From f1cd74e3037779bc902ddafe48e7b70dd866ccca Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 5 May 2023 17:52:47 +0200 Subject: [PATCH] feat: more updates --- ...e_thread_win_susp_remote_thread_target.yml | 4 +- .../file_event_win_moriya_rootkit.yml | 6 +-- ...le_event_win_malware_pingback_backdoor.yml | 0 ...te_remote_thread_win_malware_bumblebee.yml | 2 +- rules-emerging-threats/2023/TA/FIN7/README.md | 7 ++- .../TA/FIN7/posh_ps_apt_fin7_powerhold.yml | 2 +- ...n_apt_fin7_powertrash_lateral_movement.yml | 2 +- ...n_defender_real_time_protection_errors.yml | 10 ++++- ...te_remote_thread_win_hktl_cactustorch.yml} | 8 ++-- ...e_remote_thread_win_hktl_cobaltstrike.yml} | 6 +-- ...l => create_remote_thread_win_keepass.yml} | 5 ++- ..._remote_thread_win_powershell_generic.yml} | 0 ...te_remote_thread_win_powershell_lsass.yml} | 0 ...te_thread_win_powershell_susp_targets.yml} | 0 ...mote_thread_win_uncommon_source_image.yml} | 45 ++++++------------- ...mote_thread_win_uncommon_target_image.yml} | 35 +++++++++------ .../file_event_win_net_cli_artefact.yml | 4 +- .../file_event_win_ntds_dit_creation.yml | 21 +++++++++ ..._win_ntds_dit_uncommon_parent_process.yml} | 25 +++++------ ...e_event_win_ntds_dit_uncommon_process.yml} | 31 +++++++++---- .../file_event_win_ntds_exfil_tools.yml | 9 ++-- .../file_event_win_perflogs_susp_files.yml | 39 ++++++++++++++++ ...e_event_win_vhd_download_via_browsers.yml} | 4 +- .../image_load_side_load_dbgcore_dll.yml | 24 +++++----- .../image_load_side_load_dbghelp_dll.yml | 31 +++++++------ ...oad_side_load_from_non_system_location.yml | 23 +++++----- .../image_load_side_load_gup_libcurl.yml | 27 +++++++++++ 27 files changed, 234 insertions(+), 136 deletions(-) rename {rules/windows/create_remote_thread => deprecated/windows}/create_remote_thread_win_susp_remote_thread_target.yml (96%) rename {rules/windows/file/file_event => rules-emerging-threats/2021/Malware/Moriya-Rootkit}/file_event_win_moriya_rootkit.yml (67%) rename 
{rules/windows/file/file_event => rules-emerging-threats/2021/Malware/Pingback}/file_event_win_malware_pingback_backdoor.yml (100%) rename rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml => rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml (93%) rename rules/windows/create_remote_thread/{create_remote_thread_win_cactustorch.yml => create_remote_thread_win_hktl_cactustorch.yml} (91%) rename rules/windows/create_remote_thread/{create_remote_thread_win_cobaltstrike_process_injection.yml => create_remote_thread_win_hktl_cobaltstrike.yml} (76%) rename rules/windows/create_remote_thread/{create_remote_thread_win_password_dumper_keepass.yml => create_remote_thread_win_keepass.yml} (73%) rename rules/windows/create_remote_thread/{create_remote_thread_win_powershell_crt.yml => create_remote_thread_win_powershell_generic.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml => create_remote_thread_win_powershell_lsass.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_win_powershell_crt_rundll32.yml => create_remote_thread_win_powershell_susp_targets.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_win_susp_remote_thread_source.yml => create_remote_thread_win_uncommon_source_image.yml} (72%) rename rules/windows/create_remote_thread/{create_remote_thread_win_susp_targets.yml => create_remote_thread_win_uncommon_target_image.yml} (52%) create mode 100644 rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml rename rules/windows/file/file_event/{file_event_win_ntds_dit.yml => file_event_win_ntds_dit_uncommon_parent_process.yml} (78%) rename rules/windows/file/file_event/{file_event_win_susp_ntds_dit.yml => file_event_win_ntds_dit_uncommon_process.yml} (50%) create mode 100644 rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml rename 
rules/windows/file/file_event/{file_event_win_mal_vhd_download.yml => file_event_win_vhd_download_via_browsers.yml} (95%) create mode 100644 rules/windows/image_load/image_load_side_load_gup_libcurl.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml b/deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml similarity index 96% rename from rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml rename to deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml index ec2c5b623..ac2162d76 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml +++ b/deprecated/windows/create_remote_thread_win_susp_remote_thread_target.yml @@ -1,6 +1,6 @@ title: Suspicious Remote Thread Target id: f016c716-754a-467f-a39e-63c06f773987 -status: experimental +status: deprecated description: | Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes. @@ -9,7 +9,7 @@ references: - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ author: Florian Roth (Nextron Systems) date: 2022/08/25 -modified: 2022/08/29 +modified: 2023/05/05 logsource: product: windows category: create_remote_thread diff --git a/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml b/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml similarity index 67% rename from rules/windows/file/file_event/file_event_win_moriya_rootkit.yml rename to rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml index d09b370be..a224e5b0f 100644 
--- a/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml +++ b/rules-emerging-threats/2021/Malware/Moriya-Rootkit/file_event_win_moriya_rootkit.yml @@ -1,15 +1,15 @@ -title: Moriya Rootkit +title: Moriya Rootkit File Created id: a1507d71-0b60-44f6-b17c-bf53220fdd88 related: - id: 25b9c01c-350d-4b95-bed1-836d04a4f324 type: derived status: test -description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report. references: - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 author: Bhabesh Raj date: 2021/05/06 -modified: 2022/10/09 +modified: 2023/05/05 tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/file/file_event/file_event_win_malware_pingback_backdoor.yml b/rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_malware_pingback_backdoor.yml rename to rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml similarity index 93% rename from rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml rename to rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml index a4a32a992..42584172b 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml +++ b/rules-emerging-threats/2022/Malware/Bumblebee/create_remote_thread_win_malware_bumblebee.yml 
@@ -1,4 +1,4 @@ -title: Bumblebee Remote Thread Creation +title: Potential Bumblebee Remote Thread Creation id: 994cac2b-92c2-44bf-8853-14f6ca39fbda status: experimental description: Detects remote thread injection events based on action seen used by bumblebee diff --git a/rules-emerging-threats/2023/TA/FIN7/README.md b/rules-emerging-threats/2023/TA/FIN7/README.md index 8b3182f83..85f72b6fd 100644 --- a/rules-emerging-threats/2023/TA/FIN7/README.md +++ b/rules-emerging-threats/2023/TA/FIN7/README.md @@ -2,7 +2,7 @@ ## Summary -Withsecure labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software. +WithSecure Labs reported on the 26th of April 2023 on attacks their intelligence teams identified in late March 2023 against internet-facing servers running Veeam Backup & Replication software. You can find more information on the threat in the following articles: @@ -10,4 +10,7 @@ You can find more information on the threat in the following articles: ## Rules -- \ No newline at end of file +- [Potential APT FIN7 Related PowerShell Script Created](./file_event_win_apt_fin7_powershell_scripts_naming_convention.yml) +- [Potential APT FIN7 POWERHOLD Execution](./posh_ps_apt_fin7_powerhold.yml) +- [Potential POWERTRASH Script Execution](./posh_ps_apt_fin7_powertrash_execution.yml) +- [Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity](./proc_creation_win_apt_fin7_powertrash_lateral_movement.yml) diff --git a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml index 4d5c08ea0..95c28d8c5 100644 --- a/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml +++ b/rules-emerging-threats/2023/TA/FIN7/posh_ps_apt_fin7_powerhold.yml 
@@ -1,4 +1,4 @@ -title: FIN7 POWERHOLD Execution +title: Potential APT FIN7 POWERHOLD Execution id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca status: test description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs diff --git a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml index 49084403e..dfc6c3258 100644 --- a/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml +++ b/rules-emerging-threats/2023/TA/FIN7/proc_creation_win_apt_fin7_powertrash_lateral_movement.yml @@ -1,4 +1,4 @@ -title: Potential FIN7 Reconnaissance/POWERTRASH Related Activity +title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e status: experimental description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution diff --git a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml index 60e13e208..6154f8796 100644 --- a/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml +++ b/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml 
@@ -5,9 +5,10 @@ description: Detects issues with Windows Defender Real-Time Protection features references: - Internal Research - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ - - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 + - https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 # Contains the list of Feature Names (use for filtering purposes) author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update) date: 2023/03/28 +modified: 2023/05/05 tags: - attack.defense_evasion - attack.t1562.001 @@ -19,7 +20,12 @@ detection: EventID: - 3002 # Real-Time Protection feature has encountered an error and failed - 3007 # Real-time Protection feature has restarted - condition: selection + filter_optional_network_inspection: + Feature_Name: '%%886' # Network Inspection System + Reason: + - '%%892' # The system is missing updates that are required for running Network Inspection System. Install the required updates and restart the device. + - '%%858' # Antimalware security intelligence has stopped functioning for an unknown reason. In some instances, restarting the service may resolve the problem. + condition: selection and not 1 of filter_optional_* falsepositives: - Some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. Manual exception is required level: medium diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml similarity index 91% rename from rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml index 97afdee38..8c55c5882 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml 
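Review bot: The added `filter_optional_network_inspection` matches on the raw `%%886`/`%%892`/`%%858` message-parameter placeholders, which only works when the backend stores the unresolved EventData values; a pipeline that ships the rendered message text will never hit the filter and the rule stays as noisy as before. I would say so next to the filter, e.g. `# Values are the raw EventData parameter references, not the rendered message text`. Separately, `%%858` ("stopped functioning for an unknown reason") is the kind of failure a t1562.001 rule exists to surface, so excluding it for the Network Inspection feature trades detection for noise; if it stays, a comment explaining why that is acceptable for NIS would help tuners decide whether to keep this optional filter.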
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cactustorch.yml @@ -1,17 +1,17 @@ -title: CACTUSTORCH Remote Thread Creation +title: HackTool - CACTUSTORCH Remote Thread Creation id: 2e4e488a-6164-4811-9ea1-f960c7359c40 status: test description: Detects remote thread creation from CACTUSTORCH as described in references. references: - - https://twitter.com/SBousseaden/status/1090588499517079552 + - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted - https://github.com/mdsecactivebreach/CACTUSTORCH author: '@SBousseaden (detection), Thomas Patzke (rule)' date: 2019/02/01 -modified: 2022/12/25 +modified: 2023/05/05 tags: - attack.defense_evasion - - attack.t1055.012 - attack.execution + - attack.t1055.012 - attack.t1059.005 - attack.t1059.007 - attack.t1218.005 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml similarity index 76% rename from rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml index 2759aebda..65d3671a0 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml 
@@ -1,13 +1,13 @@ -title: CobaltStrike Process Injection +title: HackTool - Potential CobaltStrike Process Injection id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42 status: test -description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons +description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons references: - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community date: 2018/11/30 -modified: 2022/12/25 +modified: 2023/05/05 tags: - attack.defense_evasion - attack.t1055.001 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml similarity index 73% rename from rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml index 1efcac162..6bacc3f50 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml 
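Review bot: The reworded description on the new side still reads `Detects a potential remote threat creation`, carrying over the old "threat"/"thread" typo; since the line is being rewritten anyway it should become `description: Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons`. The detection section of the rule is outside the hunk.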
@@ -1,13 +1,14 @@ -title: KeePass Password Dumping +title: Remote Thread Created In KeePass.EXE id: 77564cc2-7382-438b-a7f6-395c2ae53b9a status: experimental -description: Detects remote thread creation in KeePass.exe indicating password dumping activity +description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity references: - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a - https://github.com/denandz/KeeFarce - https://github.com/GhostPack/KeeThief author: Timon Hackenjos date: 2022/04/22 +modified: 2023/05/05 tags: - attack.credential_access - attack.t1555.005 diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml similarity index 100% rename from rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_generic.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml similarity index 100% rename from rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_lsass.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt_rundll32.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml similarity index 100% rename from rules/windows/create_remote_thread/create_remote_thread_win_powershell_crt_rundll32.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml 
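Review bot: The new description has a grammar slip, `which could indicates`; it should read `description: Detects remote thread creation in "KeePass.exe" which could indicate potential password dumping activity`. The selection and falsepositives sections are outside the hunk, so I cannot tell whether legitimate tooling that injects into KeePass (plugins, accessibility software) is already accounted for; if not, the now-generic title is a good moment to add such an entry to `falsepositives`.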
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml similarity index 72% rename from rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml index 7593e2bef..e464d1397 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_source_image.yml @@ -1,16 +1,13 @@ -title: Suspicious Remote Thread Source +title: Remote Thread Creation By Uncommon Source Image id: 66d31e5f-52d6-40a4-9615-002d3789a119 status: experimental -description: | - Offensive tradecraft is switching away from using APIs like "CreateRemoteThread", however, this is still largely observed in the wild. - This rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes. - It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes. +description: Detects uncommon processes creating remote threads references: - Personal research, statistical analysis - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2023/03/09 +modified: 2023/05/05 tags: - attack.privilege_escalation - attack.defense_evasion @@ -22,8 +19,8 @@ detection: selection: SourceImage|endswith: - '\bash.exe' - - '\cvtres.exe' - '\cscript.exe' + - '\cvtres.exe' - '\defrag.exe' - '\dnx.exe' - '\esentutl.exe' 
@@ -41,7 +38,7 @@ detection: - '\lync.exe' - '\makecab.exe' - '\mDNSResponder.exe' - - '\monitoringhost.exe' + - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. - '\msbuild.exe' - '\mshta.exe' - '\msiexec.exe' 
@@ -66,56 +63,42 @@ detection: - '\w3wp.exe' - '\winlogon.exe' - '\winscp.exe' - - '\wmic.exe' - '\winword.exe' + - '\wmic.exe' - '\wscript.exe' filter_vs: - SourceImage|contains: 'Visual Studio' - SourceParentImage|contains: '\Programs\Microsoft VS Code\' - filter2: + filter_main_winlogon_1: SourceImage: 'C:\Windows\System32\winlogon.exe' TargetImage: - 'C:\Windows\System32\services.exe' # happens on Windows 7 - 'C:\Windows\System32\wininit.exe' # happens on Windows 7 - 'C:\Windows\System32\csrss.exe' # multiple OS - filter2b: + filter_main_winlogon_2: SourceImage: 'C:\Windows\System32\winlogon.exe' TargetParentImage: 'System' TargetParentProcessId: 4 - filter3: + filter_main_provtool: SourceImage: 'C:\Windows\System32\provtool.exe' TargetParentProcessId: 0 - filter4: - SourceImage|endswith: '\git.exe' - TargetImage|endswith: - - '\git.exe' - - 'C:\Windows\System32\conhost.exe' - filter5: + filter_main_vssvc: SourceImage: 'C:\Windows\System32\VSSVC.exe' TargetImage: 'System' - filter_powershell: - SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe' - filter_schtasks_conhost: + filter_main_schtasks_conhost: SourceImage: - 'C:\Windows\System32\schtasks.exe' - 'C:\Windows\SysWOW64\schtasks.exe' TargetImage: 'C:\Windows\System32\conhost.exe' - filter_nvidia: + filter_optional_nvidia: SourceImage: 'C:\Windows\explorer.exe' TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' - #filter_powerpnt: + #filter_optional_powerpnt: # # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 # SourceImage|contains: '\Microsoft Office\' # SourceImage|endswith: '\POWERPNT.EXE' # TargetImage: 'C:\Windows\System32\csrss.exe' - condition: selection and not 1 of filter* -fields: - - ComputerName - - User - - SourceImage - - TargetImage + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: high -notes: - - MonitoringHost.exe is a process that 
loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml similarity index 52% rename from rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml index b5f21ce85..a108acf74 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_uncommon_target_image.yml @@ -1,12 +1,15 @@ -title: Remote Thread Creation in Suspicious Targets +title: Remote Thread Creation In Uncommon Target Image id: a1a144b7-5c9b-4853-a559-2172be8d4a03 +related: + - id: f016c716-754a-467f-a39e-63c06f773987 + type: obsoletes status: experimental -description: Detects a remote thread creation in suspicious target images +description: Detects uncommon target processes for remote thread creation references: - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection author: Florian Roth (Nextron Systems) date: 2022/03/16 -modified: 2022/09/29 +modified: 2023/05/05 tags: - attack.defense_evasion - attack.privilege_escalation 
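Review bot: `filter_vs` keeps its old name while the condition becomes `selection and not 1 of filter_main_* and not 1 of filter_optional_*`, so the Visual Studio / VS Code exclusion is no longer referenced anywhere and becomes dead — every remote thread from those sources will now alert at level high, and an unreferenced selection is likely to trip the repository's rule checks. Rename it to fit the new scheme, e.g. `filter_optional_vs:` (or `filter_main_vs:` if it is meant to be unconditional). The hunk also drops `filter_powershell` (CompatTelRunner parent) and the `git.exe` filter without explanation; if `powershell.exe` is still in the selection, which starts in an earlier hunk, that removal may reintroduce telemetry-runner noise, so a one-line comment on why they were removed would help the next tuner.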
@@ -17,20 +20,24 @@ logsource: detection: selection: TargetImage|endswith: - - '\mspaint.exe' - '\calc.exe' - - '\notepad.exe' - - '\sethc.exe' - - '\write.exe' - - '\wordpad.exe' + - '\calculator.exe' - '\explorer.exe' - filter: + - '\mspaint.exe' + - '\notepad.exe' + - '\ping.exe' + - '\sethc.exe' + - '\spoolsv.exe' + - '\wordpad.exe' + - '\write.exe' + filter_optional_aurora_1: StartFunction: 'EtwpNotificationThread' - filter_programfiles: - SourceImage|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not 1 of filter* + filter_optional_aurora_2: + SourceImage|contains: 'unknown process' + filter_main_spoolsv: + SourceImage: 'C:\Windows\System32\csrss.exe' + TargetImage: 'C:\Windows\System32\spoolsv.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml index e23f600aa..97262ef5b 100644 --- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml @@ -34,7 +34,7 @@ detection: - '\UsageLogs\svchost.exe.log' - '\UsageLogs\wscript.exe.log' - '\UsageLogs\wmic.exe.log' - filter_rundll: + filter_main_rundll32: # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity ParentImage|endswith: '\MsiExec.exe' ParentCommandLine|contains: ' -Embedding' @@ -42,7 +42,7 @@ detection: CommandLine|contains|all: - 'Temp' - 'zzzzInvokeManagedCustomActionOutOfProc' - condition: selection and not 1 of filter_* + condition: selection and not 1 of filter_main_* falsepositives: - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high 
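Review bot: Dropping `filter_programfiles` while adding `\explorer.exe`, `\spoolsv.exe` and `\ping.exe` as targets means this level-high rule now fires on any remote thread from software under `C:\Program Files` into explorer.exe, which can be legitimate behaviour of endpoint agents and shell-integration tools; `filter_main_spoolsv` only covers the csrss-to-spoolsv case. If the blanket Program Files exclusion is deliberately gone, consider a narrower `filter_optional_` for known agents, or at least name this case in `falsepositives` instead of `Unknown`. The two `filter_optional_aurora_*` entries key on backend-specific values (`StartFunction`, `unknown process`), which deserves an inline comment such as `# Aurora-specific fields; safe to drop on other backends` so other users know they can be removed.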
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
new file mode 100644
index 000000000..f4d39dfd6
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_creation.yml
@@ -0,0 +1,21 @@
+title: NTDS.DIT Created
+id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
+status: experimental
+description: Detects creation of a file named "ntds.dit" (Active Directory Database)
+references:
+ - Internal Research
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+ - attack.credential_access
+ - attack.t1003.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: 'ntds.dit'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
similarity index 78%
rename from rules/windows/file/file_event/file_event_win_ntds_dit.yml
rename to rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
index 45dafcf4a..2d7c89e2e 100644
--- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml
+++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml
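Review bot: The new rule matches `TargetFilename|endswith: 'ntds.dit'` without the leading backslash that the two sibling NTDS rules use (`'\ntds.dit'`), so it also catches names such as `backup-ntds.dit`; if that breadth is intended, a short comment should say so, otherwise align it with the siblings. It also has no exclusion for the legitimate location, so creation of the database on a domain controller itself (e.g. under `\Windows\NTDS\`) and routine backup or IFM jobs will hit it; at level low that may be acceptable, but `falsepositives: Unknown` should at least name those cases, e.g. `- Legitimate NTDS.DIT creation on domain controllers or by backup and IFM tooling`.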
@@ -1,7 +1,10 @@ -title: Suspicious NTDS.DIT Creation +title: NTDS.DIT Creation By Uncommon Parent Process id: 4e7050dd-e548-483f-b7d6-527ab4fa784d +related: + - id: 11b1ed55-154d-4e82-8ad7-83739298f720 + type: similar status: test -description: Detects suspicious creations of a file named "ntds.dit" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner +description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process, directory references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ @@ -16,21 +19,21 @@ tags: logsource: product: windows category: file_event - definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data' + definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data' detection: selection_file: TargetFilename|endswith: '\ntds.dit' selection_process_parent: # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|endswith: + - '\cscript.exe' + - '\httpd.exe' + - '\nginx.exe' + - '\php-cgi.exe' - '\powershell.exe' - '\pwsh.exe' - - '\wscript.exe' - - '\cscript.exe' - '\w3wp.exe' - - '\php-cgi.exe' - - '\nginx.exe' - - '\httpd.exe' + - '\wscript.exe' selection_process_parent_path: # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|contains: 
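Review bot: The new description ends mid-thought, `by an uncommon parent process, directory`; I would write `description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or by a parent process located in a suspicious directory`. None of this file's hunks touch `modified:`, although a `related` block is added and the detection is changed in the following hunks; the repository convention is to bump it to the change date alongside such edits.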
@@ -40,12 +43,6 @@ detection: - '\Temp\' - '\Public\' - '\PerfLogs\' - selection_process_child: - Image|contains: - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' condition: selection_file and 1 of selection_process_* falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml similarity index 50% rename from rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml rename to rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml index 8b51a9b82..6bda3c05c 100644 --- a/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml @@ -1,11 +1,14 @@ -title: Suspicious Process Writes Ntds.dit +title: NTDS.DIT Creation By Uncommon Process id: 11b1ed55-154d-4e82-8ad7-83739298f720 -status: experimental -description: Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file +related: + - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d + type: similar +status: test +description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory references: - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/ - https://adsecurity.org/?p=2398 -author: Florian Roth (Nextron Systems) +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2022/01/11 modified: 2022/07/14 tags: 
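Review bot: `modified: 2022/07/14` is kept as context even though this commit changes the status, the author line, the related block and, in the next hunk, the detection logic itself; by the same convention applied to the other rules in this patch it should be bumped to `modified: 2023/05/05`. The `related` entry with `type: similar` pointing at the parent-process twin looks correct.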
@@ -16,18 +19,28 @@ logsource: product: windows category: file_event detection: - selection: + selection_ntds: TargetFilename|endswith: '\ntds.dit' + selection_process_img: Image|endswith: # Add more suspicious processes as you see fit - - '\powershell.exe' - - '\pwsh.exe' - '\cmd.exe' - - '\wscript.exe' - '\cscript.exe' - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' - '\wsl.exe' - condition: selection + - '\wt.exe' + selection_process_paths: + Image|contains: + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + condition: selection_ntds and 1 of selection_process_* falsepositives: - Unknown level: high diff --git a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml index db55e294c..d33c027ce 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml @@ -1,13 +1,14 @@ -title: Suspicious NTDS Exfil Filename Patterns +title: NTDS Exfiltration Filename Patterns id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a status: test -description: Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration +description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration. references: - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1 - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 author: Florian Roth (Nextron Systems) date: 2022/03/11 +modified: 2023/05/05 tags: - attack.credential_access - attack.t1003.003 
@@ -15,11 +16,11 @@ logsource:
product: windows
category: file_event
detection:
- selection_file:
+ selection:
TargetFilename|endswith:
- '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
- '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
- condition: selection_file
+ condition: selection
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
new file mode 100644
index 000000000..3999f8481
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml
@@ -0,0 +1,39 @@
+title: Suspicious File Created In PerfLogs
+id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
+status: experimental
+description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
+references:
+ - Internal Research
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\PerfLogs\'
+ TargetFilename|endswith:
+ - '.7z'
+ - '.bat'
+ - '.bin'
+ - '.chm'
+ - '.dll'
+ - '.exe'
+ - '.hta'
+ - '.lnk'
+ - '.ps1'
+ - '.psm1'
+ - '.py'
+ - '.scr'
+ - '.sys'
+ - '.vbe'
+ - '.vbs'
+ - '.zip'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: medium
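Review bot: The description of the new PerfLogs rule is ungrammatical ("Detects suspicious file based on their extension being created") and does not say what the rule keys on; `description: Detects the creation of files with suspicious extensions (scripts, executables, archives) in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files` states it plainly. The `falsepositives` entry `Unlikely` is a strong claim for a medium-level rule whose list includes `.dll` and `.sys`; if the author has observed tooling that drops such files there, naming it would help tuners, otherwise `Unknown` matches the other new rule in this commit. The rule is complete within the hunk.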
diff --git a/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml b/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
similarity index 95%
rename from rules/windows/file/file_event/file_event_win_mal_vhd_download.yml
rename to rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
index a40ea7dbf..81a996985 100644
--- a/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml
+++ b/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml
@@ -1,4 +1,4 @@
-title: Suspicious VHD Image Download From Browser
+title: VHD Image Download Via Browser
id: 8468111a-ef07-4654-903b-b863a80bbc95
status: test
description: |
@@ -10,7 +10,7 @@ references:
- https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021/10/25
-modified: 2023/04/18
+modified: 2023/05/05
tags:
- attack.resource_development
- attack.t1587.001
diff --git a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
index 0ebfc7f14..80b1818f6 100644
--- a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
+++ b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml
@@ -1,4 +1,4 @@
-title: DLL Sideloading Of DBGCORE.DLL
+title: Potential DLL Sideloading Of DBGCORE.DLL
id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
status: experimental
description: Detects DLL sideloading of "dbgcore.dll"
@@ -6,7 +6,7 @@ references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022/10/25
-modified: 2023/03/15
+modified: 2023/05/05
tags:
- attack.defense_evasion
- attack.persistence
@@ -19,18 +19,18 @@ logsource:
detection:
selection:
ImageLoaded|endswith: '\dbgcore.dll'
- filter_generic:
+ filter_main_generic:
ImageLoaded|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\WinSxS\'
- - 'C:\Windows\SoftwareDistribution\'
- - 'C:\Windows\SystemTemp\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- #filter_steam:
- # ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
- condition: selection and not 1 of filter_*
+ - 'C:\Windows\SoftwareDistribution\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SystemTemp\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ filter_optional_steam:
+ ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
-level: high
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
index 9bcedcfa8..aca8455ca 100644
--- a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
+++ b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml
@@ -1,4 +1,4 @@
-title: DLL Sideloading Of DBGHELP.DLL
+title: Potential DLL Sideloading Of DBGHELP.DLL
id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
status: experimental
description: Detects DLL sideloading of "dbghelp.dll"
@@ -6,7 +6,7 @@ references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022/10/25
-modified: 2023/03/15
+modified: 2023/05/05
tags:
- attack.defense_evasion
- attack.persistence
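Review bot: The newly enabled `filter_optional_steam` excludes on the loaded DLL's path suffix alone (`ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'`) with no constraint on the loading `Image`, so the exclusion applies to any process that loads a dbgcore.dll from a directory ending in that suffix, not only to Steam. Tying the filter to the application it is meant for — an `Image|startswith` on the Steam install root or an `Image|endswith` on its executable, combined with the existing key — keeps the blind spot as small as the false positive being suppressed. The same process-agnostic shape is used for `filter_optional_anaconda` and `filter_optional_epicgames` in the dbghelp detection hunk that follows. The drop from `level: high` to `level: medium` is not explained in the hunk; a sentence in the description or `falsepositives` saying why would save the next maintainer from re-raising it.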
@@ -19,21 +19,24 @@ logsource:
detection:
selection:
ImageLoaded|endswith: '\dbghelp.dll'
- filter_generic:
- - ImageLoaded|startswith:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\WinSxS\'
- - 'C:\Windows\SoftwareDistribution\'
- - 'C:\Windows\SystemTemp\'
+ filter_main_generic:
+ ImageLoaded|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- - ImageLoaded|endswith:
- - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
- - '\Epic Games\MagicLegends\x86\dbghelp.dll'
+ - 'C:\Windows\SoftwareDistribution\'
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SystemTemp\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\WinSxS\'
+ filter_optional_anaconda:
+ ImageLoaded|endswith:
- '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll'
- '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll'
- condition: selection and not 1 of filter_*
+ filter_optional_epicgames:
+ ImageLoaded|endswith:
+ - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
+ - '\Epic Games\MagicLegends\x86\dbghelp.dll'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
-level: high
+level: medium
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 458a53329..9ba7d5d57 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
-modified: 2023/03/15
+modified: 2023/05/05
tags:
- attack.defense_evasion
- attack.persistence
@@ -440,32 +440,29 @@ detection:
- '\wow64log.dll'
- '\WptsExtensions.dll'
- '\wbemcomn.dll'
- filter_generic:
+ filter_main_generic:
+ # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\SystemTemp\'
- filter_appvpolicy:
- ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+ - 'C:\$WINDOWS.~BT\'
+ filter_optional_office_appvpolicy:
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
- filter_azure:
+ ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+ filter_optional_azure:
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
- filter_dell:
+ filter_optional_dell:
Image|startswith:
- 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- filter_cleanmgr:
- Image: 'C:\Windows\System32\cleanmgr.exe'
- ImageLoaded|endswith: '\ssshim.dll'
- filter_upgrade:
- Image|startswith: 'C:\$WINDOWS.~BT\'
- filter_dell_wldp:
+ filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
diff --git a/rules/windows/image_load/image_load_side_load_gup_libcurl.yml b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
new file mode 100644
index 000000000..08ae58472
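Review bot: Moving `'C:\$WINDOWS.~BT\'` from the removed `filter_upgrade` (`Image|startswith`, i.e. the loading process) into the `ImageLoaded|startswith` list of `filter_main_generic` changes what is excluded: before, any process running from the upgrade staging directory was filtered; now any of the listed DLL names loaded from that directory by any process is filtered. If that widening is intended, the new `# Note:` comment on `filter_main_generic` should say so, because that directory is only expected to exist during a Windows setup/upgrade and a listed DLL loaded from it at any other time is exactly what this rule is for. Separately, `filter_optional_dell_wldp` keeps `Image|endswith: '\wldp.dll'`; if `Image` is the loading process path as in every other filter of this rule, that key cannot match and the filter is dead — `ImageLoaded|endswith: '\wldp.dll'` looks like the intent. The enclosing `detection` block starts well before this hunk.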
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_gup_libcurl.yml
@@ -0,0 +1,27 @@
+title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
+id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
+status: experimental
+description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from uncommon location
+references:
+ - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\gup.exe'
+ ImageLoaded|endswith: '\libcurl.dll'
+ filter_main_notepad_plusplus:
+ Image|endswith: '\Notepad++\updater\GUP.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: medium
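Review bot: `filter_main_notepad_plusplus` suppresses the alert on the process path suffix alone (`Image|endswith: '\Notepad++\updater\GUP.exe'`) and says nothing about where the libcurl.dll was loaded from, so a legitimately named updater loading a libcurl.dll from elsewhere is filtered too; adding `ImageLoaded|endswith: '\Notepad++\updater\libcurl.dll'` to the same filter (keys in one Sigma map are ANDed) keeps the exclusion limited to the pairing Notepad++ actually ships, assuming its libcurl.dll lives next to GUP.exe in the updater directory. The description's "from uncommon location" is also not what the selection tests — it matches every gup.exe/libcurl.dll pair and relies on the filter to define "common" — so either reword it to `description: Detects potential DLL sideloading of "libcurl.dll" by a "gup.exe" process that is not the Notepad++ updater` or add the location constraint the text promises. The rule is complete within the hunk.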