From b5352ac5f7af8135e7bdda4981aa73c1a732993f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 27 May 2021 10:29:21 +0200
Subject: [PATCH 1/2] fix: duplicate UUIDs
---
 rules/linux/macos_change_file_time_attr.yml | 2 +-
 rules/linux/macos_find_cred_in_files.yml | 2 +-
 rules/linux/macos_remote_system_discovery.yml | 2 +-
 .../powershell/powershell_invoke_obfuscation_via_var++.yml | 2 +-
 rules/windows/process_creation/process_creation_msdeploy.yml | 2 +-
 .../windows/process_creation/sysmon_proxy_execution_wuauclt.yml | 2 +-
 .../process_creation/sysmon_susp_webdav_client_execution.yml | 2 +-
 .../process_creation/win_invoke_obfuscation_via_var++.yml | 2 +-
 .../registry_event/sysmon_wdigest_enable_uselogoncredential.yml | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
index f30750331..f4a0ca2d7 100644
--- a/rules/linux/macos_change_file_time_attr.yml
+++ b/rules/linux/macos_change_file_time_attr.yml
@@ -1,5 +1,5 @@
 title: 'File Time Attribute Change'
-id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
 status: experimental
 description: 'Detect file time attribute change to hide new or changes to existing files.'
 # For this rule to work you must enable audit of process execution in OpenBSM, see
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
index 2f47f1034..a0b2a0cbd 100644
--- a/rules/linux/macos_find_cred_in_files.yml
+++ b/rules/linux/macos_find_cred_in_files.yml
@@ -1,5 +1,5 @@
 title: 'Credentials In Files'
-id: df3fcaea-2715-4214-99c5-0056ea59eb35
+id: 53b1b378-9b06-4992-b972-dde6e423d2b4
 status: experimental
 description: 'Detecting attempts to extract passwords with grep and laZagne'
 # For this rule to work you must enable audit of process execution in OpenBSM, see
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
index a7a1fdf22..fd5867314 100644
--- a/rules/linux/macos_remote_system_discovery.yml
+++ b/rules/linux/macos_remote_system_discovery.yml
@@ -1,5 +1,5 @@
 title: Macos Remote System Discovery
-id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+id: 10227522-8429-47e6-a301-f2b2d014e7ad
 status: experimental
 description: Detects the enumeration of other remote systems.
 author: Alejandro Ortuno, oscd.community
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
index ac20a73c2..6d19dc2e1 100644
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@@ -1,5 +1,5 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+id: e54f5149-6ba3-49cf-b153-070d24679126
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
index 6fabd7686..08b586762 100644
--- a/rules/windows/process_creation/process_creation_msdeploy.yml
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
@@ -1,6 +1,6 @@
 title: Execute Files with Msdeploy.exe
 status: experimental
-id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
 author: Beyu Denis, oscd.community
 date: 2020/10/18
 description: Detects file execution using the msdeploy.exe lolbin
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
index 3feffbd61..439e99a78 100644
--- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -1,5 +1,5 @@
 title: Proxy Execution via Wuauclt
-id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+id: af77cf95-c469-471c-b6a0-946c685c4798
 description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
 status: experimental
 date: 2020/10/12
diff --git a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
index 300599791..6e66c04a3 100644
--- a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
+++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
@@ -1,5 +1,5 @@
 title: Suspicious WebDav Client Execution
-id: 40f9af16-589d-4984-b78d-8c2aec023197
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
 description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
 status: experimental
 date: 2020/05/02
diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
index caeadc4e8..dd02c69ae 100644
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
+++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml
@@ -1,5 +1,5 @@
 title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
-id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+id: e9f55347-2928-4c06-88e5-1a7f8169942e
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
 status: experimental
 author: Timur Zinniatullin, oscd.community
diff --git a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
index 9b67116f1..875bbbeb4 100644
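Review bot: The new `id` written into sysmon_susp_webdav_client_execution.yml, `2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5`, is the same value this patch assigns to rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml in the final hunk, so a commit titled "fix: duplicate UUIDs" replaces one duplicate pair with another. Sigma rule ids are meant to be unique, and consumers that key alerts or suppressions on the id would conflate a WebDAV client execution with a WDigest registry change; one of the two files needs a freshly generated UUID before merge. If the repository's test suite does not already fail on duplicate `id` values across rules/, adding that check would have caught this.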
--- a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
+++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
@@ -1,5 +1,5 @@
 title: Wdigest Enable UseLogonCredential
-id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
 description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
 status: experimental
 date: 2019/09/12
From 7812a4217cd31f082493d4caa5a39c5ed6f0e32f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 27 May 2021 11:36:05 +0200
Subject: [PATCH 2/2] rule: regedit as trustedinstaller
---
 .../win_susp_regedit_trustedinstaller.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
new file mode 100644
index 000000000..6b4964525
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@@ -0,0 +1,18 @@
+title: Regedit as Trusted Installer
+id: 883835a7-df45-43e4-bf1d-4268768afda4
+description: Detects a regedit started with TrustedInstaller privileges
+references:
+    - https://twitter.com/1kwpeter/status/1397816101455765504
+author: Florian Roth
+date: 2018/05/27
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\regedit.exe'
+        ParentImage|endswith: '\TrustedInstaller.exe'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
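Review bot: `date: 2018/05/27` in the new rule looks like a typo: the commit is dated 27 May 2021 and the only reference is a tweet whose id places it in 2021, so `date: 2021/05/27` is presumably intended; worth confirming with the author since the date field feeds rule-age reporting. The file also omits the `status:` key that every other rule touched in this series carries, and for a freshly added rule `status: experimental` would match the rest of the set. A `tags:` block with the relevant ATT&CK technique would also bring it in line with the repository's other process_creation rules, though none of those are visible in this patch to copy from. The detection itself is a simple parent/child image pair, so `falsepositives: - Unlikely` is a reasonable starting claim, but the description could state that regedit.exe under TrustedInstaller.exe has no known legitimate use so that triage knows what baseline to expect.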