From c38bfe86da42f6aeefefa9b93917afaedc06b69f Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 6 Aug 2022 11:25:44 +0200 Subject: [PATCH 001/129] Add short path and Image --- .github/workflows/known-FPs.csv | 3 +++ .../proc_creation_win_ntfs_short_name_use.yml | 20 +++++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 98f7e89fb..d836ad6d9 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -29,3 +29,6 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$ 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 +dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;target\.exe +dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;unzip\.exe +dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;TeamViewer_\.exe diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml index 4dea126c3..46a33868e 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml 
@@ -7,15 +7,31 @@ references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN date: 2022/08/05 +modified: 2022/08/06 logsource: category: process_creation product: windows detection: - selection: + selection_cmd: CommandLine|contains: - '~1.' - '~2.' - condition: selection + - '~1\' + - '~2\' + selection_image: + Image|contains: + - '~1.' + - '~2.' + - '~1\' + - '~2\' + filter_dism: + ParentImage: C:\Windows\System32\Dism.exe + filter_ninite: + ParentImage|endswith: + - \Ninite.exe + - \target.exe + - \target.bat + condition: 1 of selection_* and not 1 of filter_* falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium From 13e5d53f8d365f2f1122266d46a1f00e99c60413 Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Sat, 6 Aug 2022 07:04:33 -0700 Subject: [PATCH 002/129] Create azure_priviledged_role_assignment_add.yml User added to privilege role assignment --- .../azure_priviledged_role_assignment_add.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_priviledged_role_assignment_add.yml diff --git a/rules/cloud/azure/azure_priviledged_role_assignment_add.yml b/rules/cloud/azure/azure_priviledged_role_assignment_add.yml new file mode 100644 index 000000000..4652ce035 --- /dev/null +++ b/rules/cloud/azure/azure_priviledged_role_assignment_add.yml 
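Review bot: The new `filter_ninite` excludes on `ParentImage|endswith` with the generic names `\target.exe` and `\target.bat`, so any process whose parent merely carries one of those names suppresses the alert, whereas `filter_dism` pins a full path; if the benign parent has a known install location, anchor on it as well, e.g. `ParentImage|endswith: '\Ninite.exe'` combined with a `ParentImage|startswith` for that directory. The added patterns also stop at `~2`, while Windows 8.3 names continue beyond that (`~3`, `~4`, …) when a directory holds more colliding long names, so the same gap applies to the image rule of PATCH 003 and the two `proc_creation_win_ntfs_short_name_path_use_*.yml` rules of PATCH 005 — either extend the lists or state the restriction in the description. The unquoted plain scalars `\Ninite.exe`, `\target.exe`, `\target.bat` parse fine, but the rest of the file quotes its patterns; quoting them keeps the style uniform.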
@@ -0,0 +1,23 @@ +title: User Added To Privilege Role +id: 49a268a4-72f4-4e38-8a7b-885be690c5b5 +status: experimental +description: Detects when a user is added to a privileged role. +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/06 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Add eligible member (permanent) + - Add eligible member (eligible) + condition: selection +falsepositives: + - Legtimate administrator actions of adding members from a role +tags: + - attack.persistence + - attack.t1098 +level: high From 3388b675ac228a6265e432b76b54a6447396ffad Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 6 Aug 2022 18:43:33 +0100 Subject: [PATCH 003/129] Create proc_creation_win_ntfs_short_name_use_image.yml --- ...creation_win_ntfs_short_name_use_image.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml new file mode 100644 index 000000000..0ac2eb323 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml 
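Review bot: `Legtimate` in the falsepositives entry is a typo; `- Legitimate administrator actions of adding members to a role`. The title `User Added To Privilege Role` should read `Privileged Role` to match the description. The selection only lists the two `Add eligible member` messages; if an active (non-eligible) assignment is logged under a different message, either add it or say in the description that only eligible assignments are covered — the message set cannot be confirmed from here.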
@@ -0,0 +1,28 @@ +title: Use NTFS Short Name in Image +id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b +related: + - id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/jonasLyk/status/1555914501802921984 +date: 2022/08/06 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: + - '~1.' + - '~2.' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1564.004 From be896d10135b47fe6a01b71660b12c0f423a817a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 6 Aug 2022 18:43:59 +0100 Subject: [PATCH 004/129] rename rule --- ....yml => proc_creation_win_ntfs_short_name_use_cli.yml} | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) rename rules/windows/process_creation/{proc_creation_win_ntfs_short_name_use.yml => proc_creation_win_ntfs_short_name_use_cli.yml} (82%) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml similarity index 82% rename from rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml rename to rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml index 4dea126c3..3f9560843 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml 
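Review bot: `level: high` with `falsepositives: - Unknown` sits uneasily next to the sibling CLI rule (`dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795`), which uses the same `'~1.'`/`'~2.'` patterns, is rated medium and documents that applications occasionally use this notation; since `Image|contains: '~1.'` fires on any path component written in short form, the same benign hits are to be expected here. Carry the sibling's falsepositives text over, or explain in the description why an image-path hit is considered higher fidelity than a command-line hit.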
@@ -1,18 +1,22 @@ title: Use NTFS Short Name in Command Line id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795 +related: + - id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b + type: similar status: experimental description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection author: frack113, Nasreddine Bencherchali references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/05 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - '~1.' - '~2.' condition: selection @@ -21,4 +25,4 @@ falsepositives: level: medium tags: - attack.defense_evasion - - attack.t1564.004 + - attack.t1564.004 From f1eba857803655212c56868afab28d5d8b93179c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 7 Aug 2022 08:37:58 +0200 Subject: [PATCH 005/129] Add short name path --- .github/workflows/known-FPs.csv | 6 ++-- ...ation_win_ntfs_short_name_path_use_cli.yml | 30 +++++++++++++++++++ ...ion_win_ntfs_short_name_path_use_image.yml | 30 +++++++++++++++++++ .../proc_creation_win_ntfs_short_name_use.yml | 20 ++----------- 4 files changed, 65 insertions(+), 21 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml create mode 100644 rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index d836ad6d9..59eed8e9a 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
@@ -29,6 +29,6 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$ 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 -dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;target\.exe -dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;unzip\.exe -dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795;Use NTFS Short Name in Command Line;TeamViewer_\.exe +a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe +349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe + diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml new file mode 100644 index 000000000..7ee974601 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml 
@@ -0,0 +1,30 @@ +title: Use Short Name Path in Command Line +id: 349d891d-fef0-4fe4-bc53-eee623a15969 +related: + - id: a96970af-f126-420d-90e1-d37bf25e50e1 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/frack113/status/1555830623633375232 +date: 2022/08/07 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '~1\' + - '~2\' + filter_dism: + ParentImage: C:\Windows\System32\Dism.exe + condition: selection and not 1 of filter_* +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. +level: medium +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml new file mode 100644 index 000000000..e01fe0308 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml 
@@ -0,0 +1,30 @@ +title: Use Short Name Path in Image +id: a96970af-f126-420d-90e1-d37bf25e50e1 +related: + - id: 349d891d-fef0-4fe4-bc53-eee623a15969 + type: similar +status: experimental +description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Iamge detection +author: frack113, Nasreddine Bencherchali +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN + - https://twitter.com/frack113/status/1555830623633375232 +date: 2022/08/07 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|contains: + - '~1\' + - '~2\' + filter_dism: + ParentImage: C:\Windows\System32\Dism.exe + condition: selection and not 1 of filter_* +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. +level: high +tags: + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml index 46a33868e..4dea126c3 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use.yml 
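Review bot: `Iamge` in the description is a typo: `description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection`. The rule otherwise mirrors the CLI sibling (`349d891d-fef0-4fe4-bc53-eee623a15969`) with identical falsepositives text but `level: high` instead of medium; either align the levels or note why the image variant is rated higher.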
@@ -7,31 +7,15 @@ references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN date: 2022/08/05 -modified: 2022/08/06 logsource: category: process_creation product: windows detection: - selection_cmd: + selection: CommandLine|contains: - '~1.' - '~2.' - - '~1\' - - '~2\' - selection_image: - Image|contains: - - '~1.' - - '~2.' - - '~1\' - - '~2\' - filter_dism: - ParentImage: C:\Windows\System32\Dism.exe - filter_ninite: - ParentImage|endswith: - - \Ninite.exe - - \target.exe - - \target.bat - condition: 1 of selection_* and not 1 of filter_* + condition: selection falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium From acbc9110e4a1d33e7f011952e322366b34400587 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 7 Aug 2022 08:38:11 +0200 Subject: [PATCH 006/129] Add short name path --- .github/workflows/known-FPs.csv | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 59eed8e9a..3717f73f1 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
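Review bot: After this hunk two files may carry `id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795`: PATCH 004 in this series renamed `proc_creation_win_ntfs_short_name_use.yml` to `proc_creation_win_ntfs_short_name_use_cli.yml` and kept the id, while this hunk writes the original content back to the old path. If both paths end up in the tree the id is duplicated and the `related` entries added in PATCH 003/004 become ambiguous; confirm the old path is deleted (or this hunk dropped) before merge.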
@@ -31,4 +31,7 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe - +a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe +349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe +a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe +349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe From 39fa02009290651abaaf7913de6520c756cb170e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 7 Aug 2022 10:30:30 +0200 Subject: [PATCH 007/129] Add registry_set_dbgmanageddebugger_persistence.yml --- ...try_set_dbgmanageddebugger_persistence.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml new file mode 100644 index 000000000..36c464935 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml 
@@ -0,0 +1,25 @@ +title: Add Debugger Entry To DbgManagedDebugger For Persistence +id: 9827ae57-3802-418f-994b-d5ecf5cd974b +description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes +author: frack113 +date: 2022/08/07 +status: experimental +references: + - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ + - https://github.com/last-byte/PersistenceSniper +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger' + filter: + Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d' + condition: selection and not filter +falsepositives: + - Legitimate use of the key to setup a debugger. Which is often the case on developers machines +level: medium +tags: + - attack.persistence + - attack.t1574 From 58c60684849613e22b680026f7cc7004e1d1fd64 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Mon, 8 Aug 2022 08:41:41 +0200 Subject: [PATCH 008/129] uri inst. of uri-query, r-dns inst of uri-stem --- rules/proxy/proxy_susp_flash_download_loc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 3277e1224..5fe0e3e30 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml 
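Review bot: The `filter` suppresses exactly one `Details` string, the `system32\vsjitdebugger.exe` template, while the `TargetObject|endswith` selection also matches a `Wow6432Node` copy of `\Microsoft\.NETFramework\DbgManagedDebugger`; presumably a debugger install writes both values with the same string, but if the second write carries a different path the rule will alert on every such install — verify in testing and either add the variant or document it under falsepositives. A comment on the filter such as `# default value written by the Visual Studio JIT debugger setup — confirm` would tell the next maintainer where the string comes from.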
@@ -11,10 +11,10 @@ logsource: category: proxy detection: selection: - - c-uri-query|contains: '/flash_install.php' - - c-uri-query|endswith: '/install_flash_player.exe' + - c-uri|contains: '/flash_install.php' + - c-uri|endswith: '/install_flash_player.exe' filter: - c-uri-stem|contains: '.adobe.com/' + r-dns|endswith: '.adobe.com' condition: selection and not filter falsepositives: - Unknown flash download locations From 9f8c4a4d44b639f83911cbedc9dacb20797f4540 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Mon, 8 Aug 2022 08:43:35 +0200 Subject: [PATCH 009/129] Update proxy_susp_flash_download_loc.yml --- rules/proxy/proxy_susp_flash_download_loc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 5fe0e3e30..d736ca4a1 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -1,12 +1,12 @@ -title: Flash Player Update from Suspicious Location -id: 4922a5dd-6743-4fc2-8e81-144374280997 +title: Flashtest +id: 6743-4fc2-8e81-144374280997 status: test description: Detects a flashplayer update from an unofficial location author: Florian Roth references: - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb date: 2017/10/25 -modified: 2022/01/07 +modified: 2022/08/08 logsource: category: proxy detection: From 9f347bc322cfd984b10b019b358ea2493d71528c Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Mon, 8 Aug 2022 08:53:38 +0200 Subject: [PATCH 010/129] Restore title from previous mistake edit --- rules/proxy/proxy_susp_flash_download_loc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index d736ca4a1..c675fdc0e 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml 
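Review bot: `r-dns|endswith: '.adobe.com'` does not cover the bare apex host `adobe.com` (the replaced `c-uri-stem|contains: '.adobe.com/'` did not either, but the move to `r-dns` is the moment to decide); if installers can be served from the apex, add `- r-dns: 'adobe.com'` as a second entry of the filter. Also note that `c-uri|contains: '/flash_install.php'` now matches the query part of a URL too, which is presumably intended since the old `c-uri-query` field was dropped — a one-line comment saying so would avoid a later "fix".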
+++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -1,4 +1,4 @@ -title: Flashtest +title: Flash Player Update from Suspicious Location id: 6743-4fc2-8e81-144374280997 status: test description: Detects a flashplayer update from an unofficial location From 946b0205a24ce139e6a72a508c50ab7e12722456 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Mon, 8 Aug 2022 08:54:50 +0200 Subject: [PATCH 011/129] Revert to correct rule id --- rules/proxy/proxy_susp_flash_download_loc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index c675fdc0e..473c80cd2 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -1,5 +1,5 @@ title: Flash Player Update from Suspicious Location -id: 6743-4fc2-8e81-144374280997 +id: 4922a5dd-6743-4fc2-8e81-144374280997 status: test description: Detects a flashplayer update from an unofficial location author: Florian Roth From eaa0f339ac48c28762a6ad946c642c1860c9e564 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 8 Aug 2022 13:57:10 +0200 Subject: [PATCH 012/129] fix: remove TargetObject, too many occurences in testing --- .../registry/registry_set/registry_set_taskcache_entry.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 182b322bc..4e5ac0362 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml 
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/07/29 +modified: 2022/08/08 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ @@ -23,11 +23,6 @@ detection: filter_tiworker: Image|startswith: 'C:\Windows\' Image|endswith: '\TiWorker.exe' - TargetObject|contains: - - '\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{1A552422-F571-4376-A7F1-5941E63D7B40}' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\DeviceDirectoryClient\' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{04622042-F26B-4CCA-815F-E7A8375D87E6}' - - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C130EB11-1FDE-4953-B222-F44EEC6E1E8B}' filter_svchost: Image: 'C:\WINDOWS\system32\svchost.exe' filter_ngen: From a15044bc1cf804d396d5ebd2e69bb546ce7dc731 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Mon, 8 Aug 2022 14:03:34 +0200 Subject: [PATCH 013/129] Avoid Adobe related false-positives Avoid Adobe related false-positives such as Adobe Synchronizer --- rules/proxy/proxy_ua_susp.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_ua_susp.yml b/rules/proxy/proxy_ua_susp.yml index 9f3b33f65..10a5c8b39 100644 --- a/rules/proxy/proxy_ua_susp.yml +++ b/rules/proxy/proxy_ua_susp.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspicious malformed user agent strings in proxy logs author: Florian Roth date: 2017/07/08 -modified: 2022/07/07 +modified: 2022/08/08 references: - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb logsource: 
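Review bot: Dropping the `TargetObject|contains` list leaves `filter_tiworker` as `Image|startswith: 'C:\Windows\'` plus `Image|endswith: '\TiWorker.exe'`, which exempts a `TiWorker.exe` anywhere below `C:\Windows\` writing any TaskCache key; the equivalent exclusion in `registry_set_disable_winevt_logging.yml` (PATCH 021 of this series) and the old `filter2` in `image_load_susp_dbghelp_dbgcore_load.yml` both anchor on `C:\Windows\winsxs\`, so `Image|startswith: 'C:\Windows\winsxs\'` would keep the exclusion tight and consistent. If the testing noise came from specific TaskCache subtrees only, a comment naming them would help whoever wants to narrow the filter again.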
@@ -33,7 +33,11 @@ detection: - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880 falsepositives: - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content + - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content + - r-dns|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000) + - '.acrobat.com' + - '.adobe.com' + - '.adobe.io' condition: 1 of selection* and not falsepositives fields: - ClientIP From ef1f2b13ec3570f3834acc94345acf179ec7be7e Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 8 Aug 2022 17:44:10 +0200 Subject: [PATCH 014/129] fix: use wildcard * instead of plaintext * the changed files seem like they used an esacped * by mistake --- .../image_load/image_load_susp_dbghelp_dbgcore_load.yml | 4 ++-- .../proc_access_win_direct_syscall_ntopenprocess.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index 571168acd..7bfa8f60b 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -8,7 +8,7 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 -modified: 2022/02/21 +modified: 2022/08/08 logsource: category: image_load product: windows 
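Review bot: The new `r-dns|endswith` entry is a separate list item under `falsepositives`, so it is OR'ed with the Acrobat user-agent entry and suppresses every malformed user agent seen towards `*.acrobat.com`, `*.adobe.com` and `*.adobe.io`, not only the Adobe Synchronizer string quoted in the comment. If the narrower case is intended, put the agent and the destinations in one map so both must match, e.g. `- c-useragent|startswith: 'Mozilla/3.0 (compatible; Adobe'` followed by the `r-dns|endswith` list at the same indent.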
@@ -52,7 +52,7 @@ detection: - '-k UnistackSvcGroup -s WpnUserService' filter2: # Not available in Sysmon, but in Aurora CommandLine: - - 'C:\WINDOWS\winsxs\*\TiWorker.exe -Embedding' + - 'C:\WINDOWS\winsxs\\*\TiWorker.exe -Embedding' - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' condition: (signedprocess or unsignedprocess) and not filter1 and not filter2 diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 60f5d49b7..4423f8787 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/06/20 +modified: 2022/08/08 logsource: category: process_access product: windows @@ -18,7 +18,7 @@ detection: SourceImage: 'C:\Windows\Explorer.EXE' falsepositive2: TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe' - SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe' + SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\\*\MicrosoftEdgeUpdate.exe' falsepositive3: TargetImage|endswith: 'vcredist_x64.exe' SourceImage|endswith: 'vcredist_x64.exe' From a90ba27a1cdf58f799d595891065820b0e15462b Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 9 Aug 2022 10:55:05 +0200 Subject: [PATCH 015/129] fix: do not use wildcard, where not needed --- .../image_load/image_load_susp_dbghelp_dbgcore_load.yml | 7 +++++-- .../proc_access_win_direct_syscall_ntopenprocess.yml | 5 +++-- 2 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index 7bfa8f60b..358b8f4d3 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -8,7 +8,7 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 -modified: 2022/08/08 +modified: 2022/08/09 logsource: category: image_load product: windows @@ -55,7 +55,10 @@ detection: - 'C:\WINDOWS\winsxs\\*\TiWorker.exe -Embedding' - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' - condition: (signedprocess or unsignedprocess) and not filter1 and not filter2 + filter3: + CommandLine|startswith: 'C:\WINDOWS\winsxs\' + CommandLine|endswith: '\TiWorker.exe -Embedding' + condition: (signedprocess or unsignedprocess) and not 1 of filter* fields: - ComputerName - User diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 4423f8787..c449009b1 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/08/08 +modified: 2022/08/09 logsource: category: process_access product: windows 
@@ -18,7 +18,8 @@ detection: SourceImage: 'C:\Windows\Explorer.EXE' falsepositive2: TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe' - SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\\*\MicrosoftEdgeUpdate.exe' + SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Temp\' + SourceImage|endswith: '\MicrosoftEdgeUpdate.exe' falsepositive3: TargetImage|endswith: 'vcredist_x64.exe' SourceImage|endswith: 'vcredist_x64.exe' From 43ac43c70d0638a8bd69284fd2aa1c3f35d76f87 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 9 Aug 2022 10:56:00 +0200 Subject: [PATCH 016/129] fix: FP found in testing --- .../net_connection_win_remote_powershell_session_network.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml index c06ae8e26..15e2a2d54 100755 --- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html date: 2019/09/12 -modified: 2022/07/29 +modified: 2022/08/09 logsource: category: network_connection product: windows @@ -26,6 +26,9 @@ detection: - 'SERVICE R' - 'SEAU' - SourceIp|startswith: '0:0:' + - Image: + - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe' + - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe' condition: selection and not filter falsepositives: - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. From 7ff91656edbc3ec75edfac7c216561d0d593090b Mon Sep 17 00:00:00 2001 
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 9 Aug 2022 10:56:58 +0200 Subject: [PATCH 017/129] fix: remove duplicate filter --- .../windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index 358b8f4d3..c3d02ecdd 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -52,7 +52,6 @@ detection: - '-k UnistackSvcGroup -s WpnUserService' filter2: # Not available in Sysmon, but in Aurora CommandLine: - - 'C:\WINDOWS\winsxs\\*\TiWorker.exe -Embedding' - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' filter3: From c455b6bafc454b074ad2397c28c8a9b2113a9d06 Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Tue, 9 Aug 2022 08:00:48 -0700 Subject: [PATCH 018/129] Create azure_pim_alerts_disabled.yml Detect when PIM alert settings changed to disabled --- .../cloud/azure/azure_pim_alerts_disabled.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_pim_alerts_disabled.yml diff --git a/rules/cloud/azure/azure_pim_alerts_disabled.yml b/rules/cloud/azure/azure_pim_alerts_disabled.yml new file mode 100644 index 000000000..76f94b0cf --- /dev/null +++ b/rules/cloud/azure/azure_pim_alerts_disabled.yml 
@@ -0,0 +1,21 @@ +title: PIM Alert Setting Changes To Disabled +id: aeaef14c-e5bf-4690-a9c8-835caad458bd +status: experimental +description: Detects when PIM alerts are set to disabled. +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/09 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Disable PIM Alert + condition: selection +falsepositives: + - Administrator disabling PIM alerts as an active choice. +tags: + - attack.defense_evasion + - attack.T1484 +level: high From f5d07531671be643c7f37d45414ee9e1ff87959f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 9 Aug 2022 16:05:36 +0100 Subject: [PATCH 019/129] Add extensions --- ...c_creation_win_ntfs_short_name_use_cli.yml | 20 +++++++++++++++++-- ...creation_win_ntfs_short_name_use_image.yml | 20 +++++++++++++++++-- 2 files changed, 36 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml index 3f9560843..56a2100c4 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml 
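Review bot: `attack.t1484` (Domain Policy Modification) is an unlikely fit for disabling PIM alerts; `attack.t1562` (Impair Defenses) reads closer — confirm against the ATT&CK entries before switching. The single reference points at the `#azure-ad-roles-assignment` section of the PIM security-operations page, which concerns role assignments rather than alert settings; link the alert-settings part of that document if it has its own anchor.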
@@ -17,8 +17,24 @@ logsource: detection: selection: CommandLine|contains: - - '~1.' - - '~2.' + - '~1.exe' + - '~1.bat' + - '~1.msi' + - '~1.vbe' + - '~1.vbs' + - '~1.dll' + - '~1.ps1' + - '~1.js' + - '~1.hta' + - '~2.exe' + - '~2.bat' + - '~2.msi' + - '~2.vbe' + - '~2.vbs' + - '~2.dll' + - '~2.ps1' + - '~2.js' + - '~2.hta' condition: selection falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index 0ac2eb323..9899b4250 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -17,8 +17,24 @@ logsource: detection: selection: Image|contains: - - '~1.' - - '~2.' + - '~1.exe' + - '~1.bat' + - '~1.msi' + - '~1.vbe' + - '~1.vbs' + - '~1.dll' + - '~1.ps1' + - '~1.js' + - '~1.hta' + - '~2.exe' + - '~2.bat' + - '~2.msi' + - '~2.vbe' + - '~2.vbs' + - '~2.dll' + - '~2.ps1' + - '~2.js' + - '~2.hta' condition: selection falsepositives: - Unknown From cdbaa27b9ebaf6adac5c28c968668980f010affc Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Tue, 9 Aug 2022 08:39:45 -0700 Subject: [PATCH 020/129] Update azure_pim_alerts_disabled.yml fixing MITRE tag --- rules/cloud/azure/azure_pim_alerts_disabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_pim_alerts_disabled.yml b/rules/cloud/azure/azure_pim_alerts_disabled.yml index 76f94b0cf..3881d1b45 100644 --- a/rules/cloud/azure/azure_pim_alerts_disabled.yml +++ b/rules/cloud/azure/azure_pim_alerts_disabled.yml @@ -17,5 +17,5 @@ falsepositives: - Administrator disabling PIM alerts as an active choice. tags: - attack.defense_evasion - - attack.T1484 + - attack.t1484 level: high 
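Review bot: Replacing the generic `'~1.'`/`'~2.'` patterns with a fixed list of nine extensions narrows both rules, so 8.3 names ending in other executable extensions (`.cmd`, `.scr`, `.com`, `.cpl`, `.jse`) no longer match, and tilde numbers above `~2` remain uncovered; the same applies to the image rule in the second hunk. For the image rule in particular the `Image` field always ends with the file's extension, so `Image|endswith` would be a more precise operator than `contains`. A short comment above each list recording why the generic pattern was dropped (presumably false-positive reduction) would stop a future maintainer from silently restoring it.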
From bfeb23e6222803baded3b2e788c4d5ebd97fc676 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 9 Aug 2022 17:53:44 +0200 Subject: [PATCH 021/129] fix: FP found in testing --- .../registry_set/registry_set_disable_winevt_logging.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 4f027f17d..97abf991e 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/07/12 +modified: 2022/08/09 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 @@ -23,6 +23,9 @@ detection: Image|startswith: 'C:\Windows\winsxs\' Image|endswith: '\TiWorker.exe' TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-IIS-' + filter_fsmfd: + Image: 'C:\Windows\System32\svchost.exe' + TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' condition: selection and not 1 of filter* falsepositives: - Legitimate administrators disabling specific event log for troubleshooting From df4b8eadbfee954a7eba615696cd91970a5ba554 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 9 Aug 2022 18:34:53 +0200 Subject: [PATCH 022/129] fix: FP in testing --- .../proc_creation_win_dll_sideload_defender.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
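Review bot: `filter_fsmfd` excludes every write by the generic `C:\Windows\System32\svchost.exe` host process to any key whose path contains `\Microsoft-Windows-FileInfoMinifilter`, and because it is a substring match it also covers other channels whose name merely starts with that string; if the benign writer is a specific service, narrowing on the full channel path (and, where the source provides it, the service identity) would keep the exclusion tight. The commit message only says "FP found in testing", so a comment above the filter such as `# Observed benign: svchost.exe toggling the FileInfoMinifilter channel during testing` would preserve that rationale in the rule.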
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml index 41c4d86e2..3cc1c0336 100644 --- a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml @@ -6,6 +6,7 @@ references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool author: Bhabesh Raj date: 2022/08/01 +modified: 2022/08/09 tags: - attack.defense_evasion - attack.t1574.002 @@ -13,12 +14,13 @@ logsource: product: windows category: process_creation detection: - selection: + selection: Image|endswith: '\MpCmdRun.exe' legit_path: Image|startswith: # MpCmdRun resides in two locations - 'C:\Program Files\Windows Defender\' - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Windows\winsxs\x86_security-malware-windows-defender_' # found on Win7 i386 condition: selection and not legit_path falsepositives: - Unknown From 0c0afaa45c39c10137abd0f1bc8833cacadbd718 Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Tue, 9 Aug 2022 10:01:01 -0700 Subject: [PATCH 023/129] Create azure_pim_activation_approve_deny.yml Detection for PIM elevation --- .../azure_pim_activation_approve_deny.yml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 rules/cloud/azure/azure_pim_activation_approve_deny.yml diff --git a/rules/cloud/azure/azure_pim_activation_approve_deny.yml b/rules/cloud/azure/azure_pim_activation_approve_deny.yml new file mode 100644 index 000000000..238938408 --- /dev/null +++ b/rules/cloud/azure/azure_pim_activation_approve_deny.yml 
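Review bot: The new `legit_path` entry only covers the `x86_security-malware-windows-defender_` component directory; if the 64-bit Windows 7 build stages `MpCmdRun.exe` under the corresponding `amd64_` component directory it would presumably still alert, so either add that prefix or state in the comment that the entry is intentionally 32-bit only. The trailing comment would also be clearer as `# WinSxS component-store copy, observed on 32-bit Windows 7` rather than `# found on Win7 i386`. The whitespace fix on `selection:` is welcome but is mixed into a functional change.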
@@ -0,0 +1,21 @@
+title: PIM Approvals And Deny Elevation
+id: 039a7469-0296-4450-84c0-f6966b16dc6d
+status: experimental
+description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/09
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Request Approved/Denied
+ condition: selection
+falsepositives:
+ - Actual admin using PIM.
+tags:
+ - attack.privilege_escalation
+ - attack.t1078
+level: high
From b905df6bc74c4e1ac5b4c15180e74a7bacf9396b Mon Sep 17 00:00:00 2001
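Review bot: The second sentence of the description is a fragment; suggest `description: Detects when a PIM elevation request is approved or denied. Activity outside of normal operations should be investigated.` Every routine approval also satisfies `properties.message: Request Approved/Denied`, and the falsepositives entry itself is `Actual admin using PIM.`, so `level: high` looks noisy for tenants where PIM is used daily — a lower level or a note on tuning (e.g. correlating on the approver) would help. Quoting the value as `'Request Approved/Denied'` would also match the quoting style of the other rules in this series.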
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 9 Aug 2022 18:35:45 +0100 Subject: [PATCH 024/129] Updates + New Rules --- .../win_bits_client_susp_domain.yml | 4 ++ .../net_connection_win_binary_susp_com.yml | 55 ++++++++-------- ...ion_win_bitsadmin_download_susp_domain.yml | 8 ++- .../proc_creation_win_disable_service.yml | 37 +++++++++++ ...tion_win_install_reg_debugger_backdoor.yml | 42 ++++++------ .../proc_creation_win_mshta_http.yml | 25 +++++++ .../proc_creation_win_reg_delete_safeboot.yml | 26 ++++++++ .../proc_creation_win_reg_delete_services.yml | 1 + .../proc_creation_win_reg_enable_rdp.yml | 12 ++-- .../proc_creation_win_service_stop.yml | 13 ++-- ...tion_win_susp_new_kernel_driver_via_sc.yml | 7 +- .../proc_creation_win_susp_wmi_execution.yml | 43 ------------ .../proc_creation_win_susp_wmic_execution.yml | 43 ++++++++++++ ...roc_creation_win_susp_wmic_proc_create.yml | 49 ++++++++++++++ ...ion_win_susp_wmic_proc_create_rundll32.yml | 27 -------- .../proc_creation_win_tool_nircmd.yml | 18 ++--- ..._creation_win_using_sc_to_hide_sevices.yml | 36 +++++----- ...=> proc_creation_win_wmic_group_recon.yml} | 2 +- ...registry_event_stickykey_like_backdoor.yml | 5 +- .../registry_set_disable_uac_registry.yml | 6 +- ...registry_set_rdp_registry_modification.yml | 31 --------- .../registry_set_rdp_settings_hijack.yml | 31 --------- ...registry_set_terminal_server_tampering.yml | 66 +++++++++++++++++++ .../registry_set_windows_defender_tamper.yml | 2 + 24 files changed, 363 insertions(+), 226 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_disable_service.yml create mode 100644 rules/windows/process_creation/proc_creation_win_mshta_http.yml create mode 100644 rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml create mode 100644 
rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml rename rules/windows/process_creation/{proc_creation_win_susp_ad_reco.yml => proc_creation_win_wmic_group_recon.yml} (97%) delete mode 100755 rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml delete mode 100755 rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml create mode 100644 rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml index a6e0ae1ea..3887e38da 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml @@ -5,8 +5,10 @@ description: Detects a suspicious download using the BITS client from a FQDN tha references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md - https://twitter.com/malmoeb/status/1535142803075960832 + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker author: Florian Roth date: 2022/06/28 +modified: 2022/08/09 logsource: product: windows service: bits-client @@ -26,6 +28,8 @@ detection: - '.ghostbin.co/' - 'ufile.io' - 'storage.googleapis.com' + - 'anonfiles.com' + - 'send.exploit.in' condition: selection falsepositives: - Unknown diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml index 6b2f32837..0c08a1366 100755 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml 
+++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml @@ -4,35 +4,38 @@ status: test description: Detects an executable in the Windows folder accessing suspicious domains author: Florian Roth references: - - https://twitter.com/M_haggis/status/900741347035889665 - - https://twitter.com/M_haggis/status/1032799638213066752 + - https://twitter.com/M_haggis/status/900741347035889665 + - https://twitter.com/M_haggis/status/1032799638213066752 + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker date: 2018/08/30 -modified: 2022/07/22 +modified: 2022/08/09 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - Initiated: 'true' - DestinationHostname|endswith: - - 'dl.dropboxusercontent.com' - - '.pastebin.com' - - '.githubusercontent.com' # includes both gists and github repositories - - 'cdn.discordapp.com/attachments/' - - 'mediafire.com' - - 'mega.nz' - - 'ddns.net' - - '.paste.ee' - - '.hastebin.com/raw/' - - '.ghostbin.co/' - - 'ufile.io' - Image|startswith: - - 'C:\Windows\' - - 'C:\Users\Public\' - condition: selection + selection: + Initiated: 'true' + DestinationHostname|endswith: + - 'dl.dropboxusercontent.com' + - '.pastebin.com' + - '.githubusercontent.com' # includes both gists and github repositories + - 'cdn.discordapp.com/attachments/' + - 'mediafire.com' + - 'mega.nz' + - 'ddns.net' + - '.paste.ee' + - '.hastebin.com/raw/' + - '.ghostbin.co/' + - 'ufile.io' + - 'anonfiles.com' + - 'send.exploit.in' + Image|startswith: + - 'C:\Windows\' + - 'C:\Users\Public\' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.lateral_movement - - attack.t1105 + - attack.lateral_movement + - attack.t1105 
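Review bot: The re-added `DestinationHostname|endswith` list contains values with a path component — `'cdn.discordapp.com/attachments/'`, `'.hastebin.com/raw/'`, `'.ghostbin.co/'` — which can never be a suffix of a hostname, so those three entries are dead; drop the path (`'cdn.discordapp.com'`, `'.hastebin.com'`, `'.ghostbin.co'`) or move them to a URL field if the log source provides one. Most of this hunk is a re-indentation from two to four spaces that buries the only functional additions (`'anonfiles.com'`, `'send.exploit.in'`); the same whole-block re-indent recurs in the install_reg_debugger_backdoor and using_sc_to_hide_sevices hunks of this commit and would be easier to review as a separate formatting change.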
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml index 1a7b53840..d705f7745 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml @@ -6,6 +6,7 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker tags: - attack.defense_evasion - attack.persistence @@ -13,6 +14,7 @@ tags: - attack.s0190 - attack.t1036.003 date: 2022/06/28 +modified: 2022/08/09 author: Florian Roth logsource: category: process_creation @@ -20,12 +22,12 @@ logsource: detection: selection: Image|endswith: '\bitsadmin.exe' - CommandLine|contains: + CommandLine|contains: - ' /transfer ' - ' /create ' - ' /addfile ' selection_domain: - CommandLine|contains: + CommandLine|contains: - 'raw.githubusercontent.com' - 'gist.githubusercontent.com' - 'pastebin.com' @@ -38,6 +40,8 @@ detection: - '.ghostbin.co/' - 'ufile.io' - 'storage.googleapis.com' + - 'anonfiles.com' + - 'send.exploit.in' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_disable_service.yml b/rules/windows/process_creation/proc_creation_win_disable_service.yml new file mode 100644 index 000000000..ce6dbe325 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_disable_service.yml 
@@ -0,0 +1,37 @@
+title: Sc Execution to Disable Services
+id: 85c312b7-f44d-4a51-a024-d671c40b49fc
+status: experimental
+description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled"
+author: Nasreddine Bencherchali
+references:
+ - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
+date: 2022/08/01
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_sc_img:
+ - Image|endswith: '\sc.exe'
+ - OriginalFileName: 'sc.exe'
+ selection_sc_cli:
+ CommandLine|contains|all:
+ - ' config '
+ - 'start'
+ CommandLine|contains:
+ - 'disabled'
+ - 'demand'
+ selection_pwsh:
+ CommandLine|contains|all:
+ - 'Set-Service'
+ - '-StartupType'
+ CommandLine|contains:
+ - 'Disabled'
+ - 'Manual'
+ condition: 1 of selection_sc_* or selection_pwsh
+falsepositives:
+ - Administrators settings a service to disable via script or cli for testing purposes
+level: medium
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml
index af0f12009..0086d558d 100644
--- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml
+++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml
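Review bot: `condition: 1 of selection_sc_* or selection_pwsh` lets `selection_sc_img` satisfy the condition on its own, so every `sc.exe` execution matches regardless of its command line; it should read `condition: all of selection_sc_* or selection_pwsh`. Separately, the title and description say the rule detects a service being set to "disabled", yet `selection_sc_cli` and `selection_pwsh` also match `'demand'`/`'Manual'`, so either drop those values or widen the description to `... to "disabled" or "manual"`. The falsepositives entry has a typo: `- Administrators setting a service to disabled via script or cli for testing purposes`.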
@@ -4,29 +4,31 @@ status: test description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). author: Florian Roth, oscd.community, Jonhnathan Ribeiro references: - - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ + - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/ + - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ date: 2019/09/06 -modified: 2021/11/27 +modified: 2022/08/06 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains: '\CurrentVersion\Image File Execution Options\' - selection2: - CommandLine|contains: - - 'sethc.exe' - - 'utilman.exe' - - 'osk.exe' - - 'magnify.exe' - - 'narrator.exe' - - 'displayswitch.exe' - - 'atbroker.exe' - condition: all of selection* + selection1: + CommandLine|contains: '\CurrentVersion\Image File Execution Options\' + selection2: + CommandLine|contains: + - 'sethc.exe' + - 'utilman.exe' + - 'osk.exe' + - 'magnify.exe' + - 'narrator.exe' + - 'displayswitch.exe' + - 'atbroker.exe' + - 'HelpPane.exe' + condition: all of selection* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.008 + - attack.persistence + - attack.privilege_escalation + - attack.t1546.008 diff --git a/rules/windows/process_creation/proc_creation_win_mshta_http.yml b/rules/windows/process_creation/proc_creation_win_mshta_http.yml new file mode 100644 index 000000000..176c18fde --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_mshta_http.yml 
@@ -0,0 +1,25 @@
+title: Mshta Remotely Hosted HTA File Execution
+id: b98d0db6-511d-45de-ad02-e82a98729620
+status: experimental
+description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
+author: Nasreddine Bencherchali
+references:
+ - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
+date: 2022/08/08
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\mshta.exe'
+ - OriginalFileName: 'MSHTA.EXE'
+ selection_cli:
+ CommandLine|contains: 'http'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1218.005
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
new file mode 100644
index 000000000..b9fa47a79
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
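Review bot: `CommandLine|contains: 'http'` matches any argument containing that substring — local file or directory names such as `...\httpdocs\...` or `HTTPClient.hta`, not only URLs — and at `level: high` that will be noisy; a tighter form is `CommandLine|contains: ['http://', 'https://']`, or at least `'http:'`. The description promises a "remotely hosted" file while the selection also fires on local paths containing the keyword, so the description should say that the match is on the keyword and that local hits are possible, and `falsepositives: - Unknown` could name that case.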
@@ -0,0 +1,26 @@
+title: Delete SafeBoot Keys Via Reg Utility
+id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
+status: experimental
+description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
+references:
+ - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
+author: Nasreddine Bencherchali
+date: 2022/08/08
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: 'reg.exe'
+ - OriginalFileName: 'reg.exe'
+ selection_delete:
+ CommandLine|contains:
+ - ' delete '
+ - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
+ condition: all of selection*
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
index b7ad621df..154a843e6 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml
@@ -16,6 +16,7 @@ detection:
 selection_delete:
 CommandLine|contains: ' delete '
 selection_key:
+ # Add specific services if you would like the rule to be more specific
 CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
 condition: all of selection*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
index 23a373ca5..59ecd7e3a 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml
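Review bot: `selection_delete` uses `CommandLine|contains:` with a two-item list, which in Sigma is an OR, so any `reg.exe` command line containing `' delete '` matches even without the SafeBoot path — the intent is clearly a conjunction, `CommandLine|contains|all:`. `Image|endswith: 'reg.exe'` lacks the leading backslash and would also match images such as `xreg.exe`; write `- Image|endswith: '\reg.exe'` as the sibling rules on this page do. The description's `Often used by attacker` should be `attackers`.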
@@ -1,28 +1,28 @@ title: Enabling RDP Service via Reg.exe id: 0d5675be-bc88-4172-86d3-1e96a4476536 status: experimental -description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host +description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' subkeys author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 -modified: 2022/03/15 +modified: 2022/08/06 logsource: product: windows category: process_creation detection: - selection1: + selection_cli: Image|endswith: '\reg.exe' CommandLine|contains|all: - ' add ' - '\SYSTEM\CurrentControlSet\Control\Terminal Server' - 'REG_DWORD' - ' /f' - selection2: + selection_values_1: CommandLine|contains|all: - 'Licensing Core' - 'EnableConcurrentSessions' - selection3: + selection_values_2: CommandLine|contains: - 'WinStations\RDP-Tcp' - 'MaxInstanceCount' @@ -34,7 +34,7 @@ detection: - 'TSAdvertise' - 'AllowTSConnections' - 'fSingleSessionPerUser' - condition: selection1 and (selection2 or selection3) + condition: selection_cli and 1 of selection_values_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml index 1190e74c8..1ab7e528e 100644 --- a/rules/windows/process_creation/proc_creation_win_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml 
@@ -2,9 +2,9 @@ title: Stop Windows Service id: eb87818d-db5d-49cc-a987-d5da331fbd90 description: Detects a windows service to be stopped status: experimental -author: Jakob Weinzettl, oscd.community +author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 -modified: 2022/06/20 +modified: 2022/08/08 tags: - attack.impact - attack.t1489 @@ -12,7 +12,7 @@ logsource: category: process_creation product: windows detection: - selection_img: + selection_sc_net_img: - OriginalFileName: - 'sc.exe' - 'net.exe' @@ -21,14 +21,17 @@ detection: - '\sc.exe' - '\net.exe' - '\net1.exe' - selection_cli: + selection_sc_net_cli: CommandLine|contains: 'stop' + selection_pwsh: + Image|endswith: '\powershell.exe' + CommandLine|contains: 'Stop-Service ' filter: CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: all of selection_* and not filter + condition: (all of selection_sc_net* and not filter) or selection_pwsh fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml b/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml index 92d90d52a..92a5ef598 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ date: 2022/07/14 +modified: 2022/08/08 logsource: category: process_creation product: windows 
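Review bot: `selection_pwsh` restricts `Image|endswith` to `'\powershell.exe'`, so `Stop-Service` issued from `pwsh.exe` or `powershell_ise.exe` is not covered; extend it to a list with `- '\powershell.exe'`, `- '\pwsh.exe'` and `- '\powershell_ise.exe'`. The trailing space in `'Stop-Service '` presumably targets the parameterised form, but it misses pipeline usage where the cmdlet ends the command (e.g. `... | Stop-Service`), so `'Stop-Service'` without the space may be the safer value. A why-comment on the condition, e.g. `# filter is sc/net-specific, hence not applied to the PowerShell branch`, would explain the asymmetry in `condition: (all of selection_sc_net* and not filter) or selection_pwsh`.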
@@ -16,12 +17,12 @@ detection: - 'create' - 'config' CommandLine|contains|all: - - 'binPath=' - - 'type=' + - 'binPath' + - 'type' - 'kernel' condition: selection falsepositives: - - Legitimate installation of drivers via sc.exe + - Rare legitimate installation of kernel drivers via sc.exe level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml deleted file mode 100644 index dad73ada0..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml +++ /dev/null @@ -1,43 +0,0 @@ -title: Suspicious WMI Execution -id: 526be59f-a573-4eea-b5f7-f0973207634d -status: test -description: Detects WMI executing suspicious commands -author: Michael Haag, Florian Roth, juju4, oscd.community -references: - - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ - - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ -date: 2019/01/16 -modified: 2022/05/13 -logsource: - category: process_creation - product: windows -detection: - selection: - - Image|endswith: '\wmic.exe' - - OriginalFileName: 'wmic.exe' - selection2: - CommandLine|contains|all: - - 'process' - - 'call' - - 'create ' - recon_part1: - CommandLine|contains: ' path ' - recon_part2: - CommandLine|contains: - - 'AntiVirus' - - 'Firewall' - CommandLine|contains|all: - - 'Product' - - ' get ' - condition: (selection and selection2) or (selection and recon_part1 and recon_part2) -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine -level: medium -tags: - - attack.execution - - attack.t1047 - - car.2016-03-002 
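Review bot: Dropping the `=` from `'binPath='` and `'type='` makes both values plain substrings — `'type'` in particular will now also match paths or arguments that merely contain the word — and the commit gives no reason for the change; a comment above the list stating the motivation (presumably to tolerate whitespace variants around `=`) would help, e.g. `# no '=' on purpose: sc.exe accepts whitespace variants around it`. The rest of the selection (`'create'`/`'config'` and the image constraint) starts outside this hunk.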
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml new file mode 100644 index 000000000..fb3c2dd7c --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml @@ -0,0 +1,43 @@ +title: Suspicious WMI Execution +id: 526be59f-a573-4eea-b5f7-f0973207634d +status: test +description: Detects WMI executing suspicious commands +author: Michael Haag, Florian Roth, juju4, oscd.community +references: + - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ + - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 + - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ +date: 2019/01/16 +modified: 2022/05/13 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName: 'wmic.exe' + selection_process_call: + CommandLine|contains|all: + - 'process' + - 'call' + - 'create ' + recon_part1: + CommandLine|contains: ' path ' + recon_part2: + CommandLine|contains: + - 'AntiVirus' + - 'Firewall' + CommandLine|contains|all: + - 'Product' + - ' get ' + condition: all of selection_* or (selection_img and all of recon_*) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine +level: medium +tags: + - attack.execution + - attack.t1047 + - car.2016-03-002 diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml new file mode 100644 index 000000000..8e52e8299 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml 
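Review bot: The re-created rule keeps `modified: 2022/05/13` even though this commit renames the selections (`selection_img`, `selection_process_call`) and rewrites the condition to `all of selection_* or (selection_img and all of recon_*)`; bump it to `modified: 2022/08/09` as the other rules in this commit do. Since the file keeps id `526be59f-a573-4eea-b5f7-f0973207634d` from the deleted `proc_creation_win_susp_wmi_execution.yml`, a git rename would also have kept the history attached to the new path.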
@@ -0,0 +1,49 @@ +title: Suspicious WMIC Execution +id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 +status: test +description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32"...etc +author: Florian Roth, Nasreddine Bencherchali +references: + - https://thedfirreport.com/2020/10/08/ryuks-return/ + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker +date: 2020/10/12 +modified: 2022/08/09 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'process ' + - 'call ' + - 'create ' + CommandLine|contains: + # Add more susupicious paths and binaries as you see fit in your env + - 'rundll32' + - 'bitsadmin' + - 'regsvr32' + - 'cmd.exe /c ' + - 'powershell' + - 'pwsh' + - 'certutil' + - 'cscript' + - 'wscript' + - 'mshta' + - '\Users\Public\' + - '\Windows\Temp\' + - '\AppData\Local\' + - '%temp%' + - '%ProgramData%' + - '%appdata%' + - '%comspec%' + - '%localappdata%' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high +tags: + - attack.execution + - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml deleted file mode 100644 index 19e8d3d73..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create_rundll32.yml +++ /dev/null 
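Review bot: The new inline comment and the description both carry typos: `# Add more suspicious paths and binaries as you see fit in your env` and `... such as "rundll32", "regsvr32"...etc`. `'\AppData\Local\'` and `'%localappdata%'` cover the per-user install location of many legitimate applications, which will presumably raise the false-positive rate of a `level: high` rule; `falsepositives: - Unknown` should at least mention that case so tuners know where to start.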
@@ -1,27 +0,0 @@ -title: Suspicious WMI Execution Using Rundll32 -id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 -status: test -description: Detects WMI executing rundll32 -author: Florian Roth -references: - - https://thedfirreport.com/2020/10/08/ryuks-return/ -date: 2020/10/12 -modified: 2021/11/27 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - 'process call create' - - 'rundll32' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high -tags: - - attack.execution - - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml index 414d3c9b9..0d5fff882 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml @@ -2,9 +2,9 @@ title: NirCmd Tool Execution id: 4e2ed651-1906-4a59-a78a-18220fca1b22 status: experimental description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity -author: 'Florian Roth, Nasreddine Bencherchali @nas_bench' +author: Florian Roth, Nasreddine Bencherchali date: 2022/01/24 -modified: 2022/05/13 +modified: 2022/08/08 references: - https://www.nirsoft.net/utils/nircmd.html - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -19,6 +19,12 @@ logsource: detection: selection_org: OriginalFileName: 'NirCmd.exe' + selection_cmd: + CommandLine|contains: + - ' execmd ' + - '.exe script ' + - '.exe shexec ' + - ' runinteractive ' combo_exec: CommandLine|contains: - ' exec ' 
@@ -27,13 +33,7 @@ detection: CommandLine|contains: - ' show ' - ' hide ' - selection_cmd: - CommandLine|contains: - - ' execmd ' - - '.exe script ' - - '.exe shexec ' - - ' runinteractive ' - condition: (1 of selection*) or (combo_exec and combo_exec_params) + condition: 1 of selection* or all of combo_* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml index 838c0c83b..885b29159 100644 --- a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml 
@@ -4,27 +4,27 @@ status: experimental description: Detection of sc.exe utility adding a new service with special permission which hides that service. author: Andreas Hunkeler (@Karneades) references: - - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ + - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html + - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ date: 2021/12/20 -modified: 2022/05/13 +modified: 2022/08/08 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - sc: - - Image|endswith: '\sc.exe' - - OriginalFileName: 'sc.exe' - cli: - CommandLine|contains|all: - - 'sdset' - - 'DCLCWPDTSD' - condition: sc and cli + selection_img: + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' + selection_cli: + CommandLine|contains|all: + - 'sdset' + - 'DCLCWPDTSD' + condition: all of selection_* falsepositives: - - Intended use of hidden services + - Rare intended use of hidden services level: high tags: - - attack.persistence - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1574.011 + - attack.persistence + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.011 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml rename to rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml index f8a9a26f5..3c46c5c1f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ad_reco.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml 
@@ -25,4 +25,4 @@ falsepositives:
 level: low
 tags:
 - attack.discovery
- - attack.t1069.001
\ No newline at end of file
+ - attack.t1069.001
diff --git a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
index 7a542b20e..411041b6e 100755
--- a/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
+++ b/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml
@@ -5,9 +5,10 @@ description: Detects the usage and installation of a backdoor that uses an optio
 status: experimental
 references:
 - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
+ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
 author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
-modified: 2021/09/12
+modified: 2022/08/06
 logsource:
 category: registry_event
 product: windows
@@ -20,6 +21,8 @@ detection:
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
 condition: selection_registry
 falsepositives:
 - Unlikely
diff --git a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
index 6dd183760..9c24bb969 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml
@@ -1,9 +1,9 @@
 title: Disable UAC Using Registry
 id: 48437c39-9e5f-47fb-af95-3d663c3f2919
-description: Disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+description: Detects when an attacker tries to disable User Account Conrol (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
 author: frack113
 date: 2022/01/05
-modified: 2022/03/26
+modified: 2022/08/06
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 EventType: SetValue
- TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
 Details: DWORD (0x00000000)
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml b/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml
deleted file mode 100755
index 3b0815014..000000000
--- a/rules/windows/registry/registry_set/registry_set_rdp_registry_modification.yml
+++ /dev/null
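Review bot: The new description line keeps the misspelling `Conrol` (`User Account Conrol (UAC)`) and still describes the key as living under HKLM, while the second hunk's `TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` now matches that path under any hive. Suggest `description: Detects when an attacker tries to disable User Account Control (UAC) by changing the EnableLUA value under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System from 1 to 0` so the text matches the broadened selection. A short comment on the `TargetObject|contains` line saying the hive prefix was dropped on purpose would stop a later editor from "fixing" it back to an exact match.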
@@ -1,31 +0,0 @@
-title: RDP Registry Modification
-id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
-status: test
-description: Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
-author: Roberto Rodriguez @Cyb3rWard0g
-references:
- - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
-date: 2019/09/12
-modified: 2022/03/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection:
- EventType: SetValue
- TargetObject|endswith:
- - '\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication'
- - '\CurrentControlSet\Control\Terminal Server\fDenyTSConnections'
- Details: 'DWORD (0x00000000)'
- condition: selection
-fields:
- - ComputerName
- - Image
- - EventType
- - TargetObject
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml b/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml
deleted file mode 100755
index fa8a24b10..000000000
--- a/rules/windows/registry/registry_set/registry_set_rdp_settings_hijack.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: RDP Sensitive Settings Changed
-id: 171b67e1-74b4-460e-8d55-b331f3e32d67
-status: test
-description: Detects changes to RDP terminal service sensitive settings
-author: Samir Bousseaden, David ANDRE
-references:
- - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html
- - https://knowledge.insourcess.com/Supporting_Technologies/Wonderware/Tech_Notes/TN_WW213_How_to_shadow_an_established_RDP_Session_on_Windows_10_Pro
- - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03
- - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/
-date: 2019/04/03
-modified: 2022/06/26
-logsource:
- category: registry_set
- product: windows
-detection:
- selection_reg:
- EventType: SetValue
- TargetObject|contains:
- - '\services\TermService\Parameters\ServiceDll'
- - '\Control\Terminal Server\fSingleSessionPerUser'
- - '\Control\Terminal Server\fDenyTSConnections'
- - '\Policies\Microsoft\Windows NT\Terminal Services\Shadow'
- - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
- condition: selection_reg
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.defense_evasion
- - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
new file mode 100644
index 000000000..c41ddf350
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
@@ -0,0 +1,66 @@
+title: RDP Sensitive Settings Changed
+id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
+related:
+ - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
+ type: obsoletes
+ - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
+ type: obsoletes
+status: test
+description: Detects tampering to RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
+author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
+references:
+ - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+ - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
+ - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
+ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
+ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
+ - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
+date: 2022/08/06
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection_shadow:
+ EventType: SetValue
+ TargetObject|contains:
+ - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+ - '\Control\Terminal Server\'
+ TargetObject|endswith: '\Shadow'
+ Details:
+ - 'DWORD (0x00000001)' # Full Control with user’s permission
+ - 'DWORD (0x00000002)' # Full Control without user’s permission
+ - 'DWORD (0x00000003)' # View Session with user’s permission
+ - 'DWORD (0x00000004)' # View Session without user’s permission
+ selection_terminal_services_key:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\Control\Terminal Server\'
+ - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\'
+ selection_terminal_services_values_0:
+ TargetObject|endswith:
+ - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
+ - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
+ - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
+ Details: 'DWORD (0x00000000)'
+ selection_terminal_services_values_1:
+ TargetObject|endswith:
+ - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
+ - '\fAllowUnsolicitedFullControl'
+ Details: 'DWORD (0x00000001)'
+ selection_tamper_only:
+ # Any changes to these keys should be suspicious and looked at
+ EventType: SetValue
+ TargetObject|contains:
+ - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
+ - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer.
+ - '\Control\Terminal Server\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer.
+ - 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\InitialProgram' # This value can be set to pecify a program to run automatically when a user logs on to a remote computer.
+ condition: selection_shadow or (selection_terminal_services_key and 1 of selection_terminal_services_values_*) or selection_tamper_only
+falsepositives:
+ - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index 06fe32d49..d0a413eb6 100644
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -12,6 +12,7 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
 - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 status: experimental
 logsource:
 product: windows
@@ -27,6 +28,7 @@ detection:
 - '\Real-Time Protection\DisableOnAccessProtection'
 - '\Real-Time Protection\DisableRealtimeMonitoring'
 - '\Real-Time Protection\DisableScanOnRealtimeEnable'
+ - '\Reporting\DisableEnhancedNotifications'
 - '\SpyNet\DisableBlockAtFirstSeen'
 - '\DisableAntiSpyware'
 - '\DisableAntiVirus'
From b7e5e128c73869834f60cb5c8e7a68171474e0f6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 9 Aug 2022 18:42:39 +0100
Subject: [PATCH 025/129] Update proc_creation_win_disable_service.yml
---
 .../process_creation/proc_creation_win_disable_service.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
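Review bot: Several comments in the new rule carry wording defects that will be copied into anything generated from it: `pecify` appears three times in the `selection_tamper_only` value comments (should be `specify`), the two reference comments say `Shadow RPD technique` (RDP), and the etutorials.org reference comment opens a parenthesis that is never closed while the admx.help comment beside it is closed. `selection_terminal_services_values_1` also lists `'\fAllowUnsolicitedFullControl'` without the explanatory comment its sibling `'\fAllowUnsolicited'` has; a short note in the same style would keep the two entries consistent. None of these change what the rule matches, but the comments are the only place the meaning of each value is recorded.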
diff --git a/rules/windows/process_creation/proc_creation_win_disable_service.yml b/rules/windows/process_creation/proc_creation_win_disable_service.yml
index ce6dbe325..6efd00111 100644
--- a/rules/windows/process_creation/proc_creation_win_disable_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_disable_service.yml
@@ -27,7 +27,7 @@ detection:
 CommandLine|contains:
 - 'Disabled'
 - 'Manual'
- condition: 1 of selection_sc_* or selection_pwsh
+ condition: all of selection_sc_* or selection_pwsh
 falsepositives:
 - Administrators settings a service to disable via script or cli for testing purposes
 level: medium
From 5591d965cec1ea732a15626c77973bf0b66db692 Mon Sep 17 00:00:00 2001
From: Mark Morowczynski
Date: Tue, 9 Aug 2022 12:42:29 -0700
Subject: [PATCH 026/129] Create azure_pim_change_settings.yml
Detect when changes are made to PIM settings
---
 .../cloud/azure/azure_pim_change_settings.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/cloud/azure/azure_pim_change_settings.yml
diff --git a/rules/cloud/azure/azure_pim_change_settings.yml b/rules/cloud/azure/azure_pim_change_settings.yml
new file mode 100644
index 000000000..7402c6fbc
--- /dev/null
+++ b/rules/cloud/azure/azure_pim_change_settings.yml
@@ -0,0 +1,22 @@
+title: Changes To PIM Settings
+id: db6c06c4-bf3b-421c-aa88-15672b88c743
+status: experimental
+description: Detects when changes are made to PIM roles
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/09
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ properties.message: Update role setting in PIM
+ condition: selection
+falsepositives:
+ - Legit administrative PIM setting configuration changes
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1078
+level: high
From 402882c7647e359c84cb79cb9d051f2477b1ec9f Mon Sep 17 00:00:00 2001
From: "C.J. May"
Date: Tue, 9 Aug 2022 17:49:06 -0500
Subject: [PATCH 027/129] Create file_event_bloodhound_collection.yml
---
 .../file_event_bloodhound_collection.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_bloodhound_collection.yml
diff --git a/rules/windows/file_event/file_event_bloodhound_collection.yml b/rules/windows/file_event/file_event_bloodhound_collection.yml
new file mode 100644
index 000000000..5ec7fd6b1
--- /dev/null
+++ b/rules/windows/file_event/file_event_bloodhound_collection.yml
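Review bot: The description line `Detects when changes are made to PIM roles` does not match the title and the selection, which both target changes to PIM role settings (`properties.message: Update role setting in PIM`); suggest `description: Detects when changes are made to PIM role settings`. Since the selection is an exact match on a single message string, a comment on that line noting that the wording must be checked against the tenant's actual audit-log message would help whoever tunes the rule, and given the `falsepositives` entry already expects legitimate administrative changes, `level: high` deserves a one-line justification as well.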
@@ -0,0 +1,40 @@
+title: BloodHound Collection Files
+id: 02773bed-83bf-469f-b7ff-e676e7d78bab
+description: Detects default file names outputted by the BloodHound collection tool SharpHound
+status: experimental
+author: C.J. May
+references:
+ - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
+date: 2022/08/09
+modified: 2022/08/09
+tags:
+ - attack.discovery
+ - attack.t1087.001
+ - attack.t1087.002
+ - attack.t1482
+ - attack.t1069.001
+ - attack.t1069.002
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection1:
+ TargetFilename|endswith:
+ - '\_BloodHound.zip'
+ - '\_computers.json'
+ - '\_containers.json'
+ - '\_domains.json'
+ - '\_gpos.json'
+ - '\_groups.json'
+ - '\_ous.json'
+ - '\_users.json'
+ selection2:
+ TargetFilename|contains|all:
+ - '\BloodHound'
+ - '.zip'
+ condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: high
From d1b123c16a0cd39e9dfae034752df0638c3ee090 Mon Sep 17 00:00:00 2001
From: "C.J. May"
Date: Tue, 9 Aug 2022 17:56:28 -0500
Subject: [PATCH 028/129] removed slashes from strings
---
 .../file_event_bloodhound_collection.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/windows/file_event/file_event_bloodhound_collection.yml b/rules/windows/file_event/file_event_bloodhound_collection.yml
index 5ec7fd6b1..9c0684d33 100644
--- a/rules/windows/file_event/file_event_bloodhound_collection.yml
+++ b/rules/windows/file_event/file_event_bloodhound_collection.yml
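Review bot: The tag list includes `attack.execution` and `attack.t1059.001`, but the detection only inspects `TargetFilename` for SharpHound output names and never looks at how the collector was launched, so those two tags are not supported by the rule's logic; the discovery tags already describe what a hit means. Consider dropping the two execution tags. In the description, `outputted` reads better as `written`: `description: Detects default file names written by the BloodHound collection tool SharpHound`.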
@@ -22,17 +22,17 @@ logsource:
 detection:
 selection1:
 TargetFilename|endswith:
- - '\_BloodHound.zip'
- - '\_computers.json'
- - '\_containers.json'
- - '\_domains.json'
- - '\_gpos.json'
- - '\_groups.json'
- - '\_ous.json'
- - '\_users.json'
+ - '_BloodHound.zip'
+ - '_computers.json'
+ - '_containers.json'
+ - '_domains.json'
+ - '_gpos.json'
+ - '_groups.json'
+ - '_ous.json'
+ - '_users.json'
 selection2:
 TargetFilename|contains|all:
- - '\BloodHound'
+ - 'BloodHound'
 - '.zip'
 condition: 1 of selection*
 falsepositives:
From b13c37ad75b4045f7d5b8caffb4a33fe5d5365e4 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 10 Aug 2022 07:42:50 +0200
Subject: [PATCH 029/129] Fix issue 3337
---
 tools/sigma/sigmac.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 80eccc23a..0238290e4 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -446,8 +446,8 @@ def main():
 if cmdargs.output_fields:
 if cmdargs.output_format == 'json':
 print(json.dumps(output_array, indent=4, ensure_ascii=False), file=out)
- #elif cmdargs.output_format == 'yaml':
- # print(ruamel.yaml.round_trip_dump(output_array), file=out)
+ elif cmdargs.output_format == 'yaml':
+ print(ruamel.yaml.round_trip_dump(output_array), file=out)
 out.close()
From 519e4a8f4712174b8f3f83ffc96e7e3450928bc8 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 10 Aug 2022 07:44:56 +0200
Subject: [PATCH 030/129] Fix issue 3339
---
 .../win_account_backdoor_dcsync_rights.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
index 206a5ae88..4e5e086ff 100644
--- a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
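Review bot: With the backslash removed, `selection2` (`TargetFilename|contains|all` of `'BloodHound'` and `'.zip'`) matches any path that contains the word anywhere and has `.zip` anywhere after or before it, so an administrator downloading the BloodHound GUI release archive, or any archive written under a folder named after the tool, now fires at `level: high` even though `falsepositives` still says `Unknown`. The `selection1` suffixes are unaffected, since they key on the SharpHound output names. Either narrow the second term with `TargetFilename|endswith: '.zip'` kept alongside the `contains` on `'BloodHound'`, or record the expected benign case, e.g. `- Legitimate download or extraction of the BloodHound release archive`, so analysts know what to expect.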
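Review bot: The re-enabled `elif` branch calls `ruamel.yaml.round_trip_dump`, but at this commit the matching `import ruamel.yaml` at the top of sigmac.py is still commented out (it is only restored by PATCH 033 further down this page), so running with `--output-format yaml` and output fields raises `NameError` at the new line instead of writing the file. The import and the call site should land in the same change; `import ruamel.yaml` belongs with this hunk. The enclosing `main()` starts outside the hunk.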
@@ -4,7 +4,7 @@ description: Backdooring domain object to grant the rights associated with DCSyn
 Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-modified: 2022/05/10
+modified: 2022/08/10
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton
 references:
 - https://twitter.com/menasec1/status/1111556090137903104
@@ -20,13 +20,13 @@ detection:
 EventID: 5136
 AttributeLDAPDisplayName: 'ntSecurityDescriptor'
 AttributeValue|contains:
- - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- - '89e95b76-444d-4c62-991a-0facbeda640c'
+ - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
+ - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
+ - '89e95b76-444d-4c62-991a-0facbeda640c'
 filter1:
- ObjectType:
- - 'dnsNode'
- - 'dnsZoneScope'
+ ObjectClass:
+ - 'dnsNode'
+ - 'dnsZoneScope'
 condition: selection and not 1 of filter*
 falsepositives:
 - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
From d666a186155e2045eb591a1a65f9d95b8a21cb00 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 10 Aug 2022 07:52:50 +0200
Subject: [PATCH 031/129] Fix issue 3342
---
 .../proc_creation_win_enumeration_for_credentials_cli.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
index 1fe38d31d..38357a803 100644
--- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
@@ -19,7 +19,7 @@ detection:
 selection:
 CommandLine|contains: # Add more paths as they are discovered
 - '\Software\SimonTatham\PuTTY\Sessions'
- - '\Software\\SimonTatham\\PuTTY\SshHostKeys\'
+ - '\Software\\SimonTatham\PuTTY\SshHostKeys\'
 - '\Software\Mobatek\MobaXterm\'
 - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
 - '\Software\Aerofox\FoxmailPreview'
From 342ec1c9ccdaaabf9cd8ba1bacd63cb35c68d74e Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 10 Aug 2022 11:23:42 +0200
Subject: [PATCH 032/129] fix: FP with wrongly matching folders
---
 .../image_load/image_load_susp_dll_load_system_process.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index bcc746c2b..f683c2f77 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/08/02
+modified: 2022/08/10
 logsource:
 product: windows
 category: image_load
@@ -20,7 +20,9 @@ detection:
 - '\Downloads\'
 - '\AppData\Local\Temp\'
 - 'C:\PerfLogs\'
- condition: selection
+ filter:
+ ImageLoaded|contains: '\Program Files'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
From ac203f99b5dbb3472369e630e22a15e8c3423086 Mon Sep 17 00:00:00 2001
From: Wagga <6437862+wagga40@users.noreply.github.com>
Date: Wed, 10 Aug 2022 11:42:27 +0200
Subject: [PATCH 033/129] Restore ruamel in sigmac to allow output in YAML
This commit definitely fix the #3337 issue. The commit #3349 restored the commented lines but the ruamel import was not in it.
---
 tools/sigma/sigmac.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
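Review bot: The corrected line still spells `\\SimonTatham` with a doubled backslash while the entry directly above it, `'\Software\SimonTatham\PuTTY\Sessions'`, uses a single one; under Sigma's string escaping a `\\` not followed by a wildcard and a plain `\` both denote one literal backslash, so the two entries match the same characters but read as if they targeted different strings. Normalising to `- '\Software\SimonTatham\PuTTY\SshHostKeys\'` keeps the match identical and removes the inconsistency. The selection's remaining entries lie outside the hunk.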
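Review bot: The new `filter` uses `ImageLoaded|contains: '\Program Files'`, which excludes any DLL whose path contains that substring at any depth, including a `Program Files` subfolder created under `\Downloads\` or `\AppData\Local\Temp\`, the very user-writable locations the `selection` block is meant to flag, so the exclusion is broader than the FP it fixes. Anchoring it to the drive root, `ImageLoaded|startswith: 'C:\Program Files'`, or at least to a path separator, `ImageLoaded|contains: ':\Program Files'`, keeps the FP fix while leaving the monitored directories covered. The `selection` block starts outside the hunk.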
diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py
index 0238290e4..8aae2d3fd 100755
--- a/tools/sigma/sigmac.py
+++ b/tools/sigma/sigmac.py
@@ -18,7 +18,7 @@ import sys
 import argparse
 import yaml
-#import ruamel.yaml
+import ruamel.yaml
 import json
 import pathlib
 import itertools
From b5c15c5137be774d1714324a1aad2c15e86b83be Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 10 Aug 2022 12:52:49 +0100
Subject: [PATCH 034/129] More additions and updates
---
 ...vent_win_error_handler_cmd_persistence.yml | 23 +++++++++++++
 ...event_win_powershell_startup_shortcuts.yml | 6 ++--
 ...nt_win_susp_startup_folder_persistence.yml | 29 +++++++++++++++++
 .../proc_creation_win_disable_service.yml | 2 +-
 ...egistry_event_dns_serverlevelplugindll.yml | 10 +++---
 .../registry_event_ssp_added_lsa_config.yml | 32 +++++++++----------
 ...eg_keys_modification_currentcontrolset.yml | 6 ++--
 .../registry_set_hhctrl_persistence.yml | 2 +-
 .../registry_set_mpnotify_persistence.yml | 4 +--
 .../registry_set_persistence_autodial_dll.yml | 21 ++++++++++++
 .../registry_set_persistence_mycomputer.yml | 22 +++++++++++++
 .../registry_set_powershell_as_service.yml | 10 +++---
 ...yml => registry_set_servicedll_hijack.yml} | 7 ++--
 13 files changed, 135 insertions(+), 39 deletions(-)
 create mode 100644 rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml
 create mode 100644 rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml
 rename rules/windows/registry/registry_set/{registry_set_set_servicedll.yml => registry_set_servicedll_hijack.yml} (80%)
diff --git a/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml
new file mode 100644
index 000000000..91f43cd13
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml
@@ -0,0 +1,23 @@
+title: Detection of SafetyKatz
+id: e074832a-eada-4fd7-94a1-10642b130e16
+status: experimental
+description: |
+ Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
+ The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
+author: Nasreddine Bencherchali
+references:
+ - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
+ - https://github.com/last-byte/PersistenceSniper
+date: 2022/08/09
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.persistence
diff --git a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
index 273f38145..4a4f81d67 100644
--- a/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
+++ b/rules/windows/file_event/file_event_win_powershell_startup_shortcuts.yml
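Review bot: `title: Detection of SafetyKatz` does not describe this rule, whose only selection is `TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'` and whose description is about ErrorHandler.cmd persistence; it reads like a leftover from another rule and would mislead anyone triaging the alert. Suggest `title: Persistence Via ErrorHandler.cmd`, matching the `Persistence Via ...` form the other new rules in this patch use. The description's second line explains when the file is read, which is the context an analyst needs, so the title is the only part that misdirects.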
@@ -6,12 +6,11 @@ references:
 - https://redcanary.com/blog/intelligence-insights-october-2021/
 - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
 tags:
- - attack.registry_run_keys_/_startup_folder
+ - attack.persistence
 - attack.t1547.001
 date: 2021/10/24
-modified: 2022/07/14
+modified: 2022/08/10
 author: Christopher Peacock '@securepeacock', SCYTHE
-level: high
 logsource:
 product: windows
 category: file_event
@@ -26,3 +25,4 @@ detection:
 falsepositives:
 - Unknown
 - Depending on your environment accepted applications may leverage this at times. It is recomended to search for anomolies inidicative of malware.
+level: high
diff --git a/rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml b/rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml
new file mode 100644
index 000000000..78280468e
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_susp_startup_folder_persistence.yml
@@ -0,0 +1,29 @@
+title: Suspicious Startup Folder Persistence
+id: 28208707-fe31-437f-9a7f-4b1108b94d2e
+description: Detects when a file with a suspicious extension is created in the startup folder
+status: experimental
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/last-byte/PersistenceSniper
+tags:
+ - attack.persistence
+ - attack.t1547.001
+date: 2022/08/10
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
+ TargetFilename|endswith:
+ # Add or remove suspicious extensions according to your env needs
+ - '.vbs'
+ - '.vbe'
+ - '.bat'
+ - '.ps1'
+ - '.hta'
+ - '.dll'
+ condition: selection
+falsepositives:
+ - Rare legitimate usage of some of the extensions mentioned in the rule
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_disable_service.yml b/rules/windows/process_creation/proc_creation_win_disable_service.yml
index 6efd00111..06702301b 100644
--- a/rules/windows/process_creation/proc_creation_win_disable_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_disable_service.yml
@@ -1,4 +1,4 @@
-title: Sc Execution to Disable Services
+title: Sc Or Set-Service Cmdlet Execution to Disable Services
 id: 85c312b7-f44d-4a51-a024-d671c40b49fc
 status: experimental
 description: Detects when attackers use "sc.exe" or the powershell "Set-Service" cmdlet to change the startup type of a service to "disabled"
diff --git a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
index ca584c21e..572e3ba60 100755
--- a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
+++ b/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml
@@ -16,16 +16,16 @@ logsource:
 product: windows
 category: registry_event
 detection:
- selection:
+ selection:
 TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
 condition: selection
-falsepositives:
- - Unknown
-level: high
 fields:
 - EventID
 - CommandLine
 - ParentCommandLine
 - Image
 - User
- - TargetObject
\ No newline at end of file
+ - TargetObject
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
index 03ff9e243..021550b27 100755
--- a/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
+++ b/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml
@@ -4,25 +4,25 @@ status: test
 description: Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
 author: iwillkeepwatch
 references:
- - https://attack.mitre.org/techniques/T1101/
- - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
+ - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
 date: 2019/01/18
-modified: 2021/11/27
+modified: 2022/08/09
 logsource:
- category: registry_event
- product: windows
+ category: registry_event
+ product: windows
 detection:
- selection_registry:
- TargetObject:
- - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
- - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
- exclusion_images:
- - Image: C:\Windows\system32\msiexec.exe
- - Image: C:\Windows\syswow64\MsiExec.exe
- condition: selection_registry and not exclusion_images
+ selection_registry:
+ TargetObject:
+ - 'HKLM\System\CurrentControlSet\Control\Lsa\Security Packages'
+ - 'HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages'
+ exclusion_images:
+ Image:
+ - 'C:\Windows\system32\msiexec.exe'
+ - 'C:\Windows\syswow64\MsiExec.exe'
+ condition: selection_registry and not exclusion_images
 falsepositives:
- - Unlikely
+ - Unlikely
 level: critical
 tags:
- - attack.persistence
- - attack.t1547.005
+ - attack.persistence
+ - attack.t1547.005
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 2d0a77fdf..8a935e286 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/07/27
+modified: 2022/08/09
 logsource:
 category: registry_set
 product: windows
@@ -19,7 +19,7 @@ detection:
 system_control_base:
 EventType: SetValue
 TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
- system_control:
+ system_control_keys:
 TargetObject|contains:
 - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
 - '\Terminal Server\Wds\rdpwd\StartupPrograms'
@@ -45,7 +45,7 @@ detection:
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
- condition: system_control_base and system_control and not 1 of filter_*
+ condition: all of system_control_* and not 1 of filter_*
 fields:
 - SecurityID
 - ObjectName
diff --git a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
index fc5149ec4..f2d1a1811 100644
--- a/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml
@@ -21,4 +21,4 @@ falsepositives:
 - Unlikely
 level: high
 tags:
- - attack.persistence
+ - attack.persistence
diff --git a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
index fc561f8d1..2a49eed33 100644
--- a/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml
@@ -16,8 +16,8 @@ detection: TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify' condition: selection falsepositives: - - Unknown + - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurence in an environment and should be investigated either way level: high tags: - - attack.persistence + - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml new file mode 100644 index 000000000..f5fbff59d --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -0,0 +1,21 @@ +title: Persistence Via AutodialDLL +id: e6fe26ee-d063-4f5b-b007-39e90aaf50e3 +description: Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library +status: experimental +author: Nasreddine Bencherchali +date: 2022/08/10 +references: + - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\Services\WinSock2\Parameters\AutodialDLL' + condition: selection +falsepositives: + - Unlikley +level: high +tags: + - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml new file mode 100644 index 000000000..4836d2feb --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml 
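Review bot: The new `falsepositives` entry describes "a legitimate new SIP provider", but this rule matches writes to `\Winlogon\mpnotify` and has nothing to do with SIP registration, so the sentence looks copied from another rule and would mislead an analyst triaging the alert; it should describe a benign write to this key, e.g. `- Legitimate software (re)registering the mpnotify entry under Winlogon; verify the written Details value`. "occurence" is also misspelt ("occurrence"). The detection block starts outside the hunk.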
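Review bot: In the new AutodialDLL rule, `description` reads "Detects change the the "AutodialDLL" key" and `falsepositives` reads `Unlikley`; the other rules on this page use `Unlikely`, and the description should be `Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library`. The selection only checks `EventType` and the key path, so every write to the value alerts at `high`; a comment on `selection` stating that legitimate writes are expected to be rare, or a `Details` filter for the stock value (`rasadhlp.dll` on default installs, worth confirming), would document the tuning decision.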
@@ -0,0 +1,22 @@ +title: Persistence Via MyComputer Key and SubKeys +id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06 +description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) +status: experimental +author: Nasreddine Bencherchali +date: 2022/08/09 +references: + - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer' + TargetObject|endswith: '(Default)' + condition: selection +falsepositives: + - Unlikely but if you experience FPs add specific processes and locations you would like to monitor for +level: high +tags: + - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml index c78cb893c..f3c05aed5 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml @@ -12,15 +12,15 @@ logsource: product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains: '\Services\' TargetObject|endswith: '\ImagePath' Details|contains: - - 'powershell' - - 'pwsh' + - 'powershell' + - 'pwsh' condition: selection -falsepositives: - - Unknown +falsepositives: + - Unknown level: high tags: - attack.execution 
diff --git a/rules/windows/registry/registry_set/registry_set_set_servicedll.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml similarity index 80% rename from rules/windows/registry/registry_set/registry_set_set_servicedll.yml rename to rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 54492a306..474ba773b 100644 --- a/rules/windows/registry/registry_set/registry_set_set_servicedll.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -1,12 +1,13 @@ -title: ServiceDll Modification +title: ServiceDll Hijack id: 612e47e9-8a59-43a6-b404-f48683f45bd6 -description: Detects the modification of a ServiceDLL value in the service settings +description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. author: frack113 date: 2022/02/04 -modified: 2022/04/21 +modified: 2022/08/10 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time + - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ logsource: category: registry_set product: windows From 8e63a4b2e1e7961684ddf74b8afc16dadc0e7436 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 10 Aug 2022 13:54:19 +0200 Subject: [PATCH 035/129] fix: another Win7 i386 path --- .../process_creation/proc_creation_win_dll_sideload_defender.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml index 3cc1c0336..b1aa88f29 100644 --- a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml +++ b/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml 
@@ -21,6 +21,7 @@ detection: - 'C:\Program Files\Windows Defender\' - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - 'C:\Windows\winsxs\x86_security-malware-windows-defender_' # found on Win7 i386 + - 'C:\Program Files\Microsoft Security Client\MpCmdRun.exe' # found on Win7 i386 condition: selection and not legit_path falsepositives: - Unknown From 405ed7e6d28d5c55b5fab0493abdc3d25666dc62 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 13:02:08 +0100 Subject: [PATCH 036/129] Update file_event_win_error_handler_cmd_persistence.yml --- .../file_event/file_event_win_error_handler_cmd_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml index 91f43cd13..370ccb5ba 100644 --- a/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml +++ b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml @@ -1,5 +1,5 @@ title: Detection of SafetyKatz -id: e074832a-eada-4fd7-94a1-10642b130e16 +id: 15904280-565c-4b73-9303-3291f964e7f9 status: experimental description: | Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence From d1c5153103b8ed8f1d042a0f3d02a76777dfffe9 Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Wed, 10 Aug 2022 07:09:09 -0700 Subject: [PATCH 037/129] Create azure_tap_added.yml Detection for temporary access pass (TAP) added to an account. --- rules/cloud/azure/azure_tap_added.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_tap_added.yml diff --git a/rules/cloud/azure/azure_tap_added.yml b/rules/cloud/azure/azure_tap_added.yml new file mode 100644 index 000000000..83af179fa --- /dev/null 
+++ b/rules/cloud/azure/azure_tap_added.yml @@ -0,0 +1,23 @@ +title: Temporary Access Pass Added To An Account +id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce +status: experimental +description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/10 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Admin registered security info + Status: Admin registered temporary access pass method for user + condition: selection +falsepositives: + - Administrator adding a legitmate temporary access pass +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1078 +level: high From 14277c5b6dd47dc02b72f0d040bfa7517842cb2b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 15:15:49 +0100 Subject: [PATCH 038/129] Fix FP --- ...roc_creation_win_ntfs_short_name_path_use_cli.yml | 12 ++++++++---- ...c_creation_win_ntfs_short_name_path_use_image.yml | 10 +++++++--- .../proc_creation_win_ntfs_short_name_use_cli.yml | 5 ++++- .../proc_creation_win_ntfs_short_name_use_image.yml | 3 +++ 4 files changed, 22 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 7ee974601..aa34470fc 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml 
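Review bot: `Status: Admin registered temporary access pass method for user` puts a sentence-like result reason into a field named `Status`, while the guest-invite rule later in this series uses `Status: failure`; if the audit-log field carrying that text is a result-reason field rather than the status, the selection never matches, so confirm the field name against a real "Admin registered security info" event and add a comment recording the sample. The description should read `privileged accounts` rather than `priv accounts`, and `legitmate` → `legitimate`.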
@@ -11,17 +11,21 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 +modified: 2022/08/10 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - '~1\' - '~2\' - filter_dism: - ParentImage: C:\Windows\System32\Dism.exe - condition: selection and not 1 of filter_* + filter: + - ParentImage: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe + - ParentImage|endswith: '\WebEx\WebexHost.exe' + condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml index e01fe0308..0ac7224b3 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml @@ -11,6 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 +modified: 2022/08/10 logsource: category: process_creation product: windows 
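Review bot: `ParentImage|endswith: '\WebEx\WebexHost.exe'` in the new `filter` only constrains the tail of the parent path, so a `WebexHost.exe` under any `WebEx` folder, including user-writable ones, satisfies the exclusion, whereas the Dism and cleanmgr entries are anchored to `C:\Windows\System32\`; if the WebEx install location is known, `ParentImage|startswith` on that directory keeps the filter as tight as its neighbours. The same pattern appears in the `_path_use_image`, `_use_cli` and `_use_image` hunks that follow. Collapsing the named `filter_dism` into one list-style `filter` also loses the per-entry naming the repo uses elsewhere (`1 of filter_*`), and the `_image` variant carries an explanatory comment on each entry while this one does not, so copy those comments here.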
@@ -19,9 +20,12 @@ detection: Image|contains: - '~1\' - '~2\' - filter_dism: - ParentImage: C:\Windows\System32\Dism.exe - condition: selection and not 1 of filter_* + filter: + - ParentImage: + - C:\Windows\System32\Dism.exe + - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) + - ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes + condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: high diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml index 56a2100c4..eea7d834c 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml @@ -11,6 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/05 +modified: 2022/08/10 logsource: category: process_creation product: windows @@ -35,7 +36,9 @@ detection: - '~2.ps1' - '~2.js' - '~2.hta' - condition: selection + filter: + ParentImage|endswith: '\WebEx\WebexHost.exe' + condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index 9899b4250..5826c2444 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml 
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -11,6 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/06 +modified: 2022/08/10 logsource: category: process_creation product: windows @@ -35,6 +36,8 @@ detection: - '~2.ps1' - '~2.js' - '~2.hta' + filter: + ParentImage|endswith: '\WebEx\WebexHost.exe' condition: selection falsepositives: - Unknown From babdecc6424ed9ec4b9ef634c4b7483500a01207 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 15:25:10 +0100 Subject: [PATCH 039/129] Update proc_creation_win_ntfs_short_name_use_image.yml --- .../proc_creation_win_ntfs_short_name_use_image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index 5826c2444..a78bfa522 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -38,7 +38,7 @@ detection: - '~2.hta' filter: ParentImage|endswith: '\WebEx\WebexHost.exe' - condition: selection + condition: selection and not filter falsepositives: - Unknown level: high From 5cde4a2d7ef3e69fd7d4fb5090b81e17a4be47b8 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 10 Aug 2022 16:49:12 +0200 Subject: [PATCH 040/129] fix: FP with Avast --- .../proc_creation_win_tap_installer_execution.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml b/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml index 25bfe1c0d..5f794a5c6 100644 --- a/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml @@ -4,14 +4,18 @@ status: test description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/08/10 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\tapinstall.exe' - condition: selection + filter_avast: + Image: + - 'C:\Program Files\Avast Software\SecureLine VPN\tapinstall.exe' + - 'C:\Program Files (x86)\Avast Software\SecureLine VPN\tapinstall.exe' + condition: selection and not 1 of filter* falsepositives: - Legitimate OpenVPN TAP insntallation level: medium From 7b9cd0e74c5aadae116e1a2acfbe72bbec381c79 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:20:07 +0200 Subject: [PATCH 041/129] fix: remove TargetObject restriction bc of too many FPs --- .../registry_set/registry_set_disable_winevt_logging.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 97abf991e..f5e047e88 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml 
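Review bot: `condition: selection and not 1 of filter*` uses the glob `filter*` while the selection is named `filter_avast` and the rest of this page writes `1 of filter_*` (the winevt and search-order rules, for instance); `condition: selection and not 1 of filter_*` keeps the convention and avoids picking up an unrelated future selection whose name merely starts with `filter`. The Avast exclusion is anchored to full `Image` paths, which is the right shape for this filter. The unchanged falsepositives line has a typo, `insntallation` → `installation`.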
@@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/08/09 +modified: 2022/08/10 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 @@ -21,8 +21,7 @@ detection: Image|endswith: '\Windows\system32\wevtutil.exe' #FP generated during installation of manifests via wevtutil filter_iis: Image|startswith: 'C:\Windows\winsxs\' - Image|endswith: '\TiWorker.exe' - TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-IIS-' + Image|endswith: '\TiWorker.exe' # many different TargetObjects filter_fsmfd: Image: 'C:\Windows\System32\svchost.exe' TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' From b0f07faa85ab9d00e7930403b1e848b46e6af1df Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:27:35 +0200 Subject: [PATCH 042/129] fix: FP with poqexec.exe --- .../registry_set/registry_set_persistence_search_order.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 4fd312934..28b9cbf5a 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/07/07 +modified: 2022/08/10 logsource: category: registry_set product: windows 
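Review bot: `filter_iis` now excludes every `WINEVT\Channels` write by `TiWorker.exe` under `winsxs`, no longer only the `Microsoft-IIS-` channels, so the name misdescribes the filter and the rule stops seeing any channel being disabled through that servicing path; rename it `filter_tiworker` and, since the rule is about the `Enabled` value being cleared, consider constraining on the written `Details` value instead of dropping the `TargetObject` clause entirely. The `# many different TargetObjects` comment would be more useful as a short list of the channels that actually triggered, so the next maintainer can re-narrow it. The detection block starts and ends outside the hunk.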
@@ -71,6 +71,9 @@ detection: Details|startswith: 'C:\ProgramData\Microsoft\' filter_gameservice: Details|contains: 'C:\WINDOWS\system32\GamingServicesProxy.dll' + filter_pocexec: + Image: 'C:\Windows\System32\poqexec.exe' + Details|contains: 'C:\Windows\System32\Autopilot.dll' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level From 6d1dad51fe37892e5db8fe4b0176d256f6a434a6 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 10 Aug 2022 18:09:55 +0200 Subject: [PATCH 043/129] fix: typo in filter name --- .../registry_set/registry_set_persistence_search_order.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 28b9cbf5a..7cc7ca808 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -71,7 +71,7 @@ detection: Details|startswith: 'C:\ProgramData\Microsoft\' filter_gameservice: Details|contains: 'C:\WINDOWS\system32\GamingServicesProxy.dll' - filter_pocexec: + filter_poqexec: Image: 'C:\Windows\System32\poqexec.exe' Details|contains: 'C:\Windows\System32\Autopilot.dll' condition: selection and not 1 of filter* From 80ee1192e6605d008b0ba382ff7dc5a1f1f8f634 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:45:25 +0100 Subject: [PATCH 044/129] Update file_event_win_error_handler_cmd_persistence.yml --- .../file_event/file_event_win_error_handler_cmd_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml index 370ccb5ba..9ff1d6061 100644 --- a/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml +++ b/rules/windows/file_event/file_event_win_error_handler_cmd_persistence.yml @@ -1,4 +1,4 @@ -title: Detection of SafetyKatz +title: Persistence Via ErrorHandler.Cmd id: 15904280-565c-4b73-9303-3291f964e7f9 status: experimental description: | From 021c297e967b327c1cede1318f9042ee985086f9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:48:48 +0100 Subject: [PATCH 045/129] Update title and description --- .../proc_creation_win_susp_wmic_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml index fb3c2dd7c..0162bf4e0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml @@ -1,7 +1,7 @@ -title: Suspicious WMI Execution +title: Suspicious WMIC Execution id: 526be59f-a573-4eea-b5f7-f0973207634d status: test -description: Detects WMI executing suspicious commands +description: Detects WMIC executing suspicious or recon commands author: Michael Haag, Florian Roth, juju4, oscd.community references: - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ From 0f8ad22b9aa4f81ec768733d8c84ee9bdf2a7685 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 17:53:09 +0100 Subject: [PATCH 046/129] Update proc_creation_win_susp_wmic_proc_create.yml --- .../proc_creation_win_susp_wmic_proc_create.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml index 8e52e8299..a0f27bec9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml @@ -1,4 +1,4 @@ -title: Suspicious WMIC Execution +title: Suspicious WMIC Execution - ProcessCallCreate id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 status: test description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32"...etc From a1b9065a1927d3193b93b4caaf5a039756c1c004 Mon Sep 17 00:00:00 2001 From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Wed, 10 Aug 2022 19:12:35 +0200 Subject: [PATCH 047/129] Create BPFDoor_abnormal_process_id_or_lock_file_accessed.yml detection for BPFDoor IoC files run from temporary file storage --- ...ormal_process_id_or_lock_file_accessed.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml diff --git a/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml b/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml new file mode 100644 index 000000000..fcc7d86c8 --- /dev/null +++ b/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml 
@@ -0,0 +1,28 @@ +title: BPFDoor Abnormal Process ID or Lock File Accessed +id: 808146b2-9332-4d78-9416-d7e47012d83d +status: experimental +description: detects BPFDoor .lock and .pid files access in temporary file storage facility +author: Rafal Piasecki +date: 2022/08/10 +references: + - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ + - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - /var/run/haldrund.pid + - /var/run/xinetd.lock + - /var/run/kdevrund.pid + condition: selection +tags: + - attack.execution + - attack.T1106 + - attack.T1070 + - attack.T1059 +falsepositives: + - Less Likely +level: high From 327a2b7e7be5f8295256aa1e464fa5b8f887bdbb Mon Sep 17 00:00:00 2001 From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Wed, 10 Aug 2022 19:14:14 +0200 Subject: [PATCH 048/129] Create BPF_Door_port_redirect.yml BPFDoor ports redirect for evasion --- rules/linux/auditd/BPF_Door_port_redirect.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/linux/auditd/BPF_Door_port_redirect.yml diff --git a/rules/linux/auditd/BPF_Door_port_redirect.yml b/rules/linux/auditd/BPF_Door_port_redirect.yml new file mode 100644 index 000000000..5a595896f --- /dev/null +++ b/rules/linux/auditd/BPF_Door_port_redirect.yml 
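Review bot: The tags `attack.T1106`, `attack.T1070` and `attack.T1059` are upper-case, whereas every other rule on this page writes technique tags in lower case (`attack.t1078`, `attack.t1547.005`) and the Sigma convention is lower-case, so these should be `attack.t1106` etc. `falsepositives: - Less Likely` is not one of the repository's usual values; `- Unlikely` matches the rest of the set, and the description should start with a capital: `Detects BPFDoor .lock and .pid file access in a temporary file storage location`. Since the three `name` values are exact IoC paths, a comment above `selection` noting that the list is indicator-based and will not catch renamed variants would set expectations for analysts.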
@@ -0,0 +1,26 @@ +title: BPFDoor_TCP_ports_redirect +id: 70b4156e-50fc-4523-aa50-c9dddf1993fc +status: experimental +description: All TCP traffic on particular port from attacker is routed to diffrent port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only. +author: Rafal Piasecki +date: 2022/08/10 +references: + - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/ + - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor +logsource: + product: linux + service: auditd +detection: + cmd: + type: 'EXECVE' + a0|endswith: 'iptables' + a1: '-t' + a2: 'nat' + keywords: + - '--to-ports 42' + - '--to-ports 43' + condition: cmd and keywords +level: medium +tags: attack.T1562.004 +falsepositives: + - legitimate ports redirect From 3201b68004e5b9c4f37ae70b87e58095deb78be4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 18:33:17 +0100 Subject: [PATCH 049/129] Final update --- .../proc_creation_win_rundll32_unc_path.yml | 27 ++++++++++ ..._reg_keys_modification_session_manager.yml | 1 + .../registry_set_silentprocessexit.yml | 6 +-- ...egistry_set_susp_app_paths_persistence.yml | 49 +++++++++++++++++++ 4 files changed, 80 insertions(+), 3 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml create mode 100644 rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml new file mode 100644 index 000000000..61b84f36f --- /dev/null 
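Review bot: `keywords` holds `'--to-ports 42'` and `'--to-ports 43'`, but an auditd `EXECVE` record carries each argument in its own `a0`…`aN` field (the rule itself reads `a0`, `a1`, `a2` that way), so a value containing a space can only match if the backend reassembles the command line; on raw auditd fields `condition: cmd and keywords` would never be true. Either document that backend assumption in a comment above `keywords` or match `--to-ports` on its own and leave the port to the analyst. `tags: attack.T1562.004` is a scalar rather than a list and is upper-case; it should be `tags:` followed by `  - attack.t1562.004`. The title `BPFDoor_TCP_ports_redirect` should be a plain title (`BPFDoor TCP Ports Redirect`), and `diffrent` → `different`.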
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml @@ -0,0 +1,27 @@ +title: Rundll32 UNC Path Execution +id: 5cdb711b-5740-4fb2-ba88-f7945027afac +status: experimental +description: Detects rundll32 execution where the DLL is located on a remote location (share) +author: Nasreddine Bencherchali +date: 2022/08/10 +references: + - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code +tags: + - attack.defense_evasion + - attack.execution + - attack.t1021.002 + - attack.t1218.011 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: 'RUNDLL32.EXE' + - CommandLine|contains: 'rundll32' + selection_cli: + CommandLine|contains: ' \\\\' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml index 9a3c2b9f1..95aed74c3 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml @@ -42,3 +42,4 @@ level: medium tags: - attack.persistence - attack.t1547.001 + - attack.t1546.009 diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml index 2f1f92be5..8766c4a55 100644 --- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml +++ b/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml 
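Review bot: `selection_cli` matches `' \\\\'` anywhere in the command line, so the rule fires on any UNC argument to rundll32, not only on a DLL loaded from a share as the `description` claims (a local DLL whose export receives a UNC path as its parameter also matches); either reword the description to `Detects rundll32 execution with a UNC path anywhere in its arguments` or add a comment on `selection_cli` explaining that the broader match is intended. In `selection_img`, the `CommandLine|contains: 'rundll32'` alternative also matches processes that merely mention rundll32 in their arguments, which is presumably wanted for renamed binaries but deserves a one-line comment. `attack.t1021.002` (SMB/Admin Shares) seems a stretch for a rule that observes no remote logon; worth confirming the mapping.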
@@ -12,8 +12,8 @@ logsource: category: registry_set product: windows detection: - selection: - EventType: SetValue + selection: + EventType: SetValue TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit' Details|contains: 'MonitorProcess' condition: selection @@ -22,4 +22,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1546.012 \ No newline at end of file + - attack.t1546.012 diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml new file mode 100644 index 000000000..52af03166 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml 
@@ -0,0 +1,49 @@ +title: Suspicious Values In App Paths Default Property +id: 707e097c-e20f-4f67-8807-1f72ff4500d6 +description: | + Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence + The entries found under App Paths are used primarily for the following purposes. + First, to map an application's executable file name to that file's fully qualified path. + Second, to pre-pend information to the PATH environment variable on a per-application, per-process basis. +status: experimental +author: Nasreddine Bencherchali +references: + - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN +date: 2022/08/10 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths' + TargetObject|endswith: + - '(Default)' + - 'Path' + Details|contains: + # Add more suspicious paths or binaries as you see fit. + - '\Users\Public' + - '\AppData\Local\Temp\' + - '\Windows\Temp\' + - '\Desktop\' + - '\Downloads\' + - '%temp%' + - 'iex' + - 'Invoke-' + - 'rundll32' + - 'regsvr32' + - 'mshta' + - 'cscript' + - 'wscript' + - '.bat' + - '.hta' + - '.dll' + - '.ps1' + condition: selection +falsepositives: + - Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it) +level: high +tags: + - attack.persistence + - attack.t1546.012 From 8a750770cfb386a982427c4e88476ca56f9ba34b Mon Sep 17 00:00:00 2001 
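Review bot: `Details|contains: 'iex'` is a bare substring that also matches `iexplore`, and Windows itself registers `IEXPLORE.EXE` under App Paths with its full path, so the new rule will fire on that stock entry (Sigma matching is case-insensitive); anchoring the token, e.g. `'iex '` and `'iex('`, avoids it. The tag `attack.t1546.012` is, as far as I know, the Image File Execution Options Injection sub-technique, which does not describe App Paths persistence; please verify the mapping and pick the autostart/event-triggered technique that actually fits. The false-positive line also has a typo: `Legitimate applications registering their binary from one of the suspicious locations mentioned above`.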
From: Mark Morowczynski Date: Wed, 10 Aug 2022 11:01:40 -0700 Subject: [PATCH 050/129] Create azure_guest_invite_failure.yml Detection when a user without proper permissions attempts to invite a guest account. --- .../azure/azure_guest_invite_failure.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_guest_invite_failure.yml diff --git a/rules/cloud/azure/azure_guest_invite_failure.yml b/rules/cloud/azure/azure_guest_invite_failure.yml new file mode 100644 index 000000000..9dcb8d272 --- /dev/null +++ b/rules/cloud/azure/azure_guest_invite_failure.yml @@ -0,0 +1,23 @@ +title: Guest User Invited By Non Approved Inviters +id: 0b4b72e3-4c53-4d5b-b198-2c58cfef39a9 +status: experimental +description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one. +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/10 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: Invite external user + Status: failure + condition: selection +falsepositives: + - A non malicious user is unaware of the proper process +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1078 +level: medium From f51547fe9606717c175688cfc58b4cf459283665 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 21:15:12 +0100 Subject: [PATCH 051/129] Update proc_creation_win_rundll32_unc_path.yml --- .../process_creation/proc_creation_win_rundll32_unc_path.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml index 61b84f36f..d59458c4e 100644 
--- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml @@ -20,7 +20,7 @@ detection: - OriginalFileName: 'RUNDLL32.EXE' - CommandLine|contains: 'rundll32' selection_cli: - CommandLine|contains: ' \\\\' + CommandLine|contains: ' \\' condition: all of selection_* falsepositives: - Unlikely From f34a60b215b54f3acf4fe988994dc78cb2268767 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 10 Aug 2022 22:08:03 +0100 Subject: [PATCH 052/129] Update proc_creation_win_rundll32_unc_path.yml --- .../process_creation/proc_creation_win_rundll32_unc_path.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml index d59458c4e..61b84f36f 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml @@ -20,7 +20,7 @@ detection: - OriginalFileName: 'RUNDLL32.EXE' - CommandLine|contains: 'rundll32' selection_cli: - CommandLine|contains: ' \\' + CommandLine|contains: ' \\\\' condition: all of selection_* falsepositives: - Unlikely From 80df54d0929a77ed28ca5b30d70820a5b10b077c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Aug 2022 06:59:01 +0200 Subject: [PATCH 053/129] Fix condition --- .../proc_creation_win_control_panel_item.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml index bb69fd182..c5bac6632 100644 --- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml 
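Review bot: The two commits on this line flip `selection_cli` between `' \\'` and `' \\\\'` with no explanation; under Sigma's escaping `\\` is one literal backslash and `\\\\` is two, so the second commit's revert to `' \\\\'` is the one that matches a UNC prefix, while the intermediate `' \\'` would only have matched a single backslash after a space. A comment on the line would stop the churn: `CommandLine|contains: ' \\\\'  # two literal backslashes (Sigma escaping) = the " \\" UNC prefix`. The rest of the rule lies outside these two one-line hunks.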
+++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml @@ -7,28 +7,28 @@ references: - https://attack.mitre.org/techniques/T1196/ - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins date: 2020/06/22 -modified: 2022/05/10 +modified: 2022/08/11 logsource: product: windows category: process_creation detection: - selection1: + selection_reg: + Image|endswith: '\reg.exe' + CommandLine|contains|all: + - 'add' + - 'CurrentVersion\Control Panel\CPLs' + selection_cpl: CommandLine|endswith: '.cpl' - filter: + filter_cpl_sys: CommandLine|contains: - '\System32\' - '%System%' - fp1_igfx: + filter_cpl_igfx: CommandLine|contains|all: - 'regsvr32 ' - ' /s ' - 'igfxCPL.cpl' - selection2: - Image|endswith: '\reg.exe' - CommandLine|contains: 'add' - selection3: - CommandLine|contains: 'CurrentVersion\Control Panel\CPLs' - condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3) + condition: selection_reg or (selection_cpl and not 1 of filter_cpl_*) falsepositives: - Unknown level: high From 61c2e6b532aee7e8860fa555cc8d69c90152cf84 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Thu, 11 Aug 2022 08:33:07 +0200 Subject: [PATCH 054/129] Update proxy_susp_flash_download_loc.yml --- rules/proxy/proxy_susp_flash_download_loc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 473c80cd2..702fee579 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -14,7 +14,7 @@ detection: - c-uri|contains: '/flash_install.php' - c-uri|endswith: '/install_flash_player.exe' filter: - r-dns|endswith: '.adobe.com' + cs-host|endswith: '.adobe.com' condition: selection and not filter falsepositives: - Unknown flash download locations 
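Review bot: `filter_cpl_sys` suppresses the event whenever the whole command line contains `\System32\` or `%System%`, so the new `selection_cpl` branch is also silenced when only the launching binary lives in System32 while the `.cpl` argument does not; this is carried over from the old `filter` rather than introduced here, but the rename is a good moment to scope the exclusion to the `.cpl` path itself. `selection_cpl`'s `CommandLine|endswith: '.cpl'` likewise misses command lines where the `.cpl` path is quoted or followed by arguments. Both points are inferred from the visible values only; please check them against sample events before changing the filters.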
From 7f86fcf89d75ea3728b85ee15453339c1e847d2b Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Thu, 11 Aug 2022 08:36:23 +0200 Subject: [PATCH 055/129] Update to use cs-host instead of r-dns --- rules/proxy/proxy_ua_susp.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ua_susp.yml b/rules/proxy/proxy_ua_susp.yml index 10a5c8b39..e8a8e0786 100644 --- a/rules/proxy/proxy_ua_susp.yml +++ b/rules/proxy/proxy_ua_susp.yml @@ -34,7 +34,7 @@ detection: - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880 falsepositives: - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content - - r-dns|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000) + - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000) - '.acrobat.com' - '.adobe.com' - '.adobe.io' @@ -43,6 +43,7 @@ fields: - ClientIP - c-uri - c-useragent + - cs-host falsepositives: - Unknown level: high From a75e9a41a2490b912d8abaf28df20a1b1fb0786a Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 11 Aug 2022 09:50:45 +0200 Subject: [PATCH 056/129] fix: FP with office click to run --- .../registry/registry_set/registry_set_taskcache_entry.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 4e5ac0362..5283cd144 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml 
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/08/08 +modified: 2022/08/11 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ @@ -29,6 +29,10 @@ detection: Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' Image|endswith: '\ngen.exe' TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + filter_office_click_to_run: + Image: + - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe' condition: selection and not 1 of filter* falsepositives: - Unknown From 8da1502e5d93f0139da2a1304ab9291286438a32 Mon Sep 17 00:00:00 2001 From: Martin Date: Thu, 11 Aug 2022 13:20:40 +0200 Subject: [PATCH 057/129] Update proc_creation_win_vul_java_remote_debugging.yml For Java Running with Remote Debugging, add filtering to vulnerable jvm versions. Later jvm versions limit remote debugging access to localhost by default. --- ...creation_win_vul_java_remote_debugging.yml | 24 +++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml index aacaaae88..c37d909a3 100644 --- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml 
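Review bot: The new `filter_office_click_to_run` keys on two exact `Image` paths, whereas the neighbouring ngen filter in the context uses `Image|startswith`/`Image|endswith`, so an Office install on another drive or a per-user install path is not excluded and the false positive this commit targets will come back there. `Image|endswith: '\Microsoft Office\root\Integration\Integrator.exe'` covers both `Program Files` variants in one entry, at the cost of a broader exclusion; if the exact paths are deliberate for tightness, a one-line comment saying so, e.g. `# exact paths on purpose: keep this exclusion narrow`, would help the next reader.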
@@ -3,18 +3,38 @@ id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 status: test description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect author: Florian Roth +references: + - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp date: 2019/01/16 modified: 2021/11/27 logsource: category: process_creation product: windows detection: - selection: + selection_jdwp_transport: CommandLine|contains: 'transport=dt_socket,address=' + selection_old_jvm_version: + CommandLine|contains: + - jre1.8 + - jre1.7 + - jre1.6 + - jre1.5 + - jre1.4 + - jre1.3 + - jre1.2 + - jre1.1 + - jdk1.8 + - jdk1.7 + - jdk1.6 + - jdk1.5 + - jdk1.4 + - jdk1.3 + - jdk1.2 + - jdk1.1 exclusion: - CommandLine|contains: 'address=127.0.0.1' - CommandLine|contains: 'address=localhost' - condition: selection and not exclusion + condition: all of selection* and not exclusion fields: - CommandLine - ParentCommandLine From 41d79d4d1be93d1a62ada42eef2d1a8b91182738 Mon Sep 17 00:00:00 2001 From: Martin Date: Thu, 11 Aug 2022 13:29:15 +0200 Subject: [PATCH 058/129] Update proc_creation_win_vul_java_remote_debugging.yml simplified rule --- ..._creation_win_vul_java_remote_debugging.yml | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml index c37d909a3..fb22b7b7d 100644 --- a/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml 
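Review bot: `modified:` on the context line still reads `2021/11/27` although this commit changes the detection logic (PATCH 058 on the next line simplifies the list and also leaves the date), so it should be bumped to the commit date. Requiring `jre1.`/`jdk1.` in the command line via `all of selection*` also drops any `java` started from PATH or from a directory without a version in its name, and, if I recall the JDK 9+ change correctly, newer JVMs can still be exposed with `address=*:port`, which the narrowed rule no longer catches; consider keeping the version match as a separate selection that raises the level rather than a hard requirement, or state the narrowed scope in the description. The rest of the rule continues outside the hunk.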
@@ -15,22 +15,8 @@ detection: CommandLine|contains: 'transport=dt_socket,address=' selection_old_jvm_version: CommandLine|contains: - - jre1.8 - - jre1.7 - - jre1.6 - - jre1.5 - - jre1.4 - - jre1.3 - - jre1.2 - - jre1.1 - - jdk1.8 - - jdk1.7 - - jdk1.6 - - jdk1.5 - - jdk1.4 - - jdk1.3 - - jdk1.2 - - jdk1.1 + - jre1. + - jdk1. exclusion: - CommandLine|contains: 'address=127.0.0.1' - CommandLine|contains: 'address=localhost' From 10871396c4845418198e26a5feee5c94180c3c05 Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Thu, 11 Aug 2022 07:08:15 -0700 Subject: [PATCH 059/129] Create azure_privileged_account_creation.yml Detects when a priv account is created --- .../azure_privileged_account_creation.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/cloud/azure/azure_privileged_account_creation.yml diff --git a/rules/cloud/azure/azure_privileged_account_creation.yml b/rules/cloud/azure/azure_privileged_account_creation.yml new file mode 100644 index 000000000..bba0aebe1 --- /dev/null +++ b/rules/cloud/azure/azure_privileged_account_creation.yml @@ -0,0 +1,25 @@ +title: Privileged Account Creation +id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 +status: experimental +description: Detects when a new admin is created. +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message|contains|all: + - Add user + - Add member to role + Status: Sucess + condition: selection +falsepositives: + - A legitmate new admin account being created +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1078 +level: medium From b5ebc2033e07672af2f0e6b46ef8478fce32b220 Mon Sep 17 00:00:00 2001 
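Review bot: `Status: Sucess` in the new Azure rule is misspelled, so the selection never matches a successful operation; it should read `Status: Success` (PATCH 060 on the next line re-indents this hunk but keeps the typo). `properties.message|contains|all` with `Add user` and `Add member to role` also requires both strings in one message; if these are two separate audit entries, as their names suggest, the rule cannot fire on either, and `contains` (either string) or two selections joined with `or` may be what was intended, so please confirm against a sample event. The false-positive text has a typo as well: `A legitimate new admin account being created`.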
From: Florian Roth Date: Thu, 11 Aug 2022 18:25:10 +0200 Subject: [PATCH 060/129] Update azure_privileged_account_creation.yml --- rules/cloud/azure/azure_privileged_account_creation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/azure_privileged_account_creation.yml b/rules/cloud/azure/azure_privileged_account_creation.yml index bba0aebe1..f417e2832 100644 --- a/rules/cloud/azure/azure_privileged_account_creation.yml +++ b/rules/cloud/azure/azure_privileged_account_creation.yml @@ -12,8 +12,8 @@ logsource: detection: selection: properties.message|contains|all: - - Add user - - Add member to role + - Add user + - Add member to role Status: Sucess condition: selection falsepositives: From f001d35c8bd90998ffaba0deb091550fceabb424 Mon Sep 17 00:00:00 2001 From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Thu, 11 Aug 2022 18:59:58 +0200 Subject: [PATCH 061/129] Update and rename BPFDoor_abnormal_process_id_or_lock_file_accessed.yml to lnx_auditd_BPFDoor_file_accessed.yml --- ...ile_accessed.yml => lnx_auditd_BPFDoor_file_accessed.yml} | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) rename rules/linux/auditd/{BPFDoor_abnormal_process_id_or_lock_file_accessed.yml => lnx_auditd_BPFDoor_file_accessed.yml} (93%) diff --git a/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml b/rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml similarity index 93% rename from rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml rename to rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml index fcc7d86c8..0c5ceb1ce 100644 --- a/rules/linux/auditd/BPFDoor_abnormal_process_id_or_lock_file_accessed.yml +++ b/rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml @@ -20,9 +20,8 @@ detection: condition: selection tags: - attack.execution - - attack.T1106 - - attack.T1070 - - attack.T1059 + - attack.t1106 + - attack.t1059 falsepositives: - Less Likely level: high 
From 35d69a5a4b8b0119807980e2ebd70e39d7586b68 Mon Sep 17 00:00:00 2001 From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Thu, 11 Aug 2022 19:04:17 +0200 Subject: [PATCH 062/129] Update and rename BPF_Door_port_redirect.yml to lnx_auditd_BPF_Door_port_redirect.yml --- ...ort_redirect.yml => lnx_auditd_BPF_Door_port_redirect.yml} | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) rename rules/linux/auditd/{BPF_Door_port_redirect.yml => lnx_auditd_BPF_Door_port_redirect.yml} (94%) diff --git a/rules/linux/auditd/BPF_Door_port_redirect.yml b/rules/linux/auditd/lnx_auditd_BPF_Door_port_redirect.yml similarity index 94% rename from rules/linux/auditd/BPF_Door_port_redirect.yml rename to rules/linux/auditd/lnx_auditd_BPF_Door_port_redirect.yml index 5a595896f..c8eb7cab5 100644 --- a/rules/linux/auditd/BPF_Door_port_redirect.yml +++ b/rules/linux/auditd/lnx_auditd_BPF_Door_port_redirect.yml @@ -21,6 +21,8 @@ detection: - '--to-ports 43' condition: cmd and keywords level: medium -tags: attack.T1562.004 +tags: + - attack.defense_evasion + - attack.t1562.004 falsepositives: - legitimate ports redirect From 8cf1d92c847bd86e0124606fc24955716b67310c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Aug 2022 19:07:47 +0200 Subject: [PATCH 063/129] Fix ShareName --- rules/windows/builtin/security/win_impacket_secretdump.yml | 4 ++-- rules/windows/builtin/security/win_susp_psexec.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml index f6941ccd2..ac36a75e2 100644 --- a/rules/windows/builtin/security/win_impacket_secretdump.yml +++ b/rules/windows/builtin/security/win_impacket_secretdump.yml 
@@ -4,7 +4,7 @@ description: Detect AD credential dumping using impacket secretdump HKTL status: experimental author: Samir Bousseaden, wagga date: 2019/04/03 -modified: 2021/06/27 +modified: 2022/08/11 references: - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html tags: @@ -19,7 +19,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\*\ADMIN$ + ShareName: \\\\\*\\ADMIN$ # looking for the string \\*\ADMIN$ RelativeTargetName|contains|all: - 'SYSTEM32\' - '.tmp' diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml index 98c71a6a2..9e4718cd9 100644 --- a/rules/windows/builtin/security/win_susp_psexec.yml +++ b/rules/windows/builtin/security/win_susp_psexec.yml @@ -6,7 +6,7 @@ author: Samir Bousseaden references: - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html date: 2019/04/03 -modified: 2021/12/08 +modified: 2022/08/11 logsource: product: windows service: security @@ -14,7 +14,7 @@ logsource: detection: selection1: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$ RelativeTargetName|endswith: - '-stdin' - '-stdout' From 3268a6c9b051dbff2d212551dd52bf0efacf2b1d Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 11 Aug 2022 19:19:07 +0200 Subject: [PATCH 064/129] Fix ShareName --- rules/windows/builtin/security/win_atsvc_task.yml | 4 ++-- .../builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml | 4 ++-- .../win_exploit_cve_2021_1675_printspooler_security.yml | 2 +- rules/windows/builtin/security/win_gpo_scheduledtasks.yml | 2 +- rules/windows/builtin/security/win_impacket_psexec.yml | 4 ++-- rules/windows/builtin/security/win_impacket_secretdump.yml | 2 +- rules/windows/builtin/security/win_lm_namedpipe.yml | 2 +- .../windows/builtin/security/win_petitpotam_network_share.yml | 3 ++- rules/windows/builtin/security/win_susp_psexec.yml | 2 +- rules/windows/builtin/security/win_svcctl_remote_service.yml | 4 ++-- 10 files changed, 15 insertions(+), 14 deletions(-) diff --git a/rules/windows/builtin/security/win_atsvc_task.yml b/rules/windows/builtin/security/win_atsvc_task.yml index fb4373ec1..5fd385255 100644 --- a/rules/windows/builtin/security/win_atsvc_task.yml +++ b/rules/windows/builtin/security/win_atsvc_task.yml @@ -6,7 +6,7 @@ author: Samir Bousseaden references: - https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html date: 2019/04/03 -modified: 2021/11/27 +modified: 2022/08/11 logsource: product: windows service: security @@ -14,7 +14,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName: atsvc Accesses|contains: 'WriteData' condition: selection diff --git a/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml index bce5e970f..62deb4fbb 100644 --- a/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml +++ b/rules/windows/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml 
@@ -8,14 +8,14 @@ references: - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ - https://twitter.com/_dirkjan/status/1309214379003588608 date: 2018/11/28 -modified: 2021/11/27 +modified: 2022/08/11 logsource: product: windows service: security detection: selection: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName: spoolss condition: selection falsepositives: diff --git a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml index 6c606fede..e8450ec43 100644 --- a/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml +++ b/rules/windows/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml @@ -18,7 +18,7 @@ logsource: detection: selection: EventID: '5145' - ShareName: '\\\*\IPC$' + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName: 'spoolss' AccessMask: '0x3' ObjectType: 'File' diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml index 5ab6628d6..c96241fda 100644 --- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml +++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml @@ -15,7 +15,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\*\SYSVOL + ShareName: '\\\\\*\\SYSVOL' # looking for the string \\*\SYSVOL RelativeTargetName|endswith: 'ScheduledTasks.xml' Accesses|contains: - 'WriteData' diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml index 9257af8ce..036a3b101 100644 --- a/rules/windows/builtin/security/win_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_impacket_psexec.yml 
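Review bot: `modified:` is bumped to `2022/08/11` for the spoolss rule in this hunk but not for `win_exploit_cve_2021_1675_printspooler_security.yml` or `win_gpo_scheduledtasks.yml` on the same line, nor for `win_lm_namedpipe.yml` on the next, although each receives the same `ShareName` rewrite. Adding `modified: 2022/08/11` to those three keeps the commit consistent with the other files it touches. The quoted `EventID: '5145'` in the CVE-2021-1675 rule, versus the bare integer used by its siblings, is pre-existing but could be aligned in the same pass.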
@@ -6,7 +6,7 @@ author: Bhabesh Raj references: - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html date: 2020/12/14 -modified: 2022/01/07 +modified: 2022/08/11 logsource: product: windows service: security @@ -14,7 +14,7 @@ logsource: detection: selection1: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName|contains: - 'RemCom_stdint' - 'RemCom_stdoutt' diff --git a/rules/windows/builtin/security/win_impacket_secretdump.yml b/rules/windows/builtin/security/win_impacket_secretdump.yml index ac36a75e2..685c77947 100644 --- a/rules/windows/builtin/security/win_impacket_secretdump.yml +++ b/rules/windows/builtin/security/win_impacket_secretdump.yml @@ -19,7 +19,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\\\*\\ADMIN$ # looking for the string \\*\ADMIN$ + ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$ RelativeTargetName|contains|all: - 'SYSTEM32\' - '.tmp' diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml index 79fb3d013..ad4a2c855 100644 --- a/rules/windows/builtin/security/win_lm_namedpipe.yml +++ b/rules/windows/builtin/security/win_lm_namedpipe.yml @@ -14,7 +14,7 @@ logsource: detection: selection1: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ false_positives: RelativeTargetName: - 'atsvc' diff --git a/rules/windows/builtin/security/win_petitpotam_network_share.yml b/rules/windows/builtin/security/win_petitpotam_network_share.yml index f6966cf10..d1ecbc219 100644 --- a/rules/windows/builtin/security/win_petitpotam_network_share.yml +++ b/rules/windows/builtin/security/win_petitpotam_network_share.yml 
@@ -4,6 +4,7 @@ description: Detect PetitPotam coerced authentication activity. status: experimental author: Mauricio Velazco, Michael Haag date: 2021/09/02 +modified: 2022/08/11 references: - https://github.com/topotam/PetitPotam - https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml @@ -17,7 +18,7 @@ logsource: detection: selection: EventID: 5145 - ShareName|startswith: '\\' + ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$ ShareName|endswith: '\IPC$' RelativeTargetName: lsarpc SubjectUserName: ANONYMOUS LOGON diff --git a/rules/windows/builtin/security/win_susp_psexec.yml b/rules/windows/builtin/security/win_susp_psexec.yml index 9e4718cd9..2ad6945f3 100644 --- a/rules/windows/builtin/security/win_susp_psexec.yml +++ b/rules/windows/builtin/security/win_susp_psexec.yml @@ -14,7 +14,7 @@ logsource: detection: selection1: EventID: 5145 - ShareName: \\\\\*\\IPC$ # looking for the string \\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName|endswith: - '-stdin' - '-stdout' diff --git a/rules/windows/builtin/security/win_svcctl_remote_service.yml b/rules/windows/builtin/security/win_svcctl_remote_service.yml index 0f7b38a44..17dec5912 100644 --- a/rules/windows/builtin/security/win_svcctl_remote_service.yml +++ b/rules/windows/builtin/security/win_svcctl_remote_service.yml @@ -6,7 +6,7 @@ author: Samir Bousseaden references: - https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html date: 2019/04/03 -modified: 2021/11/27 +modified: 2022/08/11 logsource: product: windows service: security @@ -14,7 +14,7 @@ logsource: detection: selection: EventID: 5145 - ShareName: \\\*\IPC$ + ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName: svcctl Accesses|contains: 'WriteData' condition: selection From 28ee157216014ee338d2c00c5a6f7ada7cd64c5e Mon Sep 17 00:00:00 2001 
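Review bot: The inline comment on the PetitPotam `ShareName|startswith` line has a typo and should read `# looking for the string \\something\IPC$`. This is the only rule in the commit that keeps a `startswith`/`endswith` pair instead of the full `'\\\\\*\\IPC$'` pattern used everywhere else, so a short note on why the server name is deliberately not wildcarded here would help maintainers; the `ShareName|endswith: '\IPC$'` context line already carries the second half of the match.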
From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Thu, 11 Aug 2022 19:32:17 +0200 Subject: [PATCH 065/129] Rename lnx_auditd_BPFDoor_file_accessed.yml to lnx_auditd_bpfdoor_file_accessed.yml --- ...oor_file_accessed.yml => lnx_auditd_bpfdoor_file_accessed.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/auditd/{lnx_auditd_BPFDoor_file_accessed.yml => lnx_auditd_bpfdoor_file_accessed.yml} (100%) diff --git a/rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml similarity index 100% rename from rules/linux/auditd/lnx_auditd_BPFDoor_file_accessed.yml rename to rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml From a3dcc61eacf403e4be9dd7f0249ab13bb6435a63 Mon Sep 17 00:00:00 2001 From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Thu, 11 Aug 2022 19:34:43 +0200 Subject: [PATCH 066/129] Rename lnx_auditd_BPF_Door_port_redirect.yml to lnx_auditd_bpfdoor_port_redirect.yml --- ...oor_port_redirect.yml => lnx_auditd_bpfdoor_port_redirect.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/auditd/{lnx_auditd_BPF_Door_port_redirect.yml => lnx_auditd_bpfdoor_port_redirect.yml} (100%) diff --git a/rules/linux/auditd/lnx_auditd_BPF_Door_port_redirect.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml similarity index 100% rename from rules/linux/auditd/lnx_auditd_BPF_Door_port_redirect.yml rename to rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml From 1d6199494d66765f5d2c32903413c8c9c1311c96 Mon Sep 17 00:00:00 2001 From: Zandmann <72525963+Zandmann@users.noreply.github.com> Date: Thu, 11 Aug 2022 19:51:48 +0200 Subject: [PATCH 067/129] Update lnx_auditd_bpfdoor_port_redirect.yml --- rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml index c8eb7cab5..4676e895b 100644 --- a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml +++ b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml @@ -25,4 +25,4 @@ tags: - attack.defense_evasion - attack.t1562.004 falsepositives: - - legitimate ports redirect + - Legitimate ports redirect From 29dbe65d9266d75eed016f6b92e5ebf663c669a5 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:04:38 +0200 Subject: [PATCH 068/129] Add file_change_win_2022_timestomping --- .../file_change_win_2022_timestomping.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/file_change/file_change_win_2022_timestomping.yml diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml new file mode 100644 index 000000000..c58e8af44 --- /dev/null +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -0,0 +1,25 @@ +title: File Creation Date Is Change to Another Years +id: 558eebe5-f2ba-4104-b339-36f7902bcc1a +status: experimental +description: | + Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. + Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. +references: + - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html +author: frack113 +date: 2022/08/12 +logsource: + category: file_change + product: windows +detection: + selection: + PreviousCreationUtcTime|startwith: 2022 + filter: + CreationUtcTime|startwith: 2022 + condition: selection and not filter +falsepositives: + - NTP change +level: high +tags: + - attack.t1070.006 + - attack.defense_evasion 
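Review bot: The new timestomping rule hard-codes the year `2022` in both `selection` and `filter`, so it stops expressing "creation time moved to a different year" after New Year and needs a manual edit annually; at minimum say so next to the value, e.g. `# NOTE: year is hard-coded; update annually`. The bare `2022` is also a YAML integer while `startswith` is a string modifier, so quote it as `'2022'` (PATCH 069 on the next line fixes the `startwith` typo but keeps the bare integer). `level: high` sits oddly beside a description that says many processes legitimately change creation times; `medium` reads as the safer default until the `NTP change` false positive is tuned out.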
From 472da1d8ef8601ea0b455f0df3adb4cf412f93d3 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:07:03 +0200 Subject: [PATCH 069/129] Fix startswith --- .../windows/file_change/file_change_win_2022_timestomping.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index c58e8af44..a8c501b61 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -13,9 +13,9 @@ logsource: product: windows detection: selection: - PreviousCreationUtcTime|startwith: 2022 + PreviousCreationUtcTime|startswith: 2022 filter: - CreationUtcTime|startwith: 2022 + CreationUtcTime|startswith: 2022 condition: selection and not filter falsepositives: - NTP change From 4ccb8d9ca0c50854fd406cd9ac0682e98a31fe18 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:38:07 +0200 Subject: [PATCH 070/129] Escape question mark --- rules/proxy/proxy_ursnif_malware_download_url.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_ursnif_malware_download_url.yml b/rules/proxy/proxy_ursnif_malware_download_url.yml index a320ba350..d34d4fd40 100644 --- a/rules/proxy/proxy_ursnif_malware_download_url.yml +++ b/rules/proxy/proxy_ursnif_malware_download_url.yml @@ -11,7 +11,7 @@ detection: selection: c-uri|contains|all: - '/' - - '.php?l=' + - '.php\?l=' c-uri|endswith: '.cab' sc-status: 200 condition: selection @@ -22,4 +22,4 @@ fields: - c-ua falsepositives: - Unknown -level: high \ No newline at end of file +level: high From 75b9b7b1a9e178ac78ab00976d6c4eb9655fdca2 Mon Sep 17 00:00:00 2001 
From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:43:58 +0200 Subject: [PATCH 071/129] Escape ? character --- rules/proxy/proxy_chafer_malware.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index eea3ebbfc..6e2c7c79b 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - c-uri|contains: '/asp.asp?ui=' + c-uri|contains: '/asp.asp\?ui=' condition: selection fields: - ClientIP From b189122287a09f112c6ef93ad58cb9720f863738 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:44:23 +0200 Subject: [PATCH 072/129] Escape ? character --- rules/proxy/proxy_ios_implant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index a86801b78..4e65c5efb 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -12,7 +12,7 @@ logsource: category: proxy detection: selection: - c-uri|contains: '/list/suc?name=' + c-uri|contains: '/list/suc\?name=' condition: selection fields: - ClientIP From 08d25bd0655676322b5eada5ce2a75a18e6a7a17 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:44:53 +0200 Subject: [PATCH 073/129] Escape ? character --- rules/proxy/proxy_cobalt_onedrive.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index f6e5d2871..273851d5d 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml 
@@ -12,7 +12,7 @@ logsource: detection: selection: cs-method: 'GET' - c-uri|endswith: '?manifest=wac' + c-uri|endswith: '\?manifest=wac' cs-host: 'onedrive.live.com' filter: c-uri|startswith: 'http' From 5c549a2825b96eefd25870c961a38bbf9900a4af Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:45:52 +0200 Subject: [PATCH 074/129] Escape ? character --- rules/proxy/proxy_turla_comrat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml index c546ddb69..4423e4a74 100644 --- a/rules/proxy/proxy_turla_comrat.yml +++ b/rules/proxy/proxy_turla_comrat.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - c-uri|contains: '/index/index.php?h=' + c-uri|contains: '/index/index.php\?h=' condition: selection falsepositives: - Unknown From 2bcb6abd723b0ba4e23909d9843dc7ac0aee0952 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Fri, 12 Aug 2022 12:46:21 +0200 Subject: [PATCH 075/129] Escape ? character --- rules/proxy/proxy_baby_shark.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_baby_shark.yml b/rules/proxy/proxy_baby_shark.yml index 5b6f980b6..e768fba26 100644 --- a/rules/proxy/proxy_baby_shark.yml +++ b/rules/proxy/proxy_baby_shark.yml @@ -10,11 +10,11 @@ logsource: category: proxy detection: selection: - c-uri|contains: 'momyshark?key=' + c-uri|contains: 'momyshark\?key=' condition: selection falsepositives: - Unknown level: critical tags: - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 From 0214a0632a0d1cb1381432f0451d988858cb3b5f Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 12 Aug 2022 11:47:15 +0100 Subject: [PATCH 076/129] Fix FP --- .../proc_creation_win_ntfs_short_name_path_use_cli.yml | 6 ++++-- .../proc_creation_win_ntfs_short_name_path_use_image.yml | 6 ++++-- .../proc_creation_win_ntfs_short_name_use_cli.yml | 6 ++++-- .../proc_creation_win_ntfs_short_name_use_image.yml | 6 ++++-- 4 files changed, 16 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index aa34470fc..76b3888e5 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/10 +modified: 2022/08/12 logsource: category: process_creation product: windows @@ -24,7 +24,9 @@ detection: - ParentImage: - C:\Windows\System32\Dism.exe - C:\Windows\System32\cleanmgr.exe - - ParentImage|endswith: '\WebEx\WebexHost.exe' + - ParentImage|endswith: + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml index 0ac7224b3..2263db78e 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml 
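Review bot: The new `- '\thor\thor64.exe'` entry in the `ParentImage|endswith` filter carries no explanation, while the neighbouring `WebexHost.exe` entry in proc_creation_win_ntfs_short_name_path_use_image.yml (hunk on L98) documents why it is excluded; a trailing comment such as `- '\thor\thor64.exe'  # <reason for the exclusion — to be filled in by the author>` keeps the filter auditable. The same undocumented exclusion is added to the `_use_cli` and `_use_image` rules on L99. Because the filter matches on a path suffix only, any parent whose image path ends in that suffix satisfies it, which is worth stating in the falsepositives entry so that whoever triages a hit knows the exclusion is broader than the product it names. The enclosing `filter` block of the first file starts above this hunk.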
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/10 +modified: 2022/08/12 logsource: category: process_creation product: windows @@ -24,7 +24,9 @@ detection: - ParentImage: - C:\Windows\System32\Dism.exe - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) - - ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes + - ParentImage|endswith: + - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes + - '\thor\thor64.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml index eea7d834c..4158116e8 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/05 -modified: 2022/08/10 +modified: 2022/08/12 logsource: category: process_creation product: windows 
@@ -37,7 +37,9 @@ detection: - '~2.js' - '~2.hta' filter: - ParentImage|endswith: '\WebEx\WebexHost.exe' + ParentImage|endswith: + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index a78bfa522..fceefa59e 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/06 -modified: 2022/08/10 +modified: 2022/08/12 logsource: category: process_creation product: windows @@ -37,7 +37,9 @@ detection: - '~2.js' - '~2.hta' filter: - ParentImage|endswith: '\WebEx\WebexHost.exe' + ParentImage|endswith: + - '\WebEx\WebexHost.exe' + - '\thor\thor64.exe' condition: selection and not filter falsepositives: - Unknown From 19eaa0ae8a8e3b8696c26c29bd793fb8ef39e03a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 12 Aug 2022 14:06:54 +0200 Subject: [PATCH 077/129] Update file_change_win_2022_timestomping.yml --- rules/windows/file_change/file_change_win_2022_timestomping.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index a8c501b61..7fd1e4d00 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml 
@@ -1,4 +1,4 @@ -title: File Creation Date Is Change to Another Years +title: File Creation Date Changed to Another Year id: 558eebe5-f2ba-4104-b339-36f7902bcc1a status: experimental description: | From 0b93aea4d049a1ea4fc0249da79e6aa6d8f29ed1 Mon Sep 17 00:00:00 2001 From: Tobias Michalski Date: Fri, 12 Aug 2022 14:19:08 +0200 Subject: [PATCH 078/129] chore: Offline Tests --- .gitmodules | 3 + tests/cti | 1 + tests/test_rules.py | 402 ++++++++++++++++++++++++++------------------ 3 files changed, 244 insertions(+), 162 deletions(-) create mode 100644 .gitmodules create mode 160000 tests/cti diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 000000000..5d64ad6dc --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "tests/cti"] + path = tests/cti + url = git@github.com:mitre/cti.git diff --git a/tests/cti b/tests/cti new file mode 160000 index 000000000..e78357f1f --- /dev/null +++ b/tests/cti @@ -0,0 +1 @@ +Subproject commit e78357f1f3cf1ac4e9f2aa04ac0ff831260305a7 diff --git a/tests/test_rules.py b/tests/test_rules.py index 74e87ce44..cd74c0fae 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
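Review bot: The submodule URL `url = git@github.com:mitre/cti.git` is an SSH remote, so `git submodule update --init` fails for any CI runner or contributor without a GitHub SSH key, which works against the offline-test goal of the commit; `url = https://github.com/mitre/cti.git` clones anonymously. Pinning the submodule to a fixed commit (the tests/cti hunk) is good for reproducibility, though the full CTI repository is sizeable and a trimmed fixture may be worth considering later.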
@@ -14,21 +14,24 @@ from attackcti import attack_client from colorama import init from colorama import Fore + class TestRules(unittest.TestCase): - MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list - MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] + MITRE_TECHNIQUE_NAMES = [ + "process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list + MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", + "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} path_to_rules = "rules" # Helper functions - def yield_next_rule_file_path(self, path_to_rules:str) -> str: + def yield_next_rule_file_path(self, path_to_rules: str) -> str: for root, _, files in os.walk(path_to_rules): for file in files: yield os.path.join(root, file) - def get_rule_part(self, file_path:str, part_name:str): + def get_rule_part(self, file_path: str, part_name: str): yaml_dicts = self.get_rule_yaml(file_path) for yaml_part in yaml_dicts: if part_name in yaml_part.keys(): @@ -36,10 +39,10 @@ class TestRules(unittest.TestCase): return None - def get_rule_yaml(self, file_path:str) -> dict: + def get_rule_yaml(self, file_path: str) -> dict: data = [] - with open(file_path,encoding='utf-8') as f: + with open(file_path, encoding='utf-8') as f: yaml_parts = yaml.safe_load_all(f) for part in yaml_parts: data.append(part) 
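Review bot: `yield_next_rule_file_path(self, path_to_rules: str) -> str` is a generator (its body uses `yield`), so the return annotation the commit reformats but keeps is wrong; `-> Iterator[str]` with `from typing import Iterator` describes what callers actually receive. `get_rule_yaml(...) -> dict` likewise builds `data = []` as a list, so if it returns `data` as the context suggests, `-> list` is the accurate annotation. The reflowed `MITRE_TECHNIQUE_NAMES` list still contains `"process_injection"` twice; the duplicate can be dropped while the line is being touched anyway. Both helpers' bodies continue past the hunk boundary.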
@@ -51,37 +54,39 @@ class TestRules(unittest.TestCase): # files_with_incorrect_extensions = [] # for file in self.yield_next_rule_file_path(self.path_to_rules): - # file_name_and_extension = os.path.splitext(file) - # if len(file_name_and_extension) == 2: - # extension = file_name_and_extension[1] - # if extension != ".yml": - # files_with_incorrect_extensions.append(file) + # file_name_and_extension = os.path.splitext(file) + # if len(file_name_and_extension) == 2: + # extension = file_name_and_extension[1] + # if extension != ".yml": + # files_with_incorrect_extensions.append(file) # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + - # "There are rule files with extensions other than .yml") + # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - with open(file, 'r',encoding='utf-8') as fh: + with open(file, 'r', encoding='utf-8') as fh: file_data = fh.read() for tm in self.TRADE_MARKS: if tm in file_data: files_with_legal_issues.append(file) self.assertEqual(files_with_legal_issues, [], Fore.RED + - "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") def test_optional_tags(self): files_with_incorrect_tags = [] - tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") + tags_pattern = re.compile( + r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") for file in self.yield_next_rule_file_path(self.path_to_rules): tags = self.get_rule_part(file_path=file, part_name="tags") if tags: for tag in tags: if tags_pattern.match(tag) == None: - 
print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) + print( + Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) files_with_incorrect_tags.append(file) self.assertEqual(files_with_incorrect_tags, [], Fore.RED + @@ -95,7 +100,8 @@ class TestRules(unittest.TestCase): if tags: for tag in tags: if tag not in MITRE_ALL and tag.startswith("attack."): - print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) + print( + Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + @@ -110,7 +116,8 @@ class TestRules(unittest.TestCase): known_tags = [] for tag in tags: if tag in known_tags: - print(Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag)) + print( + Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) else: known_tags.append(tag) @@ -119,14 +126,14 @@ class TestRules(unittest.TestCase): "There are rules with duplicate tags") def test_look_for_duplicate_filters(self): - def check_list_or_recurse_on_dict(item, depth:int) -> None: + def check_list_or_recurse_on_dict(item, depth: int) -> None: if type(item) == list: check_if_list_contain_duplicates(item, depth) elif type(item) == dict and depth <= MAX_DEPTH: for sub_item in item.values(): check_list_or_recurse_on_dict(sub_item, depth + 1) - def check_if_list_contain_duplicates(item:list, depth:int) -> None: + def check_if_list_contain_duplicates(item: list, depth: int) -> None: try: if len(item) != len(set(item)): print(Fore.RED + "Rule {} has duplicate filters".format(file)) 
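Review bot: The reflowed `test_optional_tags` still compares with `tags_pattern.match(tag) == None`; the idiomatic form is `if tags_pattern.match(tag) is None:`, which also avoids an `__eq__` call on the match object. In the `test_look_for_duplicate_filters` hunk, `type(item) == list` and `type(item) == dict` should be `isinstance(item, list)` / `isinstance(item, dict)` so subclasses are handled. Both test methods continue beyond their hunks.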
@@ -141,7 +148,8 @@ class TestRules(unittest.TestCase): files_with_duplicate_filters = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") check_list_or_recurse_on_dict(detection, 1) self.assertEqual(files_with_duplicate_filters, [], Fore.RED + @@ -152,24 +160,27 @@ class TestRules(unittest.TestCase): for key, value in fields.items(): if " " in key: faulty.append(key) - print(Fore.YELLOW + "Rule {} has a space in field name ({}).".format(file, key)) + print( + Fore.YELLOW + "Rule {} has a space in field name ({}).".format(file, key)) if type(value) == dict: key_iterator(value, faulty) faulty_fieldnames = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") key_iterator(detection, faulty_fieldnames) self.assertEqual(faulty_fieldnames, [], Fore.RED + - "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character '_' )") + "There are rules with an unsupported field name. Spaces are not allowed. (Replace space with an underscore character '_' )") def test_single_named_condition_with_x_of_them(self): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path = file) - detection = self.get_rule_part(file_path = file, part_name = "detection") + yaml = self.get_rule_yaml(file_path=file) + detection = self.get_rule_part( + file_path=file, part_name="detection") has_them_in_condition = "them" in detection["condition"] has_only_one_named_condition = len(detection) == 2 
@@ -187,7 +198,8 @@ class TestRules(unittest.TestCase): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") if "all of them" in detection["condition"]: faulty_detections.append(file) @@ -196,14 +208,14 @@ class TestRules(unittest.TestCase): "There are rules using 'all of them'. Better use e.g. 'all of selection*' instead (and use the 'selection_' prefix as search-identifier).") def test_duplicate_detections(self): - def compare_detections(detection1:dict, detection2:dict) -> bool: + def compare_detections(detection1: dict, detection2: dict) -> bool: # detections not the same count can't be the same if len(detection1) != len(detection2): return False for named_condition in detection1: - #don't check timeframes + # don't check timeframes if named_condition == "timeframe": continue @@ -218,11 +230,10 @@ class TestRules(unittest.TestCase): if named_condition not in detection2: return False - #can not be the same if len is not equal + # can not be the same if len is not equal if len(detection1[named_condition]) != len(detection2[named_condition]): return False - for condition in detection1[named_condition]: if type(condition) != str: return False 
@@ -241,11 +252,13 @@ class TestRules(unittest.TestCase): files_and_their_detections = {} for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") - logsource = self.get_rule_part(file_path = file, part_name = "logsource") + detection = self.get_rule_part( + file_path=file, part_name="detection") + logsource = self.get_rule_part( + file_path=file, part_name="logsource") detection["logsource"] = {} detection["logsource"].update(logsource) - yaml = self.get_rule_yaml(file_path = file) + yaml = self.get_rule_yaml(file_path=file) is_multipart_yaml_file = len(yaml) != 1 if is_multipart_yaml_file: @@ -264,7 +277,8 @@ class TestRules(unittest.TestCase): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path = file, part_name = "detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") detection_str = str(detection).lower() if "'source': 'eventlog'" in detection_str: faulty_detections.append(file) @@ -275,7 +289,7 @@ class TestRules(unittest.TestCase): def test_event_id_instead_of_process_creation(self): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - with open(file,encoding='utf-8') as f: + with open(file, encoding='utf-8') as f: for line in f: if re.search(r'.*EventID: (?:1|4688)\s*$', line) and file not in faulty_detections: faulty_detections.append(file) 
@@ -292,10 +306,12 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has no field 'id'.".format(file)) faulty_rules.append(file) elif len(id) != 36: - print(Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) faulty_rules.append(file) elif id in dict_id.keys(): - print(Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file,dict_id[id])) + print( + Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file, dict_id[id])) faulty_rules.append(file) else: dict_id[id] = file @@ -311,13 +327,15 @@ class TestRules(unittest.TestCase): "merged", "renamed", "similar" - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): - related_lst = self.get_rule_part(file_path=file, part_name="related") + related_lst = self.get_rule_part( + file_path=file, part_name="related") if related_lst: # it exists but isn't a list if not isinstance(related_lst, list): - print(Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) faulty_rules.append(file) else: # should probably test if we have only 'id' and 'type' ... @@ -326,10 +344,11 @@ class TestRules(unittest.TestCase): id_str = ref['id'] type_str = ref['type'] if not type_str in valid_type: - type_ok = False - #Only add one time if many bad type in the same file + type_ok = False + # Only add one time if many bad type in the same file if type_ok == False: - print(Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
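Review bot: `elif len(id) != 36:` only checks the length, so any 36-character string that is not a UUID passes; parsing with `uuid.UUID(id)` inside a `try`/`except ValueError` validates the format and needs only the stdlib `uuid` module. The local name `id` shadows the builtin (its assignment sits above this hunk), and `elif id in dict_id.keys():` can simply be `elif id in dict_id:`. The second hunk on this line, which checks `related` entries, uses `if not type_str in valid_type:`, better written `if type_str not in valid_type:`.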
@@ -338,14 +357,16 @@ class TestRules(unittest.TestCase): def test_sysmon_rule_without_eventid(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") + logsource = self.get_rule_part( + file_path=file, part_name="logsource") if logsource: service = logsource.get('service', '') if service.lower() == 'sysmon': - with open(file,encoding='utf-8') as f: + with open(file, encoding='utf-8') as f: found = False for line in f: - if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines + # might be on a single line or in multiple lines + if re.search(r'.*EventID:.*$', line): found = True break if not found: @@ -362,13 +383,16 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has no field 'date'.".format(file)) faulty_rules.append(file) elif not isinstance(datefield, str): - print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif len(datefield) != 10: - print(Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'date' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif datefield[4] != '/' or datefield[7] != '/': - print(Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'date' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
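Review bot: The `date` validation in the second hunk checks only the length and the two `/` positions, so values such as `2022/13/45` pass; `datetime.strptime(datefield, '%Y/%m/%d')` in a `try`/`except ValueError` (stdlib `datetime`) validates the whole value while keeping the same message. The identical three-step check is repeated for `modified` on L110 and would benefit from the same helper. In the sysmon hunk, `re.search(r'.*EventID:.*$', line)` with its leading `.*` is equivalent to `'EventID:' in line`, which reads more directly. The enclosing test methods continue past the hunk boundaries.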
@@ -377,15 +401,18 @@ class TestRules(unittest.TestCase): def test_missing_description(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - descriptionfield = self.get_rule_part(file_path=file, part_name="description") + descriptionfield = self.get_rule_part( + file_path=file, part_name="description") if not descriptionfield: print(Fore.YELLOW + "Rule {} has no field 'description'.".format(file)) faulty_rules.append(file) elif not isinstance(descriptionfield, str): - print(Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'description' field that isn't a string.".format(file)) faulty_rules.append(file) elif len(descriptionfield) < 16: - print(Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) + print( + Fore.YELLOW + "Rule {} has a really short description. Please elaborate.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -394,16 +421,20 @@ class TestRules(unittest.TestCase): def test_optional_date_modified(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - modifiedfield = self.get_rule_part(file_path=file, part_name="modified") + modifiedfield = self.get_rule_part( + file_path=file, part_name="modified") if modifiedfield: if not isinstance(modifiedfield, str): - print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif len(modifiedfield) != 10: - print(Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'modified' (not 10 chars, should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) elif modifiedfield[4] != '/' or modifiedfield[7] != '/': - print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -417,15 +448,17 @@ class TestRules(unittest.TestCase): "experimental", "deprecated", "unsupported" - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): status_str = self.get_rule_part(file_path=file, part_name="status") if status_str: if not status_str in valid_status: - print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) + print( + Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) faulty_rules.append(file) elif status_str == "unsupported": - print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file)) + print( + Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -439,15 +472,16 @@ class TestRules(unittest.TestCase): "medium", "high", "critical", - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): level_str = self.get_rule_part(file_path=file, part_name="level") if not level_str: print(Fore.YELLOW + "Rule {} has no field 'level'.".format(file)) faulty_rules.append(file) elif not level_str in valid_level: - print(Fore.YELLOW + "Rule {} has a invalid 'level' (check wiki).".format(file)) - faulty_rules.append(file) + print( + Fore.YELLOW + "Rule {} has a invalid 'level' (check wiki).".format(file)) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'level' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") @@ -459,7 +493,8 @@ class TestRules(unittest.TestCase): if fields_str: # it exists but isn't a list if not isinstance(fields_str, list): - print(Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -468,11 +503,13 @@ class TestRules(unittest.TestCase): def test_optional_falsepositives_listtype(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - falsepositives_str = self.get_rule_part(file_path=file, part_name="falsepositives") + falsepositives_str = self.get_rule_part( + file_path=file, part_name="falsepositives") if falsepositives_str: # it exists but isn't a list if not isinstance(falsepositives_str, list): - print(Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -481,13 +518,15 @@ class TestRules(unittest.TestCase): def test_optional_falsepositives_capital(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - fps = self.get_rule_part(file_path=file, part_name="falsepositives") + fps = self.get_rule_part( + file_path=file, part_name="falsepositives") if fps: for fp in fps: # first letter should be capital try: if fp[0].upper() != fp[0]: - print(Fore.YELLOW + "Rule {} defines a falsepositive that does not start with a capital letter: '{}'.".format(file, fp)) + print( + Fore.YELLOW + "Rule {} defines a falsepositive that does not start with a capital letter: '{}'.".format(file, fp)) faulty_rules.append(file) except TypeError as err: print("TypeError Exception for rule {}".format(file)) 
@@ -502,16 +541,19 @@ class TestRules(unittest.TestCase): banned_words = ["none", "pentest", "penetration test"] common_typos = ["unkown", "ligitimate", "legitim ", "legitimeate"] for file in self.yield_next_rule_file_path(self.path_to_rules): - fps = self.get_rule_part(file_path=file, part_name="falsepositives") + fps = self.get_rule_part( + file_path=file, part_name="falsepositives") if fps: for fp in fps: for typo in common_typos: if fp == "Unknow" or typo in fp.lower(): - print(Fore.YELLOW + "Rule {} defines a falsepositive with a common typo: '{}'.".format(file, typo)) + print( + Fore.YELLOW + "Rule {} defines a falsepositive with a common typo: '{}'.".format(file, typo)) faulty_rules.append(file) for banned_word in banned_words: if banned_word in fp.lower(): - print(Fore.YELLOW + "Rule {} defines a falsepositive with an invalid reason: '{}'.".format(file, banned_word)) + print( + Fore.YELLOW + "Rule {} defines a falsepositive with an invalid reason: '{}'.".format(file, banned_word)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -525,7 +567,8 @@ class TestRules(unittest.TestCase): if author_str: # it exists but isn't a string if not isinstance(author_str, str): - print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
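Review bot: The typo loop in the first hunk evaluates `if fp == "Unknow" or typo in fp.lower():` once per entry of `common_typos`, so a falsepositive equal to `Unknow` is appended four times and reported with whichever typo happens to be in the loop variable; hoist that comparison out of the inner loop, e.g. a separate `if fp == "Unknow":` check before `for typo in common_typos:`. `faulty_rules` can also receive the same file several times per rule, which only affects the printed list but makes the report noisy. The enclosing test method starts above the hunk.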
@@ -534,10 +577,12 @@ class TestRules(unittest.TestCase): def test_optional_license(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - license_str = self.get_rule_part(file_path=file, part_name="license") + license_str = self.get_rule_part( + file_path=file, part_name="license") if license_str: if not isinstance(license_str, str): - print(Fore.YELLOW + "Rule {} has a malformed 'license' (has to be a string).".format(file)) + print( + Fore.YELLOW + "Rule {} has a malformed 'license' (has to be a string).".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -550,16 +595,18 @@ class TestRules(unittest.TestCase): "GREEN", "AMBER", "RED", - ] + ] for file in self.yield_next_rule_file_path(self.path_to_rules): tlp_str = self.get_rule_part(file_path=file, part_name="tlp") if tlp_str: # it exists but isn't a string if not isinstance(tlp_str, str): - print(Fore.YELLOW + "Rule {} has a 'tlp' field that isn't a string.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'tlp' field that isn't a string.".format(file)) faulty_rules.append(file) elif not tlp_str.upper() in valid_tlp: - print(Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -572,7 +619,8 @@ class TestRules(unittest.TestCase): if target: # it exists but isn't a list if not isinstance(target, list): - print(Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -581,15 +629,17 @@ class TestRules(unittest.TestCase): def test_references(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - references = self.get_rule_part(file_path=file, part_name="references") + references = self.get_rule_part( + file_path=file, part_name="references") # Reference field doesn't exist # if not references: - # print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) - # faulty_rules.append(file) + # print(Fore.YELLOW + "Rule {} has no field 'references'.".format(file)) + # faulty_rules.append(file) if references: # it exists but isn't a list if not isinstance(references, list): - print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) + print( + Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + @@ -598,7 +648,8 @@ class TestRules(unittest.TestCase): def test_references_plural(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - reference = self.get_rule_part(file_path=file, part_name="reference") + reference = self.get_rule_part( + file_path=file, part_name="reference") if reference: # it exists but in singular form faulty_rules.append(file) 
@@ -616,16 +667,20 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} is a duplicate file name.".format(file)) faulty_rules.append(file) elif filename[-4:] != ".yml": - print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file)) + print(Fore.YELLOW + + "Rule {} has a invalid extension (.yml).".format(file)) faulty_rules.append(file) elif len(filename) > 74: - print(Fore.YELLOW + "Rule {} has a file name too long >70.".format(file)) + print(Fore.YELLOW + + "Rule {} has a file name too long >70.".format(file)) faulty_rules.append(file) elif len(filename) < 14: - print(Fore.YELLOW + "Rule {} has a file name too short <10.".format(file)) + print(Fore.YELLOW + + "Rule {} has a file name too short <10.".format(file)) faulty_rules.append(file) elif filename_pattern.match(filename) == None or not '_' in filename: - print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) name_lst.append(filename) @@ -635,27 +690,27 @@ class TestRules(unittest.TestCase): def test_title(self): faulty_rules = [] allowed_lowercase_words = [ - 'the', - 'for', - 'in', - 'with', - 'via', - 'on', - 'to', - 'without', - 'of', - 'through', - 'from', - 'by', - 'as', - 'a', - 'or', - 'at', - 'and', - 'an', - 'over', - 'new', - ] + 'the', + 'for', + 'in', + 'with', + 'via', + 'on', + 'to', + 'without', + 'of', + 'through', + 'from', + 'by', + 'as', + 'a', + 'or', + 'at', + 'and', + 'an', + 'over', + 'new', + ] for file in self.yield_next_rule_file_path(self.path_to_rules): title = self.get_rule_part(file_path=file, part_name="title") if not title: 
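Review bot: `elif filename_pattern.match(filename) == None or not '_' in filename:` compares against None with `==`; the clean form is `elif filename_pattern.match(filename) is None or '_' not in filename:`. The two length checks print thresholds that differ from what is tested — `len(filename) > 74` reports `>70` and `len(filename) < 14` reports `<10`, presumably the length without the `.yml` suffix — so the messages should say that, e.g. `"Rule {} has a file name too long (>70 without extension)."`. The enclosing test starts before this hunk.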
@@ -663,10 +718,12 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) continue elif len(title) > 70: - print(Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) + print( + Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) faulty_rules.append(file) if title.startswith("Detects "): - print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) + print( + Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) faulty_rules.append(file) if title.endswith("."): print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) @@ -676,7 +733,8 @@ class TestRules(unittest.TestCase): if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit(): wrong_casing.append(word) if len(wrong_casing) > 0: - print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing))) + print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format( + file, ", ".join(wrong_casing))) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + 
@@ -695,22 +753,24 @@ class TestRules(unittest.TestCase): # title is the attribute given in the 1st line # (also assumes dict keeps the order from the input file) if list(yaml[0].keys())[0] != "title": - print(Fore.RED + "Rule {} does not have its 'title' attribute in the first line".format(file)) + print( + Fore.RED + "Rule {} does not have its 'title' attribute in the first line".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules without the 'title' attribute in their first line.") + "There are rules without the 'title' attribute in their first line.") def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ - 'category', - 'product', - 'service', - 'definition', - ] + 'category', + 'product', + 'service', + 'definition', + ] for file in self.yield_next_rule_file_path(self.path_to_rules): - logsource = self.get_rule_part(file_path=file, part_name="logsource") + logsource = self.get_rule_part( + file_path=file, part_name="logsource") if not logsource: print(Fore.RED + "Rule {} has no 'logsource'.".format(file)) faulty_rules.append(file) 
@@ -718,44 +778,52 @@ class TestRules(unittest.TestCase): valid = True for key in logsource: if key.lower() not in valid_logsource: - print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) + print( + Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) valid = False - elif not isinstance(logsource[key],str): - print(Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) + elif not isinstance(logsource[key], str): + print( + Fore.RED + "Rule {} has a logsource with an invalid field type ({})".format(file, key)) valid = False if not valid: - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") - def test_selection_list_one_value(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") if detection: valid = True for key in detection: - if isinstance(detection[key],list): - if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term - print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) + if isinstance(detection[key], list): + # rule with only list of Keywords term + if len(detection[key]) == 1 and not isinstance(detection[key][0], str): + print( + Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) valid = False - if isinstance(detection[key],dict): + if isinstance(detection[key], dict): for sub_key in detection[key]: - if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" + # split in 2 if as get a error "int has 
not len()" + if isinstance(detection[key][sub_key], list): if len(detection[key][sub_key]) == 1: - print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) valid = False if not valid: faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules using list with only 1 element") def test_unused_selection(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") condition = detection["condition"] wildcard_selections = re.compile(r"\sof\s([\w\*]+)(?:$|\s|\))") 
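Review bot: `condition = detection["condition"]` in test_unused_selection indexes the detection block without the `if detection:` guard that test_selection_list_one_value applies just above it; if `get_rule_part` can return None for a rule without a detection section, as those guards suggest, this test dies with a TypeError instead of reporting the rule. A guard such as `if not detection: faulty_rules.append(file)` followed by `continue` keeps the behaviour consistent with the sibling tests. The body of test_unused_selection continues past the end of the hunk.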
@@ -779,26 +847,30 @@ class TestRules(unittest.TestCase): break # selection was not found in condition if not found: - print(Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection)) + print( + Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with unused selections") + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with unused selections") def test_all_value_modifier_single_item(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") if detection: for search_identifier in detection: - if isinstance(detection[search_identifier],dict): + if isinstance(detection[search_identifier], dict): for field in detection[search_identifier]: - if "|all" in field and not isinstance(detection[search_identifier][field],list): - print (Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format(file, search_identifier, field)) + if "|all" in field and not isinstance(detection[search_identifier][field], list): + print(Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format( + file, search_identifier, field)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with |all modifier only having one item. " + - "Single item values are not allowed to have an all modifier as some back-ends cannot support it. " + - "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.") + "Single item values are not allowed to have an all modifier as some back-ends cannot support it. 
" + + "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.") def test_field_user_localization(self): def checkUser(faulty_rules, dict): @@ -811,7 +883,8 @@ class TestRules(unittest.TestCase): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") + detection = self.get_rule_part( + file_path=file, part_name="detection") for sel_key, sel_value in detection.items(): if sel_key == "condition" or sel_key == "timeframe": continue @@ -827,21 +900,20 @@ class TestRules(unittest.TestCase): checkUser(faulty_rules, item) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules that match using localized user accounts. Better employ a generic version such as:\n" + - "User|contains: # covers many language settings\n" + - " - 'AUTHORI'\n" + - " - 'AUTORI'") - - + "User|contains: # covers many language settings\n" + + " - 'AUTHORI'\n" + + " - 'AUTORI'") def test_condition_operator_casesensitive(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - if detection: - valid = True - if isinstance(detection["condition"],str): - param = detection["condition"].split(' ') - for item in param: + detection = self.get_rule_part( + file_path=file, part_name="detection") + if detection: + valid = True + if isinstance(detection["condition"], str): + param = detection["condition"].split(' ') + for item in param: if item.lower() == 'or' and not item == 'or': valid = False elif item.lower() == 'and' and not item == 'and': 
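Review bot: The nested helper `def checkUser(faulty_rules, dict):` at the tail of this hunk names its parameter `dict`, shadowing the builtin for the whole helper body; `def checkUser(faulty_rules, selection):` avoids the surprise when someone later needs `dict()` inside it. The helper's body and the rest of test_field_user_localization lie outside the hunk.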
@@ -850,18 +922,22 @@ class TestRules(unittest.TestCase): valid = False elif item.lower() == 'of' and not item == 'of': valid = False - if not valid: - print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format(file,detection["condition"])) - faulty_rules.append(file) + if not valid: + print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format( + file, detection["condition"])) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules using condition without lowercase operator") - self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using condition without lowercase operator") def get_mitre_data(): """ - Generate tags from live TAXI service to get up-to-date data + Use Tags from CTI subrepo to get consitant data """ + cti_path = "tests/cti/" # Get ATT&CK information - lift = attack_client() + lift = attack_client(local_path=cti_path) # Techniques MITRE_TECHNIQUES = [] MITRE_TECHNIQUE_NAMES = [] @@ -871,14 +947,15 @@ def get_mitre_data(): # Techniques enterprise_techniques = lift.get_enterprise_techniques() for t in enterprise_techniques: - MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_')) + MITRE_TECHNIQUE_NAMES.append( + t['name'].lower().replace(' ', '_').replace('-', '_')) for r in t.external_references: if 'external_id' in r: MITRE_TECHNIQUES.append(r['external_id'].lower()) if 'kill_chain_phases' in t: for kc in t['kill_chain_phases']: if 'phase_name' in kc: - MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-','_')) + MITRE_PHASE_NAMES.add(kc['phase_name'].replace('-', '_')) # Tools / Malware enterprise_tools = lift.get_enterprise_tools() for t in enterprise_tools: 
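Review bot: The operator-casing loop in test_condition_operator_casesensitive spells each check as `item.lower() == 'or' and not item == 'or'`; `item != 'or'` is the direct form, and the four branches collapse to `if item.lower() in ('or', 'and', 'not', 'of') and item != item.lower(): valid = False`. Because the page flattens the diff, the re-indentation this hunk performs on the `if detection:` block cannot be verified here; confirm that `if not valid:` in the following hunk still sits inside the `for file in …` loop so each faulty rule is reported individually. The function's tail is in the next hunk.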
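Review bot: The new docstring line `Use Tags from CTI subrepo to get consitant data` has a typo; `Use tags from the CTI submodule to get consistent data` reads cleanly and names the source. `cti_path = "tests/cti/"` is resolved against the current working directory, so `attack_client(local_path=cti_path)` only finds the submodule when the tests are launched from the repository root; deriving it from the test file's location, `cti_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "cti")`, removes that dependency (check that `os` is imported at the top of the file and whether attack_client needs the trailing slash). The rest of get_mitre_data follows in the next hunks.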
@@ -898,7 +975,8 @@ def get_mitre_data(): MITRE_GROUPS.append(r['external_id'].lower()) # Debugging - print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS))) + print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len( + MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS))) # Combine all IDs to a big tag list return ["attack." + item for item in MITRE_TECHNIQUES + MITRE_TECHNIQUE_NAMES + list(MITRE_PHASE_NAMES) + MITRE_GROUPS + MITRE_TOOLS] From 6f467656fed9823b616f377eed727377d61da1e0 Mon Sep 17 00:00:00 2001 From: Tobias Michalski Date: Fri, 12 Aug 2022 14:33:31 +0200 Subject: [PATCH 079/129] chore: Get Submodules for test_rules.py test --- .github/workflows/sigma-test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index cf7d5756b..f40ccf5ea 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -20,6 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + submodules: true - name: Set up Python 3.8 uses: actions/setup-python@v1 with: From d7bc975c71bad874bc7041713285d230176ab2e5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 12 Aug 2022 13:42:52 +0100 Subject: [PATCH 080/129] Update meta --- .../create_remote_thread_win_susp_targets.yml | 33 ++++++++++--------- .../sysmon_powershell_code_injection.yml | 4 +-- .../sysmon_susp_remote_thread.yml | 6 ++-- ...ent_win_win_shell_write_susp_directory.yml | 2 +- 4 files changed, 22 insertions(+), 23 deletions(-) diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml index 6f8bb5e82..038d93f23 100644 
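Review bot: `submodules: true` checks out only the first level of submodules; if the CTI submodule under `tests/cti/` itself carries submodules that the test reads, the value needed is `submodules: recursive`, so confirm which one applies. The checkout is pinned by the superproject's recorded commit, which is the property you want for reproducible test data. As the step is being edited anyway, `actions/checkout@v2` and the `actions/setup-python@v1` below could be pinned to full commit SHAs instead of moving major tags, the usual hardening for third-party actions.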
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml @@ -6,24 +6,25 @@ references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth date: 2022/03/16 -modified: 2022/07/07 +modified: 2022/08/12 logsource: - product: windows - category: create_remote_thread + product: windows + category: create_remote_thread detection: - selection: - TargetImage|endswith: - - '\mspaint.exe' - - '\calc.exe' - - '\notepad.exe' - - '\sethc.exe' - - '\write.exe' - - '\wordpad.exe' - condition: selection + selection: + TargetImage|endswith: + - '\mspaint.exe' + - '\calc.exe' + - '\notepad.exe' + - '\sethc.exe' + - '\write.exe' + - '\wordpad.exe' + - '\explorer.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1055.003 + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055.003 diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml index bde512e95..50c53ef0a 100644 --- a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml @@ -1,12 +1,12 @@ title: Accessing WinAPI in PowerShell. Code Injection id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50 status: test -description: Detecting Code injection with PowerShell in another process +description: Detects the creation of a remote thread from a Powershell process to another process author: Nikita Nazarov, oscd.community references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse date: 2020/10/06 -modified: 2022/07/28 +modified: 2022/08/12 logsource: product: windows category: create_remote_thread 
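Review bot: Adding `- '\explorer.exe'` to a `level: high` rule whose `falsepositives` entry is `Unknown` is likely to generate noise: explorer.exe is, in my experience, a frequent legitimate CreateRemoteThread target (shell extensions, accessibility and input tools), unlike the small utilities already in the list. Either document the expected benign sources under `falsepositives` or add a filter on the usual `SourceImage` paths before shipping it at high. The hunk also re-indents the logsource, detection and tags blocks; the flattened diff does not show the new indent width, so check it matches the rest of the rule set.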
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml index f094daf60..c1019a171 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml @@ -7,7 +7,7 @@ notes: - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. status: experimental date: 2019/10/27 -modified: 2022/07/31 +modified: 2022/08/12 author: Perez Diego (@darkquassar), oscd.community references: - Personal research, statistical analysis @@ -49,8 +49,6 @@ detection: - '\outlook.exe' - '\ping.exe' - '\powerpnt.exe' - - '\powershell.exe' - - '\pwsh.exe' - '\provtool.exe' - '\python.exe' - '\regsvr32.exe' @@ -99,6 +97,6 @@ fields: - User - SourceImage - TargetImage -level: high falsepositives: - Unknown +level: high diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml index 135fff322..b1232f7a9 100644 --- a/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml +++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml @@ -3,7 +3,7 @@ id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 status: experimental description: Detects a Windows executable that writes files to suspicious folders references: - - No references + - Internal Research author: Florian Roth date: 2021/11/20 modified: 2022/07/14 From b1e0668ae30ace687f2391b62650d9bd0ae3f978 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 12 Aug 2022 13:43:36 +0100 Subject: [PATCH 081/129] Update adfind rules --- .../proc_creation_win_susp_adfind.yml | 33 ------------------- ..._creation_win_susp_adfind_enumeration.yml} | 17 +++++----- ...> proc_creation_win_susp_adfind_usage.yml} | 18 +++++++--- 3 files changed, 21 insertions(+), 47 deletions(-) delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_adfind.yml rename rules/windows/process_creation/{proc_creation_win_susp_adfind_enumerate.yml => proc_creation_win_susp_adfind_enumeration.yml} (69%) rename rules/windows/process_creation/{proc_creation_win_ad_find_discovery.yml => proc_creation_win_susp_adfind_usage.yml} (67%) diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind.yml deleted file mode 100644 index 2e7aa684c..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_adfind.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -title: Suspicious AdFind Execution -id: 75df3b17-8bcc-4565-b89b-c9898acef911 -status: experimental -description: Detects the execution of a AdFind for Active Directory enumeration -references: - - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md - - https://thedfirreport.com/2020/05/08/adfind-recon/ -author: FPT.EagleEye Team, omkar72, oscd.community -date: 2020/09/26 -modified: 2021/05/12 -tags: - - attack.discovery - - attack.t1018 - - attack.t1087.002 - - attack.t1482 - - attack.t1069.002 -logsource: - product: windows - category: process_creation -detection: - selection: - CommandLine|contains: - - 'objectcategory' - - 'trustdmp' - - 'dcmodes' - - 'dclist' - - 'computers_pwdnotreqd' - Image|endswith: '\adfind.exe' - condition: selection -falsepositives: - - Administrative activity -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml similarity index 69% rename from rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml rename to rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml index 41ff9f25c..b5c219af6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml 
@@ -1,19 +1,18 @@ -title: Suspicious AdFind Enumerate +title: Suspicious AdFind Enumeration id: 455b9d50-15a1-4b99-853f-8d37655a4c1b status: experimental -description: Detects the execution of a AdFind for enumeration +description: Detects the execution of a AdFind for enumeration based on it's commadline flags references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md author: frack113 date: 2021/12/13 +modified: 2022/08/12 logsource: product: windows category: process_creation detection: - selection: - Image|endswith: '\adfind.exe' - test_5: #Listing password policy + selection_password: #Listing password policy CommandLine|contains: - lockoutduration - lockoutthreshold @@ -23,14 +22,14 @@ detection: - minpwdlength - pwdhistorylength - pwdproperties - test_6: #Enumerate Active Directory Admins + selection_enum_ad: #Enumerate Active Directory Admins CommandLine|contains: '-sc admincountdmp' - test_8: #Enumerate Active Directory Exchange AD Objects + selection_enum_exchange: #Enumerate Active Directory Exchange AD Objects CommandLine|contains: '-sc exchaddresses' - condition: selection and 1 of test_* + condition: 1 of selection_* falsepositives: - Administrative activity -level: medium +level: high tags: - attack.discovery - attack.t1087.002 diff --git a/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml similarity index 67% rename from rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml rename to rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml index 93d568e96..b75743797 100644 --- a/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml 
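Review bot: Removing the `Image|endswith: '\adfind.exe'` selection and switching to `condition: 1 of selection_*` makes the rule fire on any process whose command line contains `lockoutduration`, `minpwdlength`, `-sc admincountdmp` and so on, while `level` goes up to high; that is presumably meant to catch renamed copies, but the description should say so and `falsepositives` should mention other LDAP tooling or scripts that pass these attribute names. The new description `Detects the execution of a AdFind for enumeration based on it's commadline flags` has three typos; `Detects the execution of AdFind for enumeration based on its command-line flags` is the fix. The inline comments such as `selection_password: #Listing password policy` also want two spaces before `#` for yamllint.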
@@ -1,24 +1,31 @@ title: AdFind Usage Detection id: 9a132afa-654e-11eb-ae93-0242ac130002 +related: + - id: 75df3b17-8bcc-4565-b89b-c9898acef911 + type: obsoletes status: test description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. -author: Janantha Marasinghe (https://github.com/blueteam0ps) +author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community references: - https://thedfirreport.com/2020/05/08/adfind-recon/ - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ + - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx + - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md date: 2021/02/02 -modified: 2021/02/02 +modified: 2022/08/12 tags: - attack.discovery - - attack.t1482 - attack.t1018 + - attack.t1087.002 + - attack.t1482 + - attack.t1069.002 logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - 'domainlist' - 'trustdmp' - 'dcmodes' @@ -37,7 +44,8 @@ detection: - 'fspdmp' - 'users_noexpire' - 'computers_active' + - 'computers_pwdnotreqd' condition: selection falsepositives: - - Admin activity + - Legitimate admin activity level: high From e4e24a00a708276c6453264ace91bff6a1dbbc91 Mon Sep 17 00:00:00 2001 
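Review bot: This rule now obsoletes 75df3b17-8bcc-4565-b89b-c9898acef911, whose selection required `Image|endswith: '\adfind.exe'` together with the keywords `objectcategory` and `dclist`; the two hunks only show `computers_pwdnotreqd` being carried over, so check that the other two either already sit in the unchanged middle of the list or are dropped deliberately (a bare `objectcategory` without an image filter would be noisy, so dropping it is defensible if stated). The description `It is used to domain trust discovery to plan out subsequent steps in the attack chain.` is ungrammatical; `It is used for domain trust discovery to plan out subsequent steps in the attack chain.` reads correctly. The rule's ATT&CK tags now cover both files, which is the right outcome of the merge.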
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 12 Aug 2022 13:44:03 +0100 Subject: [PATCH 082/129] Update procdump rules --- .../proc_creation_win_procdump.yml | 11 +++----- .../proc_creation_win_renamed_procdump.yml | 23 +++++++++------- .../proc_creation_win_susp_procdump.yml | 26 ------------------- .../proc_creation_win_susp_procdump_lsass.yml | 14 +++++----- 4 files changed, 23 insertions(+), 51 deletions(-) delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_procdump.yml diff --git a/rules/windows/process_creation/proc_creation_win_procdump.yml b/rules/windows/process_creation/proc_creation_win_procdump.yml index 697a761b2..6d34d0b8b 100644 --- a/rules/windows/process_creation/proc_creation_win_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_procdump.yml @@ -1,11 +1,12 @@ title: Procdump Usage id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20 -description: Detects uses of the SysInternals Procdump utility +description: Detects usage of the SysInternals Procdump utility status: experimental references: - Internal Research author: Florian Roth date: 2021/08/16 +modified: 2022/08/11 tags: - attack.defense_evasion - attack.t1036 @@ -14,15 +15,11 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: Image|endswith: - '\procdump.exe' - '\procdump64.exe' - selection2: - CommandLine|contains|all: - - ' -ma ' - - '.exe' - condition: selection1 or selection2 + condition: selection falsepositives: - Legitimate use of procdump by a developer or administrator level: medium diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml index 87107e01e..9469558c6 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml 
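Review bot: `+modified: 2022/08/11` in the first hunk disagrees with the `modified: 2022/08/12` the same commit writes into the other procdump rules and with the commit date; use `modified: 2022/08/12` so the four files stay in step. The second hunk drops the `-ma`/`.exe` command-line selection, so this rule keys on the image name alone — reasonable given the renamed-procdump rule, but the description `Detects usage of the SysInternals Procdump utility` could note that renamed copies are handled by that rule.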
@@ -1,12 +1,15 @@ title: Renamed ProcDump id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 +related: + - id: 03795938-1387-481b-9f4c-3f6241e604fe + type: obsoletes status: test description: Detects the execution of a renamed ProcDump executable often used by attackers or malware references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2021/08/16 +modified: 2022/08/12 tags: - attack.defense_evasion - attack.t1036.003 @@ -14,22 +17,22 @@ logsource: product: windows category: process_creation detection: - selection1: + original_file_name: OriginalFileName: 'procdump' - selection2: - CommandLine|contains|all: + selection_ma: + CommandLine|contains: - ' -ma ' + - ' /ma ' + selection_other: + CommandLine|contains: - ' -accepteula ' - selection3: - CommandLine|contains|all: - - ' -ma ' - - '.dmp' + - ' /accepteula ' filter: Image|endswith: - '\procdump.exe' - '\procdump64.exe' - condition: ( selection1 or selection2 or selection3 ) and not filter + condition: (original_file_name or all of selection_*) and not filter falsepositives: - Procdump illegaly bundled with legitimate software - - Weird admins who renamed binaries + - Weird admins who renamed binaries (and should be investigated) level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump.yml deleted file mode 100644 index 7c3256d94..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_procdump.yml +++ /dev/null 
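Review bot: `condition: (original_file_name or all of selection_*) and not filter` requires both `-ma`/`/ma` and `-accepteula`/`/accepteula` on the command line; Sysinternals tools record EULA acceptance in the registry after the first run, so a renamed copy invoked later without `-accepteula` is caught only through `OriginalFileName: 'procdump'`, a version-info field that is not a robust indicator. That gap deserves a sentence in the description rather than silence, or `selection_other` could accept a `.dmp` target as an alternative to the EULA switch. The falsepositives entry `- Weird admins who renamed binaries (and should be investigated)` reads as advice; `- Administrators who renamed the binary` is enough for that list.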
@@ -1,26 +0,0 @@ -title: Suspicious Use of Procdump -id: 03795938-1387-481b-9f4c-3f6241e604fe -description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable. -status: experimental -references: - - Internal Research -author: Florian Roth -date: 2021/02/02 -modified: 2021/08/16 -tags: - - attack.defense_evasion - - attack.t1036 - - attack.t1003.001 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - ' -ma ' - - ' -accepteula ' - condition: selection -falsepositives: - - Another tool that uses the command line switches of Procdump - - Legitimate use of procdump by a developer or administrator -level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml index fbefa0c1f..c19213fc3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml @@ -6,7 +6,7 @@ references: - Internal Research author: Florian Roth date: 2018/10/30 -modified: 2021/02/02 +modified: 2022/08/12 tags: - attack.defense_evasion - attack.t1036 @@ -18,14 +18,12 @@ logsource: product: windows detection: selection1: - CommandLine|contains: ' -ma ' - selection2: - CommandLine|contains: ' lsass' - selection3: - CommandLine|contains|all: + CommandLine|contains: - ' -ma ' - - ' ls' - condition: ( selection1 and selection2 ) or selection3 + - ' /ma ' + selection2: + CommandLine|contains: ' ls' # Short for lsass + condition: all of selection* falsepositives: - Unlikely, because no one should dump an lsass process memory - Another tool that uses the command line switches of Procdump 
From cf2a817801c3348a61a4b456d83e64d2ad3040d6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 12 Aug 2022 13:44:16 +0100 Subject: [PATCH 083/129] New Rules --- .../win_anydesk_service_installation.yml | 22 +++++++++ ..._win_shell_write_susp_files_extensions.yml | 40 ++++++++++++++++ ...tion_win_cobaltstrike_bloopers_modules.yml | 46 +++++++++---------- 3 files changed, 85 insertions(+), 23 deletions(-) create mode 100644 rules/windows/builtin/system/win_anydesk_service_installation.yml create mode 100644 rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
diff --git a/rules/windows/builtin/system/win_anydesk_service_installation.yml b/rules/windows/builtin/system/win_anydesk_service_installation.yml
new file mode 100644
index 000000000..0726fc8e3
--- /dev/null
+++ b/rules/windows/builtin/system/win_anydesk_service_installation.yml
@@ -0,0 +1,22 @@
+title: Anydesk Remote Access Software Service Installation
+id: 530a6faa-ff3d-4022-b315-50828e77eef5
+status: experimental
+description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+date: 2022/08/11
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ ServiceName: 'AnyDesk Service'
+ condition: selection
+falsepositives:
+ - Legitimate usage of the anydesk tool
+level: medium
+tags:
+ - attack.persistence
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
new file mode 100644
index 000000000..eef0bcab0
--- /dev/null
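Review bot: The description `Which could be an indication of anydesk abuse if you the software isn't already used.` is a fragment with a stray `you`; `Detects the installation of the AnyDesk service, which can indicate abuse of the tool if it is not otherwise used in the environment.` fixes both. The `tags` list carries only `attack.persistence`; remote-access tooling is catalogued as technique T1219 and the rest of the rule set tags technique IDs next to tactics, so add `- attack.t1219`. `ServiceName: 'AnyDesk Service'` is an exact match; if custom-branded AnyDesk builds register under a different service name that variant is missed, which is worth a hedged line in the description until confirmed.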
+++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
@@ -0,0 +1,40 @@
+title: Windows Binaries Write Suspicious Extensions
+id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
+related:
+ - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
+ type: derived
+status: experimental
+description: Detects windows executables that writes files with suspicious extensions
+references:
+ - Internal Research
+author: Nasreddine Bencherchali
+date: 2022/08/12
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\rundll32.exe'
+ - '\svchost.exe'
+ - '\dllhost.exe'
+ - '\smss.exe'
+ - '\RuntimeBroker.exe'
+ - '\sihost.exe'
+ - '\lsass.exe'
+ - '\csrss.exe'
+ - '\winlogon.exe'
+ - '\wininit.exe'
+ TargetFilename|endswith:
+ - '.bat'
+ - '.vbe'
+ - '.txt'
+ - '.vbs'
+ - '.exe'
+ - '.ps1'
+ - '.hta'
+ - '.iso'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
index 871b46ca3..7539879eb 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
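Review bot: Pairing `'\svchost.exe'`, `'\rundll32.exe'` and `'\dllhost.exe'` with `- '.txt'` and `- '.exe'` at `level: high` with `falsepositives` of `Unknown` will, in most environments, match routine activity — svchost hosts services such as Windows Update and BITS that write downloaded executables, and dllhost is a surrogate for arbitrary COM DLLs — so either drop `.txt`, narrow the `.exe` case with a `TargetFilename` path filter, or lower the level until the false-positive profile is measured. The description `Detects windows executables that writes files with suspicious extensions` should read `Detects Windows executables that write files with suspicious extensions`.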
@@ -4,34 +4,34 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
author: _pete_0, TheDFIRReport
references:
- - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
+ - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
+ - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
+ - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
date: 2022/05/06
modified: 2022/05/06
logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
detection:
- selection:
- CommandLine|startswith:
- - 'cmd.exe'
- - 'c:\windows\system32\cmd.exe'
- CommandLine|contains:
- - Invoke-UserHunter
- - Invoke-ShareFinder
- - Invoke-Kerberoast
- - Invoke-SMBAutoBrute
- - Invoke-Nightmare
- - zerologon
- - av_query
- Image|endswith: '\cmd.exe'
- condition: selection
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|startswith:
+ - 'cmd.exe'
+ - 'c:\windows\system32\cmd.exe'
+ CommandLine|contains:
+ - Invoke-UserHunter
+ - Invoke-ShareFinder
+ - Invoke-Kerberoast
+ - Invoke-SMBAutoBrute
+ - Invoke-Nightmare
+ - zerologon
+ - av_query
+ condition: selection
fields:
- - CommandLine
+ - CommandLine
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.execution
- - attack.t1059.003
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.003
From 560916b3571d501bcd7b9f029f276788a6fa173b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 12 Aug 2022 15:09:32 +0200
Subject: [PATCH 084/129] Update file_change_win_2022_timestomping.yml
---
.../file_change_win_2022_timestomping.yml | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index 7fd1e4d00..00ba16fd9 100644
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml
@@ -6,17 +6,21 @@ description: |
Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
references:
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
-author: frack113
+author: frack113, Florian Roth
date: 2022/08/12
logsource:
category: file_change
product: windows
detection:
- selection:
+ selection1:
PreviousCreationUtcTime|startswith: 2022
- filter:
+ filter1:
CreationUtcTime|startswith: 2022
- condition: selection and not filter
+ selection2:
+ PreviousCreationUtcTime|startswith: 202
+ filter2:
+ CreationUtcTime|startswith: 202
+ condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
falsepositives:
- NTP change
level: high
From 970b15f440ea23aafa4cd257233e133ab7e96111 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 12 Aug 2022 15:10:24 +0200
Subject: [PATCH 085/129] Update file_change_win_2022_timestomping.yml
---
rules/windows/file_change/file_change_win_2022_timestomping.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index 00ba16fd9..11b21c196 100644
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml
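Review bot: The new `selection2`/`filter2` values `202` are unquoted, so a YAML loader reads them as integers and the prefix match relies on the backend stringifying them; quoting them (`PreviousCreationUtcTime|startswith: '202'`, `CreationUtcTime|startswith: '202'`) removes the ambiguity and matches the quoting used in the other rules of this series. The names `selection1`/`filter1`/`selection2`/`filter2` also depart from the `selection_*`/`filter_*` pattern used elsewhere in these commits, which is what makes `1 of`/`all of` conditions possible later. Note that the `202` branch only fires when the creation time leaves the 2020s entirely, so a backdate from 2021 to 2020 is presumably still missed; if that is intended, a sentence in the description would save the next reader the analysis.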
@@ -22,7 +22,7 @@ detection:
CreationUtcTime|startswith: 202
condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
falsepositives:
- - NTP change
+ - Changes made to or by the local NTP service
level: high
tags:
- attack.t1070.006
From 8477c4976be74ebdfad72090b75f404e9970f511 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:02:54 +0100
Subject: [PATCH 086/129] Update proc_creation_win_renamed_procdump.yml
---
.../process_creation/proc_creation_win_renamed_procdump.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 9469558c6..5e1b13880 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -31,7 +31,7 @@ detection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
- condition: (original_file_name or all of selection_*) and not filter
+ condition: original_file_name or all of selection_* and not filter
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries (and should be investigated)
From 4a0c1b41f2828e9dfe9a3ff8984b45a4e19520d7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:04:38 +0100
Subject: [PATCH 087/129] Update proc_creation_win_renamed_procdump.yml
---
.../proc_creation_win_renamed_procdump.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 5e1b13880..9a09c3246 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -17,13 +17,13 @@ logsource:
product: windows
category: process_creation
detection:
- original_file_name:
+ selection_org:
OriginalFileName: 'procdump'
- selection_ma:
+ selection_args_ma:
CommandLine|contains:
- ' -ma '
- ' /ma '
- selection_other:
+ selection_args_other:
CommandLine|contains:
- ' -accepteula '
- ' /accepteula '
@@ -31,7 +31,7 @@ detection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
- condition: original_file_name or all of selection_* and not filter
+ condition: (selection_org or all of selection_args_*) and not filter
falsepositives:
- Procdump illegaly bundled with legitimate software
- Weird admins who renamed binaries (and should be investigated)
From b6fda3e7588f47593cca91fd4bce6c208d5f41f8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:09:20 +0100
Subject: [PATCH 088/129] Fix FP
---
.../file_event_win_win_shell_write_susp_files_extensions.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
index eef0bcab0..5eb617acc 100644
--- a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
@@ -16,7 +16,7 @@ detection:
selection:
Image|endswith:
- '\rundll32.exe'
- - '\svchost.exe'
+ #- '\svchost.exe' # Might generate some FP
- '\dllhost.exe'
- '\smss.exe'
- '\RuntimeBroker.exe'
From 2e438a5312fd0d636f3cad5e20151c46c967747b Mon Sep 17 00:00:00 2001
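Review bot: `#- '\svchost.exe' # Might generate some FP` in the "Fix FP" hunk leaves a commented-out entry inside the `Image|endswith` list with no space after the hash; the conventional form is `# - '\svchost.exe'  # Might generate some FP`, matching the style of the commented entry `# - '\ProgramData\' # too many false positives ...` later in this series. The finding itself ("might generate some FP") is exactly what the rule's `falsepositives: - Unknown` entry should record, so adding a line there would keep the rationale visible to anyone tuning the rule.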
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:16:17 +0200
Subject: [PATCH 089/129] Add file_event_win_iphlpapi_dll_sideloading
---
...ile_event_win_iphlpapi_dll_sideloading.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml
diff --git a/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml
new file mode 100644
index 000000000..658c067f2
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml
@@ -0,0 +1,27 @@
+title: Malicious DLL File Dropped in the Teams or OneDrive Folder
+id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
+status: experimental
+description: |
+ Detects creation of a malicious DLL file in the location where the OneDrive or Team applications
+ Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded
+references:
+ - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
+author: frack113
+date: 2022/08/12
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - 'iphlpapi.dll'
+ - '\AppData\Local\Microsoft'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.002
From dd4a32e50f2910a3dd98718d4d40b577d9f92f3a Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:25:49 +0200
Subject: [PATCH 090/129] Add Ref
---
rules/windows/file_rename/file_rename_win_ransomware.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/file_rename/file_rename_win_ransomware.yml b/rules/windows/file_rename/file_rename_win_ransomware.yml
index 6a245c7f7..6af06ac6f 100644
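Review bot: The first description line of the new rule is missing its verb ("in the location where the OneDrive or Team applications"); suggested: `Detects creation of a DLL file named iphlpapi.dll in the folders where the OneDrive or Teams applications are installed`, keeping the second line as is. The selection uses `TargetFilename|contains: 'iphlpapi.dll'`, which also matches any name that merely embeds that string; `TargetFilename|endswith: '\iphlpapi.dll'` together with `TargetFilename|contains: '\AppData\Local\Microsoft'` in the same selection expresses the intent more precisely. `falsepositives: - Unknown` with `level: high` is thin for a file_event rule on a user-profile path; if legitimate installers or updaters can drop this DLL there, that should be recorded in `falsepositives`.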
--- a/rules/windows/file_rename/file_rename_win_ransomware.yml
+++ b/rules/windows/file_rename/file_rename_win_ransomware.yml
@@ -4,6 +4,7 @@ status: experimental
description: Detects possible ransomware adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky" etc.
references:
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
+ - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022/07/16
tags:
From fa522f68c9a814ad448f70b855e193e4800f34f3 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 12 Aug 2022 15:29:49 +0000
Subject: [PATCH 091/129] False positive fix, needs to match ALL of selectioN_delete, not 1 of them
---
.../proc_creation_win_reg_delete_safeboot.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
index b9fa47a79..9ef55c3e1 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml
@@ -4,8 +4,9 @@ status: experimental
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
references:
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
-author: Nasreddine Bencherchali
+author: Nasreddine Bencherchali, Tim Shelton
date: 2022/08/08
+modified: 2022/08/12
logsource:
category: process_creation
product: windows
@@ -14,7 +15,7 @@ detection:
- Image|endswith: 'reg.exe'
- OriginalFileName: 'reg.exe'
selection_delete:
- CommandLine|contains:
+ CommandLine|contains|all:
- ' delete '
- '\SYSTEM\CurrentControlSet\Control\SafeBoot'
condition: all of selection*
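Review bot: `Image|endswith: 'reg.exe'` at the top of the second reg_delete_safeboot hunk has no leading backslash, so any image whose file name merely ends in `reg.exe` satisfies that alternative of the first selection; `- Image|endswith: '\reg.exe'` pins it to the file name, consistent with the `'\procdump.exe'`-style values used in the other rules of this series. This pre-dates the commit but sits in the same `detection` block being corrected, whose start is above the hunk. The `CommandLine|contains|all:` change itself is the right fix for the subject line's complaint.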
From 4f7738b8674efdfd1908b40c851a739176ac2c2b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:29:52 +0100
Subject: [PATCH 092/129] Add rule CVE-2022-31656
---
rules/web/web_cve_2021_43798_grafana.yml | 2 +-
rules/web/web_cve_2022_31656_auth_bypass.yml | 22 ++++++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 rules/web/web_cve_2022_31656_auth_bypass.yml
diff --git a/rules/web/web_cve_2021_43798_grafana.yml b/rules/web/web_cve_2021_43798_grafana.yml
index fc4fc7478..e4622ae43 100644
--- a/rules/web/web_cve_2021_43798_grafana.yml
+++ b/rules/web/web_cve_2021_43798_grafana.yml
@@ -1,7 +1,7 @@
title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: experimental
-description: Detects a successful Grafana path traversal exploitation
+description: Detects a successful Grafana path traversal exploitation
author: Florian Roth
references:
- https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
diff --git a/rules/web/web_cve_2022_31656_auth_bypass.yml b/rules/web/web_cve_2022_31656_auth_bypass.yml
new file mode 100644
index 000000000..1d5de9178
--- /dev/null
+++ b/rules/web/web_cve_2022_31656_auth_bypass.yml
@@ -0,0 +1,22 @@
+title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
+id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
+status: experimental
+description: |
+ Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
+ VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/SAAS/t/_/;/'
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
From 3fffd6a8f39357607daaa22da11390abcd698e57 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:12:35 +0100
Subject: [PATCH 093/129] Create proc_creation_win_wab_execution_from_non_default_location.yml
---
...ab_execution_from_non_default_location.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
new file mode 100644
index 000000000..601a65f63
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
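Review bot: The description of the new rule says it "Detects the exploitation" while the selection is a bare `c-uri|contains` with no response-status constraint, so the rule fires on every request carrying the pattern, including the scanner probes that the `falsepositives` entry already anticipates; either reword to `Detects attempts to exploit the VMware Workspace ONE Access authentication bypass described in CVE-2022-31656` or add an `sc-status` selection if successful requests can be told apart in your web logs. The second description paragraph reads as vendor advisory text; a reference to the VMware advisory next to the existing blog link would let readers verify it.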
@@ -0,0 +1,27 @@
+title: Wab Execution From Non Default Location
+id: 395907ee-96e5-4666-af2e-2ca91688e151
+status: experimental
+description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+references:
+ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wab.exe'
+ filter:
+ Image|startswith:
+ - 'C:\Windows\WinSxS\'
+ - 'C:\Program Files\Windows Mail\'
+ - 'C:\Program Files (x86)\Windows Mail\'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
From 0cca5208e9940a3e3e5da4871ea95b3538be8440 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:18:44 +0100
Subject: [PATCH 094/129] Create proc_creation_win_wab_unusual_parents.yml
---
.../proc_creation_win_wab_unusual_parents.yml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
new file mode 100644
index 000000000..ad84a9698
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
@@ -0,0 +1,29 @@
+title: Wab.Exe Unusual Parent Or Child Processes
+id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
+status: experimental
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+references:
+ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith:
+ # Add more if known
+ - \WmiPrvSE.exe
+ - \svchost.exe
+ - \dllhost.exe
+ Image|endswith: '\wab.exe'
+ selection_child:
+ ParentImage|endswith: '\wab.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
From ce43b1da5c070a1d81005c926cdfc8a1db0ba67b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 18:50:08 +0100
Subject: [PATCH 095/129] Create web_cve_2022_31659_vmware_rce.yml
---
rules/web/web_cve_2022_31659_vmware_rce.yml | 22 +++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 rules/web/web_cve_2022_31659_vmware_rce.yml
diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml
new file mode 100644
index 000000000..5d9fd9897
--- /dev/null
+++ b/rules/web/web_cve_2022_31659_vmware_rce.yml
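Review bot: In `selection_parent` the three `ParentImage|endswith` entries are unquoted plain scalars (`- \WmiPrvSE.exe`, `- \svchost.exe`, `- \dllhost.exe`) while `Image|endswith: '\wab.exe'` in the same selection is quoted; quoting them consistently (`- '\WmiPrvSE.exe'` and so on) avoids a reader wondering whether the backslash is handled differently. `\svchost.exe` as a parent may also cover wab.exe started through service-hosted launchers such as scheduled tasks, which is hard to reconcile with `falsepositives: - Unlikely`; a hedge there would be honest. `selection_child` matches every child of wab.exe regardless of image, which is presumably intended but worth one clause in the description.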
@@ -0,0 +1,22 @@
+title: CVE-2022-31659 VMware Workspace ONE Access RCE
+id: efdb2003-a922-48aa-8f37-8b80021a9706
+status: experimental
+description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to look spot the difference between benign and malicious requests to this URL
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+ - Legitimate access to the URI
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1190
From 5bc4b2de27d5ac803204f9891df23e0831ba9ba0 Mon Sep 17 00:00:00 2001
From: Zandmann <72525963+Zandmann@users.noreply.github.com>
Date: Fri, 12 Aug 2022 21:39:11 +0200
Subject: [PATCH 096/129] Update lnx_auditd_bpfdoor_file_accessed.yml
---
rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
index 0c5ceb1ce..1c948709a 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml
@@ -23,5 +23,5 @@ tags:
- attack.t1106
- attack.t1059
falsepositives:
- - Less Likely
+ - Unlikely
level: high
From 1339317b165b52ccecaf42c938da865ee453e547 Mon Sep 17 00:00:00 2001
From: Zandmann <72525963+Zandmann@users.noreply.github.com>
Date: Fri, 12 Aug 2022 21:41:35 +0200
Subject: [PATCH 097/129] Update lnx_auditd_bpfdoor_port_redirect.yml
---
rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
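Review bot: The inline comment on the `c-uri|contains` line of the new rule has a typo ("to look spot the difference") and is long enough that it belongs in `description` rather than trailing a detection value; suggested: `# Investigate the Host header to spot the difference between benign and malicious requests to this URL`, or fold that sentence into the description. Otherwise the selection is narrow (`cs-method: 'POST'` plus the URI) and the `falsepositives` list already names legitimate access, which is consistent with `level: medium`.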
diff --git a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
index 4676e895b..d4d4624b3 100644
--- a/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
+++ b/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml
@@ -1,4 +1,4 @@
-title: BPFDoor_TCP_ports_redirect
+title: Bpfdoor TCP Ports Redirect
id: 70b4156e-50fc-4523-aa50-c9dddf1993fc
status: experimental
description: All TCP traffic on particular port from attacker is routed to diffrent port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392' The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
From 3426dfb6e90e825cc6202ed9b7ef9236d5e2c286 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 13 Aug 2022 09:59:31 +0200
Subject: [PATCH 098/129] Update backslash
---
.../win_defender_alert_lsass_access.yml | 4 ++--
...win_susp_system_interactive_powershell.yml | 3 ++-
...le_event_win_writing_local_admin_share.yml | 3 ++-
.../image_load_susp_system_drawing_load.yml | 12 ++++++----
.../image_load_uipromptforcreds_dlls.yml | 23 +++++++++++--------
..._susp_prog_location_network_connection.yml | 2 +-
.../posh_ps_susp_new_psdrive.yml | 4 ++--
...ess_win_lazagne_cred_dump_lsass_access.yml | 5 ++--
...proc_access_win_rare_proc_access_lsass.yml | 13 ++++------
.../proc_creation_win_anydesk_susp_folder.yml | 7 +++---
...eation_win_apt_turla_commands_critical.yml | 2 +-
...proc_creation_win_conti_cmd_ransomware.yml | 3 ++-
..._creation_win_lolbin_diantz_remote_cab.yml | 3 ++-
.../proc_creation_win_lolbin_extrac32.yml | 4 ++--
...eation_win_mal_hermetic_wiper_activity.yml | 3 ++-
.../proc_creation_win_net_enum.yml | 4 ++--
.../proc_creation_win_susp_gup.yml | 13 +++++++----
..._win_susp_powershell_empire_uac_bypass.yml | 6 ++---
18 files changed, 63 insertions(+), 51 deletions(-)
diff --git a/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml b/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml
index 49dec79f7..ab074cb22 100644
--- a/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml
+++ b/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter
author: Markus Neis
date: 2018/08/26
-modified: 2022/02/09
+modified: 2022/08/13
tags:
- attack.credential_access
# Defender Attack Surface Reduction
@@ -36,7 +36,7 @@ detection:
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_begins:
ProcessName|startswith:
- - 'C:\Windows\System32\\DriverStore\'
+ - 'C:\Windows\System32\DriverStore\'
- 'C:\WINDOWS\Installer\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
diff --git a/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml b/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml
index 6efe66678..fd68a54eb 100644
--- a/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml
+++ b/rules/windows/file_event/file_event_win_susp_system_interactive_powershell.yml
@@ -6,6 +6,7 @@ author: Florian Roth
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
date: 2021/12/07
+modified: 2022/08/13
logsource:
product: windows
category: file_event
@@ -13,7 +14,7 @@ detection:
selection:
TargetFilename:
- 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
- - 'C:\Windows\System32\config\systemprofile\AppData\\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
+ - 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
condition: selection
falsepositives:
- Administrative activity
diff --git a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
index 0eef7528d..380927c1f 100644
--- a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
+++ b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml
@@ -8,13 +8,14 @@ author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
date: 2022/01/01
+modified: 2022/08/13
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- - '\\127.0.0'
+ - '\\\\127.0.0'
- '\ADMIN$\'
condition: selection
falsepositives:
diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
index 866440fb5..01d5c3647 100644
--- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/image_load_susp_system_drawing_load.yml
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
status: experimental
date: 2020/05/02
-modified: 2021/12/05
+modified: 2022/08/13
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.collection
@@ -27,10 +27,12 @@ detection:
- 'C:\Windows\Microsoft.NET\'
- 'C:\Windows\ImmersiveControlPanel\'
filter2:
- Image:
- - 'C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
- - 'C:\Users\\*\GitHubDesktop\Update.exe'
- - 'C:\Windows\System32\NhNotifSys.exe'
+ Image: 'C:\Windows\System32\NhNotifSys.exe'
+ filter3:
+ Image|startswith: 'C:\Users\'
+ Image|endswith:
+ - '\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
+ - '\GitHubDesktop\Update.exe'
condition: selection and not 1 of filter*
falsepositives:
- Unknown
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
index 69cac05e7..e82154a0b 100644
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
status: experimental
date: 2020/10/20
-modified: 2022/04/29
+modified: 2022/08/13
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.credential_access
@@ -24,19 +24,22 @@ detection:
- OriginalFileName:
- 'credui.dll'
- 'wincredui.dll'
- filter:
- - Image|startswith:
+ filter_start:
+ Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\explorer.exe'
- 'C:\Program Files\'
- - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\\*\Microsoft.SharePoint.exe'
- 'C:\Program Files (x86)\'
- - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- - 'C:\Users\\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- - 'C:\Users\\*\AppData\Roaming\Spotify\Spotify.exe'
- - Image|endswith: '\opera_autoupdate.exe'
- - Image|contains: '\Local\Microsoft\OneDrive\'
- condition: selection and not filter
+ filter_end:
+ Image|endswith: '\opera_autoupdate.exe'
+ filter_full:
+ Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+ filter_user:
+ Image|startswith: 'C:\Users\'
+ Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe'
+ filter_path:
+ Image|contains: '\Local\Microsoft\OneDrive\'
+ condition: selection and not 1 of filter_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
level: medium
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 46bbb9671..2c87f50da 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -14,7 +14,7 @@ logsource:
detection:
selection:
- Image|contains:
- # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows
+ # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows
- '\Users\All Users\'
- '\Users\Default\'
- '\Users\Public\'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 5e32f9eec..046048072 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
status: experimental
author: frack113
-date: 2022/01/01
+date: 2022/08/13
logsource:
product: windows
category: ps_script
@@ -18,7 +18,7 @@ detection:
- '-psprovider '
- 'filesystem'
- '-root '
- - '\\'
+ - '\\\\'
- '$'
condition: selection
falsepositives:
diff --git a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
index 5fe6da531..2ee526a84 100644
--- a/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml
@@ -3,6 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
date: 2020/09/09
+modified: 2022/08/13
author: Bhabesh Raj, Jonhnathan Ribeiro
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
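Review bot: The first `posh_ps_susp_new_psdrive.yml` hunk rewrites `date: 2022/01/01` to `date: 2022/08/13`, which overwrites the rule's creation date instead of recording the edit; every other file touched by this commit keeps `date` and adds a `modified: 2022/08/13` line (see the hunks just above and below). Suggested: keep `date: 2022/01/01` and add `modified: 2022/08/13` directly beneath it. The `'\\\\'` change in the second hunk follows the same escaping as the `'\\\\127.0.0'` change earlier in the commit, so no concern there.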
@@ -17,8 +18,8 @@ detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
- - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - 'C:\Windows\SYSTEM32\ntdll.dll+'
+ - '|C:\Windows\System32\KERNELBASE.dll+'
- '_ctypes.pyd+'
- 'python27.dll+'
GrantedAccess: '0x1FFFFF'
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
index 1ea9488ab..51c980f05 100644
--- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -7,7 +7,7 @@ status: experimental
description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)
author: Florian Roth
date: 2022/03/13
-modified: 2022/07/21
+modified: 2022/08/13
references:
- https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
@@ -32,12 +32,14 @@ detection:
- 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
- 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
- 'C:\WINDOWS\system32\taskhostw.exe'
- - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- 'C:\Program Files\Windows Defender\MsMpEng.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\lsass.exe'
- 'C:\WINDOWS\System32\perfmon.exe'
+ - 'C:\WINDOWS\system32\wbem\wmiprvse.exe'
+ - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe'
+ - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe'
# Windows Defender
filter2:
SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
@@ -61,12 +63,6 @@ detection: - 'C:\Program Files\' - 'C:\Program Files (x86)\' SourceImage|contains: 'Antivirus' - filter7: - SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - filter8: - SourceImage: 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' - filter_mcafee: - SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' filter_nextron: # SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' # Can be a manual THOR installation SourceImage|endswith: @@ -95,6 +91,7 @@ detection: - '\DropboxUpdate.exe' - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' + - '\Programs\Microsoft VS Code\Code.exe' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml index f4bd71b95..5738bf3c8 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml @@ -9,6 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: Florian Roth date: 2022/05/20 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -20,9 +21,9 @@ detection: - Company: AnyDesk Software GmbH filter: Image|contains: - - '\\AppData\\' - - 'Program Files (x86)\\AnyDesk' - - 'Program Files\\AnyDesk' + - '\AppData\' + - 'Program Files (x86)\AnyDesk' + - 'Program Files\AnyDesk' condition: selection and not filter falsepositives: - Legitimate use of AnyDesk from a non-standard folder diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml index 1761c0054..043666225 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml 
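Review bot: The VS Code exclusion is widened by this move: the entry removed in `@@ -32,12 +32,14 @@` matched only `C:\Users\*\AppData\Local\Programs\Microsoft VS Code\Code.exe`, while the new `'\Programs\Microsoft VS Code\Code.exe'` entry in `@@ -95,6 +91,7 @@` (presumably under a `SourceImage|endswith` list whose key sits above the hunk) excludes that suffix under any directory. Keeping more of the path, `- '\AppData\Local\Programs\Microsoft VS Code\Code.exe'`, preserves the original scope. Separately, the context entry `'\WebEx\WebexHost.exe '` carries a trailing space inside the quotes; if this is an endswith list that entry can never match an image path and should read `'\WebEx\WebexHost.exe'`.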
+++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml @@ -22,7 +22,7 @@ logsource: detection: selection: CommandLine: - - 'net use \\%DomainController%\C$ "P@ssw0rd" *' + - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *' - 'dir c:\\*.doc* /s' - 'dir %TEMP%\\*.exe' condition: selection diff --git a/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml b/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml index b0ecd7906..ee40b2161 100644 --- a/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml +++ b/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml @@ -3,6 +3,7 @@ id: 689308fc-cfba-4f72-9897-796c1dc61487 status: test author: frack113 date: 2021/10/12 +modified: 2022/08/13 description: Conti ransomware command line ioc references: - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/ @@ -21,7 +22,7 @@ detection: - '-net ' - '-size ' #size 10 in references - '-nomutex ' - - '-p \\' + - '-p \\\\' - '$' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml index 5b7ef48c7..0963ea8cf 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml @@ -9,6 +9,7 @@ tags: - attack.t1105 author: frack113 date: 2021/11/26 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -16,7 +17,7 @@ detection: selection: CommandLine|contains|all: - diantz.exe - - ' \\' + - ' \\\\' - '.cab' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml index 7b7d0d1cd..686037a0e 100644 
--- a/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml @@ -9,7 +9,7 @@ tags: - attack.t1105 author: frack113 date: 2021/11/26 -modified: 2022/07/08 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -24,7 +24,7 @@ detection: CommandLine|contains: - /C - /Y - - ' \\' + - ' \\\\' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml index fe63247ce..6d2b0f135 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml @@ -6,6 +6,7 @@ author: Florian Roth references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia date: 2022/02/25 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -15,7 +16,7 @@ detection: selection2: - CommandLine|contains: - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - - ' 1> \\127.0.0.1\ADMIN$\__16' + - ' 1> \\\\127.0.0.1\ADMIN$\__16' - CommandLine|contains|all: - 'powershell -c ' - '\comsvcs.dll MiniDump ' diff --git a/rules/windows/process_creation/proc_creation_win_net_enum.yml b/rules/windows/process_creation/proc_creation_win_net_enum.yml index 698626b70..35720fb76 100644 --- a/rules/windows/process_creation/proc_creation_win_net_enum.yml +++ b/rules/windows/process_creation/proc_creation_win_net_enum.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/10/30 -modified: 2019/11/11 +modified: 2022/08/13 tags: - attack.discovery - attack.t1018 
@@ -21,7 +21,7 @@ detection: - '\net1.exe' CommandLine|contains: 'view' filter: - CommandLine|contains: \\\ + CommandLine|contains: \\\\ condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup.yml b/rules/windows/process_creation/proc_creation_win_susp_gup.yml index 4d09b1602..22e132d76 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_gup.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_gup.yml @@ -6,20 +6,23 @@ author: Florian Roth references: - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html date: 2019/02/06 -modified: 2021/11/27 +modified: 2022/08/13 logsource: category: process_creation product: windows detection: selection: Image|endswith: '\GUP.exe' - filter: + filter_end: Image|endswith: - - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' - - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' - '\Program Files\Notepad++\updater\GUP.exe' - '\Program Files (x86)\Notepad++\updater\GUP.exe' - condition: selection and not filter + filter_user: + Image|contains: '\Users\' + Image|endswith: + - '\AppData\Local\Notepad++\updater\GUP.exe' + - '\AppData\Roaming\Notepad++\updater\GUP.exe' + condition: selection and not 1 of filter_* falsepositives: - Execution of tools named GUP.exe and located in folders different than Notepad++\updater level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml index a8b3ce72a..0ead24280 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml 
@@ -7,15 +7,15 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64 date: 2019/08/30 -modified: 2021/11/27 +modified: 2022/08/13 logsource: category: process_creation product: windows detection: selection: CommandLine|contains: - - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)' - - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);' + - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)' + - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);' condition: selection fields: - CommandLine From fecd7e2fbd6719b4e49c2753a2ad1b6c95c22584 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 13 Aug 2022 11:56:57 +0200 Subject: [PATCH 099/129] Update backslash --- .../proc_creation_win_apt_bear_activity_gtr19.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml index 001409a2b..c1ed7c5f5 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml @@ -6,7 +6,7 @@ author: Florian Roth references: - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ date: 2019/02/21 -modified: 2022/06/28 +modified: 2022/08/13 logsource: category: process_creation product: windows @@ -19,7 +19,7 @@ detection: - '/C' - '/Q' - '/H' - - '\\' + - '\\\\' selection2: Image|endswith: '\adexplorer.exe' CommandLine|contains|all: 
From c8ab5329551d4b7f36ec2f0b1f69d3f072ce2fa1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 13 Aug 2022 12:11:32 +0200 Subject: [PATCH 100/129] Search ? char --- rules/windows/process_creation/proc_creation_win_sdelete.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sdelete.yml index 179b39028..b235477bd 100644 --- a/rules/windows/process_creation/proc_creation_win_sdelete.yml +++ b/rules/windows/process_creation/proc_creation_win_sdelete.yml @@ -3,6 +3,7 @@ id: a4824fca-976f-4964-b334-0621379e84c4 status: experimental author: frack113 date: 2021/06/03 +modified: 2022/08/13 description: Use of SDelete to erase a file not the free space references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md @@ -20,7 +21,7 @@ detection: - ' -h' - ' -c' - ' -z' - - ' /?' + - ' /\?' condition: selection and not filter fields: - ComputerName From 0f760a6822c98744735525722c738a4ac0900bb6 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 13 Aug 2022 13:02:33 +0200 Subject: [PATCH 101/129] Fix ? char --- .../proc_creation_win_malware_conti_shadowcopy.yml | 4 ++-- .../proc_creation_win_susp_cmd_shadowcopy_access.yml | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index 36f686290..ecd19d24a 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml 
@@ -3,7 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command that accesses password storing registry hives via volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 -modified: 2021/12/02 +modified: 2022/08/13 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -13,7 +13,7 @@ logsource: product: windows detection: selection_1: - CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' + CommandLine|contains: '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' selection_2: CommandLine|contains: - '\\NTDS.dit' diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml index a03d6071b..2f8f2a72c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml @@ -3,6 +3,7 @@ id: c73124a7-3e89-44a3-bdc1-25fe4df754b1 description: Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use) author: Max Altgelt, Tobias Michalski date: 2021/08/09 +modified: 2022/08/13 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -12,7 +13,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' + CommandLine|contains: 'copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' condition: selection falsepositives: - Some rare backup scenarios From 6749532ae5c58557fde1a2fe291f95042b46c413 Mon Sep 17 00:00:00 2001 
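Review bot: Dropping the escape before `?` in `selection_1` of proc_creation_win_malware_conti_shadowcopy.yml (`'\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'`) turns the `?` into a Sigma single-character wildcard, so the pattern now matches two backslashes followed by any one character before `\GLOBALROOT` rather than the literal `\\?\GLOBALROOT` prefix; the same edit is made to `selection` in proc_creation_win_susp_cmd_shadowcopy_access.yml in this commit. This is the reverse of the ` /\?` fix applied to proc_creation_win_sdelete.yml in the previous commit. Keep `'\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'` (two literal backslashes, then a literal `?`) in both rules.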
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 13 Aug 2022 13:31:52 +0200 Subject: [PATCH 102/129] Update ref --- .../proc_creation_win_malware_conti_shadowcopy.yml | 4 +++- .../proc_creation_win_susp_cmd_shadowcopy_access.yml | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index ecd19d24a..46f530fb0 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml @@ -8,12 +8,14 @@ status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection + - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ logsource: category: process_creation product: windows detection: selection_1: - CommandLine|contains: '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' + #copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 + CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' selection_2: CommandLine|contains: - '\\NTDS.dit' diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml index 2f8f2a72c..58b3afad5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml 
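Review bot: The example comment added above `selection_1` in proc_creation_win_malware_conti_shadowcopy.yml, `#copy \\?\GLOBALROOT\...`, has no space after `#`, which yamllint's `comments` rule reports; the `#cmd /c copy ...` comment added to proc_creation_win_susp_cmd_shadowcopy_access.yml in the next hunk has the same form. Write them as `# Example: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1` so the sample command is clearly documentation of what the escaped pattern is meant to match.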
@@ -8,12 +8,14 @@ status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection + - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ logsource: category: process_creation product: windows detection: selection: - CommandLine|contains: 'copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' + #cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ + CommandLine|contains: 'copy \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy' condition: selection falsepositives: - Some rare backup scenarios From db137c48556707e5a77cfb0893b6bd3737395b84 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 14 Aug 2022 19:16:58 +0200 Subject: [PATCH 103/129] Add proc_creation_win_netsh_fw_delete --- .../proc_creation_win_netsh_fw_delete.yml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml new file mode 100644 index 000000000..147befbbd --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml 
@@ -0,0 +1,24 @@ +title: Netsh Port or Application Delete +id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2 +status: experimental +description: Detect removing Port or Application on Windows Firewall +author: frack113 +references: + - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/ +date: 2022/08/14 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'firewall' + - 'delete' + condition: selection +falsepositives: + - Legitimate administration +level: medium +tags: + - attack.defense_evasion + - attack.t1562.004 From bd3502148f5de25e3a386555ba39bdbd78c93ede Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 14 Aug 2022 20:22:25 +0200 Subject: [PATCH 104/129] Filter dropbax --- .../process_creation/proc_creation_win_netsh_fw_delete.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml index 147befbbd..30367c3d2 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml @@ -15,7 +15,10 @@ detection: CommandLine|contains|all: - 'firewall' - 'delete' - condition: selection + filter_dropbox: + ParentImage|endswith: '\Dropbox.exe' + CommandLine|contains: 'name=Dropbox' + condition: selection and not filter_dropbox falsepositives: - Legitimate administration level: medium From d09037c9addec96e23e7179970a2e25a2f9fe095 Mon Sep 17 00:00:00 2001 
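Review bot: The description `Detect removing Port or Application on Windows Firewall` understates what `selection` matches: `CommandLine|contains|all` on `'firewall'` and `'delete'` also catches `advfirewall firewall delete rule ...` and any other netsh invocation containing both words, so consider `description: Detects the removal of a port, application or rule from the Windows Firewall configuration via netsh`. Placing `tags` after `level` also differs from the other rules touched in this series, which put `tags` before `author` (e.g. proc_creation_win_lolbin_diantz_remote_cab.yml).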
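Review bot: `filter_dropbox` exempts any parent whose image name ends in `\Dropbox.exe` together with `name=Dropbox` in the command line, so the exclusion is keyed on a file name rather than on where the Dropbox client is installed. If the client's install location is stable, anchoring the parent path as well (e.g. adding `ParentImage|contains: '\Dropbox\'` — confirm against the actual install directory) keeps the exclusion tied to the legitimate binary. The `selection` key itself sits above this hunk.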
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sun, 14 Aug 2022 21:38:36 +0100 Subject: [PATCH 105/129] Add 2 New EventLog Sources - Microsoft-Windows-Shell-Core/Operational - Microsoft-Windows-Diagnosis-Scripted/Operational --- tools/config/elk-windows.yml | 16 +++++++++++++--- tools/config/elk-winlogbeat-sp.yml | 12 +++++++++++- tools/config/elk-winlogbeat.yml | 10 ++++++++++ tools/config/fireeye-helix.yml | 10 ++++++++++ tools/config/logpoint-windows.yml | 10 ++++++++++ tools/config/logstash-windows.yml | 10 ++++++++++ tools/config/powershell.yml | 12 +++++++++++- tools/config/splunk-windows.yml | 10 ++++++++++ tools/config/sumologic.yml | 10 ++++++++++ tools/config/thor.yml | 10 ++++++++++ tools/config/winlogbeat-modules-enabled.yml | 10 ++++++++++ tools/config/winlogbeat-old.yml | 10 ++++++++++ tools/config/winlogbeat.yml | 10 ++++++++++ 13 files changed, 135 insertions(+), 5 deletions(-) diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index 9f04061e9..e86e7a48e 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml @@ -81,12 +81,22 @@ logsources: product: windows service: bits-client conditions: - EventLog: 'Microsoft-Windows-Bits-Client/Operational' + EventLog: 'Microsoft-Windows-Bits-Client/Operational' windows-security-mitigations: product: windows service: security-mitigations conditions: EventLog: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + EventLog: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: logstash-* 
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index ef2728b92..ede0ae7e2 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -87,8 +87,18 @@ logsources: service: security-mitigations conditions: log_name: - - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' + - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + log_name: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 7a6f87482..0ca14b2b1 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml @@ -89,6 +89,16 @@ logsources: logname: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + logname: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index 151e464e7..ee7c5fb7b 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml 
@@ -115,6 +115,16 @@ logsources: channel: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + channel: 'Microsoft-Windows-Shell-Core/Operational' linux: product: linux index: posix diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index 235bfeb17..a9beaeaa4 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -89,6 +89,16 @@ logsources: event_source: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + event_source: 'Microsoft-Windows-Shell-Core/Operational' fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index 494395b20..7a2d7aee5 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml @@ -110,4 +110,14 @@ logsources: Channel: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + Channel: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: logstash-* diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index 012c5e1fc..47aab0d95 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml 
@@ -128,4 +128,14 @@ logsources: conditions: LogName: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - - 'Microsoft-Windows-Security-Mitigations/User Mode' \ No newline at end of file + - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + LogName: 'Microsoft-Windows-Shell-Core/Operational' \ No newline at end of file diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 46b2c86db..7e1d1e381 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -144,6 +144,16 @@ logsources: source: - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + source: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + source: 'Microsoft-Windows-Shell-Core/Operational' windows-defender: product: windows service: windefend diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index 634d96c21..d4900e2eb 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -118,6 +118,16 @@ logsources: EventChannel: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + EventChannel: 'Microsoft-Windows-Shell-Core/Operational' apache: service: apache index: WEBSERVER diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 150e4052a..37d2b8682 100644 --- a/tools/config/thor.yml 
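Review bot: In tools/config/splunk-windows.yml the new `source:` values `'Microsoft-Windows-Diagnosis-Scripted/Operational'` and `'Microsoft-Windows-Shell-Core/Operational'` lack the `WinEventLog:` prefix that the adjacent `security-mitigations` entries use (`'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode'`), so rules converted for these two services would carry a `source` filter in a different naming scheme from the rest of that file; the `sources:` lists added to tools/config/thor.yml in the next hunk show the same inconsistency. Use `source: 'WinEventLog:Microsoft-Windows-Diagnosis-Scripted/Operational'` and `source: 'WinEventLog:Microsoft-Windows-Shell-Core/Operational'` here and the prefixed forms in thor.yml. In tools/config/powershell.yml the new last line is still written without a trailing newline (`\ No newline at end of file`).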
+++ b/tools/config/thor.yml @@ -391,6 +391,16 @@ logsources: sources: - 'WinEventLog:Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + sources: + - 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + sources: + - 'Microsoft-Windows-Shell-Core/Operational' apache: category: webserver sources: diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 3a9d377be..6dfda1b3c 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -132,6 +132,16 @@ logsources: winlog.channel: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index a04e65c65..ca436d147 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml 
@@ -95,6 +95,16 @@ logsources: log_name: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + log_name: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 1860d3dcc..d5da9d965 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -121,6 +121,16 @@ logsources: winlog.channel: - 'Microsoft-Windows-Security-Mitigations/Kernel Mode' - 'Microsoft-Windows-Security-Mitigations/User Mode' + windows-diagnosis: + product: windows + service: diagnosis + conditions: + winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + winlog.channel: 'Microsoft-Windows-Shell-Core/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' From 6798d69d00db58037bfaa92b7421db462bbf7440 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 15 Aug 2022 00:22:08 +0100 Subject: [PATCH 106/129] Update --- rules/web/web_cve_2022_31659_vmware_rce.yml | 2 +- ...ile_event_win_iphlpapi_dll_sideloading.yml | 6 ++--- .../image_load/image_load_msdt_sdiageng.yml | 23 +++++++++---------- .../image_load_pingback_backdoor.yml | 4 ++-- ...in_susp_rundll32_js_runhtmlapplication.yml | 2 +- 5 files changed, 18 insertions(+), 19 deletions(-) diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml index 5d9fd9897..f4c8b747d 100644 --- a/rules/web/web_cve_2022_31659_vmware_rce.yml +++ b/rules/web/web_cve_2022_31659_vmware_rce.yml @@ -11,7 +11,7 @@ logsource: detection: selection: cs-method: 'POST' - c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to look spot the difference between benign and malicious requests to this URL + c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL condition: selection falsepositives: - Vulnerability scanners diff --git a/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml index 658c067f2..195227579 100644 --- a/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml +++ b/rules/windows/file_event/file_event_win_iphlpapi_dll_sideloading.yml 
@@ -2,8 +2,8 @@ title: Malicious DLL File Dropped in the Teams or OneDrive Folder id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163 status: experimental description: | - Detects creation of a malicious DLL file in the location where the OneDrive or Team applications - Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded + Detects creation of a malicious DLL file in the location where the OneDrive or Team applications + Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ author: frack113 @@ -24,4 +24,4 @@ tags: - attack.persistence - attack.privilege_escalation - attack.defense_evasion - - attack.t1574.002 + - attack.t1574.002 diff --git a/rules/windows/image_load/image_load_msdt_sdiageng.yml b/rules/windows/image_load/image_load_msdt_sdiageng.yml index 1db0d173d..dbcb49246 100644 --- a/rules/windows/image_load/image_load_msdt_sdiageng.yml +++ b/rules/windows/image_load/image_load_msdt_sdiageng.yml 
@@ -4,21 +4,20 @@ status: experimental
description: Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary
author: Greg (rule)
references:
- - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
+ - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
date: 2022/06/17
logsource:
- category: image_load
- product: windows
+ category: image_load
+ product: windows
detection:
- selection_img:
- Image|endswith: '\msdt.exe'
- selection_load:
- ImageLoaded|endswith: '\sdiageng.dll'
- condition: all of selection*
+ selection:
+ Image|endswith: '\msdt.exe'
+ ImageLoaded|endswith: '\sdiageng.dll'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: high
tags:
- - attack.defense_evasion
- - attack.t1202
- - cve.2022.30190
+ - attack.defense_evasion
+ - attack.t1202
+ - cve.2022.30190
diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml
index fd9ed05c8..75f0206d0 100644
--- a/rules/windows/image_load/image_load_pingback_backdoor.yml
+++ b/rules/windows/image_load/image_load_pingback_backdoor.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
author: Bhabesh Raj
date: 2021/05/05
-modified: 2021/09/09
+modified: 2022/08/14
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
@@ -16,7 +16,7 @@ logsource:
category: image_load
detection:
selection:
- Image|endswith: 'msdtc.exe'
+ Image|endswith: '\msdtc.exe'
ImageLoaded: 'C:\Windows\oci.dll'
condition: selection
falsepositives:
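Review bot: No `modified:` field accompanies the rewritten detection block in image_load_msdt_sdiageng.yml, although the pingback hunk in the same commit bumps `modified: 2022/08/14` for a smaller edit. Add `modified: 2022/08/14` directly after `date: 2022/06/17` so consumers that track rule revisions pick up the change. The merged `selection` carrying both `Image|endswith` and `ImageLoaded|endswith` is logically the same as the previous `all of selection*`, so detection coverage itself is unchanged.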
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
index dfef79f64..8d41da599 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
@@ -21,6 +21,6 @@ detection:
CommandLine|contains: ';document.write();GetObject("script'
condition: 1 of selection*
falsepositives:
- - Unknown
+ - Unlikely
level: high
From 8869bc6cfff2ac6b2eb71d346e552a44565fe5b2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:22:16 +0100
Subject: [PATCH 107/129] New rules
---
.../application/win_esent_ntdsutil_abuse.yml | 34 ++
...win_esent_ntdsutil_abuse_susp_location.yml | 28 ++
...diagnosis_scripted_load_remote_diagcab.yml | 22 ++
...win_shell_core_susp_packages_installed.yml | 34 ++
..._load_rundll32_loading_renamed_comsvcs.yml | 31 ++
...oad_side_load_from_non_system_location.yml | 368 ++++++++++++++++++
...ion_win_susp_mshtml_runhtmlapplication.yml | 26 ++
7 files changed, 543 insertions(+)
create mode 100644 rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
create mode 100644 rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
create mode 100644 rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
create mode 100644 rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
create mode 100644 rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
create mode 100644 rules/windows/image_load/image_load_side_load_from_non_system_location.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
new file mode 100644
index 000000000..fc953c4cc
--- /dev/null
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
@@ -0,0 +1,34 @@
+title: Ntdsutil Abuse
+id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
+status: experimental
+description: Detects potential abuse of ntdsutil to dump ntds.dit database
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'ESENT'
+ EventID: 325 # New Database Created
+ Data|contains: 'ntds.dit'
+ selection_paths:
+ Data|contains:
+ # Add more locations that you don't use in your env or that are just suspicious
+ - '\Users\Public\'
+ - '\Perflogs\'
+ - '\Temp\'
+ - '\Appdata\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - 'C:\ntds.dit'
+ condition: selection
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
new file mode 100644
index 000000000..47f24809b
--- /dev/null
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
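Review bot: `selection_paths` is defined but never referenced — `condition: selection` evaluates only the first block, so the suspicious-location list (`\Users\Public\`, `\Perflogs\`, `\Temp\`, ...) has no effect and the rule fires on every ESENT event 325 whose data mentions ntds.dit. Either rename the first block and use `condition: all of selection_*`, or drop the unused block. Separately, the only tag is `attack.execution`; creating a copy of ntds.dit is credential access, so `attack.credential_access` and `attack.t1003.003` describe it better, consistent with the comsvcs rule in this same commit that tags `attack.credential_access`.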
@@ -0,0 +1,28 @@
+title: Dump Ntds.dit To Suspicious Location
+id: 94dc4390-6b7c-4784-8ffc-335334404650
+status: experimental
+description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'ESENT'
+ EventID:
+ - 216
+ - 325
+ - 326
+ - 327
+ Data|contains: 'ntds.dit'
+ condition: selection
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
new file mode 100644
index 000000000..16264d94f
--- /dev/null
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
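Review bot: The title and description promise a detection of ntds.dit being written to a suspicious location, but the selection only matches ESENT EventIDs 216/325/326/327 with `Data|contains: 'ntds.dit'` and carries no path restriction; the path list lives in the sibling win_esent_ntdsutil_abuse.yml instead, so the two rule bodies look swapped. Either move the `selection_paths` block here and reference it in the condition, or retitle this rule as the broad variant. Only 325 is annotated anywhere in this commit (`# New Database Created`); add a trailing comment to each of the four EventIDs so a reader can verify which ESENT events are being grouped. The `attack.execution` tag has the same mismatch as the sibling rule — credential access (t1003.003) is the technique.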
@@ -0,0 +1,22 @@
+title: Loading Diagcab Package From Remote Path
+id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
+status: experimental
+description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/nas_bench/status/1539679555908141061
+ - https://twitter.com/j00sean/status/1537750439701225472
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: diagnosis
+detection:
+ selection:
+ EventID: 101
+ PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
+ condition: selection
+falsepositives:
+ - Legitimate package hosted on a known and authorized remote location
+level: high
diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
new file mode 100644
index 000000000..853b1a314
--- /dev/null
+++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
@@ -0,0 +1,34 @@
+title: Suspicious Application Installed
+id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
+status: experimental
+description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: shell-core
+detection:
+ selection_name:
+ EventID: 28115
+ Name|contains:
+ # Please add more
+ - 'Zenmap'
+ - 'AnyDesk'
+ - 'wireshark'
+ - 'openvpn'
+ selection_packageid:
+ EventID: 28115
+ AppID|contains:
+ # Please add more
+ - 'zenmap.exe'
+ - 'prokzult ad' # AnyDesk
+ - 'wireshark'
+ - 'openvpn'
+ condition: selection
+falsepositives:
+ - Packages or applications being legitimately used by users or administrators
+level: medium
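Review bot: `EventID: 101` has no comment saying which Diagnosis-Scripted event it is, while the ntdsutil rule in the same commit annotates `EventID: 325 # New Database Created`; add a trailing comment naming the event as it appears in the channel (I cannot confirm the name from here). `PackagePath|contains: '\\\\'` depends on Sigma's backslash escaping to mean two literal backslashes; the inline example shows the intent, but a short note such as `# '\\\\' is the Sigma-escaped UNC prefix '\\'` would keep a later editor from "simplifying" it to `'\\'` and silently breaking the match.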
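Review bot: In win_shell_core_susp_packages_installed.yml, `condition: selection` names an identifier that does not exist — the two blocks are `selection_name` and `selection_packageid` — so the rule fails conversion or, depending on the backend, never matches. Use `condition: 1 of selection_*`, which also expresses the intent of two alternative indicators. The `AppID|contains` list mixes an executable name with an opaque identifier (`'prokzult ad' # AnyDesk`); a one-line comment above the list explaining that AppID values are package identifiers rather than display names would help maintainers extend it correctly.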
diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
new file mode 100644
index 000000000..8c30f6338
--- /dev/null
+++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
@@ -0,0 +1,31 @@
+title: Rundll32 Loading Renamed Comsvcs DLL
+id: 8cde342c-ba48-4b74-b615-172c330f2e93
+status: experimental
+description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/sbousseaden/status/1555200155351228419
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ Hashes|contains:
+ # Add more hashes for other windows verions
+ - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
+ - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
+ - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
+ - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
+ - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
+ filter:
+ ImageLoaded|endswith: '\comsvcs.dll'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
new file mode 100644
index 000000000..1d99e4852
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
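Review bot: `Hashes|contains: IMPHASH=...` only works where the sensor actually emits import hashes — for Sysmon that means IMPHASH must be in the configured hash algorithms — and the rule does not say so; add a comment above `Hashes|contains`, e.g. `# Requires IMPHASH to be enabled in the Sysmon hash algorithm configuration`, and mention it in the description. The list is also build-specific, as `# Add more hashes for other windows verions` concedes (typo: `versions`), so a copy taken from a build not enumerated here is outside the rule's coverage; stating that limitation in the description lets operators judge the gap rather than assume complete coverage.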
@@ -0,0 +1,368 @@ +title: System DLL Sideloading From Non System Locations +id: 4fc0deee-0057-4998-ab31-d24e46e0aba4 +status: experimental +description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...) +references: + - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) + - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll + - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll +author: Nasreddine Bencherchali, Wietze Beukema (project and research) +date: 2022/08/14 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection_both: + ImageLoaded|endswith: + - '\shfolder.dll' + - '\activeds.dll' + - '\adsldpc.dll' + - '\aepic.dll' + - '\apphelp.dll' + - '\applicationframe.dll' + - '\appxalluserstore.dll' + - '\appxdeploymentclient.dll' + - '\archiveint.dll' + - '\atl.dll' + - '\audioses.dll' + - '\auditpolcore.dll' + - '\authfwcfg.dll' + - '\authz.dll' + - '\avrt.dll' + - '\bcd.dll' + - '\bcp47langs.dll' + - '\bcp47mrm.dll' + - '\bcrypt.dll' + - '\cabinet.dll' + - '\cabview.dll' + - '\certenroll.dll' + - '\cldapi.dll' + - '\clipc.dll' + - '\clusapi.dll' + - '\cmpbk32.dll' + - '\coloradapterclient.dll' + - '\colorui.dll' + - '\comdlg32.dll' + - '\connect.dll' + - '\coremessaging.dll' + - '\credui.dll' + - '\cryptbase.dll' + - '\cryptdll.dll' + - '\cryptui.dll' + - '\cryptxml.dll' + - '\cscapi.dll' + - '\cscobj.dll' + - '\cscui.dll' + - '\d2d1.dll' + - '\d3d10.dll' + - '\d3d10_1.dll' + - '\d3d10_1core.dll' + - '\d3d10core.dll' + - '\d3d10warp.dll' + - '\d3d11.dll' + - '\d3d12.dll' + - '\d3d9.dll' + - '\dataexchange.dll' + - '\davclnt.dll' + - '\dcomp.dll' + - '\defragproxy.dll' + - '\desktopshellext.dll' + - 
'\deviceassociation.dll' + - '\devicecredential.dll' + - '\devicepairing.dll' + - '\devobj.dll' + - '\devrtl.dll' + - '\dhcpcmonitor.dll' + - '\dhcpcsvc.dll' + - '\dhcpcsvc6.dll' + - '\directmanipulation.dll' + - '\dismapi.dll' + - '\dismcore.dll' + - '\dmcfgutils.dll' + - '\dmcmnutils.dll' + - '\dmenrollengine.dll' + - '\dmenterprisediagnostics.dll' + - '\dmiso8601utils.dll' + - '\dmoleaututils.dll' + - '\dmprocessxmlfiltered.dll' + - '\dmpushproxy.dll' + - '\dmxmlhelputils.dll' + - '\dnsapi.dll' + - '\dot3api.dll' + - '\dot3cfg.dll' + - '\dpx.dll' + - '\drprov.dll' + - '\dsclient.dll' + - '\dsparse.dll' + - '\dsreg.dll' + - '\dsrole.dll' + - '\dui70.dll' + - '\duser.dll' + - '\dusmapi.dll' + - '\dwmapi.dll' + - '\dwrite.dll' + - '\dxgi.dll' + - '\dxva2.dll' + - '\eappcfg.dll' + - '\eappprxy.dll' + - '\edputil.dll' + - '\efsadu.dll' + - '\efsutil.dll' + - '\esent.dll' + - '\execmodelproxy.dll' + - '\explorerframe.dll' + - '\fastprox.dll' + - '\faultrep.dll' + - '\fddevquery.dll' + - '\feclient.dll' + - '\fhcfg.dll' + - '\firewallapi.dll' + - '\flightsettings.dll' + - '\fltlib.dll' + - '\fveapi.dll' + - '\fwbase.dll' + - '\fwcfg.dll' + - '\fwpolicyiomgr.dll' + - '\fwpuclnt.dll' + - '\getuname.dll' + - '\hid.dll' + - '\hnetmon.dll' + - '\httpapi.dll' + - '\idstore.dll' + - '\ieadvpack.dll' + - '\iedkcs32.dll' + - '\iertutil.dll' + - '\ifmon.dll' + - '\iphlpapi.dll' + - '\iri.dll' + - '\iscsidsc.dll' + - '\iscsium.dll' + - '\isv.exe_rsaenh.dll' + - '\joinutil.dll' + - '\ksuser.dll' + - '\ktmw32.dll' + - '\licensemanagerapi.dll' + - '\licensingdiagspp.dll' + - '\linkinfo.dll' + - '\loadperf.dll' + - '\logoncli.dll' + - '\logoncontroller.dll' + - '\lpksetupproxyserv.dll' + - '\magnification.dll' + - '\mapistub.dll' + - '\mfcore.dll' + - '\mfplat.dll' + - '\mi.dll' + - '\midimap.dll' + - '\miutils.dll' + - '\mlang.dll' + - '\mmdevapi.dll' + - '\mobilenetworking.dll' + - '\mpr.dll' + - '\mprapi.dll' + - '\mrmcorer.dll' + - '\msacm32.dll' + - '\mscms.dll' + - 
'\mscoree.dll' + - '\msctf.dll' + - '\msctfmonitor.dll' + - '\msdrm.dll' + - '\msftedit.dll' + - '\msi.dll' + - '\msutb.dll' + - '\mswb7.dll' + - '\mswsock.dll' + - '\msxml3.dll' + - '\mtxclu.dll' + - '\napinsp.dll' + - '\ncrypt.dll' + - '\ndfapi.dll' + - '\netid.dll' + - '\netiohlp.dll' + - '\netplwiz.dll' + - '\netprofm.dll' + - '\netsetupapi.dll' + - '\netshell.dll' + - '\netutils.dll' + - '\networkexplorer.dll' + - '\newdev.dll' + - '\ninput.dll' + - '\nlaapi.dll' + - '\nlansp_c.dll' + - '\npmproxy.dll' + - '\nshhttp.dll' + - '\nshipsec.dll' + - '\nshwfp.dll' + - '\ntdsapi.dll' + - '\ntlanman.dll' + - '\ntlmshared.dll' + - '\ntmarta.dll' + - '\ntshrui.dll' + - '\oleacc.dll' + - '\omadmapi.dll' + - '\onex.dll' + - '\osbaseln.dll' + - '\osuninst.dll' + - '\p2p.dll' + - '\p2pnetsh.dll' + - '\p9np.dll' + - '\pcaui.dll' + - '\pdh.dll' + - '\peerdistsh.dll' + - '\pla.dll' + - '\pnrpnsp.dll' + - '\policymanager.dll' + - '\polstore.dll' + - '\printui.dll' + - '\propsys.dll' + - '\prvdmofcomp.dll' + - '\puiapi.dll' + - '\radcui.dll' + - '\rasapi32.dll' + - '\rasgcw.dll' + - '\rasman.dll' + - '\rasmontr.dll' + - '\reagent.dll' + - '\regapi.dll' + - '\resutils.dll' + - '\rmclient.dll' + - '\rpcnsh.dll' + - '\rsaenh.dll' + - '\rtutils.dll' + - '\rtworkq.dll' + - '\samcli.dll' + - '\samlib.dll' + - '\sapi_onecore.dll' + - '\sas.dll' + - '\scansetting.dll' + - '\scecli.dll' + - '\schedcli.dll' + - '\secur32.dll' + - '\shell32.dll' + - '\slc.dll' + - '\snmpapi.dll' + - '\spp.dll' + - '\sppc.dll' + - '\srclient.dll' + - '\srpapi.dll' + - '\srvcli.dll' + - '\ssp.exe_rsaenh.dll' + - '\ssp_isv.exe_rsaenh.dll' + - '\sspicli.dll' + - '\ssshim.dll' + - '\staterepository.core.dll' + - '\structuredquery.dll' + - '\sxshared.dll' + - '\tapi32.dll' + - '\tbs.dll' + - '\tdh.dll' + - '\tquery.dll' + - '\tsworkspace.dll' + - '\ttdrecord.dll' + - '\twext.dll' + - '\twinapi.dll' + - '\twinui.appcore.dll' + - '\uianimation.dll' + - '\uiautomationcore.dll' + - '\uireng.dll' + - '\uiribbon.dll' 
+ - '\updatepolicy.dll' + - '\userenv.dll' + - '\utildll.dll' + - '\uxinit.dll' + - '\uxtheme.dll' + - '\vaultcli.dll' + - '\virtdisk.dll' + - '\vssapi.dll' + - '\vsstrace.dll' + - '\wbemprox.dll' + - '\wbemsvc.dll' + - '\wcmapi.dll' + - '\wcnnetsh.dll' + - '\wdi.dll' + - '\wdscore.dll' + - '\webservices.dll' + - '\wecapi.dll' + - '\wer.dll' + - '\wevtapi.dll' + - '\whhelper.dll' + - '\wimgapi.dll' + - '\winbrand.dll' + - '\windows.storage.dll' + - '\windows.storage.search.dll' + - '\windowscodecs.dll' + - '\windowscodecsext.dll' + - '\windowsudk.shellcommon.dll' + - '\winhttp.dll' + - '\wininet.dll' + - '\winipsec.dll' + - '\winmde.dll' + - '\winmm.dll' + - '\winnsi.dll' + - '\winrnr.dll' + - '\winsqlite3.dll' + - '\winsta.dll' + - '\wkscli.dll' + - '\wlanapi.dll' + - '\wlancfg.dll' + - '\wldp.dll' + - '\wlidprov.dll' + - '\wmiclnt.dll' + - '\wmidcom.dll' + - '\wmiutils.dll' + - '\wmsgapi.dll' + - '\wofutil.dll' + - '\wpdshext.dll' + - '\wshbth.dll' + - '\wshelper.dll' + - '\wtsapi32.dll' + - '\wwapi.dll' + - '\xmllite.dll' + - '\xolehlp.dll' + - '\xwizards.dll' + - '\xwtpw32.dll' + - '\aclui.dll' + selection_sys32: + ImageLoaded|endswith: + - '*\bderepair.dll' + - '\bootmenuux.dll' + - '\dcntel.dll' + - '\dwmcore.dll' + - '\dynamoapi.dll' + - '\fhsvcctl.dll' + - '\fxsst.dll' + - '\inproclogger.dll' + - '\iumbase.dll' + - '\kdstub.dll' + - '\maintenanceui.dll' + - '\mdmdiagnostics.dll' + - '\mintdh.dll' + - '\msdtctm.dll' + - '\nettrace.dll' + - '\osksupport.dll' + - '\reseteng.dll' + - '\resetengine.dll' + - '\spectrumsyncclient.dll' + - '\srcore.dll' + - '\systemsettingsthresholdadminflowui.dll' + - '\timesync.dll' + - '\upshared.dll' + - '\wmpdui.dll' + - '\wwancfg.dll' + + filter_sys32: + ImageLoaded|startswith: 'C:\Windows\System32\' + filter_both: + ImageLoaded|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: (selection_both and not filter_both) or (selection_sys32 and not filter_sys32) +falsepositives: + - Legitimate 
applications loading their own versions of the DLLs mentioned in this rule
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
new file mode 100644
index 000000000..16b66e8cb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
@@ -0,0 +1,26 @@
+title: Rundll32 JS RunHTMLApplication Pattern
+id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
+related:
+ - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
+ type: derived
+status: experimental
+description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/n1nj4sec/status/1421190238081277959
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '\..\'
+ - 'mshtml'
+ - 'RunHTMLApplication'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
From e092872e87dfeea5e5158326db07e0c9e45b9a09 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:26:15 +0100
Subject: [PATCH 108/129] Update proc_creation_win_susp_mshtml_runhtmlapplication.yml
---
.../proc_creation_win_susp_mshtml_runhtmlapplication.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
index 16b66e8cb..da52f9558 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
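Review bot: `'*\bderepair.dll'` in `selection_sys32` carries a leading `*` that no other entry in either list has; under the `endswith` modifier the wildcard is implied, so it is redundant and inconsistent — write `- '\bderepair.dll'`. The filters hard-code `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, so on a host whose system drive is not C: nothing is excluded and every legitimate load of a listed DLL alerts; presumably acceptable for most fleets, but it belongs in falsepositives. Windows may also load some of these DLLs from other trusted locations under the Windows directory (side-by-side assemblies in WinSxS, for instance) that neither filter covers, so expect noise from there until such paths are added. This hunk begins at the `@@ -0,0 +1,368 @@` header several lines above.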
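Review bot: In proc_creation_win_susp_mshtml_runhtmlapplication.yml the description has a typo, `htpp...)` should read `http...)`. The `'\..\'` entry appears to be what separates this pattern from ordinary `mshtml`/`RunHTMLApplication` command lines covered by the related rule; a one-line comment above the `contains|all` list saying so would discourage a future edit from dropping it and widening the match. A trailing comment on the `related` id giving that rule's title would also make the derivation readable without a lookup.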
@@ -1,4 +1,4 @@
-title: Rundll32 JS RunHTMLApplication Pattern
+title: Mshtml DLL RunHTMLApplication Abuse
id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
related:
- id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
From 11b4b4625817ffeab3f3fd17d0d9bdb6f462a42f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:32:18 +0100
Subject: [PATCH 109/129] Update win_shell_core_susp_packages_installed.yml
---
.../shell_core/win_shell_core_susp_packages_installed.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
index 853b1a314..0c11855c6 100644
--- a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
+++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
@@ -28,7 +28,7 @@ detection:
- 'prokzult ad' # AnyDesk
- 'wireshark'
- 'openvpn'
- condition: selection
+ condition: 1 of selection_*
falsepositives:
- Packages or applications being legitimately used by users or administrators
level: medium
From 28793298184e2b32dab371ba6b0f212363b81272 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:34:58 +0100
Subject: [PATCH 110/129] Update image_load_side_load_from_non_system_location.yml
---
.../image_load_side_load_from_non_system_location.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 1d99e4852..aaa934975 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -357,11 +357,14 @@ detection:
- '\wwancfg.dll'
filter_sys32:
- ImageLoaded|startswith: 'C:\Windows\System32\'
+ ImageLoaded|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\WinSxS\'
filter_both:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
condition: (selection_both and not filter_both) or (selection_sys32 and not filter_sys32)
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
From 1bb24879fecb7020eaff308bd521ab5b1878b2fc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:42:46 +0100
Subject: [PATCH 111/129] Update image_load_side_load_from_non_system_location.yml
---
...oad_side_load_from_non_system_location.yml | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index aaa934975..98e77ec5b 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -18,7 +18,7 @@ logsource:
category: image_load
product: windows
detection:
- selection_both:
+ selection:
ImageLoaded|endswith:
- '\shfolder.dll'
- '\activeds.dll'
@@ -96,7 +96,6 @@ detection:
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- - '\dpx.dll'
- '\drprov.dll'
- '\dsclient.dll'
- '\dsparse.dll'
@@ -328,9 +327,7 @@ detection:
- '\xwizards.dll'
- '\xwtpw32.dll'
- '\aclui.dll'
- selection_sys32:
- ImageLoaded|endswith:
- - '*\bderepair.dll'
+ - '\bderepair.dll'
- '\bootmenuux.dll'
- '\dcntel.dll'
- '\dwmcore.dll'
@@ -355,17 +352,15 @@ detection:
- '\upshared.dll'
- '\wmpdui.dll'
- '\wwancfg.dll'
-
- filter_sys32:
- ImageLoaded|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\WinSxS\'
- filter_both:
+ - '\dpx.dll'
+ filter:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- condition: (selection_both and not filter_both) or (selection_sys32 and not filter_sys32)
+ - 'C:\Windows\SoftwareDistribution\'
+ - 'C:\Windows\SystemTemp\'
+ condition: selection and not filter
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: medium
From 44d8f5bc9a6a2c2b26d30e6814b6e1eb97419e9b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:51:19 +0100
Subject: [PATCH 112/129] Update win_esent_ntdsutil_abuse.yml
---
.../windows/builtin/application/win_esent_ntdsutil_abuse.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
index fc953c4cc..a09620508 100644
--- a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
@@ -12,7 +12,7 @@ logsource:
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
- selection:
+ selection_root:
Provider_Name: 'ESENT'
EventID: 325 # New Database Created
Data|contains: 'ntds.dit'
@@ -26,7 +26,7 @@ detection:
- '\Desktop\'
- '\Downloads\'
- 'C:\ntds.dit'
- condition: selection
+ condition: all of selection_*
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
From 429e219d5b0a27b345f165245097ca54805301f5 Mon Sep 17 00:00:00 2001
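Review bot: The new filter entries `'C:\Windows\SoftwareDistribution\'` and `'C:\Windows\SystemTemp\'` exclude whole directory trees by prefix, and whether that is safe depends on those directories not being writable by ordinary users on the target fleet — something the hunk does not state. A one-line comment per entry giving the reason it is trusted (e.g. `# Windows Update staging area — verify ACLs before relying on this exclusion`) lets the next reviewer check the assumption instead of inheriting it. Style: `'\dpx.dll'` is re-added after `'\wwancfg.dll'` at the tail of a mostly alphabetical list; if the move is deliberate (grouping it with the former selection_sys32 entries), say so in a comment, otherwise keep it in its earlier position.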
From: Tobias Michalski
Date: Mon, 15 Aug 2022 10:42:09 +0200
Subject: [PATCH 113/129] chore: Change subrepo from ssh to https
---
.gitmodules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitmodules b/.gitmodules
index 5d64ad6dc..af5385f20 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
[submodule "tests/cti"]
path = tests/cti
- url = git@github.com:mitre/cti.git
+ url = https://github.com/mitre/cti.git
From 643f77aafff553b70defe3647fb1fae55761675a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 15 Aug 2022 11:38:50 +0200
Subject: [PATCH 114/129] Update proc_creation_win_netsh_fw_delete.yml
---
.../process_creation/proc_creation_win_netsh_fw_delete.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
index 30367c3d2..745649667 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml
@@ -1,7 +1,7 @@
-title: Netsh Port or Application Delete
+title: Netsh Firewall Rule Deletion
id: 1a5fefe6-734f-452e-a07d-fc1c35bce4b2
status: experimental
-description: Detect removing Port or Application on Windows Firewall
+description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
author: frack113
references:
- https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
From 6407089a40e876867b8a282727c1f648351643f9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 12:45:12 +0100
Subject: [PATCH 115/129] Change service to diagnosis scripted
---
.../scripted/win_diagnosis_scripted_load_remote_diagcab.yml | 2 +-
tools/config/elk-windows.yml | 2 +-
tools/config/elk-winlogbeat-sp.yml | 2 +-
tools/config/elk-winlogbeat.yml | 2 +-
tools/config/fireeye-helix.yml | 2 +-
tools/config/logpoint-windows.yml | 2 +-
tools/config/logstash-windows.yml | 2 +-
tools/config/powershell.yml | 2 +-
tools/config/splunk-windows.yml | 2 +-
tools/config/sumologic.yml | 2 +-
tools/config/thor.yml | 2 +-
tools/config/winlogbeat-modules-enabled.yml | 2 +-
tools/config/winlogbeat-old.yml | 2 +-
tools/config/winlogbeat.yml | 2 +-
14 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
index 16264d94f..985646ec8 100644
--- a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
@@ -11,7 +11,7 @@ tags:
- attack.execution
logsource:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
detection:
selection:
EventID: 101
diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml
index e86e7a48e..d2d0f9e2e 100644
--- a/tools/config/elk-windows.yml
+++ b/tools/config/elk-windows.yml
@@ -91,7 +91,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
EventLog: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml
index ede0ae7e2..abdd5c3cc 100644
--- a/tools/config/elk-winlogbeat-sp.yml
+++ b/tools/config/elk-winlogbeat-sp.yml
@@ -91,7 +91,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 0ca14b2b1..79300a018 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -91,7 +91,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
logname: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml
index ee7c5fb7b..613ec4c7b 100644
--- a/tools/config/fireeye-helix.yml
+++ b/tools/config/fireeye-helix.yml
@@ -117,7 +117,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml
index a9beaeaa4..60ca2c22c 100644
--- a/tools/config/logpoint-windows.yml
+++ b/tools/config/logpoint-windows.yml
@@ -91,7 +91,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
event_source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml
index 7a2d7aee5..03ed667ad 100644
--- a/tools/config/logstash-windows.yml
+++ b/tools/config/logstash-windows.yml
@@ -112,7 +112,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml
index 47aab0d95..aaa9038aa 100644
--- a/tools/config/powershell.yml
+++ b/tools/config/powershell.yml
@@ -131,7 +131,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
LogName: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index 7e1d1e381..88f0ee855 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -146,7 +146,7 @@ logsources:
- 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
source: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml
index d4900e2eb..c289dcc6c 100644
--- a/tools/config/sumologic.yml
+++ b/tools/config/sumologic.yml
@@ -120,7 +120,7 @@ logsources:
- 'Microsoft-Windows-Security-Mitigations/User Mode'
windows-diagnosis:
product: windows
- service: diagnosis
+ service: diagnosis-scripted
conditions:
EventChannel: 'Microsoft-Windows-Diagnosis-Scripted/Operational'
windows-shell-core:
diff --git a/tools/config/thor.yml b/tools/config/thor.yml
index 37d2b8682..6cddafdd6 100644
--- a/tools/config/thor.yml
+++ b/tools/config/thor.yml
@@ -393,7 +393,7 @@ logsources: - 'WinEventLog:Microsoft-Windows-Security-Mitigations/User Mode' windows-diagnosis: product: windows - service: diagnosis + service: diagnosis-scripted sources: - 'Microsoft-Windows-Diagnosis-Scripted/Operational' windows-shell-core: diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 6dfda1b3c..456756902 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -134,7 +134,7 @@ logsources: - 'Microsoft-Windows-Security-Mitigations/User Mode' windows-diagnosis: product: windows - service: diagnosis + service: diagnosis-scripted conditions: winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' windows-shell-core: diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index ca436d147..263ba8731 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -97,7 +97,7 @@ logsources: - 'Microsoft-Windows-Security-Mitigations/User Mode' windows-diagnosis: product: windows - service: diagnosis + service: diagnosis-scripted conditions: log_name: 'Microsoft-Windows-Diagnosis-Scripted/Operational' windows-shell-core: diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index d5da9d965..22f9afb67 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -123,7 +123,7 @@ logsources: - 'Microsoft-Windows-Security-Mitigations/User Mode' windows-diagnosis: product: windows - service: diagnosis + service: diagnosis-scripted conditions: winlog.channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' windows-shell-core: From 306fc8aba023858755b965a5e12c2370b6da8c6e Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 15 Aug 2022 12:46:59 +0100 Subject: [PATCH 116/129] Fix typo --- .../application/win_esent_ntdsutil_abuse.yml | 20 +++++++------------ ...win_esent_ntdsutil_abuse_susp_location.yml | 20 ++++++++++++------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml index a09620508..5e469d8ea 100644 --- a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml +++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml @@ -12,21 +12,15 @@ logsource: service: application # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: - selection_root: + selection: Provider_Name: 'ESENT' - EventID: 325 # New Database Created + EventID: + - 216 + - 325 + - 326 + - 327 Data|contains: 'ntds.dit' - selection_paths: - Data|contains: - # Add more locations that you don't use in your env or that are just suspicious - - '\Users\Public\' - - '\Perflogs\' - - '\Temp\' - - '\Appdata\' - - '\Desktop\' - - '\Downloads\' - - 'C:\ntds.dit' - condition: all of selection_* + condition: selection falsepositives: - Legitimate backup operation/creating shadow copies level: medium diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml index 47f24809b..e38efe053 100644 --- a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml +++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml 
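Review bot: The widened selection now matches ESENT 216/325/326/327 for any event data containing `ntds.dit`, and on a domain controller that most likely includes lsass attaching and detaching the production `C:\Windows\NTDS\ntds.dit` at every boot and shutdown (326/327), so the rule will fire on routine DC restarts. Either exclude the production path, e.g. `filter_main:` / `Data|contains: '\NTDS\ntds.dit'` with `condition: selection and not filter_main` (to be confirmed against a real DC Application log, since an ntdsutil IFM export may also reference that path), or at minimum extend falsepositives with `- Domain controller startup/shutdown (ESENT 326/327 for the production ntds.dit)`. The commit is titled "Fix typo" but it actually swaps the detection logic of this rule with the `_susp_location` sibling, which deserves saying in the message. The `falsepositives`/`level` lines are unchanged context.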
@@ -12,15 +12,21 @@ logsource: service: application # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly detection: - selection: + selection_root: Provider_Name: 'ESENT' - EventID: - - 216 - - 325 - - 326 - - 327 + EventID: 325 # New Database Created Data|contains: 'ntds.dit' - condition: selection + selection_paths: + Data|contains: + # Add more locations that you don't use in your env or that are just suspicious + - '\Users\Public\' + - '\Perflogs\' + - '\Temp\' + - '\Appdata\' + - '\Desktop\' + - '\Downloads\' + - 'C:\ntds.dit' + condition: all of selection_* falsepositives: - Legitimate backup operation/creating shadow copies level: medium From a0f8e508b553746e9d9446930aaa79e45574059a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 15 Aug 2022 12:49:46 +0100 Subject: [PATCH 117/129] Update image_load_side_load_from_non_system_location.yml --- .../image_load_side_load_from_non_system_location.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 98e77ec5b..bdef52fee 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml 
@@ -353,14 +353,18 @@ detection: - '\wmpdui.dll' - '\wwancfg.dll' - '\dpx.dll' - filter: + filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - 'C:\Windows\SoftwareDistribution\' - - 'C:\Windows\SystemTemp\' - condition: selection and not filter + filter_systemp: + ImageLoaded|startswith: 'C:\Windows\SystemTemp\' + User|contains: # covers many language settings + - 'AUTHORI' + - 'AUTORI' + condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule level: medium From 29901228fd4f3b90f442cebb7074e6653e4f5f94 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:32:07 +0200 Subject: [PATCH 118/129] Update proxy_baby_shark.yml --- rules/proxy/proxy_baby_shark.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/proxy/proxy_baby_shark.yml b/rules/proxy/proxy_baby_shark.yml index e768fba26..84f28d7fe 100644 --- a/rules/proxy/proxy_baby_shark.yml +++ b/rules/proxy/proxy_baby_shark.yml @@ -4,6 +4,7 @@ status: experimental description: Detects Baby Shark C2 Framework communication patterns author: Florian Roth date: 2021/06/09 +modified: 2022/08/15 references: - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 logsource: From f50de1d4e1d17500cb722ffab53b74f51b61fb8b Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:32:20 +0200 Subject: [PATCH 119/129] Update proxy_chafer_malware.yml --- rules/proxy/proxy_chafer_malware.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 6e2c7c79b..d3a9e9283 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml 
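Review bot: `filter_systemp` only works if the image_load source actually populates `User`; where it does not (older Sysmon builds did not emit `User` on event 7, as far as I recall), the filter never matches and every load from `C:\Windows\SystemTemp\` becomes an alert, the opposite of the blanket exclusion it replaces. A one-line comment on the filter would record the intent for whoever tunes it, e.g. `# SystemTemp is written by elevated installers running as SYSTEM; only system-context loads from it are excluded, user-context loads stay detected`. Note that `'AUTHORI'`/`'AUTORI'` also match LOCAL SERVICE and NETWORK SERVICE, which is presumably acceptable. The `selection` DLL list starts outside the hunk.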
@@ -6,7 +6,7 @@ author: Florian Roth references: - https://securelist.com/chafer-used-remexi-malware/89538/ date: 2019/01/31 -modified: 2021/11/27 +modified: 2022/08/15 logsource: category: proxy detection: From 2ea7fc0c51ffa01ccfa1a1ece2c8d3d270b830a1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:32:34 +0200 Subject: [PATCH 120/129] Update proxy_turla_comrat.yml --- rules/proxy/proxy_turla_comrat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_turla_comrat.yml b/rules/proxy/proxy_turla_comrat.yml index 4423e4a74..cee9dee4a 100644 --- a/rules/proxy/proxy_turla_comrat.yml +++ b/rules/proxy/proxy_turla_comrat.yml @@ -6,7 +6,7 @@ author: Florian Roth references: - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf date: 2020/05/26 -modified: 2021/11/27 +modified: 2022/08/15 logsource: category: proxy detection: From 9d914ac240edd6b027dc93a0de19b58add5bd23c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:33:00 +0200 Subject: [PATCH 121/129] Update proxy_cobalt_onedrive.yml --- rules/proxy/proxy_cobalt_onedrive.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 273851d5d..d57deaf5d 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -6,7 +6,7 @@ author: Markus Neis references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile date: 2019/11/12 -modified: 2022/01/07 +modified: 2022/08/15 logsource: category: proxy detection: From 91dbc5e7217170cceb87cd1f7e8b8e08908cb2a1 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:33:17 +0200 Subject: [PATCH 122/129] Update proxy_ursnif_malware_download_url.yml --- rules/proxy/proxy_ursnif_malware_download_url.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ursnif_malware_download_url.yml b/rules/proxy/proxy_ursnif_malware_download_url.yml index d34d4fd40..223ad147c 100644 --- a/rules/proxy/proxy_ursnif_malware_download_url.yml +++ b/rules/proxy/proxy_ursnif_malware_download_url.yml @@ -4,7 +4,7 @@ status: stable description: Detects download of Ursnif malware done by dropper documents. author: Thomas Patzke date: 2019/12/19 -modified: 2021/08/09 +modified: 2022/08/15 logsource: category: proxy detection: From 80632dc4d0632dd1131d05c981189bf6e5b32351 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:33:39 +0200 Subject: [PATCH 123/129] Update proxy_ios_implant.yml --- rules/proxy/proxy_ios_implant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index 4e65c5efb..389bf2f5c 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml @@ -7,7 +7,7 @@ references: - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html - https://twitter.com/craiu/status/1167358457344925696 date: 2019/08/30 -modified: 2021/11/27 +modified: 2022/08/15 logsource: category: proxy detection: From bebeedb6239570017d0235592c012817bfaef530 Mon Sep 17 00:00:00 2001 From: Ben4FH <98482457+Ben4FH@users.noreply.github.com> Date: Mon, 15 Aug 2022 17:28:48 +0100 Subject: [PATCH 124/129] Update EID 5156 field names Update to keep field names consistent for all rules using EID 5156 --- .../builtin/security/win_global_catalog_enumeration.yml | 4 ++-- .../security/win_susp_outbound_kerberos_connection.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/rules/windows/builtin/security/win_global_catalog_enumeration.yml b/rules/windows/builtin/security/win_global_catalog_enumeration.yml index 6659a8c0c..6738b172e 100644 --- a/rules/windows/builtin/security/win_global_catalog_enumeration.yml +++ b/rules/windows/builtin/security/win_global_catalog_enumeration.yml @@ -4,7 +4,7 @@ status: experimental author: Chakib Gzenayi (@Chak092), Hosni Mribah id: 619b020f-0fd7-4f23-87db-3f51ef837a34 date: 2020/05/11 -modified: 2021/06/01 +modified: 2022/08/15 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156 tags: @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 5156 - DestinationPort: + DestPort: - 3268 - 3269 timeframe: 1h diff --git a/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml index 8f331063c..785337246 100644 --- a/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/security/win_susp_outbound_kerberos_connection.yml @@ -6,16 +6,16 @@ author: Ilyas Ochkov, oscd.community references: - https://github.com/GhostPack/Rubeus date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/08/15 logsource: product: windows service: security detection: selection: EventID: 5156 - DestinationPort: 88 + DestPort: 88 filter: - Image|endswith: + Application|endswith: - '\lsass.exe' - '\opera.exe' - '\chrome.exe' From b6c5967443ab1e20d15a24c9979f1efb017befb4 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 16 Aug 2022 13:45:20 +0000 Subject: [PATCH 125/129] Filter out FP for LANDesk app --- .../file_event/file_event_win_susp_adsi_cache_usage.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml index 997330451..81b34659c 100755 
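Review bot: After switching the filter to `Application|endswith`, it is worth recording that EID 5156 reports `Application` as an NT device path (`\device\harddiskvolumeN\windows\system32\lsass.exe`) rather than a `C:\` path, so `endswith`/`contains` work but a future `startswith: 'C:\'`-style exclusion on this field would silently match nothing; a comment such as `# 5156 Application is a \device\harddiskvolumeN\... path, not C:\ - only use endswith/contains` next to the field prevents that. The same device-path form means backends that do not match case-insensitively need lowercase suffixes here. The rest of the filter list and the condition are outside the hunk.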
--- a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml @@ -2,13 +2,13 @@ title: Suspicious ADSI-Cache Usage By Unknown Tool id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb status: test description: Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. -author: xknow @xknow_infosec +author: xknow @xknow_infosec, Tim Shelton references: - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - https://github.com/fox-it/LDAPFragger date: 2019/03/24 -modified: 2022/04/21 +modified: 2022/08/16 logsource: product: windows category: file_event @@ -27,6 +27,8 @@ detection: - 'C:\Windows\System32\wbem\WmiPrvSE.exe' filter_begins: Image|startswith: 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + filter_ends: + Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe' filter_domain_controller: Image: - 'C:\Windows\system32\efsui.exe' From 29645068346b1602b7996291ea10848d14d36e88 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Tue, 16 Aug 2022 16:14:08 +0200 Subject: [PATCH 126/129] proxy_ua_bitsadmin_susp_tld.yml fp filter --- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 6516f0304..c16637dc0 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml 
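Review bot: `filter_ends` excludes by path suffix only, so any binary at `*\LANDesk\LDCLient\ldapwhoami.exe`, including one dropped under a user-writable directory, bypasses the rule; since this is a vendor agent with a fixed install root, pin the full path instead, e.g. `Image:` with `- 'C:\Program Files\LANDesk\LDClient\ldapwhoami.exe'` and `- 'C:\Program Files (x86)\LANDesk\LDClient\ldapwhoami.exe'` (adjusted to wherever the agent actually installs). `LDCLient` also looks like a typo for `LDClient`; matching is case-insensitive so it still works, but it will mislead the next reader. The remaining filters and the condition are outside the hunk.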
@@ -4,7 +4,7 @@ status: experimental description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth, Tim Shelton date: 2019/03/07 -modified: 2022/05/09 +modified: 2022/08/16 logsource: category: proxy detection: @@ -16,6 +16,7 @@ detection: - '.net' - '.org' - '.scdn.co' # spotify streaming + - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json condition: selection and not falsepositives fields: - ClientIP From 48f8f788e8f6bb843b2a63bdbb98457128715221 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 16 Aug 2022 13:45:12 +0200 Subject: [PATCH 127/129] fix: FP in testing from localhost to localhost from BITs service --- ...et_connection_win_remote_powershell_session_network.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml index 15e2a2d54..465b440ff 100755 --- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html date: 2019/09/12 -modified: 2022/08/09 +modified: 2022/08/16 logsource: category: network_connection product: windows 
@@ -29,7 +29,10 @@ detection: - Image: - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe' - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe' - condition: selection and not filter + filter_localhost: + SourceIp: '::1' + DestinationIp: '::1' + condition: selection and not 1 of filter* falsepositives: - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. - Network Service user name of a not-covered localization From cfd3e17bc754e7de32bc617321022f504fbb1215 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 16 Aug 2022 19:27:06 +0000 Subject: [PATCH 128/129] Fixes spelling mistake of success (missing a c) --- rules/cloud/azure/azure_privileged_account_creation.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/azure_privileged_account_creation.yml b/rules/cloud/azure/azure_privileged_account_creation.yml index f417e2832..f93dbd842 100644 --- a/rules/cloud/azure/azure_privileged_account_creation.yml +++ b/rules/cloud/azure/azure_privileged_account_creation.yml @@ -2,8 +2,9 @@ title: Privileged Account Creation id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 status: experimental description: Detects when a new admin is created. -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton date: 2022/08/11 +modified: 2022/08/16 references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts logsource: @@ -14,7 +15,7 @@ detection: properties.message|contains|all: - Add user - Add member to role - Status: Sucess + Status: Success condition: selection falsepositives: - A legitmate new admin account being created From 726406f64dc8f38a79fc515d82510b10c0766ed0 Mon Sep 17 00:00:00 2001 
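Review bot: `filter_localhost` covers only the IPv6 loopback pair, while the IPv4 equivalent is just as likely for the local-to-local BITS case the commit describes, so the fix is probably incomplete; list both, `SourceIp: ['::1', '127.0.0.1']` and `DestinationIp: ['::1', '127.0.0.1']`. The filter is also not tied to an image, so it suppresses every loopback connection on the selected ports, including a local `Enter-PSSession` used to stage a payload; if the false positive is specifically the BITS host, adding `Image|endswith: '\svchost.exe'` to the filter keeps the exclusion narrow. The `selection` block is outside the hunk.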
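Review bot: With `Status: Success` corrected the rule will finally match, but `properties.message|contains|all` with `Add member to role` covers membership changes to any directory role, not only privileged ones, so it is broader than the title "Privileged Account Creation" and the description "Detects when a new admin is created" suggest; if the audit log exposes the role name, constrain on it, otherwise reword the description to say any role assignment. Since `Sucess` meant the rule never fired since it was added on 2022/08/11, the commit message should say so, so that deployments re-check coverage. The `legitmate` typo in the falsepositives context line is also still there.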
From: Tim Shelton Date: Tue, 16 Aug 2022 19:58:16 +0000 Subject: [PATCH 129/129] Backend: hawk. last udpate to config until pySigma migration (hopefully) --- tools/config/hawk.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 2930e0f25..f93f31ff0 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -787,7 +787,7 @@ fieldmappings: AccountName: target_username TargetDomainName: target_domain DnsServerIpAddress: dns_address - QueryName: hostname_dst + QueryName: dns_query AuthenticationPackageName: package_name HostProcess: image Application: image @@ -846,10 +846,10 @@ fieldmappings: DeviceClassName: object_name CallTrace: calltrace IpAddress: ip_src - WorkstationName: hostname_src - Workstation: hostname_src + WorkstationName: ip_src_host + Workstation: ip_src_host DestinationIp: ip_dst - DestinationHostname: hostname_dst + DestinationHostname: ip_dst_host DestinationPort: ip_dport GrantedAccess: access_mask StartModule: target_process_name
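Review bot: `WorkstationName`/`Workstation` now map to `ip_src_host`, but in Security events such as 4624/4625/4776 these fields carry the computer name supplied by the client, not a resolved hostname of the source address; if hawk fills `ip_src_host` from reverse DNS of `ip_src`, rules that key on attacker-supplied workstation names will stop matching, so this should be confirmed against the backend schema before it ships. Likewise `QueryName: dns_query` in the first hunk removes the only mapping onto `hostname_dst` for DNS events, and a short comment recording why (`# DNS query name is the looked-up name, not a destination host`) would save the next person re-deriving it. Both fieldmappings blocks extend beyond the hunks.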