From 592485fac54d3539ee8b99677fd0facb67cbecd0 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 12 Jan 2022 20:27:56 +0100
Subject: [PATCH 1/4] Windows Redcannary
---
 .../posh_ps_create_volume_shadow_copy.yml | 26 +++++++++++++++++++
 .../posh_ps_suspicious_gwmi.yml | 25 ++++++++++++++++++
 .../win_pc_uninstall_sysmon.yml | 24 +++++++++++++++++
 .../sysmon/sysmon_config_modification.yml | 20 ++++++++++++++
 4 files changed, 95 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
 create mode 100644 rules/windows/process_creation/win_pc_uninstall_sysmon.yml
 create mode 100644 rules/windows/sysmon/sysmon_config_modification.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
new file mode 100644
index 000000000..6c098c110
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml
@@ -0,0 +1,26 @@
+title: Create Volume Shadow Copy with Powershell
+id: afd12fed-b0ec-45c9-a13d-aa86625dac81
+status: experimental
+description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
+date: 2022/01/12
+author: frack113
+references:
+ - https://attack.mitre.org/datasources/DS0005/
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - win32_shadowcopy
+ - ').Create('
+ - ClientAccessible
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1003.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
new file mode 100644
index 000000000..de0c276a4
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_gwmi.yml
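Review bot: The `description` of the new rule states the adversary goal (copying the Active Directory domain database) rather than what the rule actually matches, so an analyst triaging the alert has to reverse-engineer the three `contains|all` tokens to understand it. Suggest `description: Detects PowerShell script blocks that create a volume shadow copy through the Win32_ShadowCopy WMI class (Create method), a step adversaries use to copy locked files such as the Active Directory domain database for credential theft`. The `falsepositives` entry should name the obvious benign case, which is the very same call: `- Backup or VSS maintenance scripts that create shadow copies via WMI`. Matching the literal `').Create('` also ties the rule to one exact call syntax; anchoring on the class name together with the method name would make the rule more robust to formatting differences in otherwise identical scripts.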
@@ -0,0 +1,25 @@
+title: Suspicious Get-WmiObject
+id: 0332a266-b584-47b4-933d-a00b103e1b37
+status: experimental
+description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
+date: 2022/01/12
+author: frack113
+references:
+ - https://attack.mitre.org/datasources/DS0005/
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - Get-WmiObject
+ - gwmi
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.persistence
+ - attack.t1546
diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
new file mode 100644
index 000000000..11a90070f
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
@@ -0,0 +1,24 @@
+title: Uninstall Sysinternals Sysmon
+id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
+status: experimental
+description: Uninstall Sysinternals Sysmon for Defense Evasion
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
+author: frack113
+date: 2022/01/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ sysmon:
+ Image|endswith:
+ - \Sysmon64.exe
+ - \Sysmon.exe
+ CommandLine|contains: '-u'
+ condition: sysmon
+falsepositives:
+ - unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
new file mode 100644
index 000000000..87b371606
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
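Review bot: The `description` of posh_ps_suspicious_gwmi.yml is the generic MITRE definition of WMI and does not say what is detected, and the `attack.persistence` / `attack.t1546` tags do not fit a plain `Get-WmiObject` / `gwmi` match, which is WMI usage (T1047, Execution) rather than event-triggered persistence. Suggest `description: Detects the use of the Get-WmiObject cmdlet or its gwmi alias in a PowerShell script block; WMI queries are routine in administration scripts, so this is a low-confidence hunting indicator to correlate with other signals` and the tags `- attack.execution` / `- attack.t1047`. Because `ScriptBlockText|contains: gwmi` is a bare four-character substring it will also fire on any script text that merely contains those letters; if the alias is kept, say so in `falsepositives` so consumers know to tune it.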
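Review bot: In win_pc_uninstall_sysmon.yml, `CommandLine|contains: '-u'` is a two-character substring, so it also matches any Sysmon invocation whose path or argument happens to contain `-u` (a directory such as `tools-updates`, for example), while the `Image|endswith` clause misses deployments where the Sysmon binary was renamed, a common hardening step intended to hide the sensor. Consider matching the switch with its leading separator, `CommandLine|contains: ' -u'` (Sysmon documents `-u`; like other Sysinternals tools it most likely also accepts `/u`, which should be confirmed against the current usage text), and adding an `OriginalFileName` condition if that field is present in your process-creation source so a renamed binary still matches. `falsepositives: - unknown` could also name the real one: `- Legitimate Sysmon uninstallation or upgrade by administrators`.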
@@ -0,0 +1,20 @@
+title: Sysmon Configuration Change
+id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
+description: Someone can try to hide from Sysmon
+status: experimental
+author: frack113
+date: 2022/01/12
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 16
+ condition: selection
+falsepositives:
+ - legitimate administrative action
+level: medium
+tags:
+ - attack.defense_evasion
From baaef207cb0378f6d915197e7e819a16226d6ced Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 13 Jan 2022 06:38:43 +0100
Subject: [PATCH 2/4] Add filter help
---
 rules/windows/sysmon/sysmon_config_modification.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
index 87b371606..dc24421ae 100644
--- a/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
@@ -12,6 +12,10 @@ logsource:
 detection:
 selection:
 EventID: 16
+ # To avoid FP just add
+ # filter:
+ # ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
+ # condition: selection and not filter
 condition: selection
 falsepositives:
 - legitimate administrative action
From c0bd1ef9bc036f14bfe2a28bacf213cc1779f759 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 13 Jan 2022 21:07:11 +0100
Subject: [PATCH 3/4] Update sysmon_config_modification.yml
---
 rules/windows/sysmon/sysmon_config_modification.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml
index dc24421ae..698bd1fb3 100644
--- a/rules/windows/sysmon/sysmon_config_modification.yml
+++ b/rules/windows/sysmon/sysmon_config_modification.yml
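Review bot: The `tags` block of sysmon_config_modification.yml carries only the tactic `attack.defense_evasion`, while the sibling Sysmon rule added in this same patch (win_pc_uninstall_sysmon.yml) also records the technique `attack.t1562.001`; weakening the sensor's configuration is the same Impair Defenses technique, so add `- attack.t1562.001` for consistency and so that technique-based dashboards pick both rules up. Event ID 16 is, as far as I can tell, emitted on every configuration update and not only on hostile ones, so a fleet-wide config rollout yields one alert per host; `falsepositives` should say so explicitly: `- Legitimate Sysmon configuration updates or rollouts by administrators (one event per host)`.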
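Review bot: The filter suggested in the added comment hard-codes a `SHA256=` prefix for `ConfigurationFileHash`, but as far as I can tell that field reports the hash in whichever algorithm(s) the sensor's `HashAlgorithms` setting selects, so on a SHA1-only or multi-algorithm configuration the literal would never match and the filter would silently suppress nothing. Suggest extending the comment with a line such as `# the algorithm prefix must match the HashAlgorithms configured on the sensor (e.g. SHA1=, MD5=, or several values joined with commas)`. The comment should also note that the hash has to be updated whenever the approved config file changes, otherwise the rule quietly reverts to alerting on every reload.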
@@ -1,6 +1,6 @@
 title: Sysmon Configuration Change
 id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
-description: Someone can try to hide from Sysmon
+description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
 status: experimental
 author: frack113
 date: 2022/01/12
From 21b3e5c6fd89212e5ca04e9245bca85d9acba591 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 13 Jan 2022 21:07:59 +0100
Subject: [PATCH 4/4] Update win_pc_uninstall_sysmon.yml
---
 rules/windows/process_creation/win_pc_uninstall_sysmon.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
index 11a90070f..e9a92cdbb 100644
--- a/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
+++ b/rules/windows/process_creation/win_pc_uninstall_sysmon.yml
@@ -1,7 +1,7 @@
 title: Uninstall Sysinternals Sysmon
 id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
 status: experimental
-description: Uninstall Sysinternals Sysmon for Defense Evasion
+description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
 author: frack113
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1562.001
\ No newline at end of file
+ - attack.t1562.001
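Review bot: The rewritten `description` in sysmon_config_modification.yml has a grammar slip, `someone trying manipulate the configuration`, which should read `someone trying to manipulate the configuration`. Since this text is what analysts see in the alert, it is worth fixing before the rule leaves `experimental`.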