,detection["condition"])) - faulty_rules.append(file) + if not valid: + print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format( + file, detection["condition"])) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules using condition without lowercase operator") - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using condition without lowercase operator") def get_mitre_data(): """ - Generate tags from live TAXI service to get up-to-date data + Use Tags from CTI subrepo to get consitant data """ + cti_path = "tests/cti/" # Get ATT&CK information - lift = attack_client() + lift = attack_client(local_path=cti_path) # Techniques MITRE_TECHNIQUES = [] MITRE_TECHNIQUE_NAMES = [] @@ -871,14 +947,15 @@ def get_mitre_data(): # Techniques enterprise_techniques = lift.get_enterprise_techniques() for t in enterprise_techniques: - MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_')) + MITRE_TECHNIQUE_NAMES.append( + t['name'].lower().replace(' ', '_').replace('-', '_')) for r in t.external_references: if 'external_id' in r: MITRE_TECHNIQUES.append(r['external_id'].lower()) if 'kill_chain_phases' in t: for kc in t['kill_chain_phases']: if 'phase_name' in kc: - MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-','_')) + MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-', '_')) # Tools / Malware enterprise_tools = lift.get_enterprise_tools() for t in enterprise_tools: 
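Review bot: `cti_path = "tests/cti/"` is resolved against the current working directory, so get_mitre_data() only finds the submodule when the suite is launched from the repository root; anchoring it on the module, e.g. `cti_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "cti")` (with `os` imported at the top of the file), makes the tag test independent of where pytest/unittest is invoked. The new docstring has typos ("consitant", "subrepo") and should state the trade-off the change introduces: `Build the attack.* tag list from the MITRE CTI submodule (tests/cti) instead of the live TAXII server, so runs are reproducible; tags newer than the submodule's pinned commit will be rejected until it is updated.` Whether attack_client falls back to the network when local_path does not exist is not visible here, so an uninitialised submodule is worth checking explicitly (a clear assertion on the directory) before the client is constructed.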
@@ -898,7 +975,8 @@ def get_mitre_data():
 MITRE_GROUPS.append(r['external_id'].lower())
 # Debugging
- print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS)))
+ print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(
+ MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS)))
 # Combine all IDs to a big tag list
 return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS]
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index 9f04061e9..d2d0f9e2e 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -81,12 +81,22 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- EventLog: 'Microsoft-Windows-Bits-Client/Operational'
+ EventLog: 'Microsoft-Windows-Bits-Client/Operational'
 windows-security-mitigations:
 product: windows
 service: security-mitigations
 conditions:
 EventLog:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ EventLog: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex: logstash-*
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index ef2728b92..abdd5c3cc 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -87,8 +87,18 @@ logsources:
 service: security-mitigations
 conditions:
 log_name:
- - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
+ - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ log_name: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex:
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 7a6f87482..79300a018 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -89,6 +89,16 @@ logsources:
 logname:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ logname: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index 151e464e7..613ec4c7b 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -115,6 +115,16 @@ logsources:
 channel:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ channel: 'Microsoft-Windows-Shell-Core/Operational'
 linux:
 product: linux
 index: posix
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 2930e0f25..f93f31ff0 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -787,7 +787,7 @@ fieldmappings:
 AccountName: target_username
 TargetDomainName: target_domain
 DnsServerIpAddress: dns_address
- QueryName: hostname_dst
+ QueryName: dns_query
 AuthenticationPackageName: package_name
 HostProcess: image
 Application: image
@@ -846,10 +846,10 @@ fieldmappings:
 DeviceClassName: object_name
 CallTrace: calltrace
 IpAddress: ip_src
- WorkstationName: hostname_src
- Workstation: hostname_src
+ WorkstationName: ip_src_host
+ Workstation: ip_src_host
 DestinationIp: ip_dst
- DestinationHostname: hostname_dst
+ DestinationHostname: ip_dst_host
 DestinationPort: ip_dport
 GrantedAccess: access_mask
 StartModule: target_process_name
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index 235bfeb17..60ca2c22c 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -89,6 +89,16 @@ logsources:
 event_source:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ event_source: 'Microsoft-Windows-Shell-Core/Operational'
 fieldmappings:
 EventID: event_id
 FailureCode: result_code
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 494395b20..03ed667ad 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -110,4 +110,14 @@ logsources:
 Channel:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ Channel: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex: logstash-*
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 012c5e1fc..aaa9038aa 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -128,4 +128,14 @@ logsources:
 conditions:
 LogName:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
- - 'Microsoft-Windows-Security-Mitigations/User Mode'
\ No newline at end of file
+ - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ LogName: 'Microsoft-Windows-Shell-Core/Operational'
\ No newline at end of file
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 46b2c86db..88f0ee855 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -144,6 +144,16 @@ logsources:
 source:
 - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ source: 'Microsoft-Windows-Shell-Core/Operational'
 windows-defender:
 product: windows
 service: windefend
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index 634d96c21..c289dcc6c 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -118,6 +118,16 @@ logsources:
 EventChannel:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ EventChannel: 'Microsoft-Windows-Shell-Core/Operational'
 apache:
 service: apache
 index: WEBSERVER
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 150e4052a..6cddafdd6 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -391,6 +391,16 @@ logsources:
 sources:
 - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ sources:
+ - 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ sources:
+ - 'Microsoft-Windows-Shell-Core/Operational'
 apache:
 category: webserver
 sources:
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 3a9d377be..456756902 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
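Review bot: The two new `source:` values in splunk-windows.yml omit the `WinEventLog:` prefix that the neighbouring security-mitigations entries carry (`'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'`), so the Splunk searches generated for windows-diagnosis and windows-shell-core will most likely never match an event; they should read `source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'` and `source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'`. The thor.yml hunk on this line has the same inconsistency: its sibling `sources` entries are prefixed with `WinEventLog:` while the two new ones are bare channel names. The other backend configs in this commit use the bare channel name consistently with their own siblings, so only these two files look wrong.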
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -132,6 +132,16 @@ logsources:
 winlog.channel:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml
index a04e65c65..263ba8731 100644
--- a/tools/config/winlogbeat-old.yml
+++ b/tools/config/winlogbeat-old.yml
@@ -95,6 +95,16 @@ logsources:
 log_name:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ log_name: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g'
diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml
index 1860d3dcc..22f9afb67 100644
--- a/tools/config/winlogbeat.yml
+++ b/tools/config/winlogbeat.yml
@@ -121,6 +121,16 @@ logsources:
 winlog.channel:
 - 'Microsoft-Windows-Security-Mitigations/Kernel Mode'
 - 'Microsoft-Windows-Security-Mitigations/User Mode'
+ windows-diagnosis:
+ product: windows
+ service: diagnosis-scripted
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
+ windows-shell-core:
+ product: windows
+ service: shell-core
+ conditions:
+ winlog.channel: 'Microsoft-Windows-Shell-Core/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 80eccc23a..8aae2d3fd 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -18,7 +18,7 @@
 import sys
 import argparse
 import yaml
-#import ruamel.yaml
+import ruamel.yaml
 import json
 import pathlib
 import itertools
@@ -446,8 +446,8 @@ def main():
 if cmdargs.output_fields:
 if cmdargs.output_format == 'json':
 print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out)
-#elif cmdargs.output_format == 'yaml':
- # print(ruamel.yaml.round_trip_dump(output_array), file=out)
+ elif cmdargs.output_format == 'yaml':
+ print(ruamel.yaml.round_trip_dump(output_array), file=out)
 out.close()
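Review bot: `ruamel.yaml.round_trip_dump` is the legacy top-level API that ruamel.yaml deprecated in 0.17 in favour of the `YAML` class, so the newly enabled branch will start emitting deprecation warnings and eventually break; `ruamel.yaml.YAML().dump(output_array, out)` writes straight to the stream and also avoids the extra newline that `print(..., file=out)` appends. Un-commenting `import ruamel.yaml` at module level makes it a hard import-time dependency for every sigmac run, not only for `--output-format yaml`; either confirm it is declared in the tool's requirements, or use the PyYAML module the file already imports, `yaml.safe_dump(output_array, out, allow_unicode=True)`, and drop the new import. main() extends well beyond the hunk.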